Restore audit log on recovered primary Admin Node
If you were able to preserve the audit log from the failed primary Admin Node, you can copy it to the primary Admin Node you are recovering.
The recovered Admin Node must be installed and running.
You must have copied the audit logs to another location after the original Admin Node failed.
If an Admin Node fails, audit logs saved to that Admin Node are potentially lost. You might be able to prevent this loss by copying the audit logs from the failed Admin Node and then restoring them to the recovered Admin Node. Depending on the failure, it might not be possible to copy audit logs from the failed Admin Node. In that case, if the deployment has more than one Admin Node, you can recover audit logs from another Admin Node, because audit logs are replicated to all Admin Nodes.
If there is only one Admin Node and the audit log cannot be copied from the failed node, the recovered Admin Node starts recording events to the audit log as if the installation were new.
You must recover an Admin Node as soon as possible to restore logging functionality.
By default, audit information is sent to the audit log on Admin Nodes. You can skip these steps if either of the following applies:
See Configure audit messages and log destinations for details.
Log in to the recovered Admin Node:
Enter the following command:
Enter the password listed in the
Enter the following command to switch to root:
Enter the password listed in the
After you are logged in as root, the prompt changes from
Check which audit files have been preserved:
Copy the preserved audit log files to the recovered Admin Node:
scp admin@grid_node_IP:/var/local/tmp/saved-audit-logs/YYYY* .
When prompted, enter the password for admin.
For security, delete the audit logs from the failed grid node after verifying that they have been copied successfully to the recovered Admin Node.
Update the user and group settings of the audit log files on the recovered Admin Node:
chown ams-user:bycast *
Log out as root:
You must also restore any pre-existing client access to the audit share. For more information, see the instructions for administering StorageGRID.
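The step above says to delete the preserved audit logs only after verifying that they were copied successfully. The following is an added example of one way to do that check; it is not part of the StorageGRID procedure. It assumes `sha256sum` is available on both hosts and that a manifest was created in the directory holding the preserved logs; the function name `verify_audit_copy` and the file name `manifest.sha256` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of the StorageGRID procedure.
# Assumption: a manifest was created in the directory that holds the
# preserved logs, e.g.  sha256sum YYYY* > manifest.sha256
# (manifest.sha256 is a hypothetical file name) and copied with them.

# verify_audit_copy MANIFEST DEST_DIR
# Returns 0 only if every file listed in MANIFEST exists in DEST_DIR with
# a matching SHA-256 digest. Problems are reported on stderr.
verify_audit_copy() {
    local manifest="$1" dest="$2" want name got bad=0 seen=0
    [ -r "$manifest" ] || { echo "cannot read manifest: $manifest" >&2; return 2; }
    while read -r want name; do
        [ -n "$want" ] || continue      # skip blank lines
        name=${name#\*}                 # sha256sum marks binary mode with '*'
        name=${name##*/}                # compare by base name only
        seen=$((seen + 1))
        if [ ! -f "$dest/$name" ]; then
            echo "MISSING  $name" >&2
            bad=$((bad + 1))
            continue
        fi
        got=$(sha256sum "$dest/$name" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name" >&2
            bad=$((bad + 1))
        fi
    done < "$manifest"
    # An empty manifest proves nothing, so treat it as a failure.
    [ "$seen" -gt 0 ] || { echo "manifest lists no files" >&2; return 2; }
    [ "$bad" -eq 0 ]
}

# Example call on the recovered Admin Node, from the directory the logs
# were copied into:
#   verify_audit_copy manifest.sha256 . && echo "copies verified"
```

A truncated or missing file makes the function return non-zero, so the source copies should be deleted only after it returns 0.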