Restore audit log on recovered non-primary Admin Node
If you were able to preserve the audit log from the failed non-primary Admin Node, so that historical audit log information is retained, you can copy it to the non-primary Admin Node you are recovering.
-
The recovered Admin Node is installed and running.
-
You have copied the audit logs to another location after the original Admin Node failed.
If an Admin Node fails, audit logs saved to that Admin Node are potentially lost. It might be possible to preserve data from loss by copying audit logs from the failed Admin Node and then restoring these audit logs to the recovered Admin Node. Depending on the failure, it might not be possible to copy audit logs from the failed Admin Node. In that case, if the deployment has more than one Admin Node, you can recover audit logs from another Admin Node as audit logs are replicated to all Admin Nodes.
If there is only one Admin Node and the audit log can't be copied from the failed node, the recovered Admin Node starts recording events to the audit log as if the installation is new.
You must recover an Admin Node as soon as possible to restore logging functionality.
By default, audit information is sent to the audit log on Admin Nodes. You can skip these steps if either of the following applies:
See Configure audit messages and log destinations for details. |
-
Log in to the recovered Admin Node:
-
Enter the following command: +
ssh admin@recovery_Admin_Node_IP
-
Enter the password listed in the
Passwords.txt
file. -
Enter the following command to switch to root:
su -
-
Enter the password listed in the
Passwords.txt
file.
After you are logged in as root, the prompt changes from
$
to#
. -
-
Check which audit files have been preserved:
cd /var/local/audit/export
-
Copy the preserved audit log files to the recovered Admin Node:
scp admin@grid_node_IP:/var/local/tmp/saved-audit-logs/YYYY*
When prompted, enter the password for admin.
-
For security, delete the audit logs from the failed grid node after verifying that they have been copied successfully to the recovered Admin Node.
-
Update the user and group settings of the audit log files on the recovered Admin Node:
chown ams-user:bycast *
-
Log out as root:
exit
You must also restore any pre-existing client access to the audit share. For more information, see Configure audit client access.