Skip to main content

Restore audit log on recovered primary Admin Node

Contributors netapp-perveilerk netapp-madkat ssantho3 netapp-lhalbert
PDFs

If you were able to preserve the audit log from the failed primary Admin Node, you can copy it to the primary Admin Node you are recovering.

Before you begin

  • The recovered Admin Node is installed and running.

  • You have copied the audit logs to another location after the original Admin Node failed.

About this task

If an Admin Node fails, audit logs saved to that Admin Node are potentially lost. It might be possible to preserve data from loss by copying audit logs from the failed Admin Node and then restoring these audit logs to the recovered Admin Node. Depending on the failure, it might not be possible to copy audit logs from the failed Admin Node. In that case, if the deployment has more than one Admin Node, you can recover audit logs from another Admin Node as audit logs are replicated to all Admin Nodes.

If there is only one Admin Node and the audit log can't be copied from the failed node, the recovered Admin Node starts recording events to the audit log as if the installation is new.

You must recover an Admin Node as soon as possible to restore logging functionality.

Note

By default, audit information is sent to the audit log on Admin Nodes. You can skip these steps if either of the following applies:

  • You configured an external syslog server and audit logs are now being sent to the syslog server instead of to Admin Nodes.

  • You explicitly specified that audit messages should be saved only on the local nodes that generated them.

See Configure audit messages and log destinations for details.
Steps

  1. Log in to the recovered Admin Node:

    1. Enter the following command: ssh admin@recovery_Admin_Node_IP

    2. Enter the password listed in the Passwords.txt file.

    3. Enter the following command to switch to root: su -

    4. Enter the password listed in the Passwords.txt file.

    After you are logged in as root, the prompt changes from $ to #.

  2. Check which audit files have been preserved: cd /var/local/audit/export

  3. Copy the preserved audit log files to the recovered Admin Node: scp admin@grid_node_IP:/var/local/tmp/saved-audit-logs/YYYY* .

    When prompted, enter the password for admin.

  4. For security, delete the audit logs from the failed grid node after verifying that they have been copied successfully to the recovered Admin Node.

  5. Update the user and group settings of the audit log files on the recovered Admin Node: chown ams-user: bycast *

  6. Log out as root: exit

You must also restore any pre-existing client access to the audit share. For more information, see Configure audit client access.