An audit log is a record of commands executed at the console, through a Telnet shell or an SSH shell, or by using the rsh command. All the commands executed in a source file script are also recorded in the audit log. Administrative HTTP operations are also logged. All login attempts to access the storage system, whether successful or failed, are recorded in the audit log as well.
In addition, changes made to configuration and registry files are audited. By default, read-only APIs are not audited, but you can enable auditing of them with the auditlog.readonly_api.enable option.
By default, Data ONTAP is configured to save an audit log. The audit log data is stored in the /etc/log directory in a file called auditlog.
For configuration changes, the audit log shows the following information:
For commands executed through the console, a Telnet shell, an SSH shell, or by using the rsh command, the audit log shows the following information:
The maximum size of the audit-log file is specified by the auditlog.max_file_size option. The maximum size of an audit entry in the audit-log file is 511 characters. An audit entry is truncated to 511 characters if it exceeds the size limit.
Every Saturday at midnight, the /etc/log/auditlog file is copied to /etc/log/auditlog.0, /etc/log/auditlog.0 is copied to /etc/log/auditlog.1, and so on. This also occurs if the audit-log file reaches the maximum size specified by auditlog.max_file_size.
The system saves audit-log files for six weeks, unless any audit-log file reaches the maximum size, in which case the oldest audit-log file is discarded.
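A review pass over a copied /etc/log directory, based on the limits described above (an added example, not part of the original documentation or of Data ONTAP): it flags entries that reached the 511-character limit, which may have lost their tail, and gaps in the auditlog.N rotation sequence. It assumes one audit entry per line; the function names and the sample data are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MAX_ENTRY_CHARS = 511  # entry size limit stated on this page

def rotation_chain(log_dir):
    """Return (files newest-first, missing suffix numbers) for auditlog, auditlog.0, ..."""
    log_dir = Path(log_dir)
    numbered = {}
    for p in log_dir.iterdir():
        m = re.fullmatch(r"auditlog\.(\d+)", p.name)
        if m:
            numbered[int(m.group(1))] = p
    # Each rotation copies auditlog.N to auditlog.N+1, so suffixes should be contiguous from 0.
    missing = [n for n in range(max(numbered, default=-1) + 1) if n not in numbered]
    files = []
    current = log_dir / "auditlog"
    if current.exists():
        files.append(current)
    files += [numbered[n] for n in sorted(numbered)]
    return files, missing

def possibly_truncated(path):
    """Yield (line_number, entry) for entries that reached the size limit."""
    # Assumption: one audit entry per line; the line terminator is not counted.
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            entry = line.rstrip("\r\n")
            if len(entry) >= MAX_ENTRY_CHARS:
                yield lineno, entry

def scan(log_dir):
    """Summarize the rotation chain and the entries that may have been truncated."""
    files, missing = rotation_chain(log_dir)
    hits = [(f.name, n) for f in files for n, _ in possibly_truncated(f)]
    return {"files": [f.name for f in files], "missing_suffixes": missing, "truncated": hits}

def build_sample(log_dir):
    """Write constructed sample files; these are not real Data ONTAP entries."""
    d = Path(log_dir)
    (d / "auditlog").write_text("constructed short entry\n" + "x" * 511 + "\n")
    (d / "auditlog.0").write_text("constructed short entry\n")
    (d / "auditlog.2").write_text("y" * 510 + "\n")  # auditlog.1 deliberately absent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

An entry of exactly 511 characters is not proof of truncation, only a candidate to check against other records; a missing suffix in the middle of the chain is not explained by the rotation or retention behavior described above and is worth investigating.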
For information about forwarding audit logs to a remote syslog log host, see the na_auditlog(5) man page.