NAME

na_auditlog - contains an audit record of recent administrative activity

SYNOPSIS

<logdir>/auditlog

<logdir> is /etc/log for nodes and /logs for NetCache appliances.

DESCRIPTION

If the option auditlog.enable is on, the system logs all input to the system at the console/telnet shell and via rsh to the auditlog file. The data output by commands executed in this fashion is also logged to auditlog. Administrative servlet invocations (via HTTP, typically from FilerView) and API calls made via the ONTAPI interface are also logged to the auditlog. A typical message is:

Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:OUT:date: Wed Feb 9 17:34:09 GMT 2000

This indicates that there was an rsh session at about Wed Feb 9 17:34:09 GMT in which the date command was executed. The user who ran the command was root. The OUT keyword indicates that the line records data output by the system.

Commands typed at the node's console or executed by rsh are designated by the IN keyword as in:

Wed Feb 9 17:34:03 GMT [rshd_0:auditlog]: :IN:rsh shell: RSH INPUT COMMAND is date

The start and end of an rsh session are specially demarcated as in

Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:START:rsh shell:orbit.eng.mycompany.com

and

Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:END:rsh shell:
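The line shapes above (START, IN, OUT and END records sharing a process tag such as rshd_0) are enough to reconstruct who ran what from where. The following Python is an added example, not part of this man page or of Data ONTAP: it parses auditlog records, stitches the IN lines back onto the rsh session they belong to (the IN record itself carries an empty user field, as shown above), and flags any command that touches the auditlog.* options themselves, since an administrator turning off auditlog.enable is exactly the event you want an alert on. The sample lines are constructed for the example (the first session is the one shown on this page; the second and the orphaned IN line are invented), and the regular expressions are assumptions derived from the line format documented here.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed line shape, derived from the examples in this man page:
#   <timestamp> [<process>:auditlog]: <user>:<TYPE>:<payload>
AUDITLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+) "
    r"\[(?P<proc>[^:\]]+):auditlog\]: "
    r"(?P<user>[^:]*):(?P<kind>IN|OUT|START|END):(?P<payload>.*)$"
)
# IN records for rsh carry the typed command after this fixed prefix.
COMMAND_RE = re.compile(r"RSH INPUT COMMAND is (?P<cmd>.*)$")
# Commands that change audit settings are worth an alert on their own.
WATCH_RE = re.compile(r"\boptions\s+auditlog\.", re.IGNORECASE)


@dataclass
class Record:
    ts: str
    proc: str
    user: str
    kind: str
    payload: str


@dataclass
class Session:
    proc: str
    user: str
    host: str
    start: str
    end: Optional[str] = None
    commands: list = field(default_factory=list)
    outputs: list = field(default_factory=list)


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for an auditlog line, or None if it does not match."""
    m = AUDITLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Record(m["ts"], m["proc"], m["user"], m["kind"], m["payload"])


def parse_log(text: str) -> list:
    """Parse a whole file, silently skipping lines that are not audit records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def reconstruct_sessions(records) -> tuple:
    """Group records into rsh sessions keyed by process tag.

    Returns (sessions, orphans); orphans are IN records seen while no
    session was open for that process, which deserve a second look.
    """
    open_sessions = {}
    sessions, orphans = [], []
    for r in records:
        if r.kind == "START":
            host = r.payload.rsplit(":", 1)[-1]  # "rsh shell:<host>"
            s = Session(r.proc, r.user, host, r.ts)
            open_sessions[r.proc] = s
            sessions.append(s)
        elif r.kind == "END":
            s = open_sessions.pop(r.proc, None)
            if s is not None:
                s.end = r.ts
        elif r.kind == "IN":
            m = COMMAND_RE.search(r.payload)
            cmd = m["cmd"] if m else r.payload
            s = open_sessions.get(r.proc)
            if s is None:
                orphans.append(r)
            else:
                s.commands.append(cmd)
        elif r.kind == "OUT":
            s = open_sessions.get(r.proc)
            if s is not None:
                s.outputs.append(r.payload)
    return sessions, orphans


def suspicious_commands(sessions) -> list:
    """(user, host, command) for every command that edits auditlog options."""
    return [(s.user, s.host, c) for s in sessions for c in s.commands if WATCH_RE.search(c)]


# Constructed sample: the first session is the one documented in this man page,
# the rest is invented to exercise the watch-list and orphan handling.
SAMPLE = """\
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:START:rsh shell:orbit.eng.mycompany.com
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: :IN:rsh shell: RSH INPUT COMMAND is date
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:OUT:date: Wed Feb 9 17:34:09 GMT 2000
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:END:rsh shell:
Wed Feb 9 17:41:22 GMT [rshd_1:auditlog]: root:START:rsh shell:10.0.0.7
Wed Feb 9 17:41:23 GMT [rshd_1:auditlog]: :IN:rsh shell: RSH INPUT COMMAND is options auditlog.enable off
Wed Feb 9 17:41:23 GMT [rshd_1:auditlog]: root:END:rsh shell:
Wed Feb 9 17:50:00 GMT [rshd_2:auditlog]: :IN:rsh shell: RSH INPUT COMMAND is version
this line is not an auditlog record and is skipped
"""

if __name__ == "__main__":
    sessions, orphans = reconstruct_sessions(parse_log(SAMPLE))
    for s in sessions:
        print(f"{s.user}@{s.host} {s.start} .. {s.end}: {s.commands}")
    print("orphaned IN records:", [(o.proc, o.payload) for o in orphans])
    print("watch-list hits:", suspicious_commands(sessions))
```

Sessions are keyed on the process tag only, so if the same rshd_N tag is reused for a later session the START record starts a fresh Session and the previous one is simply left unclosed; a production version would also key on the host and close stale sessions on a timeout.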

The maximum size of the auditlog file is controlled by the auditlog.max_file_size option. If the file gets to this size, it is rotated (see below).

Every Saturday at 24:00, <logdir>/auditlog is moved to <logdir>/auditlog.0, <logdir>/auditlog.0 is moved to <logdir>/auditlog.1, and so on. This process is called rotation. Auditlog files are therefore kept for a total of six weeks, unless a file reaches auditlog.max_file_size and size-triggered rotation pushes the older files out sooner.

If you want to forward audit log messages to a remote syslog log host (one that accepts syslog messages via the BSD Syslog protocol specified in RFC 3164), modify the node's /etc/syslog.conf file to forward messages from the node's "local7" facility to the remote host. Do this by adding a line like:

local7.*        @1.2.3.4

to /etc/syslog.conf, with the selector and the action separated by a tab as traditional syslogd requires. An IP address is used here, but a valid DNS name could also be used. Note that using a DNS name can fail if the node is unable to resolve the name given in the file; if that happens, your messages will not be forwarded. Note also that the RFC 3164 protocol sends each message in the clear over UDP with no delivery guarantee and no authentication of the sender, so forwarded audit records can be lost or spoofed on an untrusted network; the local auditlog remains the authoritative copy.

On the log host, you'll need to modify the syslog daemon's configuration file to write message traffic from the "local7" facility to the appropriate log file. That is typically done by adding a line similar to the one shown above for the node:

local7.*        /var/logs/filer_auditlogs

Then restart the daemon on the log host, or send an appropriate signal to it. See the documentation for your log host's syslog daemon for more information on how to make that configuration change.

FILES

<logdir>/auditlog
auditlog file for the current week.

<logdir>/auditlog.[0-5]
auditlog files for previous weeks.

SEE ALSO

na_options(1), na_syslog.conf(5)