Table of ContentsView in Frames

Understanding audit logging

An audit log is a record of commands executed at the console, through a Telnet shell or an SSH shell, or by using the rsh command. All the commands executed in a source file script are also recorded in the audit log. Administrative HTTP operations are logged. All login attempts to access the storage system, with success or failure, are also audit-logged.

In addition, changes made to configuration and registry files are audited. Read-only APIs by default are not audited but you can enable auditing with the auditlog.readonly_api.enable option.

By default, Data ONTAP is configured to save an audit log. The audit log data is stored in the /etc/log directory in a file called auditlog.

For configuration changes, the audit log shows the following information:

For commands executed through the console, a Telnet shell, an SSH shell, or by using the rsh command, the audit log shows the following information:

The maximum size of the audit-log file is specified by the auditlog.max_file_size option. The maximum size of an audit entry in the audit-log file is 511 characters. An audit entry is truncated to 511 characters if it exceeds the size limit.

Every Saturday at midnight, the /etc/log/auditlog file is copied to /etc/log/auditlog.0, /etc/log/auditlog.0 is copied to /etc/log/auditlog.1, and so on. This also occurs if the audit-log file reaches the maximum size specified by auditlog.max_file_size.

The system saves audit-log files for six weeks, unless any audit-log file reaches the maximum size, in which case the oldest audit-log file is discarded.

You can access the audit-log files using your NFS or CIFS client, or using HTTP.
Note: You can also configure auditing specific to your file access protocol. For more information, see the Data ONTAP File Access and Protocols Management Guide for 7-Mode.

For information about forwarding audit logs to a remote syslog log host, see the na_auditlog(5) man page.