HowTo Enable and Disable Audit Events Netapp Cluster Mode
Auditing CIFS shares records who is accessing, reading, modifying and deleting files, which is useful for keeping an eye on sensitive data such as finance information, legal information and the paths where company confidential documents are stored. If you want to use an auditing tool for this, you must enable auditing and configure it properly; otherwise the audit logs will keep growing on the root volume and cause trouble. In this article we will see how to enable and disable audit events in NetApp Cluster Mode.
Enable and Disable Audit Events Netapp 7-Mode
On 7-Mode NetApp filers, simply run the one or two commands shown below to enable or disable audit events.
Ark-Netapp> cifs audit start
Ark-Netapp> Wed Sep 27 03:14:38 CST [Ark-Netapp: cifs.auditfile.enable.on:info]: ALF: CIFS auditing started.
Wed Sep 29 03:14:38 CST [Ark-Netapp: cifs.auditfile.autosaved.onsize:info]: Autosaving the CIFS audit log file (/etc/log/adtlog.evt)
Wed Sep 28 03:14:38 CST [Ark-Netapp: cifs.auditfile.logFile.IOInfo:info]: ALF I/O information for file /etc/log/adtlog.evt: saved 30309 records to audit file.
Ark-Netapp> options cifs.audit.enable on
Ark-Netapp> options cifs.audit.enable
cifs.audit.enable on
When auditing is enabled on a NetApp 7-Mode filer, it automatically writes the logs to the /etc/log/adtlog.evt file, which is stored in the vol0 volume. To stop auditing and turn the option off:
cifs audit stop
options cifs.audit.enable off
HowTo Enable Disable Audit Events Netapp Cluster Mode 8.x/9.x Versions
To avoid confusion when running commands, set the context so that commands run directly on a particular Storage Virtual Machine (SVM), which the command line calls a Vserver.
SNY-NA::> vserver context -vserver CIFS-SVM
Info: Use 'exit' command to return.
CIFS-SVM::> vserver audit create -destination /Auditlogs
CIFS-SVM::> exit
The example above creates the audit configuration with /AuditLogs as the destination, which assumes the AuditLogs volume has already been created and mounted at /AuditLogs.
ArkIT-Clu::> vserver audit modify -vserver CIFS-SVM -destination /AuditLogs -events file-ops -format evtx -rotate-size 200MB -rotate-limit 10
ArkIT-Clu::> vserver audit modify -vserver CIFS-SVM -destination /AuditLogs
ArkIT-Clu::> vserver audit show -instance
Vserver: CIFS-SVM
Auditing State: false
Log Destination Path: /AuditLogs
Categories of Events to Audit: file-ops cifs-logon-logoff
Log Format: evtx
Log File Size Limit: 200MB
LogRotation Schedule: Month: -
LogRotate Schedule: Day of Week: -
Log Rotation Schedule: Day: -
Log Rotate Schedule: Hour: -
LogRotation Schedule: Minute: -
Rotation Schedules: -
Log Files Rotation Limit: 10
If at any point you would like to move the audit log path from an old volume to a new volume, you can change it with the modify option.
Note: You can't enable multiple audits for the same SVM.
We have created the audit log path, but auditing is not running yet:
ArkIT-Clu::> vserver audit show
Vserver State Event Types Log Format Target Directory
----------- ------ ------------------ ---------- ----------------------------
CIFS-SVM false file-ops evtx /AuditLogs
Enable auditing by running the command below:
ArkIT-Clu::> vserver audit enable -vserver CIFS-SVM
Error: command failed: Cannot enable auditing for Vserver "CIFS-SVM". Reason: Final consolidation is in progress. Retry after sometime.
ArkIT-Clu::> vserver audit enable -vserver CIFS-SVM
ArkIT-Clu::> vserver audit show
Vserver State Event Types Log Format Target Directory
----------- ------ ------------------ ---------- ----------------------------
CIFS-SVM true file-ops evtx /AuditLogs
Log Rotate options in Netapp Cluster mode
Log files can be rotated based on event file size, event file count and also by time.
> vserver audit modify
- -rotate-schedule-month (January February March April May June July August September October November December)
- -rotate-size ({<integer>[KB|MB|GB|TB|PB]} Log File Size Limit)
- -rotate-schedule-dayofweek (Sunday Monday Tuesday Wednesday Thursday Friday Saturday)
- -rotate-schedule-day ( Particular Day)
- -rotate-schedule-minute ##based on minutes
- -rotate-limit (Log file count)
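The check below is an added example, not part of the original article or of NetApp's tooling: it parses pasted `vserver audit show -instance` output and flags the misconfigurations this article warns about. The sample text is constructed, the field names follow the output shown earlier, and `volume_bytes` (the size of the destination volume) is an assumed input supplied by the caller; staging files are not counted.

```python
import re

# Constructed sample in the field layout of `vserver audit show -instance` shown above.
SAMPLE = """\
Vserver: CIFS-SVM
Auditing State: false
Log Destination Path: /AuditLogs
Log File Size Limit: 200MB
Log Rotation Schedule: Month: -
Rotation Schedules: -
Log Files Rotation Limit: 10
"""

UNITS = {"KB": 1, "MB": 2, "GB": 3, "TB": 4, "PB": 5}

def parse_instance(text):
    """Split 'Field: value' lines on the first colon; field names are lowercased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # per-unit schedule lines collapse into one unused key, which is fine here
            fields[key.strip().lower()] = value.strip()
    return fields

def to_bytes(size):
    """Convert '200MB' style sizes to bytes; None for '-' or anything unparseable."""
    m = re.fullmatch(r"(\d+)\s*(KB|MB|GB|TB|PB)", size.upper())
    return int(m.group(1)) * 1024 ** UNITS[m.group(2)] if m else None

def review(text, volume_bytes):
    """Return (findings, worst-case bytes of rotated logs, or None if unbounded)."""
    f = parse_instance(text)
    findings = []
    if f.get("auditing state", "").lower() != "true":
        findings.append("auditing is configured but not enabled")
    size = to_bytes(f.get("log file size limit", "-"))
    scheduled = f.get("rotation schedules", "-") != "-"
    limit_text = f.get("log files rotation limit", "-")
    limit = int(limit_text) if limit_text.isdigit() else 0  # assumption: '-' means no limit
    if size is None and not scheduled:
        findings.append("no size or time based rotation")
    if limit == 0:
        findings.append("no rotation limit: rotated logs are never pruned")
    footprint = size * limit if size and limit else None
    if footprint and footprint > volume_bytes:
        findings.append("size x limit exceeds the destination volume")
    return findings, footprint
```

With the settings used in this article (200MB and 10 files), the retained logs can reach roughly 2GB, so the destination volume needs to be larger than that.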
Disabling and Deleting Audit Configuration
::> vserver audit disable -vserver CIFS-SVM
::> vserver audit delete -vserver CIFS-SVM
That's all about enabling and disabling audit events in NetApp Cluster Mode 8.x and 9.x versions.
Conclusion
Enabling the wrong audit log events will make your volume grow unnecessarily and lead to problems. Configure the audit log size, log file count and log rotation properly.