ONTAP 9.12.1 commands

  • security audit log show

    Display audit entries merged from multiple nodes in the cluster

    Availability: This command is available to cluster administrators at the admin privilege level.

    Description

    The security audit log show command displays cluster-wide audit log messages. Messages from each node are interleaved in chronological order.

    Parameters

    { [-fields <fieldname>,…​]

    If you specify the -fields <fieldname>, … parameter, the command output also includes the specified field or fields. Use '-fields ?' to list the fields you can specify.

    | [-detail ]

    This display option shows the individual fields of the audit record.

    | [-instance ] }

    If you specify the -instance parameter, the command displays detailed information about all fields.

    [-timestamp <Date>] - Log Entry Timestamp

    Selects the entries that match the specified input for timestamp. The timestamp uses the human-readable format <day> <month> <day of month> <hour>:<min>:<sec> <year>, in the local timezone.

    [-node {<nodename>|local}] - Node

    Selects the entries that match the specified input for node.

    [-entry <text>] - Log Message Entry

    Selects the entries that match the specified input for entry.

    [-session-id <text>] - Session ID

    This is the "session ID" for this audit record. Each ssh/console session is assigned a unique session ID. Each ZAPI/HTTP/SNMP request is assigned a unique session ID.

    [-command-id <text>] - Command ID

    This is useful with ssh/console sessions. Each command in a session is assigned a unique command ID. ZAPI/HTTP/SNMP requests do not have a command ID.

    [-application <text>] - Protocol

    This is the application used to connect to the cluster. Possible values include the following: internal, console, ssh, http, ontapi, snmp, rsh, telnet, service-processor

    [-location <text>] - Remote user location

    The remote IP address or remote access point.

    [-vserver <text>] - Vserver name

    Storage Virtual Machine name

    [-username <text>] - Username

    Username

    [-input <text>] - Command being executed

    The operation being attempted

    [-state {Pending|Success|Error}] - State of this audit request

    State of this request

    [-message <text>] - Additional information and/or error message

    Additional information, which may be an error message or an informational message.

    Examples

    The following example displays specific fields based on a custom query:

    cluster1::> security audit log show -fields application, location, state, input, message -location 10.60.* -state Error|Success -input v*|st* -timestamp >"Jul 10 12:00:00 2020"
    timestamp                  node  application location     input                                      state   message
    -------------------------- ----- ----------- ------------ ------------------------------------------ ------- -------
    "Fri Jul 17 11:32:44 2020" node1 ssh         10.60.250.79 storage aggregate create test -diskcount 5 Success -
    "Fri Jul 17 11:36:47 2020" node1 ssh         10.60.250.79 vserver create vs1                         Success -
    "Fri Jul 17 11:37:33 2020" node1 ssh         10.60.250.79 volume create vol1                         Error   One of the following parameters is required: -aggregate, -aggr-list, -auto-provision-as
    "Fri Jul 17 11:38:08 2020" node1 ssh         10.60.250.79 volume create vol1 -aggregate test         Success -

    More examples of -timestamp usage:

    cluster1::> security audit log show -timestamp "Mon Jan 03 18:37:05 2022"
    Time                      Node         Audit Message
    ------------------------  -----------  -----------------------
    Mon Jan 03 18:37:05 2022  node1
                                           [kern_audit:info:988] mlogd: started
    
    cluster1::> security audit log show -timestamp Mon Jan 03 *
    Time                      Node         Audit Message
    ------------------------  -----------  -----------------------
    Mon Jan 03 18:37:05 2022  node1
                                           [kern_audit:info:988] mlogd: started
    Mon Jan 03 18:37:06 2022  node2
                                           [kern_audit:info:988] mlogd: started
    Mon Jan 03 18:41:25 2022  node1
                                           [kern_audit:info:977] mlogd: started
    Mon Jan 03 18:41:25 2022  node2
                                           [kern_audit:info:977] mlogd: started
    
    cluster1::> security audit log show -timestamp Mon Jan 03 18:37*
    Time                      Node         Audit Message
    ------------------------  -----------  -----------------------
    Mon Jan 03 18:37:05 2022  node1
                                           [kern_audit:info:988] mlogd: started
    Mon Jan 03 18:37:06 2022  node2
                                           [kern_audit:info:988] mlogd: started
    2 entries were displayed.
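
For review outside the cluster shell, the `-fields` table from the first example can be parsed by column position and filtered by `state`. This is an added example, not part of the ONTAP documentation; the function names are hypothetical and the sample input is the first example's output, embedded as captured text.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the -fields output shown in the first example above.
SAMPLE = '''
timestamp                  node  application location     input                                      state   message
-------------------------- ----- ----------- ------------ ------------------------------------------ ------- -------
"Fri Jul 17 11:32:44 2020" node1 ssh         10.60.250.79 storage aggregate create test -diskcount 5 Success -
"Fri Jul 17 11:36:47 2020" node1 ssh         10.60.250.79 vserver create vs1                         Success -
"Fri Jul 17 11:37:33 2020" node1 ssh         10.60.250.79 volume create vol1                         Error   One of the following parameters is required: -aggregate, -aggr-list, -auto-provision-as
"Fri Jul 17 11:38:08 2020" node1 ssh         10.60.250.79 volume create vol1 -aggregate test         Success -
'''

# <day> <month> <day of month> <hour>:<min>:<sec> <year>, cluster-local time
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_audit_table(text):
    """Parse `security audit log show -fields ...` table output into dicts."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    # The dashed ruler gives the column boundaries. Values such as `input`
    # and `message` contain spaces, so whitespace splitting would misparse.
    ruler = next(i for i, ln in enumerate(lines) if re.fullmatch(r"-[- ]*", ln))
    names = lines[ruler - 1].split()
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    if len(names) != len(starts):
        raise ValueError("header and ruler disagree on column count")
    ends = starts[1:] + [None]  # the last column runs to the end of the line
    records = []
    for ln in lines[ruler + 1:]:
        if re.fullmatch(r"\d+ entries were displayed\.", ln):
            continue  # trailing summary line, not an audit record
        rec = {n: ln[s:e].strip() for n, s, e in zip(names, starts, ends)}
        if "timestamp" in rec:
            # Naive datetime: the output carries no timezone offset.
            rec["timestamp"] = datetime.strptime(rec["timestamp"].strip('"'), TS_FORMAT)
        records.append(rec)
    return records


def failed_commands(records):
    """Return the records whose audit state is Error."""
    return [r for r in records if r.get("state") == "Error"]


def state_counts_by_location(records):
    """Count records per (remote location, state) pair."""
    return Counter((r["location"], r["state"]) for r in records)
```
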