ONTAP 9 Manuals ( CA08871-402 )

Create an audit log

If you are using ONTAP 9.9.1 or earlier, you must first create a SnapLock aggregate and then you must create a SnapLock-protected audit log before performing a privileged delete or SnapLock volume move. The audit log records the creation and deletion of SnapLock administrator accounts, modifications to the log volume, whether privileged delete is enabled, privileged delete operations, and SnapLock volume move operations.

Beginning with ONTAP 9.10.1, you no longer create a SnapLock aggregate. You must use the -snaplock-type option to explicitly create a SnapLock volume by specifying either Compliance or Enterprise as the SnapLock type.

Before you begin

If you are using ONTAP 9.9.1 or earlier, you must be a cluster administrator to create a SnapLock aggregate.

About this task

You cannot delete an audit log until the log file retention period has elapsed. You cannot modify an audit log even after the retention period has elapsed. This is true for both SnapLock Compliance and Enterprise modes.

You can use either a SnapLock Enterprise volume or a SnapLock Compliance volume for audit logging. In all cases, the audit log volume must be mounted at the junction path /snaplock_audit_log. No other volume can use this junction path.

You can find the SnapLock audit logs in the /snaplock_log directory under the root of the audit log volume, in subdirectories named privdel_log (privileged delete operations) and system_log (everything else). Audit log file names contain the timestamp of the first logged operation, making it easy to search for records by the approximate time that operations were executed.

  • You can use the snaplock log file show command to view the log files on the audit log volume.

  • You can use the snaplock log file archive command to archive the current log file and create a new one, which is useful in cases where you need to record audit log information in a separate file.

For more information, see the man pages for the commands.

A data protection volume cannot be used as a SnapLock audit log volume.

Steps
  1. Create a SnapLock aggregate.

  2. On the SVM that you want to configure for audit logging, create a SnapLock volume.

  3. Configure the SVM for audit logging:

    snaplock log create -vserver SVM_name -volume snaplock_volume_name -max-log-size size -retention-period default_retention_period

    The minimum default retention period for audit log files is six months. If the retention period of an affected file is longer than the retention period of the audit log, the retention period of the log inherits the retention period of the file. So, if the retention period for a file deleted using privileged delete is 10 months, and the retention period of the audit log is 8 months, the retention period of the log is extended to 10 months. For more information about retention time and default retention period, see Set the retention time.

    The following command configures SVM1 for audit logging using the SnapLock volume logVol. The audit log has a maximum size of 20 GB and is retained for eight months.

    SVM1::> snaplock log create -vserver SVM1 -volume logVol -max-log-size 20GB -retention-period 8months
  4. On the SVM that you configured for audit logging, mount the SnapLock volume at the junction path /snaplock_audit_log.

Top of Page