ONTAP 9 Manuals ( CA08871-402 )

Forward the audit log to a destination

You can forward the audit log to a maximum of 10 destinations. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

About this task

To configure forwarding, you must provide the IP address of the syslog or Splunk host, its port number, a transmission protocol, and the syslog facility to use for the forwarded logs. Learn about syslog facilities

You can select one of the following transmission values:

UDP Unencrypted

User Datagram Protocol with no security (default)

TCP Unencrypted

Transmission Control Protocol with no security

TCP Encrypted

Transmission Control Protocol with Transport Layer Security (TLS)

A [Verify server] option is available when the TCP Encrypted protocol is selected.

You can forward audit logs from the ONTAP CLI, and beginning with ONTAP 9.11.1, from ONTAP System Manager.

ONTAP System Manager
  • To display audit log destinations, select [Cluster] > [Settings].

    A count of log destinations is shown in the [Notification Management tile]. Click kebab icon to show details.

  • To add, modify, or delete audit log destinations, select [Events & Jobs > Audit Logs], then click [Manage Audit Destinations] in the upper right of the screen.

    Click add icon, or click kebab icon in the [Host Address] column to edit or delete entries.

CLI
Steps
  1. For each destination that you want to forward the audit log to, specify the destination IP address or host name and any security options.

    cluster1::> cluster log-forwarding create -destination 192.168.123.96
    -port 514 -facility user
    
    cluster1::> cluster log-forwarding create -destination 192.168.123.98
    -port 514 -protocol tcp-encrypted -facility user
    • If the cluster log-forwarding create command cannot ping the destination host to verify connectivity, the command fails with an error. Although not recommended, using the -force parameter with the command bypasses the connectivity verification.

    • When you set the -verify-server parameter to true, the identity of the log forwarding destination is verified by validating its certificate. You can set the value to true only when you select the tcp-encrypted value in the -protocol field.

  2. Verify that the destination records are correct by using the cluster log-forwarding show command.

    cluster1::> cluster log-forwarding show
    
                                                     Verify Syslog
    Destination Host          Port   Protocol        Server Facility
    ------------------------- ------ --------        ------ --------
    192.168.123.96            514    udp-unencrypted false  user
    192.168.123.98            514    tcp-encrypted   true   user
    2 entries were displayed.

    See the man pages for details.

Top of Page