security audit log show
Display audit entries merged from multiple nodes in the cluster
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The security audit log show command displays cluster-wide audit log messages. Messages from each node are interleaved in chronological order.
Parameters
- { [-fields <fieldname>, ...]
- If you specify the -fields <fieldname>, ... parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
- | [-detail ]
- This display option shows the individual fields of the audit record.
- | [-instance ]}
- If you specify the -instance parameter, the command displays detailed information about all fields.
- [-timestamp <Date>] - Log Entry Timestamp
- Selects the entries that match the specified input for timestamp. The timestamp is in the human-readable format <day> <month> <day of month> <hour>:<min>:<sec> <year>, in the local time zone.
- [-node {<nodename>|local}] - Node
- Selects the entries that match the specified input for node.
- [-entry <text>] - Log Message Entry
- Selects the entries that match the specified input for entry.
- [-session-id <text>] - Session ID
- This is the "session id" for this audit record. Each ssh/console session is assigned a unique session ID. Each ZAPI/HTTP/SNMP request is assigned a unique session ID.
- [-command-id <text>] - Command ID
- This is useful with ssh/console sessions. Each command in a session is assigned a unique command ID. ZAPI/HTTP/SNMP requests do not have a command ID.
- [-application <text>] - Protocol
- This is the application used to connect to the cluster. Possible values include the following: internal, console, ssh, http, ontapi, snmp, rsh, telnet, service-processor
- [-location <text>] - Remote user location
- The remote IP address or remote access point.
- [-vserver <text>] - Vserver name
- Storage Virtual Machine name
- [-username <text>] - Username
- Username
- [-input <text>] - Command being executed
- The operation being attempted
- [-state {Pending|Success|Error}] - State of this audit request
- State of this request
- [-message <text>] - Additional information and/or error message
- Additional information, which may be an error message or an informational message.
Examples
The following example displays specific fields based on a custom query:
cluster1::> security audit log show -fields application, location, state, input, message -location 10.60.* -state Error|Success -input v*|st* -timestamp >"Jul 10 12:00:00 2020"
timestamp                  node  application location     input                                      state   message
-------------------------- ----- ----------- ------------ ------------------------------------------ ------- -------
"Fri Jul 17 11:32:44 2020" node1 ssh         10.60.250.79 storage aggregate create test -diskcount 5 Success -
"Fri Jul 17 11:36:47 2020" node1 ssh         10.60.250.79 vserver create vs1                         Success -
"Fri Jul 17 11:37:33 2020" node1 ssh         10.60.250.79 volume create vol1                         Error   One of the following parameters is required: -aggregate, -aggr-list, -auto-provision-as
"Fri Jul 17 11:38:08 2020" node1 ssh         10.60.250.79 volume create vol1 -aggregate test         Success -
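The following Python sketch is an added example, not part of the original page or of ONTAP. It parses captured output of this command into records and groups failed commands by source. It assumes the capture keeps the column alignment under the dashed ruler and that day and month names are in English; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the rows from the example above, aligned to the dashed ruler.
SAMPLE = '''\
timestamp                  node  application location     input                                      state   message
-------------------------- ----- ----------- ------------ ------------------------------------------ ------- -------
"Fri Jul 17 11:32:44 2020" node1 ssh         10.60.250.79 storage aggregate create test -diskcount 5 Success -
"Fri Jul 17 11:36:47 2020" node1 ssh         10.60.250.79 vserver create vs1                         Success -
"Fri Jul 17 11:37:33 2020" node1 ssh         10.60.250.79 volume create vol1                         Error   One of the following parameters is required: -aggregate, -aggr-list, -auto-provision-as
"Fri Jul 17 11:38:08 2020" node1 ssh         10.60.250.79 volume create vol1 -aggregate test         Success -
'''

def parse_audit_table(text):
    """Slice each row at the ruler's dash runs, because values such as input contain spaces."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ruler = next(i for i, ln in enumerate(lines) if set(ln) <= {"-", " "})
    names = lines[ruler - 1].split()          # header names never contain spaces
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    records = []
    for row in lines[ruler + 1:]:
        rec = {}
        for i, (name, (start, end)) in enumerate(zip(names, spans)):
            # The last column is unbounded: long messages run past the ruler.
            end = None if i == len(spans) - 1 else end
            rec[name] = row[start:end].strip()
        # Format documented for -timestamp; the result is a naive local-time datetime.
        rec["timestamp"] = datetime.strptime(rec["timestamp"].strip('"'), "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records

def errors_by_source(records):
    """Map (location, application) to the commands that ended in state Error."""
    out = defaultdict(list)
    for r in records:
        if r["state"] == "Error":
            out[(r["location"], r["application"])].append(r["input"])
    return dict(out)

if __name__ == "__main__":
    for source, commands in errors_by_source(parse_audit_table(SAMPLE)).items():
        print(source, commands)
```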