How ONTAP implements audit logging
Management activities recorded in the audit log are included in standard AutoSupport reports, and certain logging activities are included in EMS messages. You can also forward the audit log to destinations that you specify, and you can display audit log files by using the CLI or a web browser.
ONTAP logs management activities that are performed on the cluster, for example, what request was issued, the user who triggered the request, the user's access method, and the time of the request.
The management activities can be one of the following types:
Set requests, which typically apply to non-display commands or operations
These requests are issued when you run a create, modify, or delete command, for instance.
Set requests are logged by default.
Get requests, which retrieve information and display it in the management interface
These requests are issued when you run a show command, for instance.
Get requests are not logged by default, but you can use the security audit modify command to control whether get requests sent from the ONTAP CLI (-cliget) or from the ONTAP APIs (-ontapiget) are logged in the file.
ONTAP records management activities in the /mroot/etc/log/mlog/audit.log file of a node. Commands from the three shells for CLI commands—the clustershell, the nodeshell, and the non-interactive systemshell (interactive systemshell commands are not logged)—as well as API commands are logged here. Audit logs include timestamps to show whether all nodes in a cluster are time synchronized.
The audit.log file is sent by the AutoSupport tool to the specified recipients. You can also forward the content securely to external destinations that you specify; for example, a Splunk or a syslog server.
The audit.log file is rotated daily. The rotation also occurs when it reaches 100 MB in size, and the previous 48 copies are preserved (with a maximum total of 49 files). When the audit file performs its daily rotation, no EMS message is generated. If the audit file rotates because its file size limit is exceeded, an EMS message is generated.
You can use the security audit log show command to display audit entries for individual nodes or merged from multiple nodes in the cluster. You can also display the content of the /mroot/etc/log/mlog directory on a single node by using a web browser.