Skip to main content

Forwarding the audit log to a destination

You can forward the audit log to a maximum of 10 destinations that you specify by using the cluster log-forwarding create command. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

About this task

If the cluster log-forwarding create command cannot ping the destination host to verify connectivity, the command fails with an error. Although not recommended, using the -force parameter with the command bypasses the connectivity verification.

You can configure transmission security options when forwarding log files:

  • Protocols for sending messages to the destination

    You can select one of the following -protocol values:

    • udp-unencrypted : User Datagram Protocol with no security (default)
    • tcp-unencrypted : Transmission Control Protocol with no security
    • tcp-encrypted : Transmission Control Protocol with Transport Layer Security (TLS)

  • Verification of destination server identity

    When you set the -verify-server parameter to true , the identity of the log forwarding destination is verified by validating its certificate. You can set the value to true only when you select the tcp-encrypted value in the -protocol field.

  1. For each destination that you want to forward the audit log to, specify the destination IP address or host name and any security options.

    Example

    cluster1::>  cluster  log-forwarding  create  -destination  192.168.123.96 -port 514 -facility user

    cluster1::>  cluster  log-forwarding  create  -destination  192.168.123.98 -port  514  -protocol  tcp-encrypted  -facility  user
  2. Verify that the destination records are correct by using the cluster log-forwarding show command.

    Example

    cluster1::> cluster log-forwarding show

                                                     Verify Syslog
    Destination Host          Port   Protocol        Server Facility
    ------------------------- ------ --------        ------ --------
    192.168.123.96            514    udp-unencrypted false  user
    192.168.123.98            514    tcp-encrypted   true   user
    2 entries were displayed.