Audit logging

An audit log is a record of commands executed at the console, through a Telnet shell, an SSH shell, or by using the rsh command. All the commands executed in a source file script are also recorded in the audit log. Administrative HTTP operations, such as those resulting from the use of FilerView, are logged. All login attempts to access the storage system, with success or failure, are also audit-logged.

In addition, changes made to configuration and registry files are audited. Read-only APIs by default are not audited but you can enable auditing with the auditlog.readonly_api.enable option.

By default, Data ONTAP is configured to save an audit log. The audit log data is stored in the /etc/log directory in a file called auditlog.

The maximum size of the auditlog file is specified by the auditlog.max_file_size option. The maximum size of an audit entry in the auditlog file is 200 characters. An audit entry is truncated to 200 characters if it exceeds the size limit.

Every Saturday at midnight, the /etc/log/auditlog file is copied to /etc/log/auditlog.0, /etc/log/auditlog.0 is copied to /etc/log/auditlog.1, and so on. This also occurs if the auditlog file reaches the maximum size specified by auditlog.max_file_size.

The system saves auditlog files for six weeks, unless any auditlog file reaches the maximum size, in which case the oldest auditlog file is discarded.

You can access the auditlog files using your NFS or CIFS client, or using HTTP.

• Configuring audit logging
  You can change the maximum size of the audit log file.
• Enabling or disabling read-only API auditing
  Data ONTAP enables you to control auditing of APIs based on their roles. If an API is used only for retrieving information and not for modifying the state of the system, the read-only API is not audited by default.