Friday, 1 March 2013

How to view the Audit Log / Command Log in Clustered ONTAP

This brief post will walk you through obtaining the command-history log in Clustered ONTAP (or Data ONTAP Cluster Mode, or previously Data ONTAP C-Mode.) The commands below were as run in the 8.1.2 SIM.

Previously in Data ONTAP 7-Mode, it was very handy to check the auditlog to see what commands have previously been run on the filer – by administrators via the CLI and OnCommand System Manager. In Clustered ONTAP, we view the command-history.log.

How to get to the command-history.log?

Note 1: If you’re connected via the node management IP, systemshell local will get you in the local node’s shell. If you’re connected via the cluster management IP, systemshell local will get you in the shell for the node that’s homing the cluster management LIF.
Note 2: If the diag password is already set, you don’t need to set it again.

CLUSTERA::> security login unlock -username diag
CLUSTERA::> security login password -username diag
Please enter a new password: XXXXXXXX
Please enter it again: XXXXXXXX
CLUSTERA::> set -privilege advanced
Do you want to continue? y
CLUSTERA::*> systemshell local
login: diag
Password: XXXXXXXX
CLUSTERA-01% cd /mroot/etc/log
CLUSTERA-01% ls

{SEE APPENDIX A for contents of /mroot/etc/log}

CLUSTERA-01% cd mlog
CLUSTERA-01% ls

{SEE APPENDIX B for contents of /mroot/etc/log/mlog}

CLUSTERA-01% cat command-history.log

Tip: Recommend setting up PuTTY to log ‘All session output’, log file ‘append’, don’t ‘Flush log file frequently’, and say 20000 ‘Lines of scrollback’ as in the images below

Image: PuTTY setup

APPENDIX A: Contents of cd /mroot/etc/log

acp
auditlog
auditlog.log.0000000001
autosupport
backup
backup.log.0000000001
clone
clone.log.0000000001
cm_stats_hourly
descriptors
ems
ems.log.0000000001
ems_persist
hm
leak_data
messages
messages.log.0000000001
messages.log.0000000002
mlog
nbu_snapvault
nbu_snapvault.log.0000000001
ndvm
playlist_diag
shelflog
sis
sis.log.0000000001
snapmirror
snapmirror.log.0000000001
ssram
stats
treecompare
treecompare.log.0000000001
vfiler_trans_migrate_cmds_log
vfiler_trans_migrate_cmds_log.log.0000000001
vfiler_trans_migrate_log
vfiler_trans_migrate_log.log.0000000001
volread

APPENDIX B: Contents of mlog

apache_access.log
apache_access.log.0000000001
apache_error.log
apache_error.log.0000000001
bcomd.log
bcomd.log.0000000001
command-history.log
command-history.log.0000000001
dead_logs
debug.log
debug.log.0000000001
jm-restart.log
jm-restart.log.old
memsnap-coresegd.log
memsnap-httpd.log
memsnap-mdnsd.log
memsnap-mhostexecd.log
memsnap-nchmd.log
memsnap-ndmpd.log
memsnap-schmd.log
memsnap-shmd.log
messages.log
messages.log.0000000001
mgwd.log
mgwd.log.0000000001
ndmpd.log
ndmpd.log.0000000001
notifyd.log
notifyd.log.0000000001
secd.log
secd.log.0000000001
sktlog
sktlogd.log
sktlogd.log.0000000001
spdebug.log
spmd.log
spmd.log.0000000001
var_dead_logs
vifmgr.log
vifmgr.log.0000000001
vldb.log
vldb.log.0000000001

3 comments:

  1. if any one has got good doc for cluster mode, please let us know on that...

    ReplyDelete
  2. In Cdot 8.3 simulator, when entering advanced privilege, there is no "systemshell local" command...Missing something here?

    ReplyDelete
  3. Hello Mihai, it's now in diag mode. Use ::> set d. Cheers VC

    ReplyDelete