How To Read Audit logs on Isilon

Introduction

One of the many painful things we get to do as Storage Administrators is reading logs on the arrays. Some arrays offer a GUI for this and some require the command line. In this post we will look at how to read audit logs on Isilon from the command line.

Process

The first step is to start an SSH session to the Isilon cluster.

Navigate to /ifs/.ifsvar/audit/logs. Here we see a directory for each individual node.

# ls -al
total 120
drwxr-x--- 14 root wheel 300 May 10 2014 .
drwxr-x--- 4 root wheel 48 Jun 14 2015 ..
drwxr-x--- 4 root wheel 50 May 10 2014 node001
drwxr-x--- 4 root wheel 50 May 10 2014 node002
drwxr-x--- 4 root wheel 50 May 10 2014 node003
drwxr-x--- 4 root wheel 50 May 10 2014 node004
drwxr-x--- 4 root wheel 50 May 10 2014 node005
drwxr-x--- 4 root wheel 50 May 10 2014 node006
drwxr-x--- 4 root wheel 50 May 10 2014 node007
drwxr-x--- 4 root wheel 50 May 10 2014 node008
drwxr-x--- 4 root wheel 50 May 10 2014 node009
drwxr-x--- 4 root wheel 50 May 10 2014 node00a
drwxr-x--- 4 root wheel 50 May 10 2014 node00b
drwxr-x--- 4 root wheel 50 May 10 2014 node00c

Under each individual node there are two sub-directories, config and protocol; we want protocol. Change into the protocol directory. Here are our logs. So how do we view them? That is done with the isi_audit_viewer command, whose help output is shown below.

# isi_audit_viewer -h
Usage: isi_audit_viewer [ -n <nodeid> | -t <topic> | -s <starttime>|
-e <endtime> | -v ]
-n <nodeid> : Specify node id to browse (default: local node)
-t <topic> : Choose topic to browse. Topics are "config" and "protocol" (default: "config")
-s <start> : Browse audit logs starting at <starttime>
-e <end> : Browse audit logs ending at <endtime>
-v verbose : Prints out start / end time range before printing records

Start and End times are expressible as a date format "YYYY-MM-DD HH:MM:SS", where fields represent year/month/day/hours/minutes/seconds.
Time can also be expressed as HH:MM:SS; in this case the date is set to the current day. Time prefixes can also be used, in which case missing values are assumed to be 0.
E.g. "05:15" represents "05:15:00". If not specified, end time defaults to now and start time to 24 hours before end time.

Example:

# isi_audit_viewer -t protocol -s <starttime> -e <endtime>

If you are searching for something specific, pipe the output through grep to narrow it down. Note from the help text above that without -n the viewer only reads the log of the node you are logged in to.

# isi_audit_viewer -t protocol -s <starttime> -e <endtime> | grep -i <findme>
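Because the viewer defaults to the local node, a search across the whole cluster means repeating the command once per node directory. The POSIX shell helper below is an added example, not part of the original post or of OneFS: it walks every nodeXXX directory under /ifs/.ifsvar/audit/logs, runs isi_audit_viewer per node over one time window and pipes the combined records through grep -i. It assumes the directory suffix (node00a) is the node id in hex and that -n accepts it in decimal; AUDIT_ROOT and VIEWER exist only so the helper can be pointed elsewhere for testing.

```shell
#!/bin/sh
# Query the protocol audit log of every node, not just the local one.
AUDIT_ROOT="${AUDIT_ROOT:-/ifs/.ifsvar/audit/logs}"   # overridable for testing
VIEWER="${VIEWER:-isi_audit_viewer}"                   # overridable for testing

# node_id_from_dir: "node00a" -> "10".
# ASSUMPTION: the directory suffix is the node id in hex and -n wants decimal.
node_id_from_dir() {
  hex="${1#node}"
  printf '%d\n' "0x$hex"
}

# list_node_ids: one decimal node id per nodeXXX directory under AUDIT_ROOT.
list_node_ids() {
  for d in "$AUDIT_ROOT"/node*; do
    [ -d "$d" ] || continue
    node_id_from_dir "${d##*/}"
  done
}

# audit_all_nodes START END [PATTERN]: protocol records from every node in the
# window "YYYY-MM-DD HH:MM:SS", optionally filtered case-insensitively.
audit_all_nodes() {
  start="$1"; end="$2"; pattern="$3"
  for id in $(list_node_ids); do
    "$VIEWER" -n "$id" -t protocol -s "$start" -e "$end"
  done | if [ -n "$pattern" ]; then grep -i -- "$pattern"; else cat; fi
}
```

Usage on a cluster: `audit_all_nodes "2014-05-10 00:00:00" "2014-05-10 23:59:59" <findme>` after sourcing the file.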

Conclusion

In this post we have covered the basics for looking at and finding Isilon audit logs.
