search
top

How To Read Audit logs on Isilon

Introduction

One of the many painful things we get to do as Storage Administrators is to read logs on the Arrays. Some use GUI’s and some require command line. In this post we will look at how to read audit logs on Isilon from the command line.

Process

First step is to start an SSH session with Isilon.

navigate to /ifs/.ifsvar/audit/logs. Here we see our individual nodes.

# ls -al
total 120
drwxr-x— 14 root wheel 300 May 10 2014 .
drwxr-x— 4 root wheel 48 Jun 14 2015 ..
drwxr-x— 4 root wheel 50 May 10 2014 node001
drwxr-x— 4 root wheel 50 May 10 2014 node002
drwxr-x— 4 root wheel 50 May 10 2014 node003
drwxr-x— 4 root wheel 50 May 10 2014 node004
drwxr-x— 4 root wheel 50 May 10 2014 node005
drwxr-x— 4 root wheel 50 May 10 2014 node006
drwxr-x— 4 root wheel 50 May 10 2014 node007
drwxr-x— 4 root wheel 50 May 10 2014 node008
drwxr-x— 4 root wheel 50 May 10 2014 node009
drwxr-x— 4 root wheel 50 May 10 2014 node00a
drwxr-x— 4 root wheel 50 May 10 2014 node00b
drwxr-x— 4 root wheel 50 May 10 2014 node00c

Under each individual node there are two sub-directories config and protocol, we want protocol. Change into the protocol directory. Here are our logs. So how do we view them? That is done with the isi_audit_viewer command.

# isi_audit_viewer -h
Usage: isi_audit_viewer [ -n <nodeid> | -t <topic> | -s <starttime>|
-e <endtime> | -v ]
-n <nodeid> : Specify node id to browse (default: local node)
-t <topic> : Choose topic to browse. Topics are “config” and “protocol” (default: “config”)
-s <start> : Browse audit logs starting at <starttime>
-e <end> : Browse audit logs ending at <endtime>
-v verbose : Prints out start / end time range before printing records

Start and End times are expressible as a date format “YYYY-MM-DD HH:MM:SS”, where fields represent year/month/day/hours/minutes/seconds.
Time can also be expressed as HH:MM:SS; in this case the date is set to the current day. Time prefixes can also be used, in which case missing values are assumed to be 0.
E.g. “05:15” represents “05:15:00”. If not specified, end time defaults to now and start time to 24 hours before end time.

Example:

# isi_audit_viewer -t protocol -s <start time> -e <endtime>

Searching for something, use the grep command to narrow it down.

# isi_audit_viewer -t protocol -s <start time> -e <endtime> | grep -i <findme>

Conclusion

In this post we have covered the basics for looking at and finding Isilon audit logs.

 

 

2 Responses to “How To Read Audit logs on Isilon”

  1. Roy says:

    Very helpful post. When i run the command on a single node i get an output with no problem but when i try to add isi_for_array to check the cluster i get an invalid output shown below. So i end up having to run this command on each node.

    isi_for_array isi_audit_viewer -t protocol -s “2017-06-26 12:00:01” -e “2017-06-26 19:00:00”
    Invalid argument: 12:00:01
    Usage: isi_audit_viewer [ -n | -t | -s |
    -e | -v ]
    -n : Specify node id to browse (default: local node)
    -t : Choose topic to browse.
    Topics are “config” and “protocol” (default: “config”)
    -s : Browse audit logs starting at
    -e : Browse audit logs ending at
    -v verbose : Prints out start / end time range before printing
    records

    Start and End times are expressable as a
    date format “YYYY-MM-DD HH:MM:SS”, where
    fields represent year/month/day/hours/minutes/seconds.
    Time can also be expressed as HH:MM:SS;
    in this case the date is set to the current day.
    Time prefixes can also be used, in which case missing values are
    assumed to be 0.
    E.g. “05:15” represents “05:15:00”.
    If not specified, end time defaults to now and
    start time to 24 hours before end time.

    • newlife007 says:

      Try running the command isi_for_array isi_audit_viewer -t protocol -s “2017-06-2612:00:01” -e “2017-06-2619:00:00”. It is complaining about the space between day and hour.

Leave a Reply

Your email address will not be published. Required fields are marked *

top