How To Read Audit logs on Isilon
Introduction
One of the many painful things we get to do as storage administrators is reading logs on the arrays. Some arrays offer a GUI for this and some require the command line. In this post we will look at how to read audit logs on Isilon from the command line.
Process
First, start an SSH session to the Isilon cluster and navigate to /ifs/.ifsvar/audit/logs. Here we see a directory for each individual node.
# ls -al
total 120
drwxr-x--- 14 root wheel 300 May 10 2014 .
drwxr-x--- 4 root wheel 48 Jun 14 2015 ..
drwxr-x--- 4 root wheel 50 May 10 2014 node001
drwxr-x--- 4 root wheel 50 May 10 2014 node002
drwxr-x--- 4 root wheel 50 May 10 2014 node003
drwxr-x--- 4 root wheel 50 May 10 2014 node004
drwxr-x--- 4 root wheel 50 May 10 2014 node005
drwxr-x--- 4 root wheel 50 May 10 2014 node006
drwxr-x--- 4 root wheel 50 May 10 2014 node007
drwxr-x--- 4 root wheel 50 May 10 2014 node008
drwxr-x--- 4 root wheel 50 May 10 2014 node009
drwxr-x--- 4 root wheel 50 May 10 2014 node00a
drwxr-x--- 4 root wheel 50 May 10 2014 node00b
drwxr-x--- 4 root wheel 50 May 10 2014 node00c
Under each node directory there are two sub-directories, config and protocol; we want protocol. Change into the protocol directory, and there are our logs. So how do we view them? That is done with the isi_audit_viewer command.
# isi_audit_viewer -h
Usage: isi_audit_viewer [ -n <nodeid> | -t <topic> | -s <starttime>|
-e <endtime> | -v ]
-n <nodeid> : Specify node id to browse (default: local node)
-t <topic> : Choose topic to browse. Topics are "config" and "protocol" (default: "config")
-s <start> : Browse audit logs starting at <starttime>
-e <end> : Browse audit logs ending at <endtime>
-v verbose : Prints out start / end time range before printing records
Start and End times are expressible as a date format "YYYY-MM-DD HH:MM:SS", where fields represent year/month/day/hours/minutes/seconds.
Time can also be expressed as HH:MM:SS; in this case the date is set to the current day. Time prefixes can also be used, in which case missing values are assumed to be 0.
E.g. "05:15" represents "05:15:00". If not specified, end time defaults to now and start time to 24 hours before end time.
Example:
# isi_audit_viewer -t protocol -s <start time> -e <endtime>
To search for something specific, pipe the output through grep to narrow it down:
# isi_audit_viewer -t protocol -s <start time> -e <endtime> | grep -i <findme>
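As an added example (not from the original post), here is a small POSIX shell wrapper that checks both time arguments against the formats the help text above documents, then runs the protocol-topic query on each node through the -n option and filters the records with grep. The VIEWER variable and the audit_time_ok/audit_search names are mine, and the node ids are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: wrapper around isi_audit_viewer
# that validates the time arguments and runs the protocol query per node.

VIEWER=${VIEWER:-isi_audit_viewer}   # overridable so the wrapper can be tested off-cluster

# Accept "YYYY-MM-DD HH:MM:SS", "HH:MM:SS", or a prefix of either
# ("2017-06-26 12", "05:15", "05"), as the usage text describes.
# A date glued to a time ("2017-06-2612:00:01") and a bare date are rejected.
audit_time_ok() {
    t=$1
    case $t in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ *) t=${t#* } ;;  # strip the date part
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]*) return 1 ;;     # no separating space
    esac
    case $t in
        [0-9][0-9]|[0-9][0-9]:[0-9][0-9]|[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Query the protocol audit topic on each listed node id and filter the
# records case-insensitively, as the post does with grep.
# Usage: audit_search "<start>" "<end>" "<pattern>" nodeid [nodeid ...]
# Node ids are handed to -n unchanged (assumption: the caller knows them).
# Returns 0 if any node produced a matching record, 1 otherwise.
audit_search() {
    [ $# -ge 4 ] || { echo "usage: audit_search start end pattern nodeid..." >&2; return 2; }
    start=$1; end=$2; pattern=$3; shift 3
    audit_time_ok "$start" || { echo "bad start time: $start" >&2; return 2; }
    audit_time_ok "$end"   || { echo "bad end time: $end" >&2; return 2; }
    found=1
    for node in "$@"; do
        # Each value is passed as one argument, so the space inside
        # "YYYY-MM-DD HH:MM:SS" survives without any re-quoting.
        "$VIEWER" -n "$node" -t protocol -s "$start" -e "$end" | grep -i -- "$pattern" && found=0
    done
    return $found
}

# Example call (constructed values): search a seven-hour window on 2017-06-26
# on nodes 1 and 2 for records mentioning a user named alice.
# audit_search "2017-06-26 12:00:01" "2017-06-26 19:00:00" alice 1 2
```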
Conclusion
In this post we have covered the basics for looking at and finding Isilon audit logs.
Very helpful post. When I run the command on a single node I get an output with no problem, but when I try to add isi_for_array to check the cluster I get an invalid output, shown below. So I end up having to run this command on each node.
isi_for_array isi_audit_viewer -t protocol -s "2017-06-26 12:00:01" -e "2017-06-26 19:00:00"
Invalid argument: 12:00:01
Usage: isi_audit_viewer [ -n <nodeid> | -t <topic> | -s <starttime> |
-e <endtime> | -v ]
-n <nodeid> : Specify node id to browse (default: local node)
-t <topic> : Choose topic to browse.
Topics are "config" and "protocol" (default: "config")
-s <start> : Browse audit logs starting at <starttime>
-e <end> : Browse audit logs ending at <endtime>
-v verbose : Prints out start / end time range before printing
records
Start and End times are expressable as a
date format "YYYY-MM-DD HH:MM:SS", where
fields represent year/month/day/hours/minutes/seconds.
Time can also be expressed as HH:MM:SS;
in this case the date is set to the current day.
Time prefixes can also be used, in which case missing values are
assumed to be 0.
E.g. "05:15" represents "05:15:00".
If not specified, end time defaults to now and
start time to 24 hours before end time.
Try running the command isi_for_array isi_audit_viewer -t protocol -s "2017-06-2612:00:01" -e "2017-06-2619:00:00". It is complaining about the space between day and hour.
What role would allow me to run this command?
I am trying to set up an Audit Admins user that would be able to run this command, but they wouldn't be able to do anything else. I'm not sure how to do this. Since the AuditAdmin role is "read only" I end up getting permission denied.