NetApp Knowledge Base

What is the naming format of SnapLock Audit Logging

Category:
ontap-9
Specialty:
dp

Applies to

ONTAP

Answer

The active log file, i.e. the file to which the audit subsystem writes records, is always named base-name_<start-time>-present.log and resides in the directory for that base-name.
Once this file reaches the size limit or is archived explicitly by the user, it is renamed to base-name_<start-time>-<end-time>.log and a new active file is created.

active log file format:
base-name_<start-time(YYYYMMDDHHMMSS)>-present.log
active log file sample:
/vol/snaplock_audit_log/snaplock_log/privileged_delete_logs/20200927_032210_GMT-present
/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_031215_GMT-present

archive log file format:
base-name_<start-time(YYYYMMDDHHMMSS)>-<end-time(YYYYMMDDHHMMSS)>.log
archive log file sample:
/vol/snaplock_audit_log/snaplock_log/privileged_delete_logs/20200927_032210-20201118_091342_GMT
/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_032210-20201118_091342_GMT

Additional Information

[-base-name {privileged-delete | system | legal-hold}] - Base Name of Log File
Specifies the log base-name, whose active log file needs to be archived. 
The base-name is the name of the source of log records. 
Valid base-names are system, privileged-delete and legal-hold. 
Each base-name has its own directory in which log files containing log records generated by base-name are stored. 

  • If, when creating or archiving a log file, SnapLock detects that a file with the same name already exists, it appends a sequence number to avoid a collision.
    In that case the active log file is named base-name_<start-time>-present-<sequence-number>.log and the archive log file is named base-name_<start-time>-<end-time>-<sequence-number>.log.
    Here <start-time> and <end-time> are timestamps in the format YYYYMMDDHHMMSS.
  • For audit log file names, the related description from "Creating an audit log" is reproduced below.

You can find the SnapLock audit logs in the /snaplock_log directory under the root of the audit log volume, in subdirectories named privdel_log (privileged delete operations) and system_log (everything else). 
Audit log file names contain the timestamp of the first logged operation, making it easy to search for records by the approximate time that operations were executed.
• You can use the snaplock log file show command to view the log files on the audit log volume.
• You can use the snaplock log file archive command to archive the current log file and create a new one, which is useful in cases where you need to record audit log information in a separate file.
For more information, see the man pages for the commands.
Note: A data protection volume cannot be used as a SnapLock audit log volume.
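Because the file name carries the start time and, once archived, the end time, a directory listing is enough to decide which audit log file to pull for a given incident time. The following Python sketch is an added example, not NetApp code: it parses both the documented layout (including the collision sequence number) and the layout seen in the sample paths above, and assumes the base-name appears literally as the file-name prefix; apart from the first sample path, the listing is constructed.

```python
import re
from datetime import datetime

BASE_NAMES = ("system", "privileged-delete", "legal-hold")  # valid base-names per the article

# Layout as documented: base-name_<start>-present[-<seq>].log or
# base-name_<start>-<end>[-<seq>].log, timestamps as YYYYMMDDHHMMSS.
# Assumption: the base-name appears literally as the file-name prefix.
DOCUMENTED = re.compile(
    r"^(?P<base>" + "|".join(BASE_NAMES) + r")_(?P<start>\d{14})-"
    r"(?:present|(?P<end>\d{14}))(?:-(?P<seq>\d+))?\.log$")

# Layout seen in the article's sample paths: YYYYMMDD_HHMMSS, a GMT suffix, no prefix.
SAMPLE = re.compile(
    r"^(?P<start>\d{8}_\d{6})(?:_GMT-present|-(?P<end>\d{8}_\d{6})_GMT)$")

def _ts(text):
    # Timestamps are compared as written in the name (the samples are marked GMT).
    return datetime.strptime(text.replace("_", ""), "%Y%m%d%H%M%S") if text else None

def parse_log_name(path):
    """Describe one audit log file name; None if it matches neither layout."""
    name = path.rsplit("/", 1)[-1]
    m = DOCUMENTED.match(name) or SAMPLE.match(name)
    if not m:
        return None
    g = m.groupdict()
    return {"base": g.get("base"), "start": _ts(g["start"]), "end": _ts(g["end"]),
            "active": g["end"] is None, "seq": int(g["seq"]) if g.get("seq") else None}

def files_covering(paths, when):
    """Paths whose start..end window contains `when`; an active file has no end."""
    hits = []
    for path in paths:
        info = parse_log_name(path)
        if info and info["start"] <= when and (info["active"] or when <= info["end"]):
            hits.append(path)
    return hits

if __name__ == "__main__":
    listing = [  # first entry is a sample path from the article, the rest are constructed
        "/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_032210-20201118_091342_GMT",
        "system_20201118091400-present.log",
        "system_20200101000000-20200927032209-1.log",
        "notes.txt",
    ]
    print(files_covering(listing, datetime(2020, 10, 1, 12, 0, 0)))
```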

 

 

 
