What is the naming format of SnapLock Audit Logging?
Applies to
ONTAP
Answer
The active log file, i.e. the file to which the audit subsystem writes records, is always named base-name_<start-time>-present.log and resides in the directory.
Once this file reaches the size limit or is archived explicitly by a user, it is renamed to base-name_<start-time>-<end-time>.log and a new active file is created.
active log file format:
base-name_<start-time(YYYYMMDDHHMMSS)>-present.log
active log file sample:
/vol/snaplock_audit_log/snaplock_log/privileged_delete_logs/20200927_032210_GMT-present
/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_031215_GMT-present
archive log file format:
base-name_<start-time(YYYYMMDDHHMMSS)>-<end-time(YYYYMMDDHHMMSS)>.log
archive log file sample:
/vol/snaplock_audit_log/snaplock_log/privileged_delete_logs/20200927_032210-20201118_091342_GMT
/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_032210-20201118_091342_GMT
Additional Information
- Regarding base-name, refer to the information below, which comes from the command's man page.
[-base-name {privileged-delete | system | legal-hold}] - Base Name of Log File
Specifies the log base-name, whose active log file needs to be archived.
The base-name is the name of the source of log records.
Valid base-names are system, privileged-delete and legal-hold.
Each base-name has its own directory in which log files containing log records generated by base-name are stored.
- If, at the time of creating or archiving a log file, SnapLock detects that a file with the same name already exists, it appends a sequence number to avoid a collision.
So in case of a collision, the name of the active log file will be base-name_<start-time>-present-<sequence-number>.log, and similarly the name of the archive log file will be base-name_<start-time>-<end-time>-<sequence-number>.log.
Here <start-time> and <end-time> refer to the timestamp in the format YYYYMMDDHHMMSS.
- Regarding audit log file names, there is a related description under Creating an audit log, as below.
You can find the SnapLock audit logs in the /snaplock_log directory under the root of the audit log volume, in subdirectories named privdel_log (privileged delete operations) and system_log (everything else).
Audit log file names contain the timestamp of the first logged operation, making it easy to search for records by the approximate time that operations were executed.
• You can use the snaplock log file show command to view the log files on the audit log volume.
• You can use the snaplock log file archive command to archive the current log file and create a new one, which is useful in cases where you need to record audit log information in a separate file.
For more information, see the man pages for the commands.
Note: A data protection volume cannot be used as a SnapLock audit log volume.
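The following Python parser is an added example, not NetApp code. It reads the start time, end time, active/archived state and collision sequence number out of a log file name, and finds the files whose time range covers a given moment. It accepts both the stated base-name_<start-time>-... form and the YYYYMMDD_HHMMSS_GMT form seen in the samples above; the function names and the 2021 file names are constructed for illustration.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath

# Timestamp is YYYYMMDDHHMMSS in the stated format, YYYYMMDD_HHMMSS in the samples.
_TS = r"\d{8}_?\d{6}"
_NAME = re.compile(
    rf"^(?:(?P<base>privileged-delete|system|legal-hold)_)?"  # base-name prefix, if present
    rf"(?P<start>{_TS})(?:_GMT)?-"
    rf"(?:present|(?P<end>{_TS})(?:_GMT)?)"                   # active vs. archived
    rf"(?:-(?P<seq>\d+))?(?:\.log)?$"                         # collision sequence number
)

def _ts(text):
    return datetime.strptime(text.replace("_", ""), "%Y%m%d%H%M%S")

def parse_log_name(path):
    """Return the fields encoded in a log file name, or None if it does not match."""
    p = PurePosixPath(path)
    m = _NAME.match(p.name)
    if not m:
        return None
    try:
        start = _ts(m["start"])
        end = _ts(m["end"]) if m["end"] else None
    except ValueError:  # right shape, but not a real date/time
        return None
    return {"base": m["base"] or p.parent.name or None, "start": start, "end": end,
            "active": end is None, "seq": int(m["seq"]) if m["seq"] else None}

def files_covering(paths, when):
    """Paths whose name-encoded range contains `when` (naive datetime, same zone as names)."""
    hits = []
    for path in paths:
        info = parse_log_name(path)
        if info and info["start"] <= when and (info["active"] or when <= info["end"]):
            hits.append(path)
    return hits

# Constructed listing: two sample paths from the page plus names built from the stated format.
SAMPLE = [
    "/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_032210-20201118_091342_GMT",
    "/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_031215_GMT-present",
    "system_20210101000000-20210201000000-1.log",
    "system_20210201000000-present.log",
]

if __name__ == "__main__":
    print(files_covering(SAMPLE, datetime(2020, 10, 1, 12, 0, 0)))
```

When a name carries no base-name prefix, as in the samples, the parent directory name is reported as the base.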