Skip to main content
NetApp Knowledge Base

What is the naming format of SnapLock Audit Logging

Views:
192
Visibility:
Public
Votes:
2
Category:
ontap-9
Specialty:
dp
Last Updated:

Applies to

ONTAP

Answer

The active log file i.e. file to which audit sub-system writes the records, will always be base-name_<start-time>-present.log residing in the directory. 
Once this file reaches the size limit or archived explicitly by user, it is renamed as base-name_<start-time>-<end-time>.log and a new active file will be created.

active log file format:
base-name_<start-time(YYYYMMDDHHMMSS)>-present.log
active log file sample:
/vol/snaplock_audit_log/snaplock_log/privileged_delete_logs/20200927_032210_GMT-present
/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_031215_GMT-present

archive log file format:
base-name_<start-time(YYYYMMDDHHMMSS)>-<end-time(YYYYMMDDHHMMSS)>.log
archive log file sample:
/vol/snaplock_audit_log/snaplock_log/privileged_delete_logs/20200927_032210-20201118_091342_GMT
/vol/snaplock_audit_log/snaplock_log/system_logs/20200927_032210-20201118_091342_GMT

Additional Information

[-base-name {privileged-delete | system | legal-hold}] - Base Name of Log File
Specifies the log base-name, whose active log file needs to be archived. 
The base-name is the name of the source of log records. 
Valid base-names are system, privileged-delete and legal-hold. 
Each base-name has its own directory in which log files containing log records generated by base-name are stored. 

  • If at the time of creating log file or archiving log file, SnapLock detects a file with same name exists, it will append sequence number to avoid collision. 
    So in case of collision, name of active log file will be base-name_<start-time>-present-<sequence-number>.log and similarly name of the archive log file will be base-name_<start-time>-<end-time>-<sequence-number>.log.
    Here <start-time> and <end-time> refers to the timestamp in the format YYYYMMDDHHMMSS.
  • Regarding Audit log file names, there are some relative description on Creating an audit log as below.

You can find the SnapLock audit logs in the /snaplock_log directory under the root of the audit log volume, in subdirectories named privdel_log (privileged delete operations) and system_log (everything else). 
Audit log file names contain the timestamp of the first logged operation, making it easy to search for records by the approximate time that operations were executed.
• You can use the snaplock log file show command to view the log files on the audit log volume.
• You can use the snaplock log file archive command to archive the current log file and create a new one, which is useful in cases where you need to record audit log information in a separate file.
For more information, see the man pages for the commands.
Note: A data protection volume cannot be used as a SnapLock audit log volume.

 

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.