CONTAP-352417: EMS reports daily auditlog.change.detected after fix for CONTAP-82775 (Burt 1524672)
Issue
- After ONTAP upgrade to a version with fix for Bug 1524672, only one node in the cluster reports a daily
auditlog.change.detectedevent at 00:05 (local time) for a previously rotatedaudit.log.xxxormpaudit.log..xxx:Mon Jun 17 00:05:00 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001562" was tampered with.
Mon Jun 18 00:05:36 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001563" was tampered with.
Mon Jun 19 00:05:44 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001564" was tampered with.
...
5/1/2025 00:05:00 Node-01 ERROR auditlog.change.detected: Audit log file "mpaudit.log.0000000001" was tampered with.
4/30/2025 00:05:00 Node-01 ERROR auditlog.change.detected: Audit log file "mpaudit.log.0000000001" was tampered with.
- In
mgwd.log, the following error message is seen for theaudit.log.xxxfile:00000025.000bea70 01e5bc7a Fri Jul 26 2024 00:05:00 -04:00 [kern_mgwd:info:3205] 0x8318d7b00: 8603e9000000012a: ERR: tables::audit: Audit log signature file /mroot/etc/log/mlog/audit_log_sig/audit.log.0000001562.sig is empty.Hence, Signature verification failed for file: audit.log.0000001562. Line: 1398, Function: verify_hashes ...
- The file size of the
audit.log.xxxfiles mentioned in the event all exceed 350 bytes. Listing of the directory using systemshell:% ls -lh /mroot/etc/log/mlog/audit.log*
-rw-r--r-- 2 root wheel 70M Jun 18 10:03 /mroot/etc/log/mlog/audit.log
-rw-r--r-- 1 root wheel 76M May 1 14:17 /mroot/etc/log/mlog/audit.log.0000001562
-rw-r--r-- 1 root wheel 72M May 2 14:17 /mroot/etc/log/mlog/audit.log.0000001563
-rw-r--r-- 1 root wheel 72M May 3 14:17 /mroot/etc/log/mlog/audit.log.0000001564
