Skip to main content
NetApp Knowledge Base

How to create or remove auditing staging (MDV_AUD) volumes

  1. Last updated
  2. Save as PDF
Views:
20,631
Visibility:
Public
Votes:
18
Category:
ontap-9
Specialty:
CORE
Last Updated:

Applies to

  • ONTAP 9
  • MDV_aud (Auditing Staging Volume)

Description

This article describes the procedure to create or remove auditing staging (MDV_aud) volumes.

  • MDV (Metadata Volume) auditing volumes are referenced as MDV_aud_
  • This article does not apply to MDV_CRS* volumes
MDV_aud volumes  enables a storage administrator to monitor user actions such as access and modification of data files.

cluster::> volume show *MDV_aud*
Vserver Volume Aggregate State Type Size Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
cluster1 MDV_aud_1d0131843d4811e296fc123478563412
aggr0 online RW 2GB 1.90GB 5%

MDV_CRS volumes are used for SVM-DR and MetroCluster configuration replication

 

cluster::> volume show *MDV_CRS*
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
cluster2  MDV_CRS_f53ee75db03b11e89a65005056b013db_A
aggr_dp      online     RW         20MB    18.74MB    1%

 

Procedure

1. Check for the presence of auditing volumes.

cluster1::> volume show -volume MDV_aud* -fields aggregate

Note:  Proceed only if auditing volumes are present.

2. Gather the current auditing configuration.

cluster1::> vserver audit show -instance

3. Disable auditing repeating for each configured SVM.

cluster1::> vserver audit disable -vserver <vserver name> 

4. Delete the auditing configuration repeating for each configured SVM.

cluster1::> vserver audit delete -vserver <vserver name>

Note: This will not delete already-created audit logs stored in the log destination path from step 2.

5. Check for the presence of auditing volumes.

cluster1::> volume show -volume MDV_aud* -fields aggregate

Note:  At this point all MDV_aud auditing volumes should be removed.  Before proceeding perform the task that was blocked by the presence of these volumes as described earlier in this article.

6. Recreate the auditing configuration for each SVM using the data collected in step #2.

cluster1::> vserver audit create -vserver <vserver name> -destination /audit_log

7. Enable the auditing configuration for each SVM using the data collected in step #2.

cluster1::> vserver audit enable -vserver <vserver name>

8. Check for the presence of auditing volumes.

cluster1::> volume show -volume MDV_aud* -fields aggregate

  • If the vserver in question is a SVM-DR destination vserver, you will need to quiesce and break the snapmirror relationship before the auditing configuration can be removed.  After collecting the configuration from step 2 above, run the below commands before proceeding with steps 3-5.

::> snapmirror quiesce -destination-path <DR-Vserver>:

::> snapmirror break -destination-path <DR-Vserver>:

The staging volumes will be removed and should be restored when the SVM-DR is resynced:

::> snapmirror resync -destination-path <DR-Vserver>:

Additional Information

Auditing NAS events on SVMs

TR-4569 - Security Hardening Guide for NetApp ONTAP 9  

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.