Getting the ZFSSA Audit Logs via scripts

This article shows how to extract the audit log from a ZFS Storage Appliance (ZFSSA) with a short CLI script. The audit log records user activity on the appliance, including logins to and logouts from the BUI and CLI, expired browser sessions, and administrative actions such as enabling or disabling a service. It is the record you will want when reconstructing who changed what on the appliance, so it is worth collecting regularly rather than only when a problem has already occurred.

Sample BUI Audit Log

The following table shows example audit log entries as they would appear in the BUI (the Session Annotation column is empty for these entries):

Time                User  Host       Summary                    Session Annotation
2016-01-12 05:20:24 root  smurf      Disabled ftp service
2016-01-12 03:17:05 root  smurf      User logged in
2016-01-11 22:38:56 root  schlumpf   Browser session timed out
2016-01-11 21:13:35 root  <console>  Enabled ftp service

Sample Script

Here is a simple script (show-audit-log.aksh) that extracts the audit log from the ZFSSA. It is written in the appliance's own scripting language (aksh, a JavaScript dialect): the leading `script` line switches the CLI into script mode, and the closing `.` on a line by itself ends the script and runs it.

script
//#######################################
//# Show ZFSSA Audit Log
//#######################################
run('cd /');
// "configuration version get nodename" prints "nodename = <name>"; the
// value is the fourth whitespace-separated token (the line is indented).
var zfsNode = run('configuration version get nodename').split(/\s+/)[3];
var pFormat = '%-19s %-15s %-15s %-30s %-20s\n';
var tFormat = '%Y-%m-%d %H:%M:%S';
print('ZFSSA Audit Log');
print('===============');
print('');
printf('Nodename: %s\n', zfsNode);
print('');
printf(pFormat, 'Time', 'User', 'Host', 'Summary', 'Annotation');
// Separator widths match the column widths in pFormat.
printf(pFormat, '-------------------', '---------------',
  '---------------', '------------------------------', '--------------------');
// Walk every entry the audit log node lists, most recent first.
run('maintenance logs select audit');
var entries = list();
for (var i = 0; i < entries.length; i++)
{
  run('select ' + entries[i]);
  printf(pFormat,
    get('timestamp').toLocaleFormat(tFormat),
    get('user'),
    get('address'),
    get('summary'),
    get('annotation')
  );
  run('cd ..');
}
.

Running the script

To run it, feed the script to a non-interactive ssh session on your ZFSSA. The -T option disables pseudo-terminal allocation so that the CLI reads the script from standard input instead of starting an interactive session. For example:

# ssh -T root@zfssa1 < show-audit-log.aksh
ZFSSA Audit Log
===============

Nodename: zfssa1

Time                User         Host          Summary                    Annotation
------------------- ------------ ------------- -------------------------- -----------------
2016-01-26 08:23:56 root         192.168.1.101 User logged in
2016-01-26 08:10:37 snapuser     192.168.1.195 User logged in
2016-01-26 08:04:01 root         192.168.1.101 User logged out
2016-01-26 07:38:18 oemagent     192.168.1.210 Browser session timed out
2016-01-26 06:28:48 snapuser     192.168.1.118 User logged out of CLI
2016-01-26 06:04:01 root         192.168.1.117 User logged out
2016-01-26 06:03:49 root         192.168.1.117 User logged in

The script will display the last 100 entries from the audit log. Note that the ssh session used to collect the log is itself audited, so expect a "User logged in" entry for the collecting account at the top of the output; a dedicated account for this job, rather than root, keeps those entries easy to tell apart from real administrative logins. If you need more history than 100 entries, run the script on a schedule and keep the output.
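Collecting the log is only half the job; the output still has to be read. The following Python script is an added example for this article, not part of the original aksh script or of the appliance software. It parses the text printed by show-audit-log.aksh on the workstation that ran the ssh command and applies three checks a reviewer would typically want: logins from addresses outside an allow-list, logins whose Host field is not an IP address (such as <console>), and configuration changes (summaries beginning "Enabled " or "Disabled ", the two verbs shown on this page). Column boundaries are derived from the header line the script prints rather than hard-coded, so it works for the widths in the script's pFormat as well as for the slightly different widths in the sample output above. The sample output embedded below is constructed for the example and is not a real appliance capture; the allow-list network is an assumption.

```python
"""Parse show-audit-log.aksh output and flag entries worth a second look.

Added example (not part of the article's script). Caveat: printf does not
truncate, so a summary longer than its column would spill into the annotation
column and be mis-split; widen pFormat in the aksh script if that happens.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

HEADER_FIELDS = ("Time", "User", "Host", "Summary", "Annotation")
LOGIN_RE = re.compile(r"\blogged in\b")
# Configuration-change verbs seen in this article's samples; extend as needed.
ADMIN_RE = re.compile(r"^(Enabled|Disabled) ")

# Constructed sample modelled on the article's output; not a real capture.
SAMPLE_OUTPUT = """\
ZFSSA Audit Log
===============

Nodename: zfssa1

Time                User         Host          Summary                    Annotation
------------------- ------------ ------------- -------------------------- -----------------
2016-01-26 08:23:56 root         192.168.1.101 User logged in
2016-01-26 08:12:10 root         10.0.0.5      User logged in
2016-01-26 08:11:02 root         10.0.0.5      Enabled ftp service
2016-01-26 08:10:37 snapuser     192.168.1.195 User logged in
2016-01-26 08:04:01 root         192.168.1.101 User logged out
2016-01-26 07:38:18 oemagent     192.168.1.210 Browser session timed out
2016-01-26 06:28:48 snapuser     192.168.1.118 User logged out of CLI
2016-01-26 06:03:49 root         <console>     User logged in
"""


@dataclass
class AuditEntry:
    time: datetime
    user: str
    host: str
    summary: str
    annotation: str


def column_offsets(header: str) -> list[tuple[str, int]]:
    """Derive each column's start offset from the header line the script prints."""
    offsets = []
    for name in HEADER_FIELDS:
        pos = header.find(name)
        if pos < 0:
            raise ValueError(f"header line lacks column {name!r}")
        offsets.append((name.lower(), pos))
    return offsets


def parse_audit_output(text: str) -> list[AuditEntry]:
    """Turn the script's fixed-width text into AuditEntry records."""
    lines = text.splitlines()
    try:
        hdr = next(i for i, ln in enumerate(lines) if ln.startswith("Time"))
    except StopIteration:
        raise ValueError("no column header line found") from None
    offsets = column_offsets(lines[hdr])
    bounds = list(zip(offsets, offsets[1:] + [("", None)]))
    entries = []
    for ln in lines[hdr + 1:]:
        if not ln.strip() or ln.startswith("-"):
            continue  # blank line or the dashed separator
        f = {name: ln[start:nxt].strip() for (name, start), (_, nxt) in bounds}
        entries.append(AuditEntry(
            time=datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S"),
            user=f["user"], host=f["host"],
            summary=f["summary"], annotation=f["annotation"]))
    return entries


def login_counts(entries: list[AuditEntry]) -> Counter:
    """Successful logins per user, across BUI and CLI."""
    return Counter(e.user for e in entries if LOGIN_RE.search(e.summary))


def flag_entries(entries: list[AuditEntry], allowed_nets: list[str]) -> list[tuple[AuditEntry, str]]:
    """Return (entry, reason) pairs for logins from unexpected places and config changes."""
    nets = [ip_network(n) for n in allowed_nets]
    findings = []
    for e in entries:
        if LOGIN_RE.search(e.summary):
            try:
                addr = ip_address(e.host)
            except ValueError:
                findings.append((e, f"login from {e.host!r}, not an IP address; confirm it was a console session"))
                continue
            if not any(addr in n for n in nets):
                findings.append((e, f"login from {e.host} outside the allow-list"))
        if ADMIN_RE.match(e.summary):
            findings.append((e, "configuration change: " + e.summary))
    return findings


if __name__ == "__main__":
    parsed = parse_audit_output(SAMPLE_OUTPUT)
    for entry, reason in flag_entries(parsed, ["192.168.1.0/24"]):  # assumed management subnet
        print(f"{entry.time:%Y-%m-%d %H:%M:%S} {entry.user:<10} {reason}")
    print("logins per user:", dict(login_counts(parsed)))
```

In real use, replace SAMPLE_OUTPUT with the saved output of the ssh command and put your own management subnets in the allow-list. The Host column is what the appliance recorded as the client address, so a login that the allow-list check flags is a client you do not expect to be administering the appliance, which is exactly the entry to chase first.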

Download

You can download a copy of the script here.