catauditlog

Use the catauditlog command to display the in-memory contents of the audit log.

Syntax

Read syntax diagramSkip visual syntax diagram catauditlog -firstnumber_of_entries_to_return

Parameters

-delim delimiter
(Optional) Specify a delimiter to separate data in the output.
-nohdr
(Optional) Suppress the headings in the output.
-first number_of_entries_to_return
(Optional) Specifies the number of most recent entries to display.

Description

This command displays the in-memory audit log of task commands run on the system by all users. Commands that create or modify configurable objects are logged. Commands that only display information, as well as commands that fail, are not logged.

The in-memory audit log records up to 500 commands. When the log reaches capacity, it is automatically written to a file in the dumps/audit directory on the configuration node, and the in-memory log is cleared. The in-memory audit log can be stored to a file on the boot drive before it is full by using the dumpauditlog command.

Each audit file is assigned a unique filename, allowing multiple audit files to be stored. Use the lsdumps -prefix /dumps/audit command to list audit log files. These files can be copied from the system and are in a readable text format.

The following attribute values can be displayed in the output.
Table 1. catauditlog output
Attribute Possible Values
audit_seq_no Indicates the sequential number that identifies the audited command in the log. This value does not reset when the log is cleared.
timestamp Indicates the date and time when the command was run.
cluster_user Indicates the system user who ran the command, or the IBM Storage Insights user if the command originated from IBM Storage Insights.
challenge Indicates the session from which the command was run. For example, if run by a support engineer using secure remote access, this value is the 10-character random challenge used to authorize the command.
source_panel Indicates the panel name of the node where the command was entered.
target_panel Indicates, for service assistant commands, the panel name of the node where the command was run, or the optional last parameter of an satask command.
ssh_ip_address Indicates the IP address of the host that initiated the secure shell connection when the command was run in an SSH session.
result Indicates the numeric return code generated by the command during execution.
res_obj_id Indicates the ID of the object that was created by the command, if applicable. This field does not apply to the addnode command.
action_cmd Indicates the command line that was run.
origin Indicates whether the command was issued from the GUI, CLI, VASA, or REST interface. SI indicates that the command originated from IBM Storage Insights. This field is blank for service assistant commands.
two_person_integrity_promoted Indicates that the two person integrity (TPI) shown in the audit log was prompoted by the user shown in the audit log while that user had an approved role elevation.
duration_ms Indicates the time taken for CLI command to complete.
partition_name Indicates the name of the partition when the command is run using the partition IP address.
partition_uuid Indicates the universally unique identifier (UUID) of the partition when the command is run using the partition IP address.
timestamp_epoch Indicates the timestamp in milliseconds since the epoch. This field requires the -showhidden parameter.
orch_audit_id Indicates a unique cross-reference identifier generated by IBM Storage Insights for commands that originate from IBM Storage Insights. This field requires the -showhidden parameter.
When using the partition IP address to run this command, consider the following:
  • The user must identify objects using the name or UUID. Short IDs cannot be specified when using the partition IP address.
  • Views will be filtered to display only objects related to the partition associated with the IP address. An error will be displayed if the user requests a detailed view for an object that is not related to the partition.

An invocation example

catauditlog
The resulting output:

audit_seq_no timestamp    cluster_user challenge source_panel target_panel ssh_ip_address result res_obj_id action_cmd                                                        origin two_person_integrity_promoted duration_ms partition_name partition_uuid
0            260416115859 superuser              78E02V8      78E02V8                     0                 satask restartservice -service nginx                                     no                            4479
1            260416120000 superuser                                        9.71.45.179    0      4          svctask mkportset -type replication -porttype fc                  CLI    no                            2
2            260416120006 superuser                                        9.71.45.179    0                 svctask addfcportsetmember -fcioportid 1 -portset portset4        CLI    no                            61
3            260416120233 superuser                                        9.71.45.179    0                 svctask mkfcpartnership -linkbandwidthmbits 1000 000002042B811034 CLI    no                            59
5            260416120335 superuser                                        9.71.45.179    0                 svctask rmpartnership 000002042B811034                            CLI    no                            88