File audit logging logs

The primary log associated with the mmaudit command is the primary log to look at for issues specific to file audit logging. There are some other logs that might contain useful information as well. Because some logs might grow quickly, log rotation is used for all logs. Therefore, it is important to gather logs as soon as an issue is found and to look for logs that are not by default captured with gpfs.snap (no gzip versions of old logs are gathered by default by gpfs.snap). The following list describes the types of logs that are useful for problem determination:

• mmaudit log: This log contains information regarding the setup and configuration operations that affect file audit logging. Information is put into this log on any node running the file audit logging command or location where the subcommand might be run. This log is located at /var/adm/ras/mmaudit.log. This log is collected by gpfs.snap.
• mmfs.log.latest: This is the most current version of the IBM Storage Scale daemon log. It contains entries from when major file audit logging activity occurs. Types of activity within this log file are enable or disable of file audit logging for a given device, or if an error is encountered when attempting to enable or disable file audit logging for a given device. This log file is collected by gpfs.snap.

The gpfs.snap command gathers log files from multiple components including file audit logging. For file audit logging, the following file is collected: /var/adm/ras/mmaudit.log. In addition, one file is held in the CCR and saved when the gpfs.snap command is run: spectrum-scale-file-audit.conf. This CCR file contains the file audit logging configuration for all devices in the local cluster that is being audited.