mmaudit command

Manages setting and viewing the file audit logging configuration in IBM Spectrum Scale.

Synopsis

mmaudit Device enable [--log-fileset FilesetName ] 
                      [--retention Days] [--events {Event1[,Event2...] | ALL}]  
                      [--degraded] [-q]

or

mmaudit Device disable [-q]

or

mmaudit Device update --events {Event1[,Event2...] | ALL} [-q]

or

mmaudit Device list [--events] [-Y]

or

mmaudit all list [--events] [-Y]

or

mmaudit all consumerStart -N {NodeName[,NodeName...] | NodeFile | NodeClass} [-q]

or

mmaudit all consumerStop -N {NodeName[,NodeName...] | NodeFile | NodeClass} [-q]

or

mmaudit all consumerStatus -N {NodeName[,NodeName...] | NodeFile | NodeClass} [-q] [-Y]

or

mmaudit all upgradePolicies

Availability

Available with IBM Spectrum Scale Advanced Edition, IBM Spectrum Scale Data Management Edition, IBM Spectrum Scale Developer Edition, or IBM Spectrum Scale Erasure Code Edition. Available on Linux x86 and Linux PPC LE.

Description

Enables, disables, and lists configuration data for file audit logging in a specified file system. Lists all file audit logging enabled file systems in the cluster. Manages file audit logging consumer daemons. Command messages are written to the /var/adm/ras/mmaudit.log file. The audit records are stored in the audit log fileset in a /Device/.audit_log/audit_topic/Year/Month/Day directory structure. The audit log files are named auditLogFile_hostname_date_time. The audit log files are rotated and compressed, and a retention date is set on them.
Note: When file audit logging is being enabled on a file system, an IAM mode noncompliant fileset is created. With this type of fileset, the retention of the audit logging files is implemented by setting an expiration date for the individual files containing the audit records. These files cannot be removed until the expiration date is met. However, the root user can change the expiration date if space must be freed up within the fileset. In addition, commands such as mmrestorefs will fail when restoring to a snapshot that would require removal of currently immutable (non-expired) files.

Parameters

Device
Specifies the device name of the file system upon which the audit log configuration change or listing is to occur.
all
Specifies that the command is executed against all devices configured for file audit logging. Currently, the only supported sub-commands are list, consumerStart, consumerStop, consumerStatus, and upgradePolicies.
enable
Enables file audit logging for the given device. Enablement entails setting up configuration and starting the consumer processes.

The --log-fileset FilesetName option specifies the fileset name where the audit log records for the file system will be held. The default is .audit_log.

The --retention Days option specifies the number of days to set the expiration date on all audit log record files when they are created. The default is 365 days.

The --events option specifies the list of events that will be audited. The default is ALL.

The --degraded option allows file audit logging to be enabled without as many default performance enhancements. The --degraded option reduces the amount of local disk space that is required per broker node per file system enabled for file audit logging. The --degraded option should only be used when performance degradation is not a problem, or if there is very limited local disk drive space on the broker nodes.

disable
Disables file audit logging for the given device. Disablement stops the consumer processes and removes message queue configuration that is specific to the device. Existing file audit records are changed to immutable and the retention period remains.
update
Updates the list of events that will be audited. The new event list will replace the existing set of events.
list [--events] [-Y]
Displays the file audit logging configuration information for the given device. The all option displays the file audit logging configuration information for all devices enabled for file audit logging. The --events option displays the device minor number, audit generation number, and a list of events that are being audited. The -Y option provides output in machine-readable (colon-delimited) format.
consumerStart -N {NodeName[,NodeName...] | NodeFile | NodeClass}
Starts the consumer processes on all consumer nodes within the comma-separated list of nodes for all file systems with file audit logging enabled. The -N option supports a comma-separated list of nodes, a full path name to a file containing node names, or a predefined node class. This should only be performed if the consumer processes were stopped with the consumerStop option. This is not the way to start file audit logging.
consumerStop -N {NodeName[,NodeName...] | NodeFile | NodeClass}
Stops the consumer processes on all consumer nodes within the comma-separated list of nodes for all file systems with file audit logging enabled. The -N option supports a comma-separated list of nodes, a full path name to a file containing node names, or a predefined node class. This should only be performed during node shutdown or upgrade. This is not the way to stop file audit logging.
consumerStatus -N {NodeName[,NodeName...] | NodeFile | NodeClass} [-Y]
Provides the status for the consumer processes on all consumer nodes within the comma-separated list of nodes for all file systems with file audit logging enabled. The -N option supports a comma-separated list of nodes, a full path name to a file containing node names, or a predefined node class. The -Y option provides output in machine-readable (colon-delimited) format.
upgradePolicies
Updates IBM Spectrum Scale policies that are associated with file audit logging enabled file systems to allow remotely mounted file systems to generate file audit logging events.
-q
Suppresses all [I] informational messages.

Exit status

0
Successful completion.
nonzero
A failure has occurred. Errors are written to /var/adm/ras/mmaudit.log and /var/log/messages.

Security

You must have root authority to run the mmaudit command.

The node on which the command is issued must be able to execute remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages.

Examples

  1. To enable a file system with the default settings, issue this command:
    # mmaudit fs1 enable
    [I] Successfully created File Audit Logging consumer node class kafkaAuditConsumerServers
    [I] Verifying MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs1.
        Depending on cluster size, this may take some time.
    [I] Successfully verified all configured MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs1
    [I] Successfully updated File Audit Logging configuration for device: fs1
    [I] Successfully created File Audit Logging topic on the MsgQueue for device: fs1
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log 
        with link point /gpfs/fs1/.audit_log
    [I] Successfully enabled File Audit Logging consumer group to audit device: fs1
    [I] Successfully created File Audit Logging policy partition(s) to audit device: fs1
    [I] Successfully created File Audit Logging consumer callbacks
    [I] Successfully enabled File Audit Logging for device: fs1
    
  2. To enable a file system for a specific set of events, issue this command:
    # mmaudit fs3 enable --events OPEN,CLOSE
    [I] Verifying MsgQueue nodes meet minimum local space requirements for File Audit Logging to be enabled for device: fs3.
        Depending on cluster size, this may take some time.
    [I] Successfully verified all configured MsgQueue nodes meet minimum local space requirements for File Audit Logging to be 
        enabled for device: fs3
    [I] Successfully updated File Audit Logging configuration for device: fs3
    [I] Successfully created File Audit Logging topic on the MsgQueue for device: fs3
    [I] Successfully enabled ACL access to the topic for producers and consumers for device: fs3
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log with link point /fs3/.audit_log
    [I] Successfully enabled File Audit Logging consumer group to audit device: fs3
    [I] Successfully created File Audit Logging policy partition(s) to audit device: fs3
    [I] Successfully enabled File Audit Logging for device: fs3
    
  3. To enable a file system with a different retention period, issue this command:
    # mmaudit fs1 enable --retention 90
    [I] Verifying MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs1.
        Depending on cluster size, this may take some time.
    [I] Successfully verified all configured MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs1
    [I] Successfully updated File Audit Logging configuration for device: fs1
    [I] Successfully created File Audit Logging topic on the MsgQueue for device: fs1
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log 
        with link point /gpfs/fs1/.audit_log
    [I] Successfully enabled File Audit Logging consumer group to audit device: fs1
    [I] Successfully created File Audit Logging policy partition(s) to audit device: fs1
    [I] Successfully enabled File Audit Logging for device: fs1
  4. To disable a file system that was previously enabled, issue this command:
    # mmaudit fs1 disable
    [I] Successfully deleted File Audit Logging policy partition(s) for device: fs1
    [I] Successfully disabled File Audit Logging consumer group for device: fs1
    [I] Successfully deleted File Audit Logging topic from the MsgQueue for device: fs1
    [I] Successfully updated File Audit Logging configuration for device: fs1
    [I] Successfully removed File Audit Logging consumer callbacks
    [I] Successfully removed File Audit Logging consumer node class kafkaAuditConsumerServers
    [I] Successfully disabled File Audit Logging for device: fs1
  5. To update the list of events that are being audited for a specific file system to all available events, issue this command:
    # mmaudit fs3 update --events ALL
    [I] Successfully updated the File Audit Logging policies for device fs3
  6. To see which file systems are currently configured for file audit logging, issue this command:
    # mmaudit all list
    Audit     Cluster                   Fileset   Fileset             Retention 
    Device    ID                        Device    Name                (Days)    
    -----------------------------------------------------------------------------------------
    demo      6372129557625143312       newfs     sinkfileset         365        
    jon       6372129557625143312       jon       auditfset           90 
  7. To see which events are currently enabled for a file system, issue this command:
    # mmaudit fs3 list --events
    
    Audit       Device    Audit     Event    
    Device      Minor     Gen       Types    
    -----------------------------------------------------------------------------------------
    fs3         152       7         CLOSE,OPEN
  8. To check the status of all file audit logging consumer processes on a specific node, issue this command:
    # mmaudit all consumerStatus -N c6f2bc3n10
    Dev Name    Cluster ID                Num Nodes  Node Name     Is Consumer?  Status    
    demo        6372129557625143312       1          hs22n55       yes           AUDIT_CONS_OK
    polRegress  6372129557625143312       1          hs22n55       yes           AUDIT_CONS_OK 
    
  9. To stop all file audit logging consumer processes on a specific node, issue this command:
    # mmaudit all consumerStop -N c6f2bc3n10
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: fs1 successfully stopped.
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: demo successfully stopped.
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: jon successfully stopped.
  10. To start all file audit logging consumer processes on a specific node, issue this command:
    # mmaudit all consumerStart -N c6f2bc3n10
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: fs1 successfully started.
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: demo successfully started.
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: jon successfully started.
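
The following is an added example, not part of the IBM documentation: a POSIX shell monitoring check that parses the human-readable tables shown in examples 6 and 8 and reports file systems whose retention is below a required minimum and consumers whose status is not AUDIT_CONS_OK. The sample rows are constructed from the outputs above, and CONSTRUCTED_NOT_OK is a placeholder rather than a real status value; the -Y layout is not shown on this page, so it is not parsed here.

```sh
#!/bin/sh
# Added example (not IBM code): checks over the table layouts in examples 6 and 8.
# Each function reads command output on stdin, e.g.
#   mmaudit all list | audit_retention_below 180
#   mmaudit all consumerStatus -N <node> | audit_consumers_not_ok

# Print "device days" for each audited file system whose retention period
# (5th column of `mmaudit all list`) is below the minimum given as $1.
# Data rows are recognised by a numeric cluster ID, which skips the headers.
audit_retention_below() {
    awk -v min="$1" '
        NF == 5 && $2 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ && $5 + 0 < min + 0 {
            print $1, $5
        }'
}

# Print "device node status" for each consumer row whose status is not
# AUDIT_CONS_OK. Header and [I] message lines do not match the row shape.
audit_consumers_not_ok() {
    awk 'NF == 6 && $2 ~ /^[0-9]+$/ && $6 != "AUDIT_CONS_OK" { print $1, $4, $6 }'
}

# Constructed sample input, modelled on the output shown in example 6.
sample_list() {
    cat <<'EOF'
Audit     Cluster                   Fileset   Fileset             Retention
Device    ID                        Device    Name                (Days)
-----------------------------------------------------------------------------------------
demo      6372129557625143312       newfs     sinkfileset         365
jon       6372129557625143312       jon       auditfset           90
EOF
}

# Constructed sample input, modelled on example 8. CONSTRUCTED_NOT_OK is a
# placeholder for "any other status", not a value documented on this page.
sample_status() {
    cat <<'EOF'
Dev Name    Cluster ID                Num Nodes  Node Name     Is Consumer?  Status
demo        6372129557625143312       1          hs22n55       yes           AUDIT_CONS_OK
polRegress  6372129557625143312       1          hs22n55       yes           CONSTRUCTED_NOT_OK
EOF
}

# Demo on the constructed samples: each finding is one line of output.
sample_list | audit_retention_below 180
sample_status | audit_consumers_not_ok
```

Empty output from either function means no findings, so a scheduled job can alert whenever the output is non-empty.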

Location

/usr/lpp/mmfs/bin