mmaudit command

Manages setting and viewing the file audit logging configuration in IBM Spectrum Scale™.

Synopsis

mmaudit Device enable [--log-fileset FilesetName [--log-fileset-device Device]] 
                      [--retention Days] [--events {Event1[,Event2...] | ALL}] [--degraded] [-q]

or

mmaudit Device disable [-q]

or

mmaudit Device update --events {Event1[,Event2...] | ALL} [-q]

or

mmaudit Device list [--events] [-Y]

or

mmaudit all list [--events] [-Y]

or

mmaudit all consumerStart -N {NodeName[,NodeName...] | NodeFile | NodeClass} [-q]

or

mmaudit all consumerStop -N {NodeName[,NodeName...] | NodeFile | NodeClass} [-q]

or

mmaudit all consumerStatus -N {NodeName[,NodeName...] | NodeFile | NodeClass} [-q] [-Y]

or

mmaudit all upgradePolicies

Availability

Available with IBM Spectrum Scale Advanced Edition or IBM Spectrum Scale Data Management Edition. Available on Linux x86 and Linux PPC LE.

Description

Enables, disables, and lists configuration data for file audit logging in a specified file system. Lists all file audit logging enabled file systems in the cluster. Manages file audit logging consumer daemons. Command messages are written to the /var/adm/ras/mmaudit.log file. The audit records are stored in the audit log fileset in a /Device/.audit_log/audit_topic/Year/Month/Day directory structure. The audit log files are named auditLogFile_hostname_date_time. The audit log files are rotated, compressed, and a retention date is set.
Note: When file audit logging is being enabled on a file system, an IAM mode noncompliant fileset is created. With this type of fileset, the retention of the audit logging files is implemented by setting an expiration date for the individual files containing the audit records. These files cannot be removed until the expiration date is met. However, the root user can change the expiration date if space must be freed up within the fileset. In addition, commands such as mmrestorefs will fail when restoring to a snapshot that would require removal of currently immutable (non-expired) files.

Parameters

Device
Specifies the device name of the file system upon which the audit log configuration change or listing is to occur.
all
Specifies that the command is executed against all devices configured for file audit logging. Currently, the only supported sub-commands are list, consumerStart, consumerStop, consumerStatus, and upgradePolicies.
enable
Enables file audit logging for the given device. Enablement entails setting up configuration and starting the consumer processes.

The --log-fileset FilesetName option specifies the fileset name where the audit log records for the file system will be held. The default is .audit_log.

The --log-fileset-device Device option specifies the device where the fileset is located. The default is the device being enabled. When specifying the --log-fileset-device option, you must also specify the --log-fileset FilesetName option. The --log-fileset-device option allows the audit log fileset to be located in a different file system than that being audited for file audit logging. The audit log fileset has all auditing events blocked so that the creation and update of the audit logs themselves do not generate their own audit events.

The --retention Days option specifies the number of days to set the expiration date on all audit log record files when they are created. The default is 365 days.

The --events option specifies the list of events that will be audited. The default is ALL.

The --degraded option allows file audit logging to be enabled without as many default performance enhancements. The --degraded option reduces the amount of local disk space that is required per broker node per file system enabled for file audit logging. The --degraded option should only be used when performance degradation is not a problem, or if there is very limited local disk drive space on the broker nodes.

disable
Disables file audit logging for the given device. Disablement stops the consumer processes and removes message queue configuration that is specific to the device. Existing file audit records are changed to immutable and the retention period remains.
update
Updates the list of events that will be audited. The new event list will replace the existing set of events.
list --events [-Y]
Displays the file audit logging configuration information for the given device. The all option displays the file audit logging configuration information for all devices enabled for file audit logging. The --events option displays the device minor number, audit generation number, and a list of events that are being audited. The -Y option provides output in machine-readable (colon-delimited) format.
consumerStart -N {NodeName[,NodeName...] |NodeFile | NodeClass}
Starts the consumer processes on all consumer nodes within the comma-separated list of nodes for all file systems with file audit logging enabled. The -N option supports a comma-separated list of nodes, a full path name to a file containing node names, or a predefined node class. This should only be performed if the consumer processes were stopped with the consumerStop option. This is not the way to start file audit logging.
consumerStop -N {NodeName[,NodeName...] |NodeFile | NodeClass}
Stops the consumer processes on all consumer nodes within the comma-separated list of nodes for all file systems with file audit logging enabled. The -N option supports a comma-separated list of nodes, a full path name to a file containing node names, or a predefined node class. This should only be performed during node shutdown or upgrade. This is not the way to stop file audit logging.
consumerStatus -N {NodeName[,NodeName...] |NodeFile | NodeClass} [-Y]
Provides the status for the consumer processes on all consumer nodes within the comma-separated list of nodes for all file systems with file audit logging enabled. The -N option supports a comma-separated list of nodes, a full path name to a file containing node names, or a predefined node class. The -Y option provides output in machine-readable (colon-delimited) format.
upgradePolicies
Updates IBM Spectrum Scale policies that are associated with file audit logging enabled file systems to allow remotely mounted file systems to generate file audit logging events.
-q
Suppresses all [I] informational messages.

Exit status

0
Successful completion.
nonzero
A failure has occurred. Errors are written to /var/adm/ras/mmaudit.log and /var/log/messages.

Security

You must have root authority to run the mmaudit command.

The node on which the command is issued must be able to execute remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages.

Examples

  1. To enable a file system with the default settings, issue this command:
    # mmaudit fs1 enable
    [I] Successfully created File Audit Logging consumer node class kafkaAuditConsumerServers
    [I] Verifying MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs1.
        Depending on cluster size, this may take some time.
    [I] Successfully verified all configured MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs1
    [I] Successfully updated File Audit Logging configuration for device: fs1
    [I] Successfully created File Audit Logging topic on the MsgQueue for device: fs1
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log 
        with link point /gpfs/fs1/.audit_log
    [I] Successfully enabled File Audit Logging consumer group to audit device: fs1
    [I] Successfully created File Audit Logging policy partition(s) to audit device: fs1
    [I] Successfully created File Audit Logging consumer callbacks
    [I] Successfully enabled File Audit Logging for device: fs1
  2. To enable a file system for a specific set of events, issue this command:
    # mmaudit fs3 enable --events OPEN,CLOSE
    [I] Verifying MsgQueue nodes meet minimum local space requirements for File Audit Logging to be enabled for device: fs3.
        Depending on cluster size, this may take some time.
    [I] Successfully verified all configured MsgQueue nodes meet minimum local space requirements for File Audit Logging to be 
        enabled for device: fs3
    [I] Successfully updated File Audit Logging configuration for device: fs3
    [I] Successfully created File Audit Logging topic on the MsgQueue for device: fs3
    [I] Successfully enabled ACL access to the topic for producers and consumers for device: fs3
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log with link point /fs3/.audit_log
    [I] Successfully enabled File Audit Logging consumer group to audit device: fs3
    [I] Successfully created File Audit Logging policy partition(s) to audit device: fs3
    [I] Successfully enabled File Audit Logging for device: fs3
  3. To enable a file system with a different fileset name and the file audit logging device residing on another file system, issue this command:
    # mmaudit fs0 enable --log-fileset john1 --log-fileset-device fs1
    [I] Successfully created File Audit Logging consumer node class kafkaAuditConsumerServers
    [I] Verifying MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs0.
        Depending on cluster size, this may take some time.
    [I] Successfully verified all configured MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs0
    [I] Successfully updated File Audit Logging configuration for device: fs0
    [I] Successfully created File Audit Logging topic on the MsgQueue for device: fs0
    [I] Successfully created/linked File Audit Logging audit fileset john1 with link point /gpfs/fs1/john1
    [I] Successfully enabled File Audit Logging consumer group to audit device: fs0
    [I] Successfully created File Audit Logging policy partition(s) to audit device: fs0
    [I] Successfully created File Audit Logging consumer callbacks
    [I] Successfully enabled File Audit Logging for device: fs0
  4. To enable a file system with a different retention period, issue this command:
    # mmaudit fs1 enable --retention 90
    [I] Verifying MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs1.
        Depending on cluster size, this may take some time.
    [I] Successfully verified all configured MsgQueue nodes meet minimum local space requirements 
        for File Audit Logging to be enabled for device: fs1
    [I] Successfully updated File Audit Logging configuration for device: fs1
    [I] Successfully created File Audit Logging topic on the MsgQueue for device: fs1
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log 
        with link point /gpfs/fs1/.audit_log
    [I] Successfully enabled File Audit Logging consumer group to audit device: fs1
    [I] Successfully created File Audit Logging policy partition(s) to audit device: fs1
    [I] Successfully enabled File Audit Logging for device: fs1
  5. To disable a file system that was previously enabled, issue this command:
    # mmaudit fs1 disable
    [I] Successfully deleted File Audit Logging policy partition(s) for device: fs1
    [I] Successfully disabled File Audit Logging consumer group for device: fs1
    [I] Successfully deleted File Audit Logging topic from the MsgQueue for device: fs1
    [I] Successfully updated File Audit Logging configuration for device: fs1
    [I] Successfully removed File Audit Logging consumer callbacks
    [I] Successfully removed File Audit Logging consumer node class kafkaAuditConsumerServers
    [I] Successfully disabled File Audit Logging for device: fs1
  6. To update the list of events that are being audited for a specific file system to all available events, issue this command:
    # mmaudit fs3 update --events ALL
    [I] Successfully updated the File Audit Logging policies for device fs3
  7. To see which file systems are currently configured for file audit logging, issue this command:
    # mmaudit all list
    Audit     Cluster                   Fileset   Fileset             Retention 
    Device    ID                        Device    Name                (Days)    
    -----------------------------------------------------------------------------------------
    demo      6372129557625143312       newfs     sinkfileset         365        
    jon       6372129557625143312       jon       auditfset           90 
  8. To see which events are currently enabled for a file system, issue this command:
    # mmaudit fs3 list --events
    
    Audit       Device    Audit     Event    
    Device      Minor     Gen       Types    
    -----------------------------------------------------------------------------------------
    fs3         152       7         CLOSE,OPEN
  9. To check the status of all file audit logging consumer processes on a specific node, issue this command:
    # mmaudit all consumerStatus -N c6f2bc3n10
    Dev Name    Cluster ID                Num Nodes  Node Name     Is Consumer?  Status    
    demo        6372129557625143312       1          hs22n55       yes           AUDIT_CONS_OK
    polRegress  6372129557625143312       1          hs22n55       yes           AUDIT_CONS_OK 
  10. To stop all file audit logging consumer processes on a specific node, issue this command:
    # mmaudit all consumerStop -N c6f2bc3n10
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: fs1 successfully stopped.
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: demo successfully stopped.
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: jon successfully stopped.
  11. To start all file audit logging consumer processes on a specific node, issue this command:
    # mmaudit all consumerStart -N c6f2bc3n10
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: fs1 successfully started.
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: demo successfully started.
    [I] Node: c6f2bc3n10 is a consumer node, and consumer for device: jon successfully started.
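
The list and consumerStatus output shown in examples 7 and 9 can be checked from a script, for instance to flag file systems whose audit log retention is below a site minimum or whose consumer is not reporting AUDIT_CONS_OK. The following is an added example, not part of the IBM documentation: the function names, the 180-day minimum, and the assumption that the column layout matches the sample output above are all illustrative.

```shell
#!/bin/sh
# Added example: checks over mmaudit's human-readable output. Assumption: the
# column layout matches the sample output on this page.

# Constructed sample input, copied from the example output above.
SAMPLE_LIST='Audit     Cluster                   Fileset   Fileset             Retention
Device    ID                        Device    Name                (Days)
-----------------------------------------------------------------------------------------
demo      6372129557625143312       newfs     sinkfileset         365
jon       6372129557625143312       jon       auditfset           90'

SAMPLE_STATUS='Dev Name    Cluster ID                Num Nodes  Node Name     Is Consumer?  Status
demo        6372129557625143312       1          hs22n55       yes           AUDIT_CONS_OK
polRegress  6372129557625143312       1          hs22n55       yes           AUDIT_CONS_OK'

# check_retention MIN_DAYS (hypothetical helper): reads "mmaudit all list"
# output on stdin, prints each device whose retention is below MIN_DAYS,
# and returns 1 if any was found.
check_retention() {
    awk -v min="$1" '
        # Data rows: five fields, numeric cluster ID and numeric retention.
        NF == 5 && $2 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ && $5 + 0 < min + 0 {
            printf "LOW_RETENTION %s %s\n", $1, $5; bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# check_consumers (hypothetical helper): reads "mmaudit all consumerStatus"
# output on stdin, prints each consumer row whose status is not AUDIT_CONS_OK,
# and returns 1 if any was found.
check_consumers() {
    awk '
        # Data rows: six fields, numeric cluster ID, "yes" in the consumer column.
        NF == 6 && $2 ~ /^[0-9]+$/ && $5 == "yes" && $6 != "AUDIT_CONS_OK" {
            printf "CONSUMER_NOT_OK %s %s %s\n", $1, $4, $6; bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Run against the samples; 180 days is an assumed site policy minimum.
# Live use: mmaudit all list | check_retention 180
printf '%s\n' "$SAMPLE_LIST" | check_retention 180 || echo "retention below policy"
printf '%s\n' "$SAMPLE_STATUS" | check_consumers && echo "all consumers OK"
```

Both functions return nonzero when they find a problem, so they can gate a cron job or monitoring probe run as root on a cluster node.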

Location

/usr/lpp/mmfs/bin