Forward protocol access events to syslog

You can enable or disable forwarding of audited protocol access events to syslog in each access zone. Forwarding is not enabled by default when protocol access auditing is enabled. This procedure is available only through the command-line interface.

Before you begin

To enable forwarding of protocol access events in an access zone, you must first enable protocol access auditing in the access zone.

About this task

The --audit-success and --audit-failure options define the event types that are audited, and the --syslog-audit-events option defines the event types that are forwarded to syslog. Only the audited event types are eligible for forwarding to syslog. If syslog forwarding is enabled, protocol access events are written to the /var/log/audit_protocol.log file.

Procedure

  1. Open a Secure Shell (SSH) connection to any node in the cluster and log in.
  2. Run the isi audit settings modify command with the --syslog-forwarding-enabled option to enable or disable syslog forwarding of audited events.
    The following command enables forwarding of the audited protocol access events in the zone3 access zone and specifies that the only event types forwarded are close, create, and delete events:
    isi audit settings modify --syslog-forwarding-enabled=yes --syslog-audit-events=close,create,delete --zone=zone3
    The following command disables forwarding of audited protocol access events from the zone3 access zone:
    isi audit settings modify --syslog-forwarding-enabled=no --zone=zone3
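
Because only audited event types are eligible for forwarding, an event type named in --syslog-audit-events but absent from both --audit-success and --audit-failure never reaches syslog. The following pre-flight check is an added example, not part of the product or its documentation; it compares the three lists before you run the command. The function names and sample values are constructed, and it assumes --audit-success and --audit-failure take the same comma-separated format shown above for --syslog-audit-events.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# One event name per line, blanks dropped, duplicates removed.
split_events() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d' | sort -u
}

# $1 = keep|drop, $2 = audit-success, $3 = audit-failure, $4 = syslog events.
# keep: requested types that are audited (eligible for forwarding).
# drop: requested types that are not audited (never reach syslog).
classify_events() {
    audited=$(split_events "$2,$3")
    split_events "$4" | while IFS= read -r ev; do
        hit=drop
        if printf '%s\n' "$audited" | grep -qxF -- "$ev"; then hit=keep; fi
        if [ "$hit" = "$1" ]; then printf '%s\n' "$ev"; fi
    done | paste -sd, -
}

forwarded_events()  { classify_events keep "$1" "$2" "$3"; }
ineligible_events() { classify_events drop "$1" "$2" "$3"; }

# Constructed sample values for one access zone (assumed, not from a real cluster).
AUDIT_SUCCESS='close,create,delete'
AUDIT_FAILURE='create'
SYSLOG_EVENTS='close,create,delete,rename'

missing=$(ineligible_events "$AUDIT_SUCCESS" "$AUDIT_FAILURE" "$SYSLOG_EVENTS")
echo "forwarded: $(forwarded_events "$AUDIT_SUCCESS" "$AUDIT_FAILURE" "$SYSLOG_EVENTS")"
if [ -n "$missing" ]; then
    echo "not audited, so never forwarded: $missing"
fi
```

A non-empty second line means the audited event types must be widened, or the syslog list narrowed, before the forwarded stream matches what the log collector expects.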