Configuration of audit syslog forwarding
To configure the audit syslog forwarding, use the following steps:
1. Run the following command:
isi audit settings global modify --config-syslog-enabled=true
2. Run the following command to back up the /etc/mcp/templates/syslog.conf file:
cp /etc/mcp/templates/syslog.conf /etc/mcp/templates/syslog.conf.bku1
3. Open the /etc/mcp/templates/syslog.conf file in a text editor. Add a line to identify which syslog events to forward. Add the line between the cevents.* line and the # ARRAY_MACHINES line. The line you add should be in the following format:
<list of events to forward> @<hostname/IP address>
The following line is an example. The syslog events that are listed here are the default events that you would get if you used Method 1 above. You can add additional filter options.
*.warn;*.notice;kern.*;ifs.info;istat.none @172.16.0.1
Note: A filter of *.* will generate a lot of traffic.
An example of the syslog.conf file showing where to add the line is as follows:
...
ifsidi.* /var/log/idi.log
ifssnap.* /var/log/isi_snapshot_d.log
ifssstore.* /var/log/isi_sstore.log
cevents.* /var/log/isi_celog_events.log
*.warn;*.notice;kern.*;ifs.info;istat.none @172.16.0.1
# ARRAY_MACHINES
security.* /var/log/security
mail.info /var/log/maillog
...
4. To enable remote syslog for configuration or protocol auditing, find the following sections of the /etc/mcp/templates/syslog.conf file:
!audit_config
*.* /var/log/audit_config.log
!audit_protocol
*.* /var/log/audit_protocol.log
5. Add a line for remote syslog servers so that the resulting sections of the file will now look similar to the following. In this example, the IP address we are forwarding to is 172.16.0.1. You need to substitute your remote server IP address.
!audit_config
*.* /var/log/audit_config.log
*.* @172.16.0.1
!audit_protocol
*.* /var/log/audit_protocol.log
*.* @172.16.0.1
In OneFS 8.2.0, there are new PAPI and CLI commands for configuring remote syslog servers:
Save the file and exit the text editor. MCP will push out your changes from the template file into /etc/syslog.conf a short time later.
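As an added example (not part of the Dell documentation), the following POSIX shell function checks that a syslog.conf template contains the three forwarding lines described in steps 3 to 5. The names check_forwarding and sample_template and the sample content are constructed for illustration, and the script assumes a POSIX sh with awk and mktemp available.

```shell
#!/bin/sh
# Added example (not Dell code): check that the forwarding lines from
# steps 3-5 are present in a syslog.conf template.
# usage: check_forwarding <template-file> <remote-host-or-ip>
# Prints one line per check; returns 0 only when all three are found.
check_forwarding() {
    awk -v dest="@$2" '
    function report(ok, what) {
        printf "%s: %s\n", (ok ? "OK" : "MISSING"), what
        return ok ? 0 : 1
    }
    /^# ARRAY_MACHINES/    { arr = NR; next }              # end marker (step 3)
    /^[ \t]*#/ || NF == 0  { next }                        # comments, blanks
    /^!/                   { prog = substr($1, 2); next }  # program block
    $1 == "cevents.*"      { cev = NR; next }              # start marker (step 3)
    $2 == dest {
        if (prog == "audit_config" || prog == "audit_protocol") {
            if ($1 == "*.*") seen[prog] = 1
        } else if (cev && !arr) {
            general = 1
        }
    }
    END {
        bad  = report(general, "event filter line between cevents.* and # ARRAY_MACHINES")
        bad += report(seen["audit_config"], "*.* " dest " under !audit_config")
        bad += report(seen["audit_protocol"], "*.* " dest " under !audit_protocol")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample modeled on the excerpts above (not a real cluster file).
sample_template() {
    cat <<'EOF'
cevents.* /var/log/isi_celog_events.log
*.warn;*.notice;kern.*;ifs.info;istat.none @172.16.0.1
# ARRAY_MACHINES
security.* /var/log/security
!audit_config
*.* /var/log/audit_config.log
*.* @172.16.0.1
!audit_protocol
*.* /var/log/audit_protocol.log
EOF
}

tmp=$(mktemp) && sample_template > "$tmp"
check_forwarding "$tmp" 172.16.0.1 || echo "template is missing forwarding lines"
rm -f "$tmp"
```

The constructed sample deliberately omits the forward line under !audit_protocol, so the last check reports MISSING. The same function can be pointed at /etc/mcp/templates/syslog.conf after saving, and at /etc/syslog.conf once MCP has pushed the change.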
For more details on how to configure audit syslog forwarding on PowerScale, refer to the OneFS: How to configure remote logging from a cluster to a remote server (syslog forwarding) article.