CONTAP-352417：修复 CONTAP-82775（Burt 1524672）后检测到 EMS 报告每日 auditlog.change.detected

最后更新
另存为PDF

Views:: 5

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: CORE

Last Updated:

问题描述

在 ONTAP 升级到已修复 Bug 1524672（CONTAP-82775）的版本后，集群中只有一个节点在 00:05（当地时间）报告先前旋转的auditlog.change.detected每日事件audit.log.xxx或mpaudit.log..xxx：
Mon Jun 17 00:05:00 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001562" was tampered with. Mon Jun 18 00:05:36 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001563" was tampered with. Mon Jun 19 00:05:44 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001564" was tampered with. ...

5/1/2025 00:05:00 Node-01 ERROR auditlog.change.detected: Audit log file "mpaudit.log.0000000001" was tampered with.
4/30/2025 00:05:00 Node-01 ERROR auditlog.change.detected: Audit log file "mpaudit.log.0000000001" was tampered with.

在 mgwd.log 中，此 audit.log.xxx 文件显示以下错误消息：
00000025.000bea70 01e5bc7a Fri Jul 26 2024 00:05:00 -04:00 [kern_mgwd:info:3205] 0x8318d7b00: 8603e9000000012a: ERR: tables::audit: Audit log signature file /mroot/etc/log/mlog/audit_log_sig/audit.log.0000001562.sig is empty.Hence, Signature verification failed for file: audit.log.0000001562. Line: 1398, Function: verify_hashes ...

事件中提到的 audit.log.xxx 文件的文件大小均超过 350 字节。使用 systemshell 列出目录：
% ls -lh /mroot/etc/log/mlog/audit.log* -rw-r--r-- 2 root wheel 70M Jun 18 10:03 /mroot/etc/log/mlog/audit.log -rw-r--r-- 1 root wheel 76M May 1 14:17 /mroot/etc/log/mlog/audit.log.0000001562 -rw-r--r-- 1 root wheel 72M May 2 14:17 /mroot/etc/log/mlog/audit.log.0000001563 -rw-r--r-- 1 root wheel 72M May 3 14:17 /mroot/etc/log/mlog/audit.log.0000001564