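EMS shows auditlog.change.detected after an ONTAP upgrade to a release with the fix for bug 1524672
Applies to
- ONTAP upgraded to 9.12.1+ with the fix for bug 1524672/CONTEA-
Issue
- After ONTAP is upgraded to a version that has the fix for bug 1524672
- Only one node in the cluster reports a daily auditlog.change.detected event at 00:05 (local time) for previously rotated audit.log.<nnn> files: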
Mon Jun 17 00:05:00 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001562" was tampered with.
Mon Jun 18 00:05:36 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001563" was tampered with.
Mon Jun 19 00:05:44 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001564" was tampered with.
...
- In mgwd.log, the following error message is shown for the audit.log.<nnn> files:
00000025.000bea70 01e5bc7a Fri Jul 26 2024 00:05:00 -04:00 [kern_mgwd:info:3205] 0x8318d7b00: 8603e9000000012a: ERR: tables::audit: Audit log signature file /mroot/etc/log/mlog/audit_log_sig/audit.log.0000001562.sig is empty.Hence, Signature verification failed for file: audit.log.0000001562. Line: 1398, Function: verify_hashes ...
- The audit.log.xxx files mentioned in the events are all larger than 350 bytes. Listing the directory from the systemshell:
% ls -lh /mroot/etc/log/mlog/audit.log*
-rw-r--r-- 2 root wheel 70M Jun 18 10:03 /mroot/etc/log/mlog/audit.log
-rw-r--r-- 1 root wheel 76M May 1 14:17 /mroot/etc/log/mlog/audit.log.0000001562
-rw-r--r-- 1 root wheel 72M May 2 14:17 /mroot/etc/log/mlog/audit.log.0000001563
-rw-r--r-- 1 root wheel 72M May 3 14:17 /mroot/etc/log/mlog/audit.log.0000001564
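
As an added example (not NetApp's code and not part of the original article), the Python script below checks whether a set of auditlog.change.detected events matches the symptom described here: a single reporting node, events at 00:05, and an "Audit log signature file ... is empty" entry in mgwd.log for each flagged file. The function names are hypothetical, and the sample input is the log text quoted on this page.

```python
import re

# Sample input: the three EMS events and the one mgwd.log entry quoted on this
# page (the mgwd.log line is shortened to the part that matters here).
EMS_SAMPLE = '''\
Mon Jun 17 00:05:00 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001562" was tampered with.
Mon Jun 18 00:05:36 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001563" was tampered with.
Mon Jun 19 00:05:44 +0900 [Node-01: mgwd: auditlog.change.detected:error]: Audit log file "audit.log.0000001564" was tampered with.
'''
MGWD_SAMPLE = (
    "[kern_mgwd:info:3205] ERR: tables::audit: Audit log signature file "
    "/mroot/etc/log/mlog/audit_log_sig/audit.log.0000001562.sig is empty."
    "Hence, Signature verification failed for file: audit.log.0000001562.\n"
)

# hour, minute, node name, flagged file
EMS_RE = re.compile(
    r'(\d{2}):(\d{2}):\d{2} \S+ \[([^:\]]+): mgwd: '
    r'auditlog\.change\.detected:error\]: Audit log file "(audit\.log\.\d+)"')
# file whose .sig is reported empty
SIG_RE = re.compile(r'Audit log signature file \S+/(audit\.log\.\d+)\.sig is empty')


def parse_ems(text):
    """Return (node, 'HH:MM', filename) for every tamper event in EMS text."""
    return [(m.group(3), f"{m.group(1)}:{m.group(2)}", m.group(4))
            for m in EMS_RE.finditer(text)]


def empty_sig_files(text):
    """Return the audit log names whose signature file mgwd.log reports as empty."""
    return {m.group(1) for m in SIG_RE.finditer(text)}


def triage(ems_text, mgwd_text):
    """Compare EMS tamper events against the symptom pattern on this page."""
    events = parse_ems(ems_text)
    empty = empty_sig_files(mgwd_text)
    return {
        "single_node": len({node for node, _, _ in events}) == 1,
        "all_at_0005": bool(events) and all(t == "00:05" for _, t, _ in events),
        "matched": sorted(f for _, _, f in events if f in empty),
        "unmatched": sorted(f for _, _, f in events if f not in empty),
    }


if __name__ == "__main__":
    print(triage(EMS_SAMPLE, MGWD_SAMPLE))
```

Files listed under `unmatched` have no empty-signature entry in the supplied mgwd.log text and so do not fit this symptom; with the sample above that is only because the page quotes a single mgwd.log line.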