Date: Fri, 27 Jun 2008 16:46:11 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Richard Hollenbeck" <rhollenbeck@css.glasshouse.com>
Cc: "'May Ma'" <may.ma@onstor.com>, "'Bob Mortensen (Glasshouse)'"
 <bob.mortensen@onstor.com>, "'Shin Irie'" <shin.irie@onstor.com>, "'Dennis
 Arellano'" <dennis.arellano@onstor.com>, "'dl-cstech'"
 <dl-cstech@onstor.com>
Subject: Re: Clarification needed on Audit Log
Organization: Onstor

The audit log always goes to a volume.  It only goes to /tmp (which is
on the CF card) for a brief moment as an invisible (most of the time)
intermediate step in the implementation of sending it to the volume.


On Fri, 27 Jun 2008 19:31:58 -0400 "Richard Hollenbeck"
<rhollenbeck@css.glasshouse.com> wrote:

> Can I jump in here and ask a quick question regarding May's answer?
> There seems to be one sticky point still. If you send these logs to a
> volume that has autogrow setup (audit set filesize VOLNAME FILESIZE),
> why is there a need for audit export? Is this a relic that shouldn't
> even be there anymore? In the 3.1 SAG, it specifically says to do an
> "audit set filesize VOLNAME FILESIZE" which infers that you can send
> the logs to whatever volume you want to, presumably bypassing /tmp.
> If /tmp is used for processing or whatever and then the logs are sent
> to another volume then audit export is a relic, correct?
>  
> Richard B. Hollenbeck | Systems Support Engineer
> Main: 800-328-7739 | Office: 919 767-5811
>  
>   _____  
> 
> From: May Ma [mailto:may.ma@onstor.com] 
> Sent: Friday, June 27, 2008 6:24 PM
> To: Bob Mortensen (Glasshouse); Shin Irie; Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
>  
> Hi Bob,
>  
> If you use "audit export" with options [-m MINUTE] [-h HOUR] [-d
> DATE] [-M MONTH] [-D DAY], then export will occur at the specified
> time automatically. In EverON 3.2 or earlier, we use the /tmp directory
> on the flash to temporarily store the log before it is written to the
> volume. The user does not need to issue a command for this. It's been
> done as part of audit export.
> May.
>  
>   _____  
> 
> From: Bob Mortensen (Glasshouse) 
> Sent: Friday, June 27, 2008 1:55 PM
> To: Shin Irie; Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
>  
> Irie-san:
>  
> Sorry, I got caught up in another issue last night and didn't have
> time to take action on this.
>  
> There appears to be an inconsistency between what you are saying and
> what is in the System Administrator's Guide documentation.
> Specifically, you talk about the audit logs being saved in the /tmp
> directory and then exporting them at some intervals as estimated by
> the user. This sounds like a manual function, where they would have
> to issue the "audit export" command at the CLI.
>  
> But the text in the SAG implies that this is done automatically: 
>  
> "If the file size is 0 and the file is not circular, it will continue
> to grow until it reaches the maximum disk space minus the amount of
> user data. At this point, the file will no longer accept new audit
> log entries. However, if you have configured AutoGrow on the volume,
> prior to the file reaching the truncation point, the NAS Gateway can
> automatically add more disk space."
>  
> It is my understanding that the /tmp directory is on the FLASH card.
> If this is correct, then I don't believe that the /tmp directory
> contains user data and I don't think that AutoGrow applies to it. So
> the text in the SAG seems to say that the audit records are being
> saved to a storage volume rather than in the /tmp directory. I can
> understand that they may be stored temporarily in the /tmp directory,
> but the real question is whether they are moved to a storage volume
> automatically or if the user needs to issue a command to do this. 
>  
> Given that SGI is trying to automate the process of analyzing the
> logs, I doubt that they will like the idea of periodically issuing
> the "audit export" command. So I really hope that what the SAG says
> is correct and that the logs can be exported automatically.
>  
> Best regards,
> Bob Mortensen
>  
>  
>   _____  
> 
> From: Shin Irie [mailto:shin.irie@onstor.com] 
> Sent: Thursday, June 26, 2008 6:47 PM
> To: Bob Mortensen (Glasshouse); Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
>  
> Bob,
>  
> For the customer case, you need to do it in a different way.  From the
> case notes, I don't think he wants to know about this description in
> SAG.  What he wants to achieve is to save audit records so he can use
> them with the audit log analyzer. He doesn't want to lose a single
> record, I think.  Looks like he tried various things like setting the
> audit file size very large, and got stuck.  We need to tell him the
> right way.
> EverON 3.2 or earlier uses the /tmp directory on the flash card as a
> temporary storage to export records.  /tmp has about 19 MB capacity,
> so the audit log file should be less than 15 MB considering that
> other daemons may use /tmp as well.  It should be set to the circular
> mode so the audit file doesn't grow.
>  
> Then, he needs to estimate how often he needs to export the audit
> records with this 15 MB capacity.  It depends on events he wants to
> track, number of I/O from the clients, etc.
>  
> Does this make sense? If this doesn't work as expected, file a defect.
>  
> I think we will not use /tmp for audit export after Cougar
> (TED00023629), but do not tell this at this moment, because Cougar is
> not out yet. --
> Irie
>  
>  
>  
>   _____  
> 
> From: Bob Mortensen (Glasshouse) 
> Sent: Friday, June 27, 2008 9:52 AM
> To: Shin Irie; Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> Irie-san:
>  
> Did you get any more feedback on this subject? SGI is still waiting
> for an answer.
>  
> Is there someone specific that we can ask the question of? Asking
> "anyone in Engineering" is not likely to produce results.
>  
> Best regards,
> Bob Mortensen
>  
>  
>   _____  
> 
> From: Shin Irie [mailto:shin.irie@onstor.com] 
> Sent: Tuesday, June 24, 2008 12:19 AM
> To: Dennis Arellano; Bob Mortensen (Glasshouse); dl-cstech
> Subject: RE: Clarification needed on Audit Log 
>  
> I looked around the intranet, but could not find what the expected
> behavior is when the audit file size is set to zero (i.e. unlimited)
> and the circular is set to yes, that is:
>  
> cslab1 IRIE diag> audit show config volirie
> Audit Configuration
> -------------------
> Version: 1
> Enabled: no
> Circular file: yes    <============ here, and...
> Fail request on audit failure: no
> Max file size: 0      <============ here
> Current file size: 312
> Access okay privileges:
> Access denied privileges:
>  
> Can anyone in Engineering take a look at the code?  We need to clearly
> describe our behavior so that customers understand what will happen
> with the above settings.
>  
>  
> --
> Irie
>  
>  
>  
>   _____  
> 
> From: Shin Irie 
> Sent: Tuesday, June 24, 2008 1:03 PM
> To: Dennis Arellano; Bob Mortensen (Glasshouse); dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> Bob,
>  
> The Max file size in audit show config should be in bytes. I specified
> 100000 in audit set filesize command, the Max file size was shown as
> 102400000. See below.
>  
> cslab1 IRIE diag> audit set filesize volirie
>   FILESIZE  File size in 1024-byte blocks
>  
> cslab1 IRIE diag> audit set filesize volirie 100000
>  
> cslab1 IRIE diag> audit show config volirie
> Audit Configuration
> -------------------
> Version: 1
> Enabled: no
> Circular file: no
> Fail request on audit failure: no
> Max file size: 102400000
> Current file size: 312
> Access okay privileges:
> Access denied privileges:
> --
> Irie
>  
>  
>   _____  
> 
> From: Dennis Arellano 
> Sent: Tuesday, June 24, 2008 10:40 AM
> To: Bob Mortensen (Glasshouse); dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> When an answer is given, I would appreciate someone filing a
> documentation defect against the SAG to correct any ambiguous wording.
>  
> Thanks, Dennis
>  
>   _____  
> 
> From: Bob Mortensen (Glasshouse) 
> Sent: Monday, June 23, 2008 5:48 PM
> To: dl-cstech
> Subject: Clarification needed on Audit Log 
>  
> Hi:
>  
> Some questions have been raised by SGI Japan (Koichi Inaoka) about
> the Audit function. I have tried to answer his questions by
> referencing the System Administrator's Guide (SAG) but some of the
> text there is unclear and he keeps coming up with more questions.
>  
> The full conversation can be found in the case notes of case 8472,
> but I will summarize below. There are also some files in the Data
> Warehouse. 
> The initial complaint was that new records in the audit log were
> overwriting older ones. They had deliberately set the Maximum File
> Size to a large number (1024000000) to avoid this, but they were
> still overwriting older records. I quoted them some text from the SAG
> (see below) and recommended that they change the Maximum File Size to
> 0. This seems to be working better for them, but they are questioning
> some of the wording. 
> The following is an excerpt from the SAG:
>  
> The default size of the file is 0 for unlimited space. The file
> behaves differently depending on whether the file is configured as a
> circular file:
> *	If the file size is 0 and the file is circular, the file
> will not wrap. 
> *	If the file size is 0 and the file is not circular, it will
> continue to grow until it reaches the maximum disk space minus the
> amount of user data. At this point, the file will no longer accept
> new audit log entries. However, if you have configured AutoGrow on
> the volume, prior to the file reaching the truncation point, the NAS
> Gateway can automatically add more disk space. 
>  
> The confusing part seems to be "If the file size is 0 and the file is
> circular, the file will not wrap." 
>  
> If it doesn't wrap, what happens when the volume is full? 
> *	If it stops accepting new entries, how is this different
> from the case when circular is not enabled? 
> *	If it doesn't stop accepting new entries, where can it put
> them except to overwrite old entries, which is wrapping? 
>  
> The text says that if the file is not circular and you reach the disk
> space limit, AutoGrow can automatically add more disk space. Does
> AutoGrow also apply when the file is circular?
>  
> Additionally, there is a question about the size they had originally
> set. In the SGA it is shown as 1024000000 but it's not clear what
> this means. The SAG says that the value is entered at the CLI in KB,
> so is this number the same as what would be entered (1024000000 KB),
> or does it mean 1024000000 bytes?
>  
> Best regards,
> Bob Mortensen
>  
>  
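
An added example, not part of the original thread and not Onstor code: a small parser for the `audit show config` output quoted above that converts the displayed byte value back into the 1024-byte blocks `audit set filesize` expects and flags the settings the thread questions. The function names and finding texts are hypothetical, and reading "Enabled: no" as "auditing is off for the volume" is an assumption.

```python
import re

# Constructed sample, copied from the CLI output quoted in the thread.
SAMPLE = """\
Audit Configuration
-------------------
Version: 1
Enabled: no
Circular file: yes    <============ here, and...
Fail request on audit failure: no
Max file size: 0      <============ here
Current file size: 312
Access okay privileges:
Access denied privileges:
"""

BLOCK = 1024  # CLI help in the thread: "File size in 1024-byte blocks"


def parse_audit_config(text):
    """Turn 'Key: value' lines into a dict (yes/no -> bool, digits -> int)."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("<=")[0]  # drop the "<==== here" annotations
        m = re.match(r"^\s*([^:]+):\s*(.*?)\s*$", line)
        if not m:
            continue  # title line and dashed rule carry no setting
        key, val = m.group(1).strip(), m.group(2)
        if val in ("yes", "no"):
            cfg[key] = val == "yes"
        elif val.isdigit():
            cfg[key] = int(val)
        else:
            cfg[key] = val
    return cfg


def review(cfg):
    """Return (max size in CLI blocks, list of findings to follow up)."""
    findings = []
    max_bytes = cfg.get("Max file size", 0)
    if not cfg.get("Enabled", False):
        findings.append("auditing shows as not enabled")  # assumption, see lead-in
    if max_bytes == 0 and cfg.get("Circular file"):
        findings.append("size 0 with circular=yes: behaviour unclear per the thread")
    if max_bytes % BLOCK:
        findings.append("max size is not a whole number of 1024-byte blocks")
    return max_bytes // BLOCK, findings
```

Applied to the value from the original complaint, a displayed 1024000000 corresponds to 1000000 entered at the CLI.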
