Date: Fri, 27 Jun 2008 18:47:49 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Bob Mortensen" <bmortensen@css.glasshouse.com>
Cc: "'May Ma'" <may.ma@onstor.com>, "'Rick Hollenbeck  (Glasshouse)'"
 <rhollenbeck@css.glasshouse.com>, "'Shin Irie'" <shin.irie@onstor.com>,
 "'Dennis Arellano'" <dennis.arellano@onstor.com>, "'dl-cstech'"
 <dl-cstech@onstor.com>
Subject: Re: Clarification needed on Audit Log
Message-ID: <20080627184749.14a8f61f@ripper.onstor.net>
References: <02d001c8d8b0$b47465f0$664f7e0a@cssltbmortensen>
	<BB375AF679D4A34E9CA8DFA650E2B04E06FB2F99@onstor-exch02.onstor.net>
	<02de01c8d8b5$9c6fc530$664f7e0a@cssltbmortensen>
	<20080627173223.5f3eadd4@ripper.onstor.net>
	<02ec01c8d8b7$aacf8280$664f7e0a@cssltbmortensen>
Organization: Onstor
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit


/tmp is not where audit log data is stored as it is generated.

Allow me to re-phrase a bit:

The audit log file and the audit log export file are two different
things.

Audit log data is not accessible until it has been exported to a
regular, user-visible file on the volume's filesystem, where it is just
another user data file.  So if you regularly export the audit log, you
don't have to worry about losing audit log data because the amount of
unexported log data became larger than the size of your audit log
file.  It only goes to /tmp (which is on the CF card) for a brief
moment as an invisible intermediate step in the implementation of the
export process.

Sending the data through /tmp was an unexplainable implementation detail
that caused problems if /tmp didn't have enough free space on it to
hold all the data before then copying it to the user-visible part of
the volume.  Hence some log data could be lost because of that, and so
starting in 3.3/4.0 the code no longer does that.  It never should have
in the first place.

On Fri, 27 Jun 2008 17:41:12 -0700 "Bob Mortensen"
<bmortensen@css.glasshouse.com> wrote:

> Andrew:
> 
> Is that true if the audit export command has not been set to
> periodically export the files? I had been told by Shin Irie that the
> customer must carefully select the export interval to avoid
> overfilling the /tmp directory, which implies that the file might
> collect there for quite a while (he mentioned up to 15 MB size), but
> you say that it's a "brief moment" and the parameters of the audit
> export command allow for intervals of months.
> 
> I was under the impression that if the filesize was set small enough
> and the circular file was enabled, it might circle around in /tmp
> indefinitely.
> 
> I can see that VOLNAME is a parameter for the audit set filesize
> command and also for the audit export command. What happens if you
> use a different VOLNAME for each? Or does one override the other?
> 
> Best regards,
> Bob Mortensen
> 
> 
> -----Original Message-----
> From: Andrew Sharp [mailto:andy.sharp@onstor.com] 
> Sent: Friday, June 27, 2008 5:32 PM
> To: Bob Mortensen
> Cc: 'May Ma'; 'Rick Hollenbeck (Glasshouse)'; 'Shin Irie'; 'Dennis
> Arellano'; 'dl-cstech'
> Subject: Re: Clarification needed on Audit Log
> 
> On Fri, 27 Jun 2008 17:26:29 -0700 "Bob Mortensen"
> <bmortensen@css.glasshouse.com> wrote:
> 
> The audit log always goes to a volume.  It only goes to /tmp (which is
> on the CF card) for a brief moment as an invisible (most of the time)
> intermediate step in the implementation of sending it to the volume.
> 
> > May:
> > 
> >  
> > 
> > Do I understand correctly that the VOLNAME parameter is linked to
> > the audit export command to specify the location of the export, but
> > the files still go first to the /tmp directory before they are
> > exported even if you specify a VOLNAME?
> > 
> >  
> > 
> > Best regards,
> > 
> > Bob Mortensen
> > 
> >  
> > 
> >  
> > 
> >   _____  
> > 
> > From: May Ma [mailto:may.ma@onstor.com] 
> > Sent: Friday, June 27, 2008 5:18 PM
> > To: Bob Mortensen (Glasshouse); Rick Hollenbeck (Glasshouse); Shin
> > Irie; Dennis Arellano; dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> >  
> > 
> > Hi Bob,
> > 
> >  
> > 
> > The explanation for "audit set filesize" is correct.  
> > 
> > VOLNAME is the name of the volume that you want to set audit log
> > file size.
> > 
> >  
> > 
> > May.
> > 
> >  
> > 
> >   _____  
> > 
> > From: Bob Mortensen (Glasshouse) 
> > Sent: Friday, June 27, 2008 4:51 PM
> > To: May Ma; Rick Hollenbeck (Glasshouse); Shin Irie; Dennis
> > Arellano; dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> >  
> > 
> > May:
> > 
> >  
> > 
> > So you are saying that the command "audit set filesize VOLNAME
> > FILESIZE" shown in the System Admin Guide is wrong? If it is only to
> > set the file size, what is the VOLNAME parameter for?
> > 
> >  
> > 
> > Best regards,
> > 
> > Bob Mortensen
> > 
> >  
> > 
> >  
> > 
> >   _____  
> > 
> > From: May Ma [mailto:may.ma@onstor.com] 
> > Sent: Friday, June 27, 2008 4:45 PM
> > To: Rick Hollenbeck (Glasshouse); Bob Mortensen (Glasshouse); Shin
> > Irie; Dennis Arellano; dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> >  
> > 
> > Hi Rick,
> > 
> >  
> > 
> > "Audit export VOL1" will export  the audit log of VOL1 to VOL1
> > itself. You cannot export VOL1 audit log to VOL2.
> > 
> > "audit set filesize VOLNAME FILESIZE"  is to set Max file size of
> > the audit log. 
> > 
> >  
> > 
> > May.
> > 
> >  
> > 
> >   _____  
> > 
> > From: Rick Hollenbeck (Glasshouse) 
> > Sent: Friday, June 27, 2008 4:32 PM
> > To: May Ma; Bob Mortensen (Glasshouse); Shin Irie; Dennis Arellano;
> > dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> >  
> > 
> > Can I jump in here and ask a quick question regarding May's answer?
> > There seems to be one sticky point still. If you send these logs to
> > a volume that has autogrow setup (audit set filesize VOLNAME
> > FILESIZE), why is there a need for audit export? Is this a relic
> > that shouldn't even be there anymore? In the 3.1 SAG, it
> > specifically says to do an "audit set filesize VOLNAME FILESIZE"
> > which infers that you can send the logs to whatever volume you want
> > to, presumably bypassing /tmp. If /tmp is used for processing or
> > whatever and then the logs are sent to another volume then audit
> > export is a relic correct?
> > 
> >  
> > 
> > Richard B. Hollenbeck | Systems Support Engineer
> > 
> > Main: 800-328-7739 | Office: 919 767-5811
> > 
> >  
> > 
> > 
> >  
> > 
> >   _____  
> > 
> > From: May Ma [mailto:may.ma@onstor.com] 
> > Sent: Friday, June 27, 2008 6:24 PM
> > To: Bob Mortensen (Glasshouse); Shin Irie; Dennis Arellano;
> > dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> >  
> > 
> > Hi Bob,
> > 
> >  
> > 
> > If you use "audit export" with options [-m MINUTE] [-h HOUR] [-d
> > DATE] [-M MONTH] [-D DAY], then export will occur at the specified
> > time automatically.
> > 
> > In EverON 3.2 or earlier, we use the /tmp directory on the flash to
> > temporarily store the log before it is written to the volume. The
> > user does not need to issue a command for this. It's done as part of
> > audit export.
> > 
> >  
> > 
> > May.
> > 
> >  
> > 
> >   _____  
> > 
> > From: Bob Mortensen (Glasshouse) 
> > Sent: Friday, June 27, 2008 1:55 PM
> > To: Shin Irie; Dennis Arellano; dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> >  
> > 
> > Irie-san:
> > 
> >  
> > 
> > Sorry, I got caught up in another issue last night and didn't have
> > time to take action on this.
> > 
> >  
> > 
> > There appears to be an inconsistency between what you are saying and
> > what is in the System Administrator's Guide documentation.
> > Specifically, you talk about the audit logs being saved in the /tmp
> > directory and then exporting them at some intervals as estimated by
> > the user. This sounds like a manual function, where they would have
> > to issue the "audit export" command at the CLI.
> > 
> >  
> > 
> > But the text in the SAG implies that this is done automatically: 
> > 
> >  
> > 
> > "If the file size is 0 and the file is not circular, it will
> > continue to grow until it reaches the maximum disk space minus the
> > amount of user data. At this point, the file will no longer accept
> > new audit log entries. However, if you have configured AutoGrow on
> > the volume, prior to the file reaching the truncation point, the
> > NAS Gateway can automatically add more disk space."
> > 
> >  
> > 
> > It is my understanding that the /tmp directory is on the FLASH card.
> > If this is correct, then I don't believe that the /tmp directory
> > contains user data and I don't think that AutoGrow applies to it. So
> > the text in the SAG seems to say that the audit records are being
> > saved to a storage volume rather than in the /tmp directory. I can
> > understand that they may be stored temporarily in the /tmp
> > directory, but the real question is whether they are moved to a
> > storage volume automatically or if the user needs to issue a
> > command to do this. 
> > 
> >  
> > 
> > Given that SGI is trying to automate the process of analyzing the
> > logs, I doubt that they will like the idea of periodically issuing
> > the "audit export" command. So I really hope that what the SAG says
> > is correct and that the logs can be exported automatically.
> > 
> >  
> > 
> > Best regards,
> > 
> > Bob Mortensen
> > 
> >  
> > 
> >  
> > 
> >   _____  
> > 
> > From: Shin Irie [mailto:shin.irie@onstor.com] 
> > Sent: Thursday, June 26, 2008 6:47 PM
> > To: Bob Mortensen (Glasshouse); Dennis Arellano; dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> >  
> > 
> > Bob,
> > 
> >  
> > 
> > For the customer case, you need to do it in a different way.  From the
> > case notes, I don't think he wants to know about this description in
> > the SAG.  What he wants to achieve is to save audit records so he can
> > use them with the audit log analyzer. He doesn't want to lose a single
> > record, I think.  It looks like he tried various things like setting
> > the audit file size very large, and got stuck.  We need to tell him
> > the right way.
> > 
> >  
> > 
> > EverON 3.2 or earlier uses the /tmp directory on the flash card as
> > temporary storage to export records.  /tmp has about 19 MB
> > capacity, so the audit log file should be less than 15 MB
> > considering that other daemons may use /tmp as well.  It should be
> > set to the circular mode so the audit file doesn't grow.
> > 
> >  
> > 
> > Then, he needs to estimate how often he needs to export the audit
> > records with this 15 MB capacity.  It depends on events he wants to
> > track, number of I/O from the clients, etc.
> > 
> >  
> > 
> > Does this make sense? If this doesn't work as expected, file a
> > defect.
> > 
> >  
> > 
> > I think we will not use /tmp for audit export after Cougar
> > (TED00023629), but do not tell this at this moment, because Cougar
> > is not out yet.
> > 
> > --
> > 
> > Irie
> > 
> >  
> > 
> >  
> > 
> >  
> > 
> >   _____  
> > 
> > From: Bob Mortensen (Glasshouse) 
> > Sent: Friday, June 27, 2008 9:52 AM
> > To: Shin Irie; Dennis Arellano; dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> > Irie-san:
> > 
> >  
> > 
> > Did you get any more feedback on this subject? SGI is still waiting
> > for an answer.
> > 
> >  
> > 
> > Is there someone specific that we can ask the question of? Asking
> > "anyone in Engineering" is not likely to produce results.
> > 
> >  
> > 
> > Best regards,
> > 
> > Bob Mortensen
> > 
> >  
> > 
> >  
> > 
> >   _____  
> > 
> > From: Shin Irie [mailto:shin.irie@onstor.com] 
> > Sent: Tuesday, June 24, 2008 12:19 AM
> > To: Dennis Arellano; Bob Mortensen (Glasshouse); dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> >  
> > 
> > I looked around the intranet, but could not find what the expected
> > behavior is when the audit file size is set to zero (i.e. unlimited)
> > and circular is set to yes, that is:
> > 
> >  
> > 
> > cslab1 IRIE diag> audit show config volirie
> > Audit Configuration
> > -------------------
> > Version: 1
> > Enabled: no
> > Circular file: yes    <============ here, and...
> > Fail request on audit failure: no
> > Max file size: 0      <============ here
> > Current file size: 312
> > Access okay privileges:
> > Access denied privileges:
> > 
> >  
> > 
> > Can anyone in Engineering take a look at the code?  We need to
> > clearly describe our behavior so that customers understand what
> > will happen with the above settings.
> > 
> >  
> > 
> >  
> > 
> > --
> > 
> > Irie
> > 
> >  
> > 
> >  
> > 
> >  
> > 
> >   _____  
> > 
> > From: Shin Irie 
> > Sent: Tuesday, June 24, 2008 1:03 PM
> > To: Dennis Arellano; Bob Mortensen (Glasshouse); dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> > Bob,
> > 
> >  
> > 
> > The Max file size in audit show config should be in bytes. I
> > specified 100000 in audit set filesize command, the Max file size
> > was shown as 102400000. See below.
> > 
> >  
> > 
> > cslab1 IRIE diag> audit set filesize volirie
> >   FILESIZE  File size in 1024-byte blocks
> > 
> >  
> > 
> > cslab1 IRIE diag> audit set filesize volirie 100000
> > 
> >  
> > 
> > cslab1 IRIE diag> audit show config volirie
> > Audit Configuration
> > -------------------
> > Version: 1
> > Enabled: no
> > Circular file: no
> > Fail request on audit failure: no
> > Max file size: 102400000
> > Current file size: 312
> > Access okay privileges:
> > Access denied privileges:
> > 
> > --
> > 
> > Irie
> > 
> >  
> > 
> >  
> > 
> >   _____  
> > 
> > From: Dennis Arellano 
> > Sent: Tuesday, June 24, 2008 10:40 AM
> > To: Bob Mortensen (Glasshouse); dl-cstech
> > Subject: RE: Clarification needed on Audit Log 
> > 
> > When an answer is given, I would appreciate someone filing a
> > documentation defect against the SAG to correct any ambiguous
> > wording.
> > 
> >  
> > 
> > Thanks, Dennis
> > 
> >  
> > 
> >   _____  
> > 
> > From: Bob Mortensen (Glasshouse) 
> > Sent: Monday, June 23, 2008 5:48 PM
> > To: dl-cstech
> > Subject: Clarification needed on Audit Log 
> > 
> >  
> > 
> > Hi:
> > 
> >  
> > 
> > Some questions have been raised by SGI Japan (Koichi Inaoka) about
> > the Audit function. I have tried to answer his questions by
> > referencing the System Administrator's Guide (SAG) but some of the
> > text there is unclear and he keeps coming up with more questions.
> > 
> >  
> > 
> > The full conversation can be found in the case notes of case 8472,
> > but I will summarize below. There are also some files in the Data
> > Warehouse.
> > 
> >  
> > 
> > The initial complaint was that new records in the audit log were
> > overwriting older ones. They had deliberately set the Maximum File
> > Size to a large number (1024000000) to avoid this, but they were
> > still overwriting older records. I quoted them some text from the
> > SAG (see below) and recommended that they change the Maximum File
> > Size to 0. This seems to be working better for them, but they are
> > questioning some of the wording.
> > 
> >  
> > 
> > The following is an excerpt from the SAG:
> > 
> >  
> > 
> > The default size of the file is 0 for unlimited space. The file
> > behaves differently depending on whether the file is configured as a
> > circular file:
> > 
> > *	If the file size is 0 and the file is circular, the file
> > will not wrap. 
> > *	If the file size is 0 and the file is not circular, it will
> > continue to grow until it reaches the maximum disk space minus the
> > amount of user data. At this point, the file will no longer accept
> > new audit log entries. However, if you have configured AutoGrow on
> > the volume, prior to the file reaching the truncation point, the NAS
> > Gateway can automatically add more disk space. 
> > 
> >  
> > 
> > The confusing part seems to be "If the file size is 0 and the file
> > is circular, the file will not wrap." 
> > 
> >  
> > 
> > If it doesn't wrap, what happens when the volume is full? 
> > 
> > *	If it stops accepting new entries, how is this different
> > from the case when circular is not enabled? 
> > *	If it doesn't stop accepting new entries, where can it put
> > them except to overwrite old entries, which is wrapping? 
> > 
> >  
> > 
> > The text says that if the file is not circular and you reach the
> > disk space limit, AutoGrow can automatically add more disk space.
> > Does AutoGrow also apply when the file is circular?
> > 
> >  
> > 
> > Additionally, there is a question about the size they had originally
> > set. In the SGA it is shown as 1024000000 but it's not clear what
> > this means. The SAG says that the value is entered at the CLI in KB,
> > so is this number the same as what would be entered (1024000000 KB),
> > or does it mean 1024000000 bytes?
> > 
> >  
> > 
> > Best regards,
> > 
> > Bob Mortensen
> > 
> >  
> > 
> >  
> > 
> 
> 
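
As an added example (not part of the thread and not Onstor code), the following Python parses the `audit show config` output quoted above and flags the data-loss conditions the thread describes: the /tmp staging limit on EverON 3.2 or earlier, and overwriting in a circular file. Assumptions: "15 MB" is read as 15 MiB, the sample text is constructed from the quoted output, and `stages_via_tmp` and all function names are hypothetical.

```python
import re

# Constructed sample: the second `audit show config` output quoted in the thread.
SAMPLE = """\
Audit Configuration
-------------------
Version: 1
Enabled: no
Circular file: no
Fail request on audit failure: no
Max file size: 102400000
Current file size: 312
"""

BLOCK = 1024                   # `audit set filesize` takes 1024-byte blocks
TMP_BUDGET = 15 * 1024 * 1024  # "less than 15 MB" per the thread; MiB is assumed


def parse_audit_config(text):
    """Parse 'Key: value' lines, tolerating '> ' quoting and '<=== here' marks."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(?:>\s*)*([^:<>]+?):\s*([^<]*)", line)
        if m:
            cfg[m.group(1).strip()] = m.group(2).strip()
    return cfg


def review(cfg, stages_via_tmp=True):
    """List data-loss risks. stages_via_tmp (hypothetical name) models EverON 3.2
    or earlier, where export copies the log through /tmp on the flash card."""
    size = int(cfg["Max file size"])        # reported in bytes; 0 = unlimited
    circular = cfg["Circular file"] == "yes"
    findings = []
    if cfg["Enabled"] != "yes":
        findings.append("auditing is disabled on this volume")
    if stages_via_tmp and (size == 0 or size >= TMP_BUDGET):
        findings.append("log can outgrow the /tmp staging budget; "
                        "set filesize below %d blocks" % (TMP_BUDGET // BLOCK))
    if circular and size > 0:
        findings.append("circular: records not exported before %d bytes "
                        "accumulate can be overwritten" % size)
    if circular and size == 0:
        findings.append("circular with size 0: the SAG says the file will not "
                        "wrap; full-volume behaviour is unanswered in the thread")
    return findings


def max_export_interval_hours(size_bytes, audit_bytes_per_hour):
    """Longest export interval that keeps unexported data under the file size."""
    return size_bytes / audit_bytes_per_hour
```

The audit data rate passed to `max_export_interval_hours` has to be measured on the volume in question; the thread gives no figure for it.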
