Date: Fri, 27 Jun 2008 17:32:23 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Bob Mortensen" <bmortensen@css.glasshouse.com>
Cc: "'May Ma'" <may.ma@onstor.com>, "'Rick Hollenbeck  (Glasshouse)'"
 <rhollenbeck@css.glasshouse.com>, "'Shin Irie'" <shin.irie@onstor.com>,
 "'Dennis Arellano'" <dennis.arellano@onstor.com>, "'dl-cstech'"
 <dl-cstech@onstor.com>
Subject: Re: Clarification needed on Audit Log
Message-ID: <20080627173223.5f3eadd4@ripper.onstor.net>
In-Reply-To: <02de01c8d8b5$9c6fc530$664f7e0a@cssltbmortensen>
References: <02d001c8d8b0$b47465f0$664f7e0a@cssltbmortensen>
	<BB375AF679D4A34E9CA8DFA650E2B04E06FB2F99@onstor-exch02.onstor.net>
	<02de01c8d8b5$9c6fc530$664f7e0a@cssltbmortensen>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Fri, 27 Jun 2008 17:26:29 -0700 "Bob Mortensen"
<bmortensen@css.glasshouse.com> wrote:

The audit log always goes to a volume.  It only goes to /tmp (which is
on the CF card) for a brief moment as an invisible (most of the time)
intermediate step in the implementation of sending it to the volume.

> May:
> 
>  
> 
> Do I understand correctly that the VOLNAME parameter is linked to the
> audit export command to specify the location of the export, but the
> files still go first to the /tmp directory before they are exported
> even if you specify a VOLNAME?
> 
>  
> 
> Best regards,
> 
> Bob Mortensen
> 
>  
> 
>  
> 
>   _____  
> 
> From: May Ma [mailto:may.ma@onstor.com] 
> Sent: Friday, June 27, 2008 5:18 PM
> To: Bob Mortensen (Glasshouse); Rick Hollenbeck (Glasshouse); Shin
> Irie; Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
>  
> 
> Hi Bob,
> 
>  
> 
> The explanation for "audit set filesize" is correct.  
> 
> VOLNAME is the name of the volume for which you want to set the audit
> log file size.
> 
>  
> 
> May.
> 
>  
> 
>   _____  
> 
> From: Bob Mortensen (Glasshouse) 
> Sent: Friday, June 27, 2008 4:51 PM
> To: May Ma; Rick Hollenbeck (Glasshouse); Shin Irie; Dennis Arellano;
> dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
>  
> 
> May:
> 
>  
> 
> So you are saying that the command "audit set filesize VOLNAME
> FILESIZE" shown in the System Admin Guide is wrong? If it is only to
> set the file size, what is the VOLNAME parameter for?
> 
>  
> 
> Best regards,
> 
> Bob Mortensen
> 
>  
> 
>  
> 
>   _____  
> 
> From: May Ma [mailto:may.ma@onstor.com] 
> Sent: Friday, June 27, 2008 4:45 PM
> To: Rick Hollenbeck (Glasshouse); Bob Mortensen (Glasshouse); Shin
> Irie; Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
>  
> 
> Hi Rick,
> 
>  
> 
> "Audit export VOL1" will export  the audit log of VOL1 to VOL1
> itself. You cannot export VOL1 audit log to VOL2.
> 
> "audit set filesize VOLNAME FILESIZE"  is to set Max file size of the
> audit log. 
> 
>  
> 
> May.
> 
>  
> 
>   _____  
> 
> From: Rick Hollenbeck (Glasshouse) 
> Sent: Friday, June 27, 2008 4:32 PM
> To: May Ma; Bob Mortensen (Glasshouse); Shin Irie; Dennis Arellano;
> dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
>  
> 
> Can I jump in here and ask a quick question regarding May's answer?
> There seems to be one sticky point still. If you send these logs to a
> volume that has autogrow setup (audit set filesize VOLNAME FILESIZE),
> why is there a need for audit export? Is this a relic that shouldn't
> even be there anymore? In the 3.1 SAG, it specifically says to do an
> "audit set filesize VOLNAME FILESIZE" which infers that you can send
> the logs to whatever volume you want to, presumably bypassing /tmp.
> If /tmp is used for processing or whatever and then the logs are sent
> to another volume then audit export is a relic correct?
> 
>  
> 
> Richard B. Hollenbeck | Systems Support Engineer
> 
> Main: 800-328-7739 | Office: 919 767-5811
> 
>  
> 
> 
>   _____  
> 
> From: May Ma [mailto:may.ma@onstor.com] 
> Sent: Friday, June 27, 2008 6:24 PM
> To: Bob Mortensen (Glasshouse); Shin Irie; Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
>  
> 
> Hi Bob,
> 
>  
> 
> If you use "audit export" with options [-m MINUTE] [-h HOUR] [-d
> DATE] [-M MONTH] [-D DAY], then export will occur at the specified
> time automatically.
> 
> In EverON 3.2 or earlier, we use the /tmp directory on the flash to
> temporarily store the log before it is written to the volume. The user
> does not need to issue a command for this. It's done as part of audit
> export.
> 
>  
> 
> May.
> 
>  
> 
>   _____  
> 
> From: Bob Mortensen (Glasshouse) 
> Sent: Friday, June 27, 2008 1:55 PM
> To: Shin Irie; Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
>  
> 
> Irie-san:
> 
>  
> 
> Sorry, I got caught up in another issue last night and didn't have
> time to take action on this.
> 
>  
> 
> There appears to be an inconsistency between what you are saying and
> what is in the System Administrator's Guide documentation.
> Specifically, you talk about the audit logs being saved in the /tmp
> directory and then exporting them at some intervals as estimated by
> the user. This sounds like a manual function, where they would have
> to issue the "audit export" command at the CLI.
> 
>  
> 
> But the text in the SAG implies that this is done automatically: 
> 
>  
> 
> "If the file size is 0 and the file is not circular, it will continue
> to grow until it reaches the maximum disk space minus the amount of
> user data. At this point, the file will no longer accept new audit
> log entries. However, if you have configured AutoGrow on the volume,
> prior to the file reaching the truncation point, the NAS Gateway can
> automatically add more disk space."
> 
>  
> 
> It is my understanding that the /tmp directory is on the FLASH card.
> If this is correct, then I don't believe that the /tmp directory
> contains user data and I don't think that AutoGrow applies to it. So
> the text in the SAG seems to say that the audit records are being
> saved to a storage volume rather than in the /tmp directory. I can
> understand that they may be stored temporarily in the /tmp directory,
> but the real question is whether they are moved to a storage volume
> automatically or if the user needs to issue a command to do this. 
> 
>  
> 
> Given that SGI is trying to automate the process of analyzing the
> logs, I doubt that they will like the idea of periodically issuing
> the "audit export" command. So I really hope that what the SAG says
> is correct and that the logs can be exported automatically.
> 
>  
> 
> Best regards,
> 
> Bob Mortensen
> 
>  
> 
>  
> 
>   _____  
> 
> From: Shin Irie [mailto:shin.irie@onstor.com] 
> Sent: Thursday, June 26, 2008 6:47 PM
> To: Bob Mortensen (Glasshouse); Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
>  
> 
> Bob,
> 
>  
> 
> For the customer case, you need to do it in a different way.  From the
> case notes, I don't think he wants to know about this description in
> the SAG.  What he wants to achieve is to save audit records so he can use
> them with the audit log analyzer. He doesn't want to lose a single
> record, I think.  It looks like he tried various things like setting the
> audit file size very large, and got stuck.  We need to tell him the
> right way.
> 
>  
> 
> EverON 3.2 or earlier uses the /tmp directory on the flash card as
> temporary storage to export records.  /tmp has about 19 MB capacity,
> so the audit log file should be less than 15 MB considering that
> other daemons may use /tmp as well.  It should be set to the circular
> mode so the audit file doesn't grow.
> 
>  
> 
> Then, he needs to estimate how often he needs to export the audit
> records with this 15 MB capacity.  It depends on events he wants to
> track, number of I/O from the clients, etc.
> 
>  
> 
> Does this make sense? If this doesn't work as expected, file a defect.
> 
>  
> 
> I think we will not use /tmp for audit export after Cougar
> (TED00023629), but do not tell this at this moment, because Cougar is
> not out yet.
> 
> --
> 
> Irie
> 
>  
> 
>  
> 
>  
> 
>   _____  
> 
> From: Bob Mortensen (Glasshouse) 
> Sent: Friday, June 27, 2008 9:52 AM
> To: Shin Irie; Dennis Arellano; dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
> Irie-san:
> 
>  
> 
> Did you get any more feedback on this subject? SGI is still waiting
> for an answer.
> 
>  
> 
> Is there someone specific that we can ask the question of? Asking
> "anyone in Engineering" is not likely to produce results.
> 
>  
> 
> Best regards,
> 
> Bob Mortensen
> 
>  
> 
>  
> 
>   _____  
> 
> From: Shin Irie [mailto:shin.irie@onstor.com] 
> Sent: Tuesday, June 24, 2008 12:19 AM
> To: Dennis Arellano; Bob Mortensen (Glasshouse); dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
>  
> 
> I looked around the intranet, but could not find what the expected
> behavior is when the audit file size is set to zero (i.e. unlimited) and
> the circular is set to yes, that is:
> 
>  
> 
> cslab1 IRIE diag> audit show config volirie
> Audit Configuration
> -------------------
> Version: 1
> Enabled: no
> Circular file: yes    <============ here, and...
> Fail request on audit failure: no
> Max file size: 0      <============ here
> Current file size: 312
> Access okay privileges:
> Access denied privileges:
> 
>  
> 
> Can anyone in Engineering take a look at the code?  We need to clearly
> describe our behavior so that customers understand what will happen
> with the above settings.
> 
>  
> 
>  
> 
> --
> 
> Irie
> 
>  
> 
>  
> 
>  
> 
>   _____  
> 
> From: Shin Irie 
> Sent: Tuesday, June 24, 2008 1:03 PM
> To: Dennis Arellano; Bob Mortensen (Glasshouse); dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
> Bob,
> 
>  
> 
> The Max file size in audit show config should be in bytes. I specified
> 100000 in the audit set filesize command, and the Max file size was
> shown as 102400000. See below.
> 
>  
> 
> cslab1 IRIE diag> audit set filesize volirie
>   FILESIZE  File size in 1024-byte blocks
> 
>  
> 
> cslab1 IRIE diag> audit set filesize volirie 100000
> 
>  
> 
> cslab1 IRIE diag> audit show config volirie
> Audit Configuration
> -------------------
> Version: 1
> Enabled: no
> Circular file: no
> Fail request on audit failure: no
> Max file size: 102400000
> Current file size: 312
> Access okay privileges:
> Access denied privileges:
> 
> --
> 
> Irie
> 
>  
> 
>  
> 
>   _____  
> 
> From: Dennis Arellano 
> Sent: Tuesday, June 24, 2008 10:40 AM
> To: Bob Mortensen (Glasshouse); dl-cstech
> Subject: RE: Clarification needed on Audit Log 
> 
> When an answer is given, I would appreciate someone filing a
> documentation defect against the SAG to correct any ambiguous wording.
> 
>  
> 
> Thanks, Dennis
> 
>  
> 
>   _____  
> 
> From: Bob Mortensen (Glasshouse) 
> Sent: Monday, June 23, 2008 5:48 PM
> To: dl-cstech
> Subject: Clarification needed on Audit Log 
> 
>  
> 
> Hi:
> 
>  
> 
> Some questions have been raised by SGI Japan (Koichi Inaoka) about
> the Audit function. I have tried to answer his questions by
> referencing the System Administrator's Guide (SAG) but some of the
> text there is unclear and he keeps coming up with more questions.
> 
>  
> 
> The full conversation can be found in the case notes of case 8472,
> but I will summarize below. There are also some files in the Data
> Warehouse.
> 
>  
> 
> The initial complaint was that new records in the audit log were
> overwriting older ones. They had deliberately set the Maximum File
> Size to a large number (1024000000) to avoid this, but they were
> still overwriting older records. I quoted them some text from the SAG
> (see below) and recommended that they change the Maximum File Size to
> 0. This seems to be working better for them, but they are questioning
> some of the wording.
> 
>  
> 
> The following is an excerpt from the SAG:
> 
>  
> 
> The default size of the file is 0 for unlimited space. The file
> behaves differently depending on whether the file is configured as a
> circular file:
> 
> *	If the file size is 0 and the file is circular, the file
> will not wrap. 
> *	If the file size is 0 and the file is not circular, it will
> continue to grow until it reaches the maximum disk space minus the
> amount of user data. At this point, the file will no longer accept
> new audit log entries. However, if you have configured AutoGrow on
> the volume, prior to the file reaching the truncation point, the NAS
> Gateway can automatically add more disk space. 
> 
>  
> 
> The confusing part seems to be "If the file size is 0 and the file is
> circular, the file will not wrap." 
> 
>  
> 
> If it doesn't wrap, what happens when the volume is full? 
> 
> *	If it stops accepting new entries, how is this different
> from the case when circular is not enabled? 
> *	If it doesn't stop accepting new entries, where can it put
> them except to overwrite old entries, which is wrapping? 
> 
>  
> 
> The text says that if the file is not circular and you reach the disk
> space limit, AutoGrow can automatically add more disk space. Does
> AutoGrow also apply when the file is circular?
> 
>  
> 
> Additionally, there is a question about the size they had originally
> set. In the SGA it is shown as 1024000000 but it's not clear what
> this means. The SAG says that the value is entered at the CLI in KB,
> so is this number the same as what would be entered (1024000000 KB),
> or does it mean 1024000000 bytes?
> 
>  
> 
> Best regards,
> 
> Bob Mortensen
> 
>  
> 
>  
> 
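
Added example, not part of the original thread and not ONStor code: a small Python check that parses "audit show config" output in the layout quoted above, converts between the 1024-byte FILESIZE blocks and the byte value the command displays, and flags settings that depart from the /tmp sizing advice quoted in the thread. The function names, the reading of "15 MB" as 15 * 1024 * 1024 bytes, and the audit data rate are assumptions.

```python
import re

BLOCK = 1024                        # FILESIZE is entered in 1024-byte blocks
TMP_BUDGET_BYTES = 15 * 1024 ** 2   # assumed byte value of the 15 MB ceiling

# Constructed sample in the layout of the "audit show config" output above.
SAMPLE = """\
Audit Configuration
-------------------
Enabled: no
Circular file: no     <============ annotation like the one in the thread
Max file size: 102400000
Current file size: 312
"""

def parse_audit_config(text):
    """Map each 'Name: value' line to a dict, dropping '<====' annotations."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*?)\s*(?:<=+.*)?$", line)
        if m:
            cfg[m.group(1).strip()] = m.group(2)
    return cfg

def check(cfg):
    """Findings relative to the /tmp staging advice quoted in the thread."""
    findings = []
    max_bytes = int(cfg["Max file size"])
    if cfg["Enabled"] != "yes":
        findings.append("auditing is not enabled")
    if max_bytes == 0:
        findings.append("max file size is 0 (unlimited)")
    elif max_bytes > TMP_BUDGET_BYTES:
        findings.append(f"max file size {max_bytes} B exceeds {TMP_BUDGET_BYTES} B")
    if cfg["Circular file"] != "yes":
        findings.append("file is not circular")
    return findings

def filesize_argument(target_bytes):
    """Largest FILESIZE (1024-byte blocks) not exceeding target_bytes."""
    return target_bytes // BLOCK

def wrap_time_seconds(max_bytes, audit_bytes_per_second):
    """Time for a circular file to wrap; exports must run more often than this."""
    return max_bytes / audit_bytes_per_second

if __name__ == "__main__":
    for finding in check(parse_audit_config(SAMPLE)):
        print("FINDING:", finding)
    print("FILESIZE for 15 MB:", filesize_argument(TMP_BUDGET_BYTES))
```

The wrap time is the number to compare against the export schedule: if records arrive faster than assumed, a circular file overwrites entries before they are exported.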
