#Audit logs not visible for GET operations in the cluster


charred cairn
#

Recently, while working with the NetApp cluster, I made an interesting observation that I'd like to clarify with you all.

So while working in the NetApp cluster, I observed that when I run the security audit log show command, I only see the logs of non-GET operations performed in the cluster.
This includes operations performed manually by logging into the cluster or through REST API calls. For example, I can see the logs for non-GET requests like createVolume and specific GET requests such as getSnapshotSize (using the endpoint: /api/private/cli/snapshot?fields=vserver,volume,snapshot,size).

However, I am unable to understand why the logs for other GET requests, like getVolumeInfo, which we make through REST API calls regularly in our code, are not visible when viewing the audit logs.

My hunch was that it may be due to the fact that in our clusters we have auditing for GET requests turned off by default (security audit show).

But if this is the case, why are we able to see logs of the getSnapshotSize command? Can you please provide some info you might have around this? Do you think enabling these will fix the problem and start to fetch GET operation logs too under audit logs?

Another thing I wanted your insight on is the perf-object-get-instances command perf (netapp.com). I see it being executed in our cluster every second, as indicated in the audit logs, and it states that it's called through the ontapi interface, but we don't make any such call. Is it some sort of automatic call which happens on its own? I'm interested in understanding its purpose and any associated details. Can you provide some relevant data on this?

silk fern
#

I am not sure why some GET-type operations are logged with the audit state being off, that kind of sounds like a bug, but enabling the auditing of Get Requests, like you showed is currently "off", should allow you to see all of them like you are looking for.

As far as perf-object-get-instances is concerned, that may be for Performance Archives if they are enabled. Our Performance folks may have a better idea.

scarlet granite
#

OCI and CI make this call. If you have other tools in your environment monitoring performance, they may also call this API. It's used to get the perf stats for specific perf counters.

charred cairn
#

Thanks a lot guys for the input!

#

Just a follow-up on my question: is there any API or trap or metric which can get triggered or inform us about the maximum concurrent logins being reached? As there are so many API calls in the cluster through the service account, does NetApp have any mechanism to trigger any metrics information around it?

#

I know there is a command to fetch active sessions, but obviously we can't hit the cluster at such a low granularity of 1s to fetch that data.

#

Can you please provide any input on this?