Enabling Auditing on a NetApp CIFS Volume
Enable Auditing
Telnet to filer
NetApp Filer > options cifs.audit.enable on
This enables auditing on the CIFS volume. The disadvantage is that we need to save the log manually to stop the auditing (I will show how to do this automatically below).
Save CIFS auditing
NetApp Filer > cifs audit save -f
Automatically save auditing
NetApp Filer > options cifs.audit.autosave.ontime.enable on
NetApp Filer > options cifs.audit.autosave.onsize.enable on
Where can we see the audit logs?
/etc/log/adtlog.evt
Run -> //filername/etc$
Go to the etc folder, then the log folder. There you can see adtlog.evt
To view in Windows OS:
It is an Event Viewer file. Go to Event Viewer -> Right click -> Open log file -> point it to this path
(mount this CIFS volume first, so that the path shows up in Event Viewer). Select the Security log type when opening the file.
You should see entries similar to Windows auditing: Object Access, Logon/Logoff categories, etc.
CIFS auditing options on NetApp filer
options cifs.audit
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable on
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable on
cifs.audit.logsize 524288
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /etc/log/adtlog.evt
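The following is an added example, not part of the original post: a small Python check that parses a captured `options cifs.audit` listing and reports settings that leave gaps in the audit trail. The function names and the choice of which settings count as a gap are assumptions of this example; the sample input is the listing shown above.

```python
# Added example: review a captured `options cifs.audit` listing for audit gaps.
# SAMPLE is the listing shown on this page; function names are hypothetical.
SAMPLE = """\
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable on
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable on
cifs.audit.logsize 524288
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /etc/log/adtlog.evt
"""
EVENT_CATEGORIES = ("account_mgmt_events", "file_access_events", "logon_events")


def parse_options(text):
    """Return {option: value}; an option printed with no value maps to ''."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0].startswith("cifs.audit"):  # skips prompt lines
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def review(opts):
    """Return findings for settings that leave gaps in the audit trail."""
    def on(name):
        return opts.get("cifs.audit." + name, "off") == "on"
    findings = []
    if not on("enable"):
        findings.append("auditing is disabled (cifs.audit.enable)")
    if not (on("autosave.ontime.enable") or on("autosave.onsize.enable")):
        findings.append("no autosave: log must be saved with 'cifs audit save -f'")
    for cat in EVENT_CATEGORIES:
        if not on(cat + ".enable"):
            findings.append("event category not audited: " + cat)
    return findings


if __name__ == "__main__":
    for finding in review(parse_options(SAMPLE)) or ["no findings"]:
        print(finding)
```

Run against the listing above, the only finding is that account management events are not audited.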