Subscribe

Audit logs

Hi Team,


I am an Security Analyst and i was assigned to a Storage Project[Netapp] for which i need some information in regard with the logging..,


One more query is the log format same as filer O/P in data ontap.



Log Format for Messages
log format:
<PRI> <TIME> ' ' <MESG> '[' <MDATA> ' ' <SIG> ' ']
<DAY> Event Day
<DATE> Event Date
<TIME>  Event Time
<[EVENT:> Event Name which is Event ID
<:Severity]> Severity is categories like emerg, alert, crit, err, warning, notice, info, debug
<MSG> Details About Message
 
Log Format of adtlog.evt
log format:
DATE | TIME | Event ID | Operation Outcome | Number of seconds of duplicated events | Filer Name | Number of duplicate events detected | Protocol used | User | Object | Access Code 

Sample Log:
  20060801|104748|560|Success|0|DATA|0|CIFS|petemo|DATA|-|\vol\vol0\etc|Read Attributes|

<Date>  Date (20060801)
<Time>  Time (104742)
<Event ID> Event ID (540,538,560) Support Windows Event ID’s
<Operation Outcome>  Operation Details (Success or Failure)
<Number of seconds of duplicated events> Number
<Filer Name> Filer Name (Data)
<Number of duplicate events detected> Number
<Protocol used>  Protocol Used (Unknown, CIFS, NFS,HTTP)
<User>  User Name (administrator, petemo)
<Object>  Object Details e.g.(\vol\vol0\etc\lclgroups.cfg)
<Access Code>  (Read:Read Attributes)

Regards,

Iyyappan.

Audit logs

https://kb.netapp.com/support/index?page=content&id=1011243


Please make sure that the auditing is enabled in the windows. I have copy pasted the section below for your convenience.

===========================================================
To setup additional items that will be audited, you will need to configure specific audit rules for each share or qtree:

  1.     In Computer Manager, go to the qtree or folder that you wish to audit.
  2.     Select the Security tab , then the Advanced tab, and select Auditing.
  3.     Specify the groups and events to be audited.

============================================================