ONTAP Discussions

Auditing netapps

CCIC4EPSO

Hi,
I configured my netapps to be able to audit access of files with the following commands

options cifs.audit.enable on
options cifs.audit.autosave.ontime.enable on
options cifs.audit.autosave.onsize.enable on
options cifs.audit.liveview.enable on
options cifs.audit.logsize 52428800
options cifs.audit.autosave.onsize.threshold 50m
options cifs.audit.autosave.ontime.interval 20m

My aim was to have external log files (.evt) with a size of 50 MB or every 20 minutes. I tried many times, but the result is always files of almost 500 KB, generated every 11 to 20 seconds.
As you know, if I want to manage the number of these log files, I can only keep 999 files, which is not workable with this small file size, because in one day I get more than 2000 log files.
So is there a mistake, or are commands missing?

nagendrk

I tried out your commands and found the same behavior - an evt file was getting created every minute. Then I found the piece of info below in the "Data ONTAP® 7.2 File Access and Protocols Management Guide":

When Live View is enabled, an Access Logging Facility (ALF) daemon runs once a minute, flushing audit events from memory to the internal log file /etc/log/cifsaudit.alf on disk. The ALF daemon also attempts to save and convert ALF records to EVT records that can be viewed by Event Viewer. It does so either once every minute, or when the .alf file becomes 75 percent full.

I used " options cifs.audit.liveview.enable off" to disable live view and the file creation (every minute) stopped.

nagendrk

I tried out your commands on my system; the behavior was the same - an evt file was being created every minute. I found this piece of info in the "Data ONTAP® 7.2 File Access and Protocols Management Guide":

When Live View is enabled, an Access Logging Facility (ALF) daemon runs once a minute, flushing audit events from memory to the internal log file /etc/log/cifsaudit.alf on disk. The ALF daemon also attempts to save and convert ALF records to EVT records that can be viewed by Event Viewer. It does so either once every minute, or when the .alf file becomes 75 percent full.

On disabling live view using "options cifs.audit.liveview.enable off" the evt file creation stopped. Try this out!

CCIC4EPSO

I tried this and it seems OK.

Thanks

philmcneill

I'm attempting to set up something similar, and was wondering if there is any overhead associated with turning auditing on other than the space the log files take up on the disk. Also, I only want to keep a few hours' worth in order to respond to events that just occurred. What command would I use to have audit logs older than a specific age automatically deleted/overwritten?

Thanks!

Phil

jmcreynolds

We are also working to enable auditing on our CIFS volumes, and then retrieving the audit log from a log management system.

After disabling LiveView, did you correctly see the audit log rotation at the intervals you wanted? (50MB/20 Mins), or did you need to use a different method to 'keep up' with the audit log creation?

Thank you in advance

dwutke

I'm new to auditing netapps; does anyone have a doc I can read on the basics? I've gotten as far as the adtlog.evt file being created, but I can't read the contents of the logs themselves using the Windows event log viewer. I receive the error:

The description for Event ID ( 538 ) in Source ( Security ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: rlee, UNITED, (0x0, 0x3b1e5), 3.

Thanks,

miststech

Same here,

I have a pair of filers, and want to know the best way of saving the CIFS audit logs. You would think it has never been done before, as my NetApp supplier has never had the issue before.

There has got to be an accepted solution by NetApp for how to manage the audit logs for CIFS shares on a Filer.

hland

Hi,

see this KB entry for the basic setup of CIFS auditing and the various options that can be set: https://now.netapp.com/Knowledgebase/solutionarea.asp?id=kb44724

A more detailed explanation is available in the docs: http://now.netapp.com/NOW/knowledge/docs/ontap/rel732/html/ontap/filesag/GUID-90C286C7-95ED-48A5-ADF9-0DA7C85CF2B8.html

Do you have any specific questions?

Regards

Hendrik

hland

Hi,

The event details differ a lot between different Windows versions. ONTAP can't support all these different versions simultaneously. When copying the .evt file to your local Windows machine and viewing it in Event Viewer, Windows will attempt to use the local event description of that Windows version. Depending on the Windows version, it will not recognize some events, which leads to the error message you've posted. IIRC Vista should work pretty well.

You can also use the /auxsource parameter when starting the management console to tell Windows to look at the source machine for event descriptions. Basically you would start it like this:

mmc /a /AUXSOURCE=<Filer-IP>

See http://support.microsoft.com/kb/312216/en-us for more details on that parameter.

Hope that helps.

- Hendrik

miststech

I have the auditing configured. What I want to know is, as the evt files are not "REAL" evt files, what is the best way of getting them off a NetApp filer and archiving them to allow compliance with SOX (specifically J-SOX)? The actual audit configuration is complete; I just need to be able to search the logs and use some tool to collect and aggregate the files.

hland

They are "real" .evt files. However, you can't query them via RPC as you can with a Windows server. Therefore you need to work with the actual files. Any tool that can read .evt files should work fine.

I guess the easiest way to get the event files off the filer is via CIFS or NFS. Either copy them to whatever location you like via a script, or use a backup application if you just want to archive them on tape or something. Then process them with your preferred event log tool (as long as it can open .evt files) or convert them to text and go from there (http://now.netapp.com/NOW/download/tools/evt2text/).

Regards

Hendrik
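Hendrik's suggestion of copying the .evt files off the filer via NFS or CIFS with a script, together with Phil's question about keeping only a few hours of logs, as an added example that is not from this thread or from NetApp: a POSIX shell collector that copies new .evt files from a mounted filer /etc/log export into an archive directory, appends SHA-256 hashes to a manifest so later tampering with the archived copies is detectable, and prunes archived copies older than a retention window. The mount path, archive path and file names used are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or NetApp): collect CIFS audit .evt
# files from a filer's /etc/log export mounted on this host, keep a hash
# manifest, and prune archived copies older than a retention window.
# This prunes the archive only; rotation on the filer itself is governed
# by the cifs.audit.* options discussed in the thread.

hash_file() {
    # Prefer sha256sum (GNU coreutils); fall back to shasum where absent.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# collect_evt SRC DST: copy every *.evt in SRC not yet present in DST,
# record its hash in DST/MANIFEST.sha256, and print the number copied.
collect_evt() {
    src="$1"; dst="$2"; n=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*.evt; do
        [ -f "$f" ] || continue          # no match: the glob stays literal
        base=$(basename "$f")
        [ -f "$dst/$base" ] && continue  # already archived, skip it
        cp -p "$f" "$dst/$base" || return 1
        hash_file "$dst/$base" >> "$dst/MANIFEST.sha256"
        n=$((n + 1))
    done
    echo "$n"
}

# prune_evt DST HOURS: delete archived *.evt files whose mtime is older
# than HOURS and print how many were removed. The manifest is kept as the
# record of what existed and what its hash was.
prune_evt() {
    dst="$1"; mins=$(( $2 * 60 ))
    find "$dst" -name '*.evt' -type f -mmin +"$mins" -print -delete | wc -l | tr -d ' '
}

# Usage with assumed paths (placeholders, not from the thread):
#   collect_evt /mnt/filer/etc/log /srv/cifsaudit-archive
#   prune_evt /srv/cifsaudit-archive 6
```

Run collect_evt from cron at an interval shorter than the filer's own rotation so that no rotated file is overwritten on the filer before it has been copied.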
