Auditing netapps

Hi,

I configured my NetApps to be able to audit access to files with the following commands:

options cifs.audit.enable on
options cifs.audit.autosave.ontime.enable on
options cifs.audit.autosave.onsize.enable on
options cifs.audit.liveview.enable on
options cifs.audit.logsize 52428800
options cifs.audit.autosave.onsize.threshold 50m
options cifs.audit.autosave.ontime.interval 20m

My aim was to have external log files (.evt) with a size of 50 MB or one every 20 minutes. I tried many times, but the result is always files with a size of almost 500 KB, generated every 11 to 20 seconds.

As you know, if I want to manage the number of these log files I am limited to 999 files only, which is not workable with such a small file size because in one day I get more than 2000 log files.

So is there a mistake, or are commands missing?

Re: Auditing netapps

I tried out your commands and found the same behavior: an .evt file was getting created every minute. Then I found the piece of info below in the "Data ONTAP® 7.2 File Access and Protocols Management Guide":

When Live View is enabled, an Access Logging Facility (ALF) daemon runs once a minute, flushing audit events from memory to the internal log file /etc/log/cifsaudit.alf on disk. The ALF daemon also attempts to save and convert ALF records to EVT records that can be viewed by Event Viewer. It does so either once every minute, or when the .alf file becomes 75 percent full.

I used "options cifs.audit.liveview.enable off" to disable Live View and the file creation (every minute) stopped.

Re: Auditing netapps

I tried out your commands on my system and the behavior was the same: an .evt file was being created every minute. I found this piece of info in the "Data ONTAP® 7.2 File Access and Protocols Management Guide":

When Live View is enabled, an Access Logging Facility (ALF) daemon runs once a minute, flushing audit events from memory to the internal log file /etc/log/cifsaudit.alf on disk. The ALF daemon also attempts to save and convert ALF records to EVT records that can be viewed by Event Viewer. It does so either once every minute, or when the .alf file becomes 75 percent full.

On disabling Live View using "options cifs.audit.liveview.enable off" the .evt file creation stopped. Try this out!
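
To make the interaction between the first post's autosave settings and the Live View behaviour quoted above concrete, here is a small added example (not ONTAP code, not from any poster, and it does not talk to a filer). It parses `options cifs.audit.*` lines in the form the first post used, predicts how often an .evt file will be saved, and flags the two problems the thread describes: Live View overriding the ontime/onsize autosave, and the resulting file count exceeding the 999-file limit. Assumptions, labelled in the code: size suffixes k/m/g are powers of 1024, interval values carry an s/m/h/d suffix, and the sample option lines are constructed from the first post rather than captured from a system.

```python
"""
Predict CIFS audit .evt rotation from Data ONTAP 7-mode `options cifs.audit.*`
settings. Added example for this thread; it is not ONTAP code and it does not
talk to a filer. It assumes settings are supplied as "options <name> <value>"
lines (the form used in the first post), that size suffixes k/m/g are powers
of 1024, and that interval suffixes s/m/h/d mean seconds/minutes/hours/days.
"""
import re

# Constructed sample: the first poster's settings, with Live View still enabled.
SAMPLE_OPTIONS = """\
options cifs.audit.enable on
options cifs.audit.autosave.ontime.enable on
options cifs.audit.autosave.onsize.enable on
options cifs.audit.liveview.enable on
options cifs.audit.logsize 52428800
options cifs.audit.autosave.onsize.threshold 50m
options cifs.audit.autosave.ontime.interval 20m
"""

# Cap on saved .evt files mentioned in the thread.
MAX_SAVED_FILES = 999

_SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_options(text):
    """Map option name -> value from 'options NAME VALUE' (or 'NAME VALUE') lines."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "options":
            parts = parts[1:]
        if len(parts) >= 2:
            opts[parts[0]] = parts[1]
    return opts


def parse_size(value):
    """'52428800' -> 52428800, '50m' -> 52428800 (assumption: 1024-based units)."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.lower())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2)]


def parse_interval(value):
    """'20m' -> 1200 seconds; a unit suffix is required (assumption)."""
    m = re.fullmatch(r"(\d+)([smhd])", value.lower())
    if not m:
        raise ValueError(f"unrecognised interval: {value!r}")
    return int(m.group(1)) * _TIME_UNITS[m.group(2)]


def predict_rotation(opts):
    """Return the effective .evt save interval (seconds), the resulting files per
    day, and findings explaining why the autosave settings may not behave as
    configured."""
    findings = []
    if opts.get("cifs.audit.enable", "off") != "on":
        findings.append("cifs.audit.enable is off: no audit records are written")
        return {"interval_s": None, "files_per_day": 0, "findings": findings}

    interval = None
    if opts.get("cifs.audit.liveview.enable", "off") == "on":
        # Per the 7.2 File Access and Protocols Management Guide quoted in the
        # thread: with Live View on, the ALF daemon converts ALF records to EVT
        # once a minute (or at 75% .alf fill), so ontime/onsize never applies.
        interval = 60
        findings.append("liveview on: ALF daemon saves an .evt every minute, "
                        "overriding autosave.ontime/onsize")
    elif opts.get("cifs.audit.autosave.ontime.enable", "off") == "on":
        interval = parse_interval(opts["cifs.audit.autosave.ontime.interval"])

    if opts.get("cifs.audit.autosave.onsize.enable", "off") == "on":
        threshold = parse_size(opts["cifs.audit.autosave.onsize.threshold"])
        logsize = parse_size(opts["cifs.audit.logsize"])
        if threshold > logsize:
            findings.append("onsize.threshold is larger than cifs.audit.logsize: "
                            "the size-based save can never trigger")

    files_per_day = 86400 // interval if interval else None
    if files_per_day and files_per_day > MAX_SAVED_FILES:
        findings.append(f"{files_per_day} files/day exceeds the "
                        f"{MAX_SAVED_FILES}-file limit on saved .evt files")
    return {"interval_s": interval, "files_per_day": files_per_day,
            "findings": findings}


def with_liveview_off(text):
    """Return the same option lines with Live View disabled (the fix from the reply)."""
    return re.sub(r"(cifs\.audit\.liveview\.enable)\s+on", r"\1 off", text)


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_OPTIONS),
                        ("liveview off", with_liveview_off(SAMPLE_OPTIONS))):
        result = predict_rotation(parse_options(text))
        print(f"{label}: every {result['interval_s']}s, "
              f"~{result['files_per_day']} files/day")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as posted, the settings yield one .evt per minute and about 1440 files a day, well over the 999-file limit; with `cifs.audit.liveview.enable off` the 20-minute interval takes effect and the count drops to 72 a day, which is the behaviour the reply reports.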

Re: Auditing netapps

I tried this and it seems OK.

thanx

Re: Auditing netapps

I'm attempting to set up something similar, and was wondering if there is any overhead associated with turning auditing on other than the space the log files take up on the disk. Also, I only want to keep a few hours' worth in order to respond to events that just occurred. What command would I use to have audit logs older than a specific age automatically deleted/overwritten?

Thanks!

Phil

Re: Auditing netapps

We are also working to enable auditing on our CIFS volumes, and then retrieving the audit log from a log management system.

After disabling LiveView, did you correctly see the audit log rotation at the intervals you wanted? (50MB/20 Mins), or did you need to use a different method to 'keep up' with the audit log creation?

Thank you in advance

Re: Auditing netapps

I'm new to auditing NetApps; does anyone have a doc I can read on the basics? I've gotten as far as the adtlog.evt file being created, but I can't read the contents of the logs themselves using the Windows event log viewer. I receive the error:

The description for Event ID ( 538 ) in Source ( Security ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: rlee, UNITED, (0x0, 0x3b1e5), 3.

Thanks,

Re: Auditing netapps

Same here,

I have a pair of filers, and want to know the best way of saving the CIFS audit logs. You would think it has never been done before, as my NetApp supplier has never had the issue before.

There has got to be an accepted solution by NetApp of how to manage the audit logs for CIFS shares on a Filer.

Re: Auditing netapps

Hi,

See this KB entry for the basic setup of CIFS auditing and the various options that can be set: https://now.netapp.com/Knowledgebase/solutionarea.asp?id=kb44724

A more detailed explanation is available in the docs: http://now.netapp.com/NOW/knowledge/docs/ontap/rel732/html/ontap/filesag/GUID-90C286C7-95ED-48A5-ADF9-0DA7C85CF2B8.html

Do you have any specific questions?

Regards

Hendrik

Re: Auditing netapps

Hi,

The event details differ a lot between different Windows versions. ONTAP can't support all these different versions simultaneously. When copying the .evt file to your local Windows machine and viewing it in Event Viewer, Windows will attempt to use the local event description of that Windows version. Depending on the Windows version it will not recognize some events, which leads to the error message you've posted. IIRC Vista should work pretty well.

You can also use the /auxsource parameter when starting the management console to tell Windows to look at the source machine for event descriptions. Basically you would start it like this:

mmc /a /AUXSOURCE=<Filer-IP>

See http://support.microsoft.com/kb/312216/en-us for more details on that parameter.

Hope that helps.

- Hendrik