Monitoring SMB_OPEN for file delete.

We are trying to trace the Delete event for a file on a clustered NetApp system when a file is deleted through Enterprise Vault (EV)’s archiving feature, but we are not getting the SMB_DEL event in that case.

When we discussed the issue with the EV team, we came to know that they are not using the ‘DeleteFile’ API in EV for the archiving feature; instead they open the file with some delete flags or access modes.

Now, in our fpolicy server we are not monitoring SMB_OPEN events, hence we are planning to trace such file delete events through the file operation ‘open’ and the filter ‘open-with-delete-intent’.

So, after configuring fpolicy’s event with the file operation ‘open’ and the filter ‘open-with-delete-intent’, we are receiving the SMB_OPEN events when we are deleting/archiving the file through EV.

Our concern here is whether we need to check any other value in the XML event when we want to treat the SMB_OPEN event as a delete event. Also, in the SMB_OPEN event we are getting the following values:

<OpenAccmode>1114240</OpenAccmode>

<OpenOptions>4128</OpenOptions>


So, what are the possible values of OpenAccmode or OpenOptions when this event is for a file delete, i.e. how do we check the delete flag in these values?
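A small decoder for those two values, added here as an example (it is not from the post or from NetApp). It assumes that OpenAccmode carries the Windows desired-access mask and OpenOptions the NtCreateFile/SMB2 CREATE options bits; the <Event> wrapper around the two fields is constructed for the sample.

```python
import xml.etree.ElementTree as ET

# Windows desired-access mask bits; assumed (not stated in the post) to be
# what the fpolicy OpenAccmode field carries.
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00100000: "SYNCHRONIZE",
}
DELETE = 0x00010000

# NtCreateFile / SMB2 CREATE options bits; assumed to be what OpenOptions carries.
CREATE_OPTION_BITS = {
    0x00000001: "FILE_DIRECTORY_FILE",
    0x00000020: "FILE_SYNCHRONOUS_IO_NONALERT",
    0x00000040: "FILE_NON_DIRECTORY_FILE",
    0x00001000: "FILE_DELETE_ON_CLOSE",
}
FILE_DELETE_ON_CLOSE = 0x00001000

def decode_bits(value, table):
    """Return the names of the known bits set in value."""
    return sorted(name for bit, name in table.items() if value & bit)

def classify_open(event_xml):
    """Classify an SMB_OPEN event by delete intent.
    'delete-on-close': the file is removed when this handle closes.
    'delete-access':   DELETE access granted, so a later set-disposition
                       on the handle may delete it (not certain yet).
    'no-delete-intent': neither bit set."""
    root = ET.fromstring(event_xml)
    accmode = int(root.findtext("OpenAccmode", "0"))
    options = int(root.findtext("OpenOptions", "0"))
    if options & FILE_DELETE_ON_CLOSE:
        verdict = "delete-on-close"
    elif accmode & DELETE:
        verdict = "delete-access"
    else:
        verdict = "no-delete-intent"
    return {"verdict": verdict,
            "access": decode_bits(accmode, ACCESS_BITS),
            "options": decode_bits(options, CREATE_OPTION_BITS)}

# Constructed sample: the two values quoted above inside a dummy <Event> root.
SAMPLE_EVENT = ("<Event><OpenAccmode>1114240</OpenAccmode>"
                "<OpenOptions>4128</OpenOptions></Event>")
```

With the quoted values the decoder reports delete-on-close, because 4128 (0x1020) contains FILE_DELETE_ON_CLOSE (0x1000) and 1114240 (0x110080) contains DELETE (0x10000) alongside FILE_READ_ATTRIBUTES and SYNCHRONIZE.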