
Access type missing in CIFS audit logs ?

Hi all,

We want to monitor file access events for CIFS and NFS like read, write, delete... We want to know who did what for each file access.

What we call "access type" is the action operated by the user like READ, WRITE, DELETE etc...

We use Data ONTAP 7.3.4

I activated the audit function, and it works well, but I see a difference between NFS and CIFS audit logs. One important piece of information which is present in NFS audit logs is not present in CIFS audit logs.

An example is better to understand:

NFS audit log:
</grreplace>
<gr_replace lines="34" cat="clarify" orig="All informations">
All the information needed is present: access type (read in this example) - IP address - UID - path, and some other information like inode etc...

Security
File
NFS access = READ
Vol ID = 0x2300fd0b
Snap ID = 0x0
Inode = 0x975e05
IP = 1.2.3.4
UID = 0x3da
Full Path = /vol/vol3/home/share/script.ksh
NetApp Data ONTAP
(0x0, 0x3e7)
%%4416
0x1

All informations needed are present : Access type (read in this example) - IP Address - UID - Path  and some others informations like inode etc...

Now take a CIFS audit log:

Security
File
\vol\vol0\data\procedure_SLAG
3011
2048
NetApp Data ONTAP
toto
NetApp Data ONTAP
(0x0, 0x1006)
1.2.3.4
%%4416
%%4423
%%1538
0x20081

IP address - UID - path are present, but the access type is missing. So with this audit log, we can't know what the user did: read? write? delete? We just know that he accessed a certain file, but that's all...

Do you know if it comes from a misconfiguration? Or can CIFS audit logs not provide the access type?

Thx for your feedback :-)

Re: Access type missing in CIFS audit logs ?

I answer to myself because nobody seems to know...

The tool I was using (psloglist) wasn't able to extract the CIFS access type from the .evt file, but the Log Parser tool from Microsoft can extract this type of information (the .evt file has to be converted to .evtx format, otherwise it will not work).

Nevertheless, the CIFS and NFS log formats are really different and we have a lot of work to do to be able to parse them. If you have any feedback on how to parse CIFS and NFS audit logs ...
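To illustrate how the two record layouts quoted in the question can be brought into one schema, here is an added example parser; it is not code from the thread or from NetApp. It uses the two sample records exactly as posted. Its assumptions are labelled in the code: in the CIFS record, the line after the first "NetApp Data ONTAP" line is taken to be the account name, the first dotted-quad line the client IP, and the trailing hex value a Windows-style file access mask, which is decoded with the standard Win32 access-right bit values (FILE_READ_DATA = 0x1, DELETE = 0x10000, and so on). Under those assumptions the sample CIFS value 0x20081 decodes to read data, read attributes and read control, so the record can be classified as a READ alongside the NFS record.

```python
"""Normalise the NFS and CIFS audit records quoted above into one schema.

Added example, not from the thread or from NetApp. CIFS field positions and
the meaning of the trailing hex value are ASSUMPTIONS, marked below.
"""
import re
from dataclasses import dataclass, field

# Sample records copied from the question (constructed test input).
SAMPLE_NFS = """Security
File
NFS access = READ
Vol ID = 0x2300fd0b
Snap ID = 0x0
Inode = 0x975e05
IP = 1.2.3.4
UID = 0x3da
Full Path = /vol/vol3/home/share/script.ksh
NetApp Data ONTAP
(0x0, 0x3e7)
%%4416
0x1
"""
SAMPLE_CIFS = r"""Security
File
\vol\vol0\data\procedure_SLAG
3011
2048
NetApp Data ONTAP
toto
NetApp Data ONTAP
(0x0, 0x1006)
1.2.3.4
%%4416
%%4423
%%1538
0x20081
"""

# Standard Win32 file access-right bits (values from winnt.h).
ACCESS_BITS = {
    0x00001: "FILE_READ_DATA", 0x00002: "FILE_WRITE_DATA",
    0x00004: "FILE_APPEND_DATA", 0x00008: "FILE_READ_EA",
    0x00010: "FILE_WRITE_EA", 0x00020: "FILE_EXECUTE",
    0x00040: "FILE_DELETE_CHILD", 0x00080: "FILE_READ_ATTRIBUTES",
    0x00100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
WRITE_LIKE = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA",
              "FILE_WRITE_ATTRIBUTES", "WRITE_DAC", "WRITE_OWNER"}
DELETE_LIKE = {"DELETE", "FILE_DELETE_CHILD"}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HEXVAL = re.compile(r"^0x[0-9a-fA-F]+$")


@dataclass
class AuditEvent:
    protocol: str
    user: str
    ip: str
    path: str
    rights: set = field(default_factory=set)  # fine-grained rights, if known
    action: str = "UNKNOWN"                   # coarse READ / WRITE / DELETE


def decode_mask(mask):
    """Expand an access mask into the names of the bits that are set."""
    return {name for bit, name in ACCESS_BITS.items() if mask & bit}


def coarse_action(rights):
    """Collapse a set of rights into the READ/WRITE/DELETE the question asks for."""
    if rights & DELETE_LIKE:
        return "DELETE"
    if rights & WRITE_LIKE:
        return "WRITE"
    return "READ" if rights else "UNKNOWN"


def parse_nfs(text):
    """NFS records are 'key = value' lines, so a simple split suffices."""
    kv = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()
    return AuditEvent("NFS", kv.get("UID", ""), kv.get("IP", ""),
                      kv.get("Full Path", ""), set(),
                      kv.get("NFS access", "UNKNOWN").upper())


def parse_cifs(text):
    """CIFS records are positional; the positions used here are assumptions."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    path = lines[lines.index("File") + 1]                     # assumption
    user = lines[lines.index("NetApp Data ONTAP") + 1]        # assumption
    ip = next((ln for ln in lines if IPV4.match(ln)), "")
    hexvals = [ln for ln in lines if HEXVAL.match(ln)]
    rights = decode_mask(int(hexvals[-1], 16)) if hexvals else set()  # assumption
    return AuditEvent("CIFS", user, ip, path, rights, coarse_action(rights))


def parse_record(text):
    """Dispatch on the one line that only NFS records carry."""
    if any(ln.startswith("NFS access") for ln in text.splitlines()):
        return parse_nfs(text)
    return parse_cifs(text)


if __name__ == "__main__":
    for sample in (SAMPLE_NFS, SAMPLE_CIFS):
        ev = parse_record(sample)
        print(f"{ev.protocol:4} {ev.action:7} {ev.user:6} {ev.ip:9} {ev.path}")
```

Both records come out as one `AuditEvent` with the same fields, which is what a downstream correlation rule needs; the coarse action favours DELETE over WRITE over READ, so a mask that combines rights is classified by its most consequential one.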