Accepted Solution

Access type missing in CIFS audit logs ?

Hi all,

We want to monitor file access events for CIFS and NFS like read, write, delete ....We want to know who did what for each file access.

What we call "access type" is the action operated by the user like READ, WRITE, DELETE etc...

We use Data ONTAP 7.3.4

I activated audit function, and it works well, but I see a difference between NFS and CIFS audit  logs. One important informations which is present in NFS audit logs  is not present in CIFS audit logs

An example is better to understand :

NFS audit log  :

NFS access = READ
Vol ID = 0x2300fd0b
Snap ID = 0x0
Inode = 0x975e05
IP =
UID = 0x3da
Full Path = /vol/vol3/home/share/script.ksh
NetApp Data ONTAP
(0x0, 0x3e7)

All informations needed are present : Access type (read in this example) - IP Address - UID - Path  and some others informations like inode etc...

Now take a CIFS audit log :

NetApp Data ONTAP
NetApp Data ONTAP
(0x0, 0x1006)

IP Address - UID - Path are well present  but access type is missing . So with this audit log, we can' t know what the user did : read ? write ? delete ? We just know that he accessed a certain file but that's all...

Do you know if it comes from a misconfiguation ? Or does CIFS audit logs can't provide the access type ?

Thx for your feedback :-)

Re: Access type missing in CIFS audit logs ?

I anwer to myself because nobody seems to know ....

The too I was using  (psloglist) wasn't able to extract cifs access type from evt but logparser tool from Microsoft can extract this type of information (evt have to be converted in evtx format otherwise it will not work)

Nevertheless, cifs and nfs format logs are really different and we have to do a huge work to be able to parse them. If you have a feedback on how to parse cifs and nfs audit logs ...