CIFS Auditing! Need Help and Recommendations!

Can someone help us with CIFS audit log configuration?

1. Currently we have configured the logs in our NAS but this does not give us any audit details like Deletion/Modification/Accessed/Access Failures by User.

We are looking for a way to retrieve details which will give us these details, and it is of utmost importance to us.

2. The current .evt file is stored in the file; we are looking for a script which will automatically copy this file to a Windows share before truncation.
3. We have integrated the NAS with SCOM but we are not able to configure the alerts at file/folder level, where we intend to have an alert when unauthorized access of files/folders happens.
4. We have certain files in the NAS which cannot be deleted as they are already opened by another user; in reality they are not. Now we cannot kill the session as is possible in Windows.
Please recommend if any third-party app can help in this regard.

Re: CIFS Auditing! Need Help and Recommendations!

For file access event auditing you need to configure 'options cifs.audit.file_access_events.enable on'.

You'll also need to set the system security ACLs on the files/folders that you wish to have auditing on.

This can be done with Storage-Level Access Guard security, or Windows Properties/Security, or by applying a GPO to propagate the SACLs down through a directory hierarchy.

The internal audit log file is stored as /etc/log/auditlog.alf. The .evt files can be saved off to another location with 'options cifs.audit.saveas <fullpath>'.

You can create a secure share for this path.

You can kill individual CIFS sessions with 'cifs terminate'. See the man pages.

Re: CIFS Auditing! Need Help and Recommendations!

I'm searching for any third-party application which generates audit reports for a CIFS resource on a NetApp using a domain controller.

Do you know of any third-party application that reads the .evt file generated by the NetApp audit service? Can I generate any report with access audit integrated with Active Directory for a domain in a Windows-like system?

Another workaround is to read I/O access from the NetApp API instead of the EVT file.

Can somebody help me?
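
For the question above about reading the saved .evt file directly, here is an added example (not from the thread, and not NetApp code) that walks the records of a legacy Windows Event Log file in Python and tallies audit successes and failures per event ID. It assumes the filer's saved file follows the legacy `.evt` record layout and is not wrapped; the sample records, event IDs, paths and user names are constructed.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

SIG = b"LfLe"                      # signature in the file header and every record
HEADER_LEN, FIXED_LEN = 0x30, 56   # header size / fixed part of one record
TYPES = {0x08: "audit_success", 0x10: "audit_failure"}

def parse_evt(blob):
    """Yield one dict per record of a legacy .evt file (linear, not wrapped)."""
    if len(blob) < HEADER_LEN or blob[4:8] != SIG:
        raise ValueError("not a legacy .evt file")
    pos = HEADER_LEN
    while pos + FIXED_LEN <= len(blob):
        (length, sig, recno, generated, _written, event_id, etype, nstrings,
         _cat, _flags, _closing, str_off) = struct.unpack_from("<I4sIIIIHHHHII", blob, pos)
        # The end-of-file marker and truncated data fail these checks.
        if sig != SIG or length < FIXED_LEN or pos + length > len(blob):
            break
        raw = blob[pos + str_off:pos + length - 4].decode("utf-16-le", "replace")
        yield {"record": recno, "event_id": event_id & 0xFFFF,
               "time": datetime.fromtimestamp(generated, timezone.utc),
               "type": TYPES.get(etype, hex(etype)),
               "strings": raw.split("\x00")[:nstrings]}
        pos += length

def summarize(blob):
    """Count records per (event_id, type) so audit failures stand out."""
    return Counter((r["event_id"], r["type"]) for r in parse_evt(blob))

def build_record(recno, ts, event_id, etype, strings):
    """Constructed test data only: pack a minimal record (no source name or SID)."""
    body = "".join(s + "\x00" for s in strings).encode("utf-16-le")
    length = (FIXED_LEN + len(body) + 4 + 3) & ~3
    fixed = struct.pack("<I4sIIIIHHHHIIIIII", length, SIG, recno, ts, ts, event_id,
                        etype, len(strings), 0, 0, 0, FIXED_LEN, 0, FIXED_LEN,
                        0, FIXED_LEN + len(body))
    return (fixed + body).ljust(length - 4, b"\x00") + struct.pack("<I", length)

# Constructed sample: zeroed header apart from size and signature, three records.
SAMPLE = struct.pack("<I4s36xI", HEADER_LEN, SIG, HEADER_LEN) + b"".join([
    build_record(1, 1262304000, 560, 0x08, ["/vol/vol1/share/a.txt", "EXAMPLE\\alice"]),
    build_record(2, 1262304060, 560, 0x10, ["/vol/vol1/share/b.txt", "EXAMPLE\\bob"]),
    build_record(3, 1262304120, 564, 0x08, ["/vol/vol1/share/a.txt", "EXAMPLE\\alice"]),
])

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items()):
        print(key, count)
```

To run it against a real file, pass the bytes of the saved log to `summarize`; which insertion strings carry the object path and user name has to be checked against the records the filer actually writes.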

