topic Re: Auditing netapps in ONTAP Discussions

Auditing netapps

CCIC4EPSO — Thu, 05 Jun 2025 07:34:30 GMT

Hi,

I configured my netapps to be able to audit access of files with the following commands

options cifs.audit.enable on

options cifs.audit.autosave.ontime.enable on

options cifs.audit.autosave.onsize.enable on

options cifs.audit.liveview.enable on

options cifs.audit.logsize 52428800

options cifs.audit.autosave.onsize.threshold 50m

options cifs.audit.autosave.ontime.interval 20m

my aim was to have external log files (.evt) with size of 50 MB or each 20 minuts. i tried many times but always the result is files with size almost 500 KB and it is generated each 11 to 20 seconds.

as you know if i want to manage number of these log files i have the ability to 999 files only which is not available with this small size of the file becuase in one day i got more than 2000 log files.

so is there a mistake or missing commands?

Re: Auditing netapps

nagendrk — Thu, 08 May 2008 11:56:47 GMT

I tried out your commands, I found the same behavior - an evt file was getting created every minute. Then I found below piece of info in "Data ONTAP® 7.2

File Access and Protocols Management Guide" :

When Live View is enabled, an Access Logging Facility (ALF) daemon runs once a minute, flushing audit events from memory to the internal log file /etc/log/cifsaudit.alf on disk. The ALF daemon also attempts to save and convert ALF records to EVT records that can be viewed by Event Viewer. It does so either once every minute, or when the .alf file becomes 75 percent full.

I used " options cifs.audit.liveview.enable off" to disable live view and the file creation (every minute) stopped.

Re: Auditing netapps

nagendrk — Thu, 08 May 2008 16:51:37 GMT

I tried out your commands on my system, the behavior was the same - an evt file was being created every minute. I found this piece of info in "Data ONTAP® 7.2

File Access and Protocols Management Guide" :

When Live View is enabled, an Access Logging Facility (ALF) daemon runs

once a minute, flushing audit events from memory to the internal log file

/etc/log/cifsaudit.alf on disk. The ALF daemon also attempts to save and convert

ALF records to EVT records that can be viewed by Event Viewer. It does so

either once every minute, or when the .alf file becomes 75 percent full.

On disabling live view using "options cifs.audit.liveview.enable off" the evt file creation stopped. Try this out !

Re: Auditing netapps

CCIC4EPSO — Mon, 19 May 2008 06:21:03 GMT

I tried this and it seems OK.

thanx

Re: Auditing netapps

philmcneill — Fri, 17 Apr 2009 16:08:04 GMT

I'm attempting to set up something similar, and was wondering if there is any overhead associated with turning audting on other than tthe space the log files take up on the disk. Also, I only want to keep a few hours worth in order to respond to events that just occured. What command would I use to have audit logs older than a specific age automatically deleted/overwritten?

Thanks!

Phil

Re: Auditing netapps

jmcreynolds — Thu, 07 Jan 2010 14:27:42 GMT

We are also working to enable auditing on our CIFS volumes, and then retrieving the audit log from a log management system.

After disabling LiveView, did you correctly see the audit log rotation at the intervals you wanted? (50MB/20 Mins), or did you need to use a different method to 'keep up' with the audit log creation?

Thank you in advance

Re: Auditing netapps

dwutke — Thu, 14 Jan 2010 01:38:54 GMT

I'm new to auditing netapps, does anyone have a doc I read on the basics? I've gotten as far as the

adtlog.evt file being created but I can't read the contents of the logs themselves using the windows event log viewer. I receive the error:

The description for Event ID ( 538 ) in Source ( Security ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: rlee, UNITED, (0x0, 0x3b1e5), 3.

Thanks,

Re: Auditing netapps

miststech — Mon, 22 Feb 2010 13:59:40 GMT

Same here,

I have a pair of filers, and want to know the best way of saving the CIFS audit logs. You would think it has neverbeen done before, as my NetApp supplier has never had the issue before.

there has got to be an accepted souloution by NetApp of how to manage the audit logs for CIFS shares on a Filer.

Re: Auditing netapps

hland — Tue, 23 Feb 2010 22:10:45 GMT

Hi,

see this KB entry for the basic setup of CIFS auditing and the various options that can be set: https://now.netapp.com/Knowledgebase/solutionarea.asp?id=kb44724

A more detailed explanation is availabe in the docs: http://now.netapp.com/NOW/knowledge/docs/ontap/rel732/html/ontap/filesag/GUID-90C286C7-95ED-48A5-ADF9-0DA7C85CF2B8.html

Do you have any specific questions?

Regards

Hendrik

Re: Auditing netapps

hland — Tue, 23 Feb 2010 22:33:00 GMT

Hi,

the event details differ a lot between different Windows versions. Ontap can't support all these different versions simultanously. When copying the .evt file to your local Windows machine and viewing it in event viewer, Windows will attempt to use the local event description of that Windows version. Depending on the Windows version it will not recognize some events, which leads to the error message you've posted. IIRC Vista should work pretty well.

You can also use the /auxsource parameter when starting the management console to tell Windows to look at the source machine for event descriptions. Basically you would start it like this:

mmc /a /AUXSOURCE=<Filer-IP>

See http://support.microsoft.com/kb/312216/en-us for more details on that parameter.

Hope that helps.

..- Hendrik

Re: Auditing netapps

miststech — Wed, 24 Feb 2010 08:15:29 GMT

I have the auditing configured, Want i want to know, is as the evt files are not "REAL" evt file,

What is the best was of getting them off a NetApp filer, and archiving them to allow compliance with SOX (Specifically J-SOX). The actual audit configuration is complete, I just need to be able to search the logs and use some tool to collect and aggregate the files.

Re: Auditing netapps

hland — Wed, 24 Feb 2010 14:08:59 GMT

They are "real"evt files. However, you can't query them via RPC as you can with a Windows server. Therefore you need to work with the actual files. Any tool that can read .evt files should work fine.

I guess the easiest way to get the event files off the filer is via CIFS or NFS. Either copy them to whatever location you like via a script or use a backup application if you just want to archive them on tape or something.Then process them with your preferred event log tool (as long as it can open .evt files) or convert them to text and go from there (http://now.netapp.com/NOW/download/tools/evt2text/).

Regards

Hendrik