https://community.netapp.com/t5/Network-and-Storage-Protocols/Access-type-missing-in-CIFS-audit-logs/m-p/69035#M6287 <HTML><HEAD></HEAD><BODY><P>I anwer to myself because nobody seems to know ....<SPAN __jive_emoticon_name="plain" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon jive_emote" src="https://community.netapp.com/5.0.1/images/emoticons/plain.gif"></SPAN></P><P></P><P>The too I was using&nbsp; (psloglist) wasn't able to extract cifs access type from evt but logparser tool from Microsoft can extract this type of information (evt have to be converted in evtx format otherwise it will not work)</P><P></P><P>Nevertheless, cifs and nfs format logs are really different and we have to do a huge work to be able to parse them. If you have a feedback on how to parse cifs and nfs audit logs ... <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon jive_emote" height="1" src="https://community.netapp.com/5.0.1/images/emoticons/happy.gif" width="1"></SPAN></P></BODY></HTML> Wed, 05 Mar 2014 08:23:26 GMT XFRSQUAD42 2014-03-05T08:23:26Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Access-type-missing-in-CIFS-audit-logs/m-p/69029#M6285 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>We want to monitor file access events for CIFS and NFS like read, write, delete ....We want to know who did what for each file access.</P><P></P><P>What we call "access type" is the action operated by the user like READ, WRITE, DELETE etc...</P><P></P><P>We use Data ONTAP 7.3.4</P><P></P><P>I activated audit function, and it works well, but I see a difference between NFS and CIFS audit&nbsp; logs. One important informations which is present in NFS audit logs&nbsp; is not present in CIFS audit logs</P><P></P><P>An example is better to understand :</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>NFS audit log&nbsp; : </STRONG></SPAN></P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 448px;"><TBODY><TR><TD class="xl65" height="19" width="88">Security</TD></TR><TR><TD class="xl65" height="19">File</TD></TR><TR><TD class="xl65" colspan="2">NFS access = <STRONG>READ</STRONG></TD></TR><TR><TD class="xl65" colspan="2">Vol ID = 0x2300fd0b</TD></TR><TR><TD class="xl65" colspan="2">Snap ID = 0x0</TD></TR><TR><TD class="xl65" colspan="2">Inode = 0x975e05</TD></TR><TR><TD class="xl65" colspan="2">IP = 1.2.3.4</TD></TR><TR><TD class="xl65">UID = 0x3da</TD></TR><TR><TD class="xl65" colspan="3">Full Path = /vol/vol3/home/share/script.ksh</TD></TR><TR><TD class="xl65" colspan="2" height="19">NetApp Data ONTAP</TD></TR><TR><TD class="xl65" height="19">(0x0, 0x3e7)</TD></TR><TR><TD class="xl65" height="19">%%4416</TD></TR><TR><TD class="xl65" height="19">0x1</TD></TR></TBODY></TABLE><P></P><P>All informations needed are present : Access type (read in this example) - IP Address - UID - Path&nbsp; and some others informations like inode etc...</P><P></P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Now take a CIFS audit log : </STRONG></SPAN></P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 446px;"><TBODY><TR><TD class="xl65" height="19" width="94">Security</TD></TR></TBODY></TABLE><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 446px;"><TBODY><TR><TD class="xl66" height="19">File</TD><TD class="xl66"></TD><TD class="xl66"></TD><TD class="xl66"></TD></TR><TR><TD class="xl66" colspan="4" height="19">\vol\vol0\data\procedure_SLAG</TD></TR><TR><TD align="right" class="xl65" height="19">3011</TD></TR><TR><TD align="right" class="xl65" height="19">2048</TD></TR><TR><TD class="xl65" colspan="2" height="19">NetApp Data ONTAP</TD></TR><TR><TD class="xl65" height="19">toto</TD></TR><TR><TD class="xl65" height="19">NetApp Data ONTAP</TD></TR><TR><TD class="xl65" height="19">(0x0, 0x1006)</TD></TR><TR><TD class="xl65" colspan="2" height="19">1.2.3.4</TD></TR><TR><TD class="xl65" height="19">%%4416</TD></TR><TR><TD class="xl65">%%4423</TD></TR><TR><TD class="xl65">%%1538</TD></TR></TBODY></TABLE><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 446px;"><TBODY><TR><TD class="xl65" height="19">0x20081</TD></TR></TBODY></TABLE><P></P><P></P><P>IP Address - UID - Path are well present&nbsp; <SPAN style="color: #575757; text-decoration: underline;"><STRONG>but access type is missing </STRONG></SPAN><SPAN style="color: #575757;">. So with this audit log, we can' t know what the user did : read ? write ? delete ? We just know that he accessed a certain file but that's all...</SPAN></P><P></P><P></P><P><SPAN style="color: #575757;">Do you know if it comes from a misconfiguation ? </SPAN><SPAN style="color: #575757;">Or does CIFS audit logs can't provide the access type ? </SPAN></P><P></P><P><SPAN style="color: #575757;">Thx for your feedback <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P></BODY></HTML> Thu, 05 Jun 2025 05:42:08 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Access-type-missing-in-CIFS-audit-logs/m-p/69029#M6285 XFRSQUAD42 2025-06-05T05:42:08Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Access-type-missing-in-CIFS-audit-logs/m-p/69035#M6287 <HTML><HEAD></HEAD><BODY><P>I anwer to myself because nobody seems to know ....<SPAN __jive_emoticon_name="plain" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon jive_emote" src="https://community.netapp.com/5.0.1/images/emoticons/plain.gif"></SPAN></P><P></P><P>The too I was using&nbsp; (psloglist) wasn't able to extract cifs access type from evt but logparser tool from Microsoft can extract this type of information (evt have to be converted in evtx format otherwise it will not work)</P><P></P><P>Nevertheless, cifs and nfs format logs are really different and we have to do a huge work to be able to parse them. If you have a feedback on how to parse cifs and nfs audit logs ... <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon jive_emote" height="1" src="https://community.netapp.com/5.0.1/images/emoticons/happy.gif" width="1"></SPAN></P></BODY></HTML> Wed, 05 Mar 2014 08:23:26 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Access-type-missing-in-CIFS-audit-logs/m-p/69035#M6287 XFRSQUAD42 2014-03-05T08:23:26Z