Ask The Experts

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Ask The Experts

Ask a Question

Unable to create Audit configuration on volumes

lmario
‎2019-07-19 06:30 AM
5,063 Views

Hi,

 

I'm new on NetApp and I would like to enable audit configuration on two volume.

My namespaces is DATA and HOME and I created on each a dir called "Alog".

 

When I type the command to create config the output message is this:

 

netapp01::> vserver audit create -vserver SVM02_CIFS_DATI -destination /Data/Alog -format evtx -events file-ops,cifs-logon-logoff -rotate-size 5MB -rotate-limit 5

Error: command failed: The specified path "/Data/Alog/" does not exist in the namespace belonging to Vserver "SVM02_CIFS_DATI".

 

What's I don't understand?

 

Thanks a lot

 

 

Mario

 

0 Kudos
4 REPLIES 4

SpindleNinja
A-Team Tech Advisor A-Team Tech Advisor
‎2019-07-19 11:36 AM
5,020 Views

I don't think you need the /xyz/abc 

 

here's an example of how I ususually do it.  

 

CLUSTER::> vol create -vserver CIFS -volume AUDITLOG -aggregate n1_aggr_SATA1 -size 10G -state online -policy default -junction-path /AUDITLOG -security-style ntfs -type RW -snapshot-policy none


CLUSTER::> vserver audit create -vserver CIFS -destination /AUDITLOG -events file-ops,cifs-logon-logoff -format xml -rotate-size 100MB -rotate-limit 4

0 Kudos

lmario
‎2019-07-19 01:32 PM
In response to SpindleNinja
4,999 Views

Hi and thanks....WORKS!

 

But, I don't understand, now I see the EVTX file and I can open them but all with Event ID 4634 and the description is:

 

"The description for Event ID 4634 from source NetApp-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

 

Why?

Thanks

 

0 Kudos

SpindleNinja
A-Team Tech Advisor A-Team Tech Advisor
‎2019-07-19 02:18 PM
In response to lmario
4,989 Views

I would use XML: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=906536    

EVTX can get weird.   

 

 

Have also you aplied to SACLs yet?  i.e. told the file shares what events you want audited.     This can be done via CLI in ONTAP or the Windows GUI.    

 

 

  

0 Kudos

lmario
‎2019-07-19 02:40 PM
In response to SpindleNinja
4,980 Views

Yes, this is the following enabled

 

Vserver State Event Types Log Format Target Directory
----------- ------ ------------------ ---------- ----------------------------
SVM01_CIFS_HOME
true file-ops, evtx /home
cifs-logon-logoff,
user-account,
audit-policy-
change

 

Unfortunately I cannot visit the link posted 'cos I don't have the login ID with me.

I must to wait Monday 'cos in office sorry.

 

For now thanks a lot, you gave me a good and big help!

 

 

0 Kudos
Announcements
All Community Forums
Public