
Unable to create Audit configuration on volumes

Hi,

 

I'm new to NetApp and I would like to enable audit configuration on two volumes.

My namespaces are DATA and HOME, and I created a dir called "Alog" on each.

 

When I type the command to create config the output message is this:

 

netapp01::> vserver audit create -vserver SVM02_CIFS_DATI -destination /Data/Alog -format evtx -events file-ops,cifs-logon-logoff -rotate-size 5MB -rotate-limit 5

Error: command failed: The specified path "/Data/Alog/" does not exist in the namespace belonging to Vserver "SVM02_CIFS_DATI".

 

What is it that I don't understand?

 

Thanks a lot

 

 

Mario

 


Re: Unable to create Audit configuration on volumes

I don't think you need the /xyz/abc 

 

Here's an example of how I usually do it.

 

CLUSTER::> vol create -vserver CIFS -volume AUDITLOG -aggregate n1_aggr_SATA1 -size 10G -state online -policy default -junction-path /AUDITLOG -security-style ntfs -type RW -snapshot-policy none


CLUSTER::> vserver audit create -vserver CIFS -destination /AUDITLOG -events file-ops,cifs-logon-logoff -format xml -rotate-size 100MB -rotate-limit 4

Re: Unable to create Audit configuration on volumes

Hi and thanks....WORKS!

 

But I don't understand: now I see the EVTX files and I can open them, but all of them have Event ID 4634 and the description is:

 

"The description for Event ID 4634 from source NetApp-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

 

Why?

Thanks

 


Re: Unable to create Audit configuration on volumes

I would use XML: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=906536    

EVTX can get weird.   

 

 

Have you also applied the SACLs yet? I.e., told the file shares what events you want audited. This can be done via the CLI in ONTAP or the Windows GUI.
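Added example, not part of the reply above and not NetApp's own code: a scripted Windows-side counterpart to setting the SACL in the GUI, using the standard .NET audit-rule classes. The UNC path, the audited principal and the chosen rights are assumptions; the account running it is assumed to be allowed to manage auditing on the share (SeSecurityPrivilege).

```powershell
# Assumed placeholder: UNC path of a folder on the audited CIFS share.
$Path = '\\SVM_PLACEHOLDER\share\folder'

# Assumed policy: audit Everyone for successful and failed writes, deletes
# and permission/owner changes, inherited by all subfolders and files.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $flags)

# -Audit is required: without it Get-Acl returns only owner and DACL,
# and the SACL would not be read or written back.
$acl = Get-Acl -Path $Path -Audit

# Only add the entry if an identical explicit one is not already present,
# so re-running the script does not pile up duplicate audit entries.
$existing = $acl.Audit | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    $_.FileSystemRights -eq $rights -and
    $_.AuditFlags -eq $flags
}
if (-not $existing) {
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Read the SACL back to confirm what will actually generate file-ops events.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited
```

If the final table is empty, no file or folder access under that path matches a SACL entry, which is what this reply is asking about.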

 

 

  

Re: Unable to create Audit configuration on volumes

Yes, the following is enabled:

 

Vserver     State  Event Types        Log Format Target Directory
----------- ------ ------------------ ---------- ----------------------------
SVM01_CIFS_HOME
            true   file-ops,          evtx       /home
                   cifs-logon-logoff,
                   user-account,
                   audit-policy-
                   change

 

Unfortunately I cannot visit the link posted 'cos I don't have the login ID with me.

I must wait until Monday 'cos it's in the office, sorry.

 

For now thanks a lot, you gave me a good and big help!

 

 
