I configured my NetApps to be able to audit access to files with the following commands:
options cifs.audit.enable on
options cifs.audit.autosave.ontime.enable on
options cifs.audit.autosave.onsize.enable on
options cifs.audit.liveview.enable on
options cifs.audit.logsize 52428800
options cifs.audit.autosave.onsize.threshold 50m
options cifs.audit.autosave.ontime.interval 20m
My aim was to have external log files (.evt) of 50 MB in size, or one every 20 minutes. I tried many times, but the result is always files of almost 500 KB in size, generated every 11 to 20 seconds.
As you know, if I want to manage the number of these log files I can only keep 999 files, which is not workable with this small file size because in one day I get more than 2000 log files.
So is there a mistake or a missing command?
I tried out your commands and found the same behavior: an evt file was getting created every minute. Then I found the following piece of info in the "Data ONTAP® 7.2 File Access and Protocols Management Guide":
When Live View is enabled, an Access Logging Facility (ALF) daemon runs once a minute, flushing audit events from memory to the internal log file /etc/log/cifsaudit.alf on disk. The ALF daemon also attempts to save and convert ALF records to EVT records that can be viewed by Event Viewer. It does so either once every minute, or when the .alf file becomes 75 percent full.
I used "options cifs.audit.liveview.enable off" to disable Live View, and the file creation (every minute) stopped.
I'm attempting to set up something similar, and was wondering if there is any overhead associated with turning auditing on other than the space the log files take up on the disk. Also, I only want to keep a few hours' worth in order to respond to events that just occurred. What command would I use to have audit logs older than a specific age automatically deleted/overwritten?
We are also working to enable auditing on our CIFS volumes and then retrieve the audit log from a log management system.
After disabling Live View, did you correctly see the audit log rotation at the intervals you wanted (50 MB / 20 minutes), or did you need to use a different method to 'keep up' with the audit log creation?
Thank you in advance
I'm new to auditing NetApps; does anyone have a doc I can read on the basics? I've gotten as far as the adtlog.evt file being created, but I can't read the contents of the logs themselves using the Windows Event Log Viewer. I receive the error:
The description for Event ID ( 538 ) in Source ( Security ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: rlee, UNITED, (0x0, 0x3b1e5), 3.
I have a pair of filers and want to know the best way of saving the CIFS audit logs. You would think it has never been done before, as my NetApp supplier has never had the issue before.
There has got to be an accepted solution from NetApp for how to manage the audit logs for CIFS shares on a filer.
See this KB entry for the basic setup of CIFS auditing and the various options that can be set: https://now.netapp.com/Knowledgebase/solutionarea.asp?id=kb44724
A more detailed explanation is available in the docs: http://now.netapp.com/NOW/knowledge/docs/ontap/rel732/html/ontap/filesag/GUID-90C286C7-95ED-48A5-ADF9-0DA7C85CF2B8.html
Do you have any specific questions?
The event details differ a lot between different Windows versions. ONTAP can't support all these different versions simultaneously. When copying the .evt file to your local Windows machine and viewing it in Event Viewer, Windows will attempt to use the local event description of that Windows version. Depending on the Windows version it will not recognize some events, which leads to the error message you've posted. IIRC Vista should work pretty well.
You can also use the /auxsource parameter when starting the management console to tell Windows to look at the source machine for event descriptions. Basically you would start it like this:
mmc /a /AUXSOURCE=<Filer-IP>
See http://support.microsoft.com/kb/312216/en-us for more details on that parameter.
Hope that helps.
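The /AUXSOURCE route still depends on the local Windows build being able to resolve the event description. As an added example, not code from this thread or from NetApp, the raw fields of a copied adtlog.evt can be read with PowerShell's Get-WinEvent, which returns each record's insertion strings even when the description text cannot be found; the file path is an assumption, and the field order for event 538 is taken from the error message quoted above (user, domain, logon ID, logon type).

```powershell
# Added example: inspect a NetApp CIFS audit .evt copied to a Windows host
# without relying on Event Viewer's description DLLs. Path is an assumption.
$EvtPath = 'C:\audit\adtlog.evt'

# Legacy .evt (and .etl) files must be read with -Oldest, oldest record first.
$events = Get-WinEvent -Path $EvtPath -Oldest -ErrorAction Stop

# Summarise which event IDs the file holds, busiest first. Works even when
# $_.Message is empty because the description could not be resolved.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count |
    Format-Table -AutoSize

# Event 538 (logoff) carries the insertion strings shown in the quoted error:
# user, domain, logon ID, logon type. $_.Properties exposes them directly.
$events | Where-Object { $_.Id -eq 538 } | ForEach-Object {
    $p = @($_.Properties | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = $p[0]
        Domain    = $p[1]
        LogonId   = $p[2]
        LogonType = $p[3]
    }
} | Format-Table -AutoSize
```

The same Where-Object filter can be pointed at other event IDs once the ID counts show which ones the filer actually wrote.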