General Discussion

Many reads on a same file with ADAuditPlus

yb_benjamin
2,767 Views

Hello guys, 

 

Just wanted to know if one of you have already faced this problem. We're doing audit on CIFS shares and our tool ADAuditPlus is reporting the following issues :

 

- The file that we've read is showing as read many times in the same time. In ADAuditPlus, we can see multiple reads for the same file in the same second.

- ADAuditPlus is also reporting files in the same time that we didn't read at all. All files that we didn't read belong to the same directory.

 

I was just wondering when we access a file throught the windows explorer, how reacts the filer ?

 

The following configuration is pushed on the SVM.

 

XXX ::> vserver audit show -vserver XXX -instance

 

                           Vserver: XXX

                    Auditing State: true

              Log Destination Path: /cifs_audit_log

     Categories of Events to Audit: file-ops, audit-policy-change

                        Log Format: evtx

               Log File Size Limit: 200MB

      Log Rotation Schedule: Month: -

Log Rotation Schedule: Day of Week: -

        Log Rotation Schedule: Day: -

       Log Rotation Schedule: Hour: -

     Log Rotation Schedule: Minute: -

                Rotation Schedules: -

          Log Files Rotation Limit: 10

 

If you have any ideas, would be interesting ! Thanks !

 

See ya !

1 ACCEPTED SOLUTION

Ontapforrum
2,725 Views

Hi,

 

I haven't really come across or given any thought to it, but even if the file had many read operations it could happen.

 

Looking at the SVM auditing configuration you have shared : You have basically 2 event-type configured, one is audit-policy-change and other file-ops. Audit-policy-change will record any breach of altering the currently configured policy, that is understood. Other is file-ops which generally includes operations such as - 'open/close/read/write'. I am not surprised if a single file has had so many requests, it could happen. I will be interested to know what file was it.

 

Whether using \\unc\share or Windows explorer, system/user access the file/foler directly on the NetApp volume using 'SMB/CIFS' protocol, and depending upon the configured audit event, ONTAP records the action performed on the file/folder These events are first recorded in memory as binary logs and later ONTAP converts them to EVTX file format. This format can easily be used with Windows native Event viewer application for friendly viewing.


Some explanation on NAS audit logs can be found here:
https://kb.netapp.com/app/answers/answer_view/a_id/1030506
http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cifs-nfs-audit%2FGUID-976B35AF-844A-4A8E-95F6-60EC45EEFD58.html

 

Thanks!

View solution in original post

3 REPLIES 3

Ontapforrum
2,726 Views

Hi,

 

I haven't really come across or given any thought to it, but even if the file had many read operations it could happen.

 

Looking at the SVM auditing configuration you have shared : You have basically 2 event-type configured, one is audit-policy-change and other file-ops. Audit-policy-change will record any breach of altering the currently configured policy, that is understood. Other is file-ops which generally includes operations such as - 'open/close/read/write'. I am not surprised if a single file has had so many requests, it could happen. I will be interested to know what file was it.

 

Whether using \\unc\share or Windows explorer, system/user access the file/foler directly on the NetApp volume using 'SMB/CIFS' protocol, and depending upon the configured audit event, ONTAP records the action performed on the file/folder These events are first recorded in memory as binary logs and later ONTAP converts them to EVTX file format. This format can easily be used with Windows native Event viewer application for friendly viewing.


Some explanation on NAS audit logs can be found here:
https://kb.netapp.com/app/answers/answer_view/a_id/1030506
http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cifs-nfs-audit%2FGUID-976B35AF-844A-4A8E-95F6-60EC45EEFD58.html

 

Thanks!

yb_benjamin
2,695 Views

Hello, 

 

Thanks a lot for your answer, much clear for me. 

I had a look on the NetApp document that you provided and it says : 

 

OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute).

Note: For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations to the same object.
 
Which could corresponds to our issue.
 
Is that normal we still have many reads ? 
 
 

Ontapforrum
2,686 Views

You're welcome. Interesting, I am also reading those event details for the first time 🙂 I think the one you mentioned Event_ID:567/4663 should be part of the file-ops, but it says "This prevents ONTAP from creating excessive log entries when a single client opens an object". So I guess this will apply to 'single-client', which means the logging will continue for the same event if it is attempted by different clients. Sometimes, testing is needed to really get the concepts.

Thanks!

Public