Just wanted to know if one of you has already faced this problem. We're doing an audit on CIFS shares and our tool ADAuditPlus is reporting the following issues:
- The file that we've read is showing as read many times at the same time. In ADAuditPlus, we can see multiple reads for the same file in the same second.
- ADAuditPlus is also reporting, at the same time, files that we didn't read at all. All the files that we didn't read belong to the same directory.
I was just wondering: when we access a file through Windows Explorer, how does the filer react?
The following configuration is pushed on the SVM.
XXX ::> vserver audit show -vserver XXX -instance
Auditing State: true
Log Destination Path: /cifs_audit_log
Categories of Events to Audit: file-ops, audit-policy-change
Log Format: evtx
Log File Size Limit: 200MB
Log Rotation Schedule: Month: -
Log Rotation Schedule: Day of Week: -
Log Rotation Schedule: Day: -
Log Rotation Schedule: Hour: -
Log Rotation Schedule: Minute: -
Rotation Schedules: -
Log Files Rotation Limit: 10
If you have any ideas, that would be interesting! Thanks!
See ya!