I haven't really come across or given any thought to it, but even if the file had many read operations it could happen.
Looking at the SVM auditing configuration you have shared: you basically have 2 event types configured; one is audit-policy-change and the other is file-ops. Audit-policy-change will record any breach of altering the currently configured policy; that is understood. The other is file-ops, which generally includes operations such as 'open/close/read/write'. I am not surprised if a single file has had so many requests; it could happen. I would be interested to know what file it was.
Whether using \\unc\share or Windows Explorer, the system/user accesses the file/folder directly on the NetApp volume using the 'SMB/CIFS' protocol, and depending upon the configured audit event, ONTAP records the action performed on the file/folder. These events are first recorded in memory as binary logs and later ONTAP converts them to EVTX file format. This format can easily be used with the Windows native Event Viewer application for friendly viewing.
I had a look at the NetApp document that you provided and it says:
OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute).
Note: For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations to the same object.
You're welcome. Interesting, I am also reading those event details for the first time 🙂 I think the one you mentioned Event_ID:567/4663 should be part of the file-ops, but it says "This prevents ONTAP from creating excessive log entries when a single client opens an object". So I guess this will apply to 'single-client', which means the logging will continue for the same event if it is attempted by different clients. Sometimes, testing is needed to really get the concepts.