The best way to capture this audit log is by using a Log Management product like LogLogic. LogLogic appliances support collecting logs using file pulls (as well as receiving syslog and other "push" log data).
With LogLogic, you can define a CIFS share, and the LogLogic appliance can pull the log on a schedule. The LogLogic system can then analyze and parse the file for reporting. The configuration is done through a simple GUI and is well documented in the LogLogic Administrator Guide. You can find more information on this at the LogLogic web site, http://www.loglogic.com
We are actually currently implementing TriGeo and we're trying to find the best way to get the CIFS audit logs from the NetApp to TriGeo. Still examining this. But judging from this thread it looks like "push" is out of the question.
Do you have any experience with TriGeo or is it something you're looking into?
We can configure syslog.conf to push syslog information to a remote host, but CIFS audit logging is a completely different framework and is used for an altogether different purpose. Currently there is no way to push CIFS native auditing logs to a remote host. Instead, the remote host can configure a cron job to periodically pull logs from the ONTAP box either through ftp/sftp or scp.
Are you looking to just collect the logs? There is a tool that collects, analyzes, archives and reports on all sorts of access called Varonis. I have been using Varonis DatAdvantage with NetApp for about 4 years now. The best thing about it is that you can get alerts on access when an unauthorized but allowed user accesses a sensitive file/folder. For instance, if a Domain Admin were to browse around HR/Payroll, I would get an email alert. There is obviously a lot more you can do with the data collected, if so inclined.