Logging/Auditing changes to CIFS shares (add, del, modify, etc)

GARDINEC_EBRD

Hi All,

Sorry, I can't help feeling I should know this, but I just can't find what I'm looking for.  We have a number of vfilers providing CIFS file sharing.  We have a team of 1st line support people who have rights to create, remove and modify shares via the Windows MMC.  I'd like to be able to keep a log of these changes, but I can't seem to find out how/where to do this.  I've turned on CIFS audit logging, but only seem to see login/logout events.  I've turned on the option cifs.audit.account_mgmt_events.enable, but it doesn't seem to have changed what is logged in the event logs.

Anyone have any clues on this?

Thanks,

Craig

5 REPLIES

scottgelb

Since it's an ONTAP command or API, do you see it in the auditlog file?

GARDINEC_EBRD

Hi Scott,

Thanks for your reply.  Do you mean /etc/log/auditlog?  If so, yeah, I checked in there, but didn't see anything relating to the change to the CIFS share either. 

Craig

scottgelb

Yes… thank you. Does it show in the vfiler /etc/log/auditlog root volume or are you checking vfiler0? I’ll have to test it out too

GARDINEC_EBRD

Ah...yes, should have been more specific, sorry.  This is in the /etc/log dir of the physical filer (vfiler0).  The vfiler's /etc/log dir only contains the *.alf and *.evt files

sgrant

Hi Craig, a bit late to the party and hope you've already found the answer. If not, then I believe your problem may be that you need to enable the events to be logged...

This can be completed either via:

  • The Auditing feature under the Windows Explorer Security tab being enabled within the Windows file system.
  • Or, using the fsecurity command, but this is at a storage level outside of Windows that can also be applied to the volume or qtree.

Just remember: "Be sure to select only the events that must be audited because selecting too many audit options might affect system performance."

A good TR on the subject is TR-3595 (http://www.netapp.com/us/media/tr-3595.pdf)

Hope that helps.

Cheers,
Grant.
