Network Storage Protocols Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Network Storage Protocols Discussions

Start a New Post

Logging/Auditing changes to CIFS shares (add, del, modify, etc)

GARDINEC_EBRD
‎2012-09-27 04:10 AM

HI All,

Sorry, I can't help feeling I should know this, but I just can't find what I'm looking for.  We have a number of vfilers providing CIFS file sharing.  We have a team of 1st line support people who have rights to create, remove and modify shares via the Windows MMC.  I'd like to be able to keep a log of these changes, but I can't seem to find out how/where to do this.  I've turned on CIFS audit logging, but only seem to see login/logout events.  I've turned on the option cifs.audit.account_mgmt_events.enable, but it doesn't seem to have changed what is logged in the event logs.

Anyone have any clues on this?

Thanks,

Craig

0 Kudos
View By:
5 REPLIES 5

scottgelb
NetApp A-Team
‎2012-09-27 06:31 AM

Since an ontap command or API, do you see it on the auditlog file?

0 Kudos

GARDINEC_EBRD
‎2012-09-27 07:46 AM
In response to scottgelb

Hi Scott,

Thanks for your reply.  Do you mean /etc/log/auditlog?  If so, yeah, I checked in there, but didn't see anything relating to the change to the CIFS share either. 

Craig

0 Kudos

scottgelb
NetApp A-Team
‎2012-09-27 07:50 AM
In response to GARDINEC_EBRD

Yes… thank you. Does it show in the vfiler /etc/log/auditlog root volume or are you checking vfiler0? I’ll have to test it out too

0 Kudos

GARDINEC_EBRD
‎2012-09-27 07:55 AM
In response to scottgelb

Ah...yes, should have been more specific, sorry.  This is in the /etc/log dir of the physical filer (vfiler0).  The vfiler's /etc/log dir only contains the *.alf and *.evt files

0 Kudos

sgrant
NetApp
‎2013-12-20 05:13 AM

Hi Craig, a bit late to the party and hope you've already found the answer, if not then I believe your problem maybe that you need to enable the events to be logged...

This can be completed either via:

  • The Auditing feature under the Windows Explorer Security tab being enabled within the Windows file system.
  • Or, using the fsecurity command, but this is at a storage level outside of Windows that can also be applied to the volume or qtree.

Just remember: "Be sure to select only the events that must be audited because selecting too many audit options might affect system performance."

A good TR on the subject is TR-3595 (http://www.netapp.com/us/media/tr-3595.pdf)

Hope that helps.

Cheers,
Grant.

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

View All
NetApp Insights to Action
I2A Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public