Network Storage Protocols Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Network Storage Protocols Discussions

Highlighted

Logging/Auditing changes to CIFS shares (add, del, modify, etc)

GARDINEC_EBRD
‎2012-09-27 04:10 AM

HI All,

Sorry, I can't help feeling I should know this, but I just can't find what I'm looking for.  We have a number of vfilers providing CIFS file sharing.  We have a team of 1st line support people who have rights to create, remove and modify shares via the Windows MMC.  I'd like to be able to keep a log of these changes, but I can't seem to find out how/where to do this.  I've turned on CIFS audit logging, but only seem to see login/logout events.  I've turned on the option cifs.audit.account_mgmt_events.enable, but it doesn't seem to have changed what is logged in the event logs.

Anyone have any clues on this?

Thanks,

Craig

View By:
5 Replies
0 Likes
5 REPLIES 5
Highlighted

Re: Logging/Auditing changes to CIFS shares (add, del, modify, etc)

scottgelb
NetApp A-Team
‎2012-09-27 06:31 AM

Since an ontap command or API, do you see it on the auditlog file?

5 Replies
0 Likes
Highlighted

Re: Logging/Auditing changes to CIFS shares (add, del, modify, etc)

GARDINEC_EBRD
‎2012-09-27 07:46 AM

Hi Scott,

Thanks for your reply.  Do you mean /etc/log/auditlog?  If so, yeah, I checked in there, but didn't see anything relating to the change to the CIFS share either. 

Craig

5 Replies
0 Likes
Highlighted

Re: Logging/Auditing changes to CIFS shares (add, del, modify, etc)

scottgelb
NetApp A-Team
‎2012-09-27 07:50 AM

Yes… thank you. Does it show in the vfiler /etc/log/auditlog root volume or are you checking vfiler0? I’ll have to test it out too

5 Replies
0 Likes
Highlighted

Re: Logging/Auditing changes to CIFS shares (add, del, modify, etc)

GARDINEC_EBRD
‎2012-09-27 07:55 AM

Ah...yes, should have been more specific, sorry.  This is in the /etc/log dir of the physical filer (vfiler0).  The vfiler's /etc/log dir only contains the *.alf and *.evt files

5 Replies
0 Likes
Highlighted

Re: Logging/Auditing changes to CIFS shares (add, del, modify, etc)

sgrant
NetApp
‎2013-12-20 05:13 AM

Hi Craig, a bit late to the party and hope you've already found the answer, if not then I believe your problem maybe that you need to enable the events to be logged...

This can be completed either via:

  • The Auditing feature under the Windows Explorer Security tab being enabled within the Windows file system.
  • Or, using the fsecurity command, but this is at a storage level outside of Windows that can also be applied to the volume or qtree.

Just remember: "Be sure to select only the events that must be audited because selecting too many audit options might affect system performance."

A good TR on the subject is TR-3595 (http://www.netapp.com/us/media/tr-3595.pdf)

Hope that helps.

Cheers,
Grant.

5 Replies
Start a New Post
Check out the KB!
Knowledge Base
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2020 NetApp
Let us know