Hi all,
We want to monitor file access events for CIFS and NFS, like read, write, delete ... We want to know who did what for each file access.
What we call "access type" is the action performed by the user, like READ, WRITE, DELETE, etc.
We use Data ONTAP 7.3.4.
I activated the audit function, and it works well, but I see a difference between the NFS and CIFS audit logs. One important piece of information which is present in the NFS audit logs is not present in the CIFS audit logs.
An example will make this clearer:
NFS audit log (one field per line):
Security
File
NFS access = READ
Vol ID = 0x2300fd0b
Snap ID = 0x0
Inode = 0x975e05
IP = 1.2.3.4
UID = 0x3da
Full Path = /vol/vol3/home/share/script.ksh
NetApp Data ONTAP
(0x0, 0x3e7)
%%4416
0x1
All the information needed is present: access type (READ in this example), IP address, UID, path, and some other information like the inode, etc.
Now take a CIFS audit log:
Security
File
\vol\vol0\data\procedure_SLAG
3011
2048
NetApp Data ONTAP
toto
NetApp Data ONTAP
(0x0, 0x1006)
1.2.3.4
%%4416
%%4423
%%1538
0x20081
IP address, UID and path are present, but the access type is missing. So with this audit log we can't know what the user did: read? write? delete? We just know that he accessed a certain file, but that's all...
Do you know if this comes from a misconfiguration? Or can CIFS audit logs simply not provide the access type?
Thanks for your feedback 🙂
1 ACCEPTED SOLUTION
I'll answer myself, because nobody seems to know ....
The tool I was using (psloglist) wasn't able to extract the CIFS access type from the .evt, but Microsoft's Log Parser tool can extract this type of information (the .evt has to be converted to .evtx format, otherwise it will not work).
Nevertheless, the CIFS and NFS log formats are really different, and we have to do a lot of work to be able to parse them. If you have feedback on how to parse CIFS and NFS audit logs ...
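On the parsing question, here is an added example (editor's code, not the poster's and not anything shipped with Data ONTAP) that normalises both record shapes into one schema. The access type is actually present in the CIFS record quoted above, just not spelled out: %%4416, %%4423 and %%1538 are the Windows security log's message placeholders for ReadData (or ListDirectory), ReadAttributes and READ_CONTROL, and the trailing 0x20081 is exactly those three ACCESS_MASK bits (0x1 | 0x80 | 0x20000). The NFS record carries the same pair (%%4416 and 0x1) next to its explicit "NFS access = READ", so one decoder serves both. The two sample records are constructed from the post's fields joined by " | ". Assumptions, labelled in the code: the CIFS user name is identified as the only free-text column left after the labels, path, IP, counters and hex values are removed, and the coarse READ/WRITE/DELETE grouping (DELETE wins over WRITE over READ) is the editor's, not a NetApp definition.

```python
"""Normalise Data ONTAP 7-mode NFS and CIFS file-access audit records.

Added example, not NetApp's or the poster's code. The sample records are
constructed from the fields quoted in the post. The %%NNNN placeholders
and trailing hex value are the standard Windows security-event access
strings and ACCESS_MASK bits (winnt.h / ntifs.h).
"""
import re
from dataclasses import dataclass

# Constructed samples: the post's two records, one field per " | " column.
NFS_SAMPLE = (
    "Security | File | NFS access = READ | Vol ID = 0x2300fd0b | Snap ID = 0x0 | "
    "Inode = 0x975e05 | IP = 1.2.3.4 | UID = 0x3da | "
    "Full Path = /vol/vol3/home/share/script.ksh | NetApp Data ONTAP | "
    "(0x0, 0x3e7) | %%4416 | 0x1"
)
CIFS_SAMPLE = (
    "Security | File | \\vol\\vol0\\data\\procedure_SLAG | 3011 | 2048 | "
    "NetApp Data ONTAP | toto | NetApp Data ONTAP | (0x0, 0x1006) | 1.2.3.4 | "
    "%%4416 | %%4423 | %%1538 | 0x20081"
)

# (ACCESS_MASK bit, Windows message placeholder, right name). Keeping the
# bit lets the hex value be decoded even when a tool drops the placeholders.
ACCESS_MASK_BITS = [
    (0x00000001, "%%4416", "ReadData (or ListDirectory)"),
    (0x00000002, "%%4417", "WriteData (or AddFile)"),
    (0x00000004, "%%4418", "AppendData (or AddSubdirectory or CreatePipeInstance)"),
    (0x00000008, "%%4419", "ReadEA"),
    (0x00000010, "%%4420", "WriteEA"),
    (0x00000020, "%%4421", "Execute/Traverse"),
    (0x00000040, "%%4422", "DeleteChild"),
    (0x00000080, "%%4423", "ReadAttributes"),
    (0x00000100, "%%4424", "WriteAttributes"),
    (0x00010000, "%%1537", "DELETE"),
    (0x00020000, "%%1538", "READ_CONTROL"),
    (0x00040000, "%%1539", "WRITE_DAC"),
    (0x00080000, "%%1540", "WRITE_OWNER"),
    (0x00100000, "%%1541", "SYNCHRONIZE"),
]
ACCESS_STRINGS = {msg: name for _, msg, name in ACCESS_MASK_BITS}

# Assumed coarse grouping for the post's "access type" (editor's choice).
DELETE_RIGHTS = {"DELETE", "DeleteChild"}
WRITE_RIGHTS = {"WriteData (or AddFile)", "WriteEA", "WriteAttributes", "WRITE_DAC",
                "WRITE_OWNER", "AppendData (or AddSubdirectory or CreatePipeInstance)"}
READ_RIGHTS = {"ReadData (or ListDirectory)", "ReadEA", "ReadAttributes", "READ_CONTROL",
               "Execute/Traverse"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX = re.compile(r"^0x[0-9a-fA-F]+$")
MSG_ID = re.compile(r"^%%\d+$")
CONSTANT_LABELS = {"Security", "File", "NetApp Data ONTAP"}


@dataclass
class FileAccessEvent:
    protocol: str
    user: str          # numeric UID for NFS, account name for CIFS
    client_ip: str
    path: str
    access_mask: int
    accesses: list     # individual rights, e.g. "ReadData (or ListDirectory)"
    access_type: str   # coarse READ / WRITE / DELETE / OTHER


def decode_mask(mask):
    """Expand an ACCESS_MASK into the rights it names, in bit order."""
    return [name for bit, _, name in ACCESS_MASK_BITS if mask & bit]


def classify(accesses):
    """Collapse a list of rights into one coarse access type (DELETE > WRITE > READ)."""
    rights = set(accesses)
    if rights & DELETE_RIGHTS:
        return "DELETE"
    if rights & WRITE_RIGHTS:
        return "WRITE"
    if rights & READ_RIGHTS:
        return "READ"
    return "OTHER"


def split_fields(record):
    return [f.strip() for f in record.split("|") if f.strip()]


def parse_nfs(fields):
    """NFS records are self-describing 'key = value' columns plus a trailing mask."""
    kv = dict(map(str.strip, f.split("=", 1)) for f in fields if "=" in f)
    mask = int(fields[-1], 16) if HEX.match(fields[-1]) else 0
    accesses = [ACCESS_STRINGS.get(f, f) for f in fields if MSG_ID.match(f)] or decode_mask(mask)
    return FileAccessEvent("NFS", str(int(kv.get("UID", "0x0"), 16)), kv.get("IP", "?"),
                           kv.get("Full Path", "?"), mask, accesses,
                           kv.get("NFS access", classify(accesses)).upper())


def parse_cifs(fields):
    """CIFS records are positional with no labels, so pick columns by shape.
    Assumption: the account name is the only free-text column left once the
    constant labels, path, IP, numeric counters and hex values are removed."""
    path = next((f for f in fields if f[0] in "\\/"), "?")
    ip = next((f for f in fields if IPV4.match(f)), "?")
    hexes = [f for f in fields if HEX.match(f)]
    mask = int(hexes[-1], 16) if hexes else 0
    accesses = [ACCESS_STRINGS.get(f, f) for f in fields if MSG_ID.match(f)] or decode_mask(mask)
    free = [f for f in fields if f not in CONSTANT_LABELS and f != path and f != ip
            and not (HEX.match(f) or MSG_ID.match(f) or f.isdigit() or f.startswith("("))]
    return FileAccessEvent("CIFS", free[0] if free else "?", ip, path, mask, accesses,
                           classify(accesses))


def parse_record(record):
    """Dispatch on the self-describing 'NFS access' column; anything else is CIFS."""
    fields = split_fields(record)
    if any(f.startswith("NFS access") for f in fields):
        return parse_nfs(fields)
    return parse_cifs(fields)


if __name__ == "__main__":
    for rec in (NFS_SAMPLE, CIFS_SAMPLE):
        ev = parse_record(rec)
        print(f"{ev.protocol:4} {ev.access_type:6} user={ev.user} ip={ev.client_ip} "
              f"path={ev.path} mask=0x{ev.access_mask:x} rights={', '.join(ev.accesses)}")
```

Decoding the mask and the placeholders independently is deliberate: when they disagree (a tool that resolved the strings but truncated the hex, or the reverse), you have a cheap integrity check on the extraction step rather than silently trusting one side.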
