Hi all,
We want to monitor file access events for CIFS and NFS, like read, write, delete... We want to know who did what for each file access.
What we call "access type" is the action performed by the user, like READ, WRITE, DELETE, etc.
We use Data ONTAP 7.3.4.
I activated the audit function, and it works well, but I see a difference between NFS and CIFS audit logs. One important piece of information which is present in NFS audit logs is not present in CIFS audit logs.
An example makes it easier to understand:
NFS audit log:
Security |
File |
NFS access = READ |
Vol ID = 0x2300fd0b |
Snap ID = 0x0 |
Inode = 0x975e05 |
IP = 1.2.3.4 |
UID = 0x3da |
Full Path = /vol/vol3/home/share/script.ksh |
NetApp Data ONTAP |
(0x0, 0x3e7) |
%%4416 |
0x1 |
All the information needed is present: access type (read in this example), IP address, UID, path, and some other information like the inode, etc.
Now take a CIFS audit log:
File | | | |
\vol\vol0\data\procedure_SLAG |
3011 |
2048 |
NetApp Data ONTAP |
toto |
NetApp Data ONTAP |
(0x0, 0x1006) |
1.2.3.4 |
%%4416 |
%%4423 |
%%1538 |
IP address, UID and path are present, but the access type is missing. So with this audit log, we can't know what the user did: read? write? delete? We just know that he accessed a certain file, but that's all...
Do you know if it comes from a misconfiguration? Or can CIFS audit logs not provide the access type?
Thx for your feedback 🙂