Network and Storage Protocols

Logging/Auditing changes to CIFS shares (add, del, modify, etc)

GARDINEC_EBRD
10,668 Views

HI All,

Sorry, I can't help feeling I should know this, but I just can't find what I'm looking for.  We have a number of vfilers providing CIFS file sharing.  We have a team of 1st line support people who have rights to create, remove and modify shares via the Windows MMC.  I'd like to be able to keep a log of these changes, but I can't seem to find out how/where to do this.  I've turned on CIFS audit logging, but only seem to see login/logout events.  I've turned on the option cifs.audit.account_mgmt_events.enable, but it doesn't seem to have changed what is logged in the event logs.

Anyone have any clues on this?

Thanks,

Craig

5 REPLIES 5

scottgelb
10,668 Views

Since an ontap command or API, do you see it on the auditlog file?

GARDINEC_EBRD
10,668 Views

Hi Scott,

Thanks for your reply.  Do you mean /etc/log/auditlog?  If so, yeah, I checked in there, but didn't see anything relating to the change to the CIFS share either. 

Craig

scottgelb
10,668 Views

Yes… thank you. Does it show in the vfiler /etc/log/auditlog root volume or are you checking vfiler0? I’ll have to test it out too

GARDINEC_EBRD
10,668 Views

Ah...yes, should have been more specific, sorry.  This is in the /etc/log dir of the physical filer (vfiler0).  The vfiler's /etc/log dir only contains the *.alf and *.evt files

sgrant
10,668 Views

Hi Craig, a bit late to the party and hope you've already found the answer, if not then I believe your problem maybe that you need to enable the events to be logged...

This can be completed either via:

  • The Auditing feature under the Windows Explorer Security tab being enabled within the Windows file system.
  • Or, using the fsecurity command, but this is at a storage level outside of Windows that can also be applied to the volume or qtree.

Just remember: "Be sure to select only the events that must be audited because selecting too many audit options might affect system performance."

A good TR on the subject is TR-3595 (http://www.netapp.com/us/media/tr-3595.pdf)

Hope that helps.

Cheers,
Grant.

Public