Network and Storage Protocols

Logging/Auditing changes to CIFS shares (add, del, modify, etc)


HI All,

Sorry, I can't help feeling I should know this, but I just can't find what I'm looking for.  We have a number of vfilers providing CIFS file sharing.  We have a team of 1st line support people who have rights to create, remove and modify shares via the Windows MMC.  I'd like to be able to keep a log of these changes, but I can't seem to find out how/where to do this.  I've turned on CIFS audit logging, but only seem to see login/logout events.  I've turned on the option cifs.audit.account_mgmt_events.enable, but it doesn't seem to have changed what is logged in the event logs.

Anyone have any clues on this?





Since an ontap command or API, do you see it on the auditlog file?


Hi Scott,

Thanks for your reply.  Do you mean /etc/log/auditlog?  If so, yeah, I checked in there, but didn't see anything relating to the change to the CIFS share either. 



Yes… thank you. Does it show in the vfiler /etc/log/auditlog root volume or are you checking vfiler0? I’ll have to test it out too


Ah...yes, should have been more specific, sorry.  This is in the /etc/log dir of the physical filer (vfiler0).  The vfiler's /etc/log dir only contains the *.alf and *.evt files


Hi Craig, a bit late to the party and hope you've already found the answer, if not then I believe your problem maybe that you need to enable the events to be logged...

This can be completed either via:

  • The Auditing feature under the Windows Explorer Security tab being enabled within the Windows file system.
  • Or, using the fsecurity command, but this is at a storage level outside of Windows that can also be applied to the volume or qtree.

Just remember: "Be sure to select only the events that must be audited because selecting too many audit options might affect system performance."

A good TR on the subject is TR-3595 (

Hope that helps.