Network and Storage Protocols

Searching through Audit log CIFS folder/file permissions

robmichel2854
5,605 Views

We want to be able to look quickly look through windows logs to see folder permission changes. We've turned on logging where the logs goto a user directory, but they are all "evtx" logs. We can see everything if we use MS Eventviewer, but there are so many, doing a quick search on them for a user, etc. is just about impossible. Since its in the evtx format, I don't seem to be able to text greps on the data. 

 

Does anyone else have this same problem and tackled it with someone besides a SIEM? 

 

Is there a way to simply have the logs sent over in XML verse evtx ? And only with the File/Folder Permission changes instead of every read/write event to them ? 

6 REPLIES 6

Vijay_ramamurthy
5,495 Views

Hi ,

You can also configure CIFS auditing to create audit logs in XML format.
The audit logs can be generated only in either XML or EVTX format and not both.
Please refer the TR below for more details :
https://www.netapp.com/us/media/tr-4189.pdf

 

If the audit logs are in XML and want to convert it to EVTX then you can use the link below to get the tool which converts Audit Logs From XML To EVTX Format.
https://community.netapp.com/t5/Network-Storage-Protocols-Articles-and-Resources/Tool-to-convert-Audit-Logs-from-XML-to-EVTX-Format/ta-p/84735

 

Also if you want only the permission changes to a file/folder be audited then you can modify SACL accordingly to only audit only those events. “Change Permissions" and/or "Take Ownership” should be able to track it.

scott_f
5,476 Views

You can configure the vserver cifs audit logs to be in either evtx or xml format. That audit SACLs have a lot of options, you wouldd be best to read the auditing documentation to decide what you want to audit.  

 

We read the audit logs (in XML format) and then forward them to Splunk so they are indexed and searchable.  You could do similar with the ELK stack or just save them off somewhere.

teddg
2,800 Views

Hey Scott, I realize this is a super old thread, but I was curious how you went about "reading the audit logs (in XML format) and then forwarding them to Splunk".  Just a high level overview would be very helpful.  I'm fairly new to Splunk and haven't found much guidance from NetApp or Splunk.  I have CIFS audit logging enabled in ONTAP/Windows, just not sure the best way to get it to Splunk.  Thanks. 

scott_f
2,792 Views

Hey Ted,

 

So what we did is enable auditing on the CIFS vserver, which writes audit data out to files (we used XML format instead of EVTX).  Then we made a CIFS share on the audit volume.

 

Then we used a VM that could access the audit CIFS share, and locked down permissions to that machine and the user splunk runs as only.


After that it was a matter of installing the Splunk Universal Forwarder on the VM and configuring it to watch the directory the Netapp vservers write the audit logs in. We did have to work with our Splunk team to help parse the XML.  But hope that helps get you started.

teddg
2,656 Views

Hey Scott, 

 

Thanks so much for your reply.  That is a huge help and definitely points me in the right direction.  I had considered something similar and it's good to know that I wasn't completely off base.  

 

When it came to parsing the XML, did you use/need any tools/guidance from Splunk and/or NetApp, or did you just work it out with your team's Splunk admins?  Thanks again.  

scott_f
2,652 Views

@teddgYeah the Splunk admins set that up. I gave them a sample audit log xml file and asked them to help parse all of the fields. I don't have their splunk props file so not sure exactly what they did. I do remember we had issues when tailing the live audit file, so we ended up blacklisting the audit file that is currently being written and waiting until the log file is rotated to ingest it.

 

This is the inputs.conf file we use on the AV server if that helps:

 

[monitor://\\netapp-filer-cifs-svm\audit$\logs]
blacklist = (?:partial\.xml|\_last\.xml|\.evtx)$
index = <your splunk index>
disabled = false
ignoreOlderThan = 1d
followTail = 0
sourcetype = netapp_audit
crcSalt=<SOURCE>
Public