Solved: Re: About vserver audit function

Wencheng · ‎2020-09-21

HI All

I build a OnTAP simulator lab server and want to collect audit log...

so I create a CIFS volume to let user place their data (eningeering), the root mount (/) I name is nsroot

I also

create a volume which name is audit...

I create audit role and enable it

(1).vserver audit create -vserver netapp-svm1 -destination "/nsroot/audit" -events file-ops -format xml -rotate-size 10MB -rotate-limit 10

(2).vserver audit enable -vserver netapp-svm1

I try to create a testing on engineer volume and audit volume , and add some content to these files...but the audit xml file seem no detect any change event....

Could I ask when I create such audit role....for my SVM...what scope that audit log could monitor ?? ( root mount / engineering & audit) or only audit volume ??

about file-ops parameter....does it could monitor any file action (create/modity/rename/delete&permission change )??

Thanks!!

Wencheng

scottgelb · ‎2020-09-22

For the scope of what is audited, that is set by the host SACL or file-directory command...I prefer setting from the host side especially windows where the multiple select saves time. Here is an end-to-end NAS audit setup in a blog I posted on this that should answer your question.. The goal was to show all steps for both CIFS and NFS auditing. The NetApp docs are great but I wanted to demo every step in one guide. https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/

View solution in original post

tahmad · ‎2020-09-21

For more information about auditing, please refer to the below document:

How auditing works

ttran · ‎2020-09-21

Hi Wencheng,

NAS auditing is first stored in a staging volume and then moved to the actual audit log. The log location directory (/nsroot/audit) specified in the configuration command must be created prior to running the command or the operation will fail. In addition, you must configure an auditing policy for files and folders on the Windows side for NTFS volumes by using the Windows Security tab in the Windows Properties window.

After enabling auditing you will see a staging volume created with the prefix "MDV"; did you see one get created?

You can also check the auditing configuration status via the following command:

::> vserver audit show -instance -vserver netapp-svm1

Below are several documentation that explains auditing in more detail:

SMB/CIFS and NFS Auditing and Security Tracing Guide

Clustered Data ONTAP CIFS Auditing Quick Start Guide

Regards,

Team NetApp

Wencheng · ‎2020-09-23

Hi

Thanks your reply

I run the show command...my setting indeed set well and generate a xml file on destination location.

as this screenshot ....I add cifs-logon-logoff and file-share & audit-policy-change....but now the audit file seem only been trigger by logon-logoff event ...no matter of folder/file action...the audit file still no event been generated to audit xml file.

Wencheng

scottgelb · ‎2020-09-22

For the scope of what is audited, that is set by the host SACL or file-directory command...I prefer setting from the host side especially windows where the multiple select saves time. Here is an end-to-end NAS audit setup in a blog I posted on this that should answer your question.. The goal was to show all steps for both CIFS and NFS auditing. The NetApp docs are great but I wanted to demo every step in one guide. https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/

Wencheng · ‎2020-09-25

HI Thanks ALL

Base on scottgelb's weblink....I find a step that I need to do ..

after xml been generated...I "must be set" SACLs to folder's security .

so now my auditing xml has capture these file operation.

Wencheng

About vserver audit function

Latest video from NetApp KBTV

Join us on Discord