ONTAP Discussions

Highlighted

About vserver audit function

HI All

    I build a OnTAP simulator lab server and want to collect audit log...

so I create a CIFS volume to let user place their data (eningeering), the root mount  (/) I name is nsroot

I also 

 create a volume which name is audit...

002.png

I create audit role and enable it 

(1).vserver audit create -vserver netapp-svm1 -destination "/nsroot/audit" -events file-ops -format xml -rotate-size 10MB -rotate-limit 10

(2).vserver audit enable -vserver netapp-svm1

I try to create a testing on engineer volume and audit volume , and add some content to these files...but the audit xml file seem no detect any change event....

 

Could I ask when I create such audit role....for my SVM...what scope that audit log could monitor ?? ( root mount / engineering & audit) or only audit volume ??

about file-ops parameter....does it could monitor any file action (create/modity/rename/delete&permission change )??

 

Thanks!!

 

Wencheng

5 REPLIES 5
Highlighted

Re: About vserver audit function

For more information about auditing, please refer to the below document:

How auditing works 

Highlighted

Re: About vserver audit function

Hi Wencheng,

 

NAS auditing is first stored in a staging volume and then moved to the actual audit log. The log location directory (/nsroot/audit) specified in the configuration command must be created prior to running the command or the operation will fail. In addition, you must configure an auditing policy for files and folders on the Windows side for NTFS volumes by using the Windows Security tab in the Windows Properties window.

 

After enabling auditing you will see a staging volume created with the prefix "MDV"; did you see one get created?

 

You can also check the auditing configuration status via the following command:

::> vserver audit show -instance -vserver netapp-svm1

 

Below are several documentation that explains auditing in more detail:

SMB/CIFS and NFS Auditing and Security Tracing Guide 

Clustered Data ONTAP CIFS Auditing Quick Start Guide 

 

Regards,

 

Team NetApp

 

 

 

Team NetApp
Highlighted

Re: About vserver audit function

For the scope of what is audited, that is set by the host SACL or file-directory command...I prefer setting from the host side especially windows where the multiple select saves time.  Here is an end-to-end NAS audit setup in a blog I posted on this that should answer your question..  The goal was to show all steps for both CIFS and NFS auditing.  The NetApp docs are great but I wanted to demo every step in one guide.  https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/ 

View solution in original post

Highlighted

Re: About vserver audit function

Hi

  Thanks your reply

I run the show command...my setting indeed set well and generate a xml file on destination location.

AuditPolicyShow.png

as this screenshot ....I add cifs-logon-logoff and file-share & audit-policy-change....but now the audit file seem only been trigger by logon-logoff event ...no matter of folder/file action...the audit file still no event been generated to audit xml file.

 

Wencheng

Highlighted

Re: About vserver audit function

HI Thanks ALL

   Base on scottgelb's weblink....I find a step that I need to do ..

after xml been generated...I "must be set" SACLs to folder's security .

so now my auditing xml has capture these file operation.

 

Wencheng

Check out the KB!
Knowledge Base
All Community Forums