NAS auditing is first stored in a staging volume and then moved to the actual audit log. The log location directory (/nsroot/audit) specified in the configuration command must be created prior to running the command or the operation will fail. In addition, you must configure an auditing policy for files and folders on the Windows side for NTFS volumes by using the Windows Security tab in the Windows Properties window.
After enabling auditing you will see a staging volume created with the prefix "MDV"; did you see one get created?
You can also check the auditing configuration status via the following command:
::> vserver audit show -instance -vserver netapp-svm1
Below are several documentation that explains auditing in more detail:
For the scope of what is audited, that is set by the host SACL or file-directory command...I prefer setting from the host side especially windows where the multiple select saves time. Here is an end-to-end NAS audit setup in a blog I posted on this that should answer your question.. The goal was to show all steps for both CIFS and NFS auditing. The NetApp docs are great but I wanted to demo every step in one guide. https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/
I run the show command...my setting indeed set well and generate a xml file on destination location.
as this screenshot ....I add cifs-logon-logoff and file-share & audit-policy-change....but now the audit file seem only been trigger by logon-logoff event ...no matter of folder/file action...the audit file still no event been generated to audit xml file.