ONTAP Discussions

About vserver audit function


HI All

    I build a OnTAP simulator lab server and want to collect audit log...

so I create a CIFS volume to let user place their data (eningeering), the root mount  (/) I name is nsroot

I also 

 create a volume which name is audit...


I create audit role and enable it 

(1).vserver audit create -vserver netapp-svm1 -destination "/nsroot/audit" -events file-ops -format xml -rotate-size 10MB -rotate-limit 10

(2).vserver audit enable -vserver netapp-svm1

I try to create a testing on engineer volume and audit volume , and add some content to these files...but the audit xml file seem no detect any change event....


Could I ask when I create such audit role....for my SVM...what scope that audit log could monitor ?? ( root mount / engineering & audit) or only audit volume ??

about file-ops parameter....does it could monitor any file action (create/modity/rename/delete&permission change )??






Re: About vserver audit function


For more information about auditing, please refer to the below document:

How auditing works 

Re: About vserver audit function


Hi Wencheng,


NAS auditing is first stored in a staging volume and then moved to the actual audit log. The log location directory (/nsroot/audit) specified in the configuration command must be created prior to running the command or the operation will fail. In addition, you must configure an auditing policy for files and folders on the Windows side for NTFS volumes by using the Windows Security tab in the Windows Properties window.


After enabling auditing you will see a staging volume created with the prefix "MDV"; did you see one get created?


You can also check the auditing configuration status via the following command:

::> vserver audit show -instance -vserver netapp-svm1


Below are several documentation that explains auditing in more detail:

SMB/CIFS and NFS Auditing and Security Tracing Guide 

Clustered Data ONTAP CIFS Auditing Quick Start Guide 




Team NetApp




Team NetApp

Re: About vserver audit function


For the scope of what is audited, that is set by the host SACL or file-directory command...I prefer setting from the host side especially windows where the multiple select saves time.  Here is an end-to-end NAS audit setup in a blog I posted on this that should answer your question..  The goal was to show all steps for both CIFS and NFS auditing.  The NetApp docs are great but I wanted to demo every step in one guide.  https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/ 

View solution in original post

Re: About vserver audit function



  Thanks your reply

I run the show command...my setting indeed set well and generate a xml file on destination location.


as this screenshot ....I add cifs-logon-logoff and file-share & audit-policy-change....but now the audit file seem only been trigger by logon-logoff event ...no matter of folder/file action...the audit file still no event been generated to audit xml file.



Re: About vserver audit function


HI Thanks ALL

   Base on scottgelb's weblink....I find a step that I need to do ..

after xml been generated...I "must be set" SACLs to folder's security .

so now my auditing xml has capture these file operation.



Earn Rewards for Your Review!
GPI Review Banner
All Community Forums