Solved: CIFS Audit log forwarding to Splunk Server

StorageIT · ‎2022-03-21

Hello Community We want to check which client IPs access a Cifs share and map/check the whole stuff in Splunk. Is a CIFS audit log forward to a Splunk server possible? If yes how? Any Documentation available how to configure? I find in the NetApp documentation only general information about the "audit" log forwarding but not explicitly about the CIFS audit. If it is not possible via Splunk, what solution does NetApp offer here? Many Thanks in advance. Juergen

aladd · ‎2022-03-22

Correct. CIFS audit logs cannot be pushed to another server, only accessed through a CIFS share.

Reference from documentation:

https://www.netapp.com/pdf.html?item=/media/16330-tr-4189pdf.pdf

Pg. 12

View solution in original post

aladd · ‎2022-03-21

You can forward CIFS audit logs to a syslog server. The following may be helpful in the needed configuration:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_manage_administrative_Vserver_audit_logs_in_ONTAP_9

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_set_up_CIFS_auditing_with_clustered_Data_ONTAP

https://docs.netapp.com/us-en/ontap/system-admin/changes-audit-logging-ontap-9-concept.html

https://docs.netapp.com/us-en/ontap/system-admin/forward-command-history-log-file-destination-task.html

STORAGE_CIT · ‎2022-03-22

Thanks. Yes for the normal "audit" log its clear. it will use the syslog framework.

My Question was regarding "cifs audit" logs and forward directly into Splunk for parsing.

aladd · ‎2022-03-22

Correct. CIFS audit logs cannot be pushed to another server, only accessed through a CIFS share.

Reference from documentation:

https://www.netapp.com/pdf.html?item=/media/16330-tr-4189pdf.pdf

Pg. 12