ONTAP Discussions

CIFS share auditing

FelixZhou
6,956 Views

We are looking for CIFS auditing to trace any shared folder or file deletions.

We enabled auditing on the SVM and directed the log file, and also set up deletion auditing on the shares. But we didn't see any events in the event log for these deletions.

Are there any steps missing here?

Please share your experience. thanks.

1 ACCEPTED SOLUTION

scottgelb
6,945 Views

The documentation is very good, but there are SACL steps needed and it is hard to find the end-to-end procedure in one place, so I wrote a blog on it for both CIFS and NFS 🙂 Please see the blog and let me know if you have any questions or comments.

https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/


10 REPLIES

JGPSHNTAP
6,947 Views

What you are doing is not an enterprise solution.

You should be looking at third-party FPolicy tools.

The way you are talking, you would need to re-ACL the NTFS permissions with auditing, and that's not scalable.


JGPSHNTAP
6,941 Views

Scott,

Very well written blog. However, it is not scalable to large enterprises. This works well if you are looking for something quick.

The correct answer, in my opinion, would be FPolicy.

scottgelb
6,938 Views

Thank you... agreed, you get what you pay for ;)... but a lot of customers use the native, free tools. I do also recommend 3rd party for scaling, enterprise features and management, but this blog was the result of so many that needed to get the free stuff working. All of my customers are enterprise, so more than I thought would use this.

JGPSHNTAP
6,931 Views

I just think it was important to set the proper expectations.

paul_stejskal
6,828 Views

CIFS auditing can be useful for large environments, but there is an overhead that must be accounted for. To say it is a bad solution for enterprise customers is not a fair assumption to make without all the details.

We definitely recommend consulting your account team for any major config changes and any NetApp guidance needed. They don't just sell stuff; they are also responsible for helping to consult, set up, and identify ways to help you use your NetApp resources, or possibly more NetApp resources, to better optimize your storage footprint.

I will note, the missing link here is that the results show up in a special file, not the event log. Then you have to download the file and open it in Windows Event Viewer. It takes a bit of understanding of the format to know how it works.

That blog honestly is really good. I'd like to see if that could be incorporated into official documentation possibly. Is that ok @scottgelb? Tagging a few NetApp folks: @DrewC @jtownsen @ODinulos

scottgelb
6,825 Views

Thank you and YES! All good and happy sharing on any NetApp Docs or blog site. For A-Team, we already blog to the NetApp site. A lot of customers are using native auditing, and after a lot of repeated troubleshooting, I created this blog post for the end-to-end setup.

scottgelb
6,821 Views

We have had discussions with customers about taking the XML/EVTX and importing it into Splunk, with formatting and filtering to transform it before loading it in. A native ONTAP push of NAS auditing to syslog would be really good if it is feasible to add to the roadmap.
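Paul's note above (the audit results land in an XML/EVTX file on the audit share, not in the Windows event log) and Scott's point about transforming that file before loading it into Splunk are the two steps people usually get stuck on. The following is an added example, not code from the thread or from NetApp: a small Python converter that reads a Windows-event-style XML export, pulls out the fields a SIEM cares about, flags deletions, and emits JSON lines suitable for a Splunk or syslog ingest. The sample XML is constructed for this demo. It follows the generic Windows Event Log XML layout (System/EventID, EventData/Data Name="..."), and the mapping of "deletion" to event ID 4663 with the standard Windows ACCESS_MASK DELETE bit (0x10000) is an assumption about the ONTAP output; check it against a real file from your own audit share before relying on it.

```python
import json
import xml.etree.ElementTree as ET

# Standard Windows ACCESS_MASK DELETE right. Treating "4663 with this bit set"
# as a deletion is an assumption about ONTAP's audit output, not a documented fact.
DELETE_MASK = 0x10000
OBJECT_ACCESS_EVENT_ID = 4663

# Constructed sample in Windows Event Log XML layout; values are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<Events>
  <Event>
    <System>
      <Provider Name="NetApp-Security-Auditing"/>
      <EventID>4663</EventID>
      <TimeCreated SystemTime="2020-06-03T14:12:05.000000Z"/>
      <Computer>svm_demo/example.local</Computer>
    </System>
    <EventData>
      <Data Name="SubjectUserName">alice</Data>
      <Data Name="SubjectDomainName">EXAMPLE</Data>
      <Data Name="ObjectType">File</Data>
      <Data Name="ObjectName">(share01);/projects/report.docx</Data>
      <Data Name="AccessMask">0x10000</Data>
    </EventData>
  </Event>
  <Event>
    <System>
      <Provider Name="NetApp-Security-Auditing"/>
      <EventID>4663</EventID>
      <TimeCreated SystemTime="2020-06-03T14:12:07.000000Z"/>
      <Computer>svm_demo/example.local</Computer>
    </System>
    <EventData>
      <Data Name="SubjectUserName">bob</Data>
      <Data Name="SubjectDomainName">EXAMPLE</Data>
      <Data Name="ObjectType">File</Data>
      <Data Name="ObjectName">(share01);/projects/budget.xlsx</Data>
      <Data Name="AccessMask">0x1</Data>
    </EventData>
  </Event>
  <Event>
    <System>
      <Provider Name="NetApp-Security-Auditing"/>
      <EventID>4656</EventID>
      <TimeCreated SystemTime="2020-06-03T14:12:09.000000Z"/>
      <Computer>svm_demo/example.local</Computer>
    </System>
    <EventData>
      <Data Name="SubjectUserName">carol</Data>
      <Data Name="SubjectDomainName">EXAMPLE</Data>
      <Data Name="ObjectType">File</Data>
      <Data Name="ObjectName">(share01);/projects/notes.txt</Data>
      <Data Name="AccessMask">0x10000</Data>
    </EventData>
  </Event>
</Events>
"""


def _local(tag):
    """Drop any XML namespace prefix so the parser works with or without the
    Microsoft event-schema namespace on the elements."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_events(xml_text):
    """Return one flat dict per <Event>: event_id, time, computer, plus every
    <Data Name="..."> value keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter():
        if _local(ev.tag) != "Event":
            continue
        rec = {}
        for node in ev.iter():
            name = _local(node.tag)
            if name == "EventID":
                rec["event_id"] = int((node.text or "0").strip())
            elif name == "TimeCreated":
                rec["time"] = node.get("SystemTime")
            elif name == "Computer":
                rec["computer"] = (node.text or "").strip()
            elif name == "Data" and node.get("Name"):
                rec[node.get("Name")] = (node.text or "").strip()
        records.append(rec)
    return records


def access_mask(rec):
    """Parse the AccessMask field, accepting hex ("0x10000") or decimal."""
    try:
        return int(rec.get("AccessMask", "0"), 0)
    except ValueError:
        return 0


def is_delete(rec):
    """Deletion = object-access event whose mask carries the DELETE right.
    4656 (handle requested) is deliberately excluded: it records intent, not the access."""
    return rec.get("event_id") == OBJECT_ACCESS_EVENT_ID and bool(access_mask(rec) & DELETE_MASK)


def to_jsonl(records):
    """Flatten records into JSON lines with stable field names for a SIEM."""
    lines = []
    for r in records:
        user = "\\".join(p for p in (r.get("SubjectDomainName", ""), r.get("SubjectUserName", "")) if p)
        lines.append(json.dumps({
            "time": r.get("time"),
            "event_id": r.get("event_id"),
            "svm": r.get("computer"),
            "user": user,
            "object": r.get("ObjectName"),
            "access_mask": hex(access_mask(r)),
            "action": "delete" if is_delete(r) else "access",
        }, sort_keys=True))
    return lines


if __name__ == "__main__":
    # Usage: python convert.py > ontap_audit.jsonl  (reads the embedded sample)
    for line in to_jsonl([r for r in parse_events(SAMPLE_XML) if is_delete(r)]):
        print(line)
```

Converting EVTX to XML first (Event Viewer's "Save As XML", or any EVTX-to-XML tool) lets the same script handle either export; the namespace-stripping keeps it working whether or not the elements carry the Microsoft event-schema namespace. Filtering on 4663 rather than 4656 matters for the original question: a handle request with the DELETE right does not mean the file was actually deleted.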

paul_stejskal
6,820 Views

Scott, I'd talk to your account team if you are a customer/partner.

teddg
1,990 Views

Hey Scott, I was curious if you had any luck "taking the xml/evtx files then importing them into Splunk with formatting and filtering." My organization is looking at moving from DellEMC to NetApp, and CIFS auditing to a central logging server is a key requirement. We bought a test cluster and I've got CIFS auditing configured and dropping logs in a share, but I haven't found much guidance on how to get the logs into Splunk in a meaningful fashion. DellEMC storage requires a separate, dated application to format the logs, and I am hoping NetApp has a more native solution. Thanks.
