Scott,

Very well written blog.  However, not scalable to large enterprises.  This works good if you are looking for something quick.

The correct answer in my opinion would be fpolicy 

Thank you... agreed you get what you pay for ;)... but lot of customers use the native, free tools.  I do also recommend 3rd party for scaling, enterprise features and management, but this blog was the result of so many that needed to get the free stuff working.  All of my customers are enterprise so more than I thought that would use this.

I just think it was important to set the proper expectations

CIFS auditing can be useful for large environments, but there is an overhead that must be accounted for. To say it is a bad solution for enterprise customers is not a fair assumption to make without all the details.

We definitely recommend any major config changes and NetApp guidance needed to consult your account team. They don't sell stuff and that's it, but they are also responsible to help consult, set up, and identify ways to help you use your NetApp resources or possibly more NetApp resources to better optimize your storage footprint.

I will note, the missing link here is that the results show up in a special file, not the event log. Then you have to download the file and open in Windows Event Viewer. It takes a bit of understanding the format to know how it works.

That blog honestly is really good. I'd like to see if that could be incorporated into official documentation possibly. Is that ok @scottgelb? Tagging a few NetApp folks: @DrewC  @jtownsen @ODinulos

Thank you and YES! All good and happy sharing on any NetApp Docs or blog site.. for A-Team, we already blog to the NetApp site.  A lot of customers are using native auditing and after a lot of repeated troubleshooting, I created this blog post for the end-to-end setup.

We have had discussions with customers about taking the xml/evtx then import into Splunk..with formatting and filtering to transform before loading in.  A native ONTAP push of NAS auditing to syslog would be really good if feasible to add to the roadmap.

Hey Scott, was curious if you had any luck "taking the xml/evtx files then importing them into Splunk with formatting and filtering."  My organization is looking at moving from DellEMC to NetApp, and CIFS auditing to a central logging server is a key requirement.  We bought a test cluster and I've got CIFS auditing configured and dropping logs in a share, but I haven't found much guidance on how to get the logs into Splunk in a meaningful fashion.  DellEMC storage requires a separate, dated application to format the logs, and I am hoping NetApp has a more native solution.  Thanks.