The documentation is very good but there are SACL steps needed and it is hard to find the end-to-end procedure in one place, so I wrote a blog on it for both CIFS and NFS 🙂 Please see the blog and let me know if you have any questions or comments.
Thank you... agreed you get what you pay for ;)... but a lot of customers use the native, free tools. I do also recommend 3rd party for scaling, enterprise features and management, but this blog was the result of so many that needed to get the free stuff working. All of my customers are enterprise, so more than I thought would use this.
CIFS auditing can be useful for large environments, but there is an overhead that must be accounted for. To say it is a bad solution for enterprise customers is not a fair assumption to make without all the details.
For any major config changes or NetApp guidance needed, we definitely recommend consulting your account team. They don't just sell stuff and that's it; they are also responsible for helping to consult, set up, and identify ways to help you use your NetApp resources or possibly more NetApp resources to better optimize your storage footprint.
I will note, the missing link here is that the results show up in a special file, not the event log. Then you have to download the file and open it in Windows Event Viewer. It takes a bit of understanding the format to know how it works.
That blog honestly is really good. I'd like to see if that could be incorporated into official documentation possibly. Is that ok @scottgelb? Tagging a few NetApp folks: @DrewC @jtownsen @ODinulos
Thank you and YES! All good and happy sharing on any NetApp Docs or blog site. For A-Team, we already blog to the NetApp site. A lot of customers are using native auditing and after a lot of repeated troubleshooting, I created this blog post for the end-to-end setup.
We have had discussions with customers about taking the xml/evtx, then importing it into Splunk, with formatting and filtering to transform before loading in. A native ONTAP push of NAS auditing to syslog would be really good if feasible to add to the roadmap.