ONTAP Discussions

Can CIFS Auditing know who delete or modify file?

AllenChang
672 Views

I create an audit using this command

vserver audit create -vserver fpsvm1 -destination /vol1/audit_log -events file-ops,cifs-logon-logoff -format evtx -rotate-size 100MB -rotate-limit 0

vserver audit enable -vserver fpsvm1

 

but when I try to modify and delete the file in share,

I can't see any record

Is the auditing full that I want?

1 REPLY 1

ChLokesh
535 Views

Hello Allen,

Please make sure the following prerequisites are met for the auditing to function smooth.

 

  CIFS must be licensed and enabled on the storage system before enabling auditing.
 The file or directory to be audited must be in a MIXED or NTFS volume or qtree.
 You cannot audit CIFS events for a file or directory in a UNIX volume or qtree unless Storage-Level Access Guard is enabled.
 You must specify access events to record from windows end (Sacls)
 Event auditing is turned off by default.

 

Related KB: https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/How_to_set_up_NAS_auditing_in_ONTAP_9 

Public