Can CIFS Auditing know who delete or modify file?

AllenChang · ‎2024-07-03

I create an audit using this command

vserver audit create -vserver fpsvm1 -destination /vol1/audit_log -events file-ops,cifs-logon-logoff -format evtx -rotate-size 100MB -rotate-limit 0

vserver audit enable -vserver fpsvm1

but when I try to modify and delete the file in share,

I can't see any record

Is the auditing full that I want?

ChLokesh · ‎2024-07-05

Hello Allen,

Please make sure the following prerequisites are met for the auditing to function smooth.

 CIFS must be licensed and enabled on the storage system before enabling auditing.
 The file or directory to be audited must be in a MIXED or NTFS volume or qtree.
 You cannot audit CIFS events for a file or directory in a UNIX volume or qtree unless Storage-Level Access Guard is enabled.
 You must specify access events to record from windows end (Sacls)
 Event auditing is turned off by default.

Related KB: https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/How_to_set_up_NAS_auditing_in_ONTAP_9

Can CIFS Auditing know who delete or modify file?

NetApp's KB Wins Again!

unable to delete the file named thumb.db from the file share - tried with async, cifs mount , delete

Cifs share periodic file deletion script

Enable auditing

7MODE - CIFS audit Netapp - User Sessions

Audit log