ONTAP Discussions

Does Netapp track deletions inside a CIFS share



Does Netapp audit file/folder deletions inside a cifs share. We have instance when user would either accidentally move/remove a folder/file and although we can restore using snapshot, we want to know who did it.







I'am Loic, i have a metrocluster FAS8200 and i activated audit on CIFS Share Volume.


We lose a directory and we found in event log:



  - Provider

   [ Name]  NetApp-Security-Auditing
   [ Guid]  {3CB2A168-FE19-4A4E-BDAD-DCF422F13473}
   EventID 9998
   EventName Unlink Object
   Version 101.2
   Source CIFS
   Level 0


Do you know what is this event: Unlink Object ? Do you know what that means ?


That is what I found in documentation .. 


I would suggest integrating ManageEngine + NetApp native auditing can give all the reports and details what your looking for.



NA/NA Data ONTAP Event ID 9998 Unlink Object OBJECT ACCESS: Object unlinked. This is a Data ONTAP event. It is not currently supported by Windows as a single event. File Access


Someone correct me if anything has changed, but cifs auditing (off by default) doesn't audit a file deletion.  Some of our customers who have required this have tested Varonis (3rd party product that supports NetApp via fpolicy api).


I'm pretty sure you can audit file deletions, as stated in this KB you specify groups and events to be audited in the security tab. I seem to remember setting this up in a previous job as important data had been deleted by unknown users a number of times.


I have used cifs auditing but don’t remember it tracking delete and don’t see it in the kb. It might though… need to test it out and see but I remember something about it logging changes not deletes.


I don't remember exactly how as I configured the filer and a Windows admin configured the events to be logged in the security tab, but as I remember once it's configured on the filer there are a number of possible event choices in the security tab, and deletions are one of them.

If I'm wrong I'll put my hand up but I'm pretty sure I remember the Windows guy deleting a test file and it showing up in the .evt audit file


Per this KB you are right... but I remember seeing an issue with it not logging... I will test later in a VSIM if I get a chance.   https://kb.netapp.com/support/index?page=content&id=1010191



I had setup auditing for file, add/write/deletion on cifs shares. It does log deletions of files. As deletion comes under "Object-Access", you have to enable it first on filer through,

filer> options cifs.audit.file_access_events.enable on

Then under Folder Properties --> Security tab --> Advanced --> Auditing - Add any user/group you want to audit on the folder and then select access types such as read, list, write, modify, delete etc.. for it.

I have used it and it works fine


Yasir Irfat


Hi Yasir,


Although I have enabled the audit options and completed all configuration parameters but still I am unable to see the audit tab enabled for me in windows.

could you please help on this.


Thanks in advance.


This is pretty straightforward for NTFS auditing on Netapp.  Also, unless you are looking for a small sample, native auditing is essentially useless b/c of log rolling.... 


Hi Yasir.

When I setup as you describe above and select the cifs share/volume I get tons of access denied messages from inside the ~snapshot folder. Which surprises me since folks are taking abourt successfull auditing of the ~snapshot folder in this thread.

When I choose a folder inside the share it allows me to audit that folder. This will be a show stopper for us since the customer has a lot of folders Do you have any thoughts? Am I missing something obvious here..



You cannot audit anything within ~snapshot...that space is 100% read only and auditing requires bits to be flipped by Windows.  You can audit Windows files outside ~snapshot, but not within.

- Scott

Thank you for replying Scott!

I solved this by setting the cifs.show_snapshot option to off then from Window:

Then under Folder Properties --> Security tab --> Advanced --> Auditing - Add any user/group you want to audit on the folder and then select access types such as read, list, write, modify, delete etc.. for it.

Auditing is now "on" for the share and all subfolders. cifs.show_snapshot option is again enabeled after all the "bits flipping"





I know this is an old post, but can someone point me to steps for auditing : NFS export, without CIFS auditing enabled ?




NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner