Created a SACL for "Authenticated Users", logging all events.
Entered the following commands:
options cifs.audit.nfs.enable on options cifs.audit.file_access_events.enable on options cifs.audit.enable on cifs audit save
Then I loaded the log file in Event Viewer. Basically I can see the information I want now, but there are just too many events created for the info to be usefull. Everytime I save the events after a couple of minutes
and look at the result in Event Viewer, the last event tells me, that 500000 or so events have been discarded due to lack of resources.
Ideally, the report should only show each user once and the logging should run for several days, so I can find out, which users are accesing the filer via NFS. Can this be achieved?