NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

ONTAP Discussions

Netapp audit how to diferentiate a rename of folder or file without extension

AlbertoGonzalez
3,004 Views

I have enabled audit on netapp but when there is a rename, i cant differentiate if the rename is in a file without extension or a folder.

 

In other operations like created there is an attributed objecttype that can be directory or archive/file but in rename there is now

 

In this case how do i know if the rename from object customer1 to  customer2 is a folder or a file without any extension? or there can be also folder with extenstion like folder.123

 

<Event>
<System>
<Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
<EventID>9999</EventID>
<EventName>Rename Object</EventName>
<Version>101.2</Version>
<Source>CIFS</Source>
<Level>0</Level>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<Result>Audit Success</Result>
<TimeCreated SystemTime="2021-03-11T10:33:54.380446000Z"/>
<Correlation/>
<Channel>Security</Channel>
<Computer>xxxx</Computer>
<ComputerUUID>46b4050a-6c79-11eb-8fc6-00505687f230/df5ac188-6c7b-11eb-9c0c-00a0b8e6be4e</ComputerUUID>
<Security/>
</System>
<EventData>
<Data Name="SubjectIP" IPVersion="4">10xxxx</Data>
<Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data>
<Data Name="SubjectUserSid">S-1-5-21-1843849653-2909494909-3618758610-1154</Data>
<Data Name="SubjectUserIsLocal">false</Data>
<Data Name="SubjectDomainName">xxx</Data>
<Data Name="SubjectUserName">xxx</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="OldDirHandle">00000000000405;00;0000290e;0e449a26</Data>
<Data Name="NewDirHandle">00000000000405;00;0000290e;0e449a26</Data>
<Data Name="OldPath">(vol1);/qa/customer1</Data>
<Data Name="NewPath">(vol1);/qa/customer2</Data>
<Data Name="Attributes"></Data>
</EventData>
</Event>

2 REPLIES 2

paul_stejskal
2,969 Views

Dir handle didn't change. That should be an indication it's a file if my brain is working... I could be wrong. If not, you may have to browse out there unfortunately.

AlbertoGonzalez
2,881 Views

That didnt work i renamed a folder and dirhandle also the same, I think DirHandle is the parent dir containing the file or folder. Why dont you add ObjectType to all these events so we can filter?  I dont understand that an Open event include ObjectType Directory or Archive to differentiate but a de  rename or delete no.

 

any other idea to differentiate?

 

 

 

<Event>
  <System>
    <Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
    <EventID>9999</EventID>
    <EventName>Rename Object</EventName>
    <Version>101.2</Version>
    <Source>CIFS</Source>
    <Level>0</Level>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <Result>Audit Success</Result>
    <TimeCreated SystemTime="2021-03-18T18:54:43.006820000Z"/>
    <Correlation/>
    <Channel>Security</Channel>
    <Computer>xxxxx</Computer>
    <ComputerUUID>46b4050a-6c79-11eb-8fc6-00505687f230/df5ac188-6c7b-11eb-9c0c-00a0b8e6be4e</ComputerUUID>
    <Security/>
  </System>
  <EventData>
    <Data Name="SubjectIP" IPVersion="4">xxx</Data>
    <Data Name="SubjectUnix" Uid="0" Gid="1" Local="false"/>
    <Data Name="SubjectUserSid">S-1-5-21-1843849653-2909494909-3618758610-500</Data>
    <Data Name="SubjectUserIsLocal">false</Data>
    <Data Name="SubjectDomainName">xxxx</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="OldDirHandle">00000000000405;00;00005ad6;0ae6bdf9</Data>
    <Data Name="NewDirHandle">00000000000405;00;00005ad6;0ae6bdf9</Data>
    <Data Name="OldPath">(vol1);/qa/folder/customer_123</Data>
    <Data Name="NewPath">(vol1);/qa/folder/customer_1234</Data>
    <Data Name="Attributes"/>
  </EventData>
</Event>

 

 

 

Public