I want to use auditing to detect if anyone has accessed /~snapshot. We are using cluster mode 8.x.
When testing this my results are eratic. Sometimes accessing a prevous version of a file is captured in the audit log but usually not.
there's command "volume snapshot event-config modify" on 8.3. but enabling this might cause excessive logging into /mroot.