SMB logs forwarding to syslog server

Ankit15 · ‎2023-06-13

Hi,

One of my customers has multiple shares and needs SMB file share logs to get forwarded to the Syslog server. They need this to identify unauthorized access as well as if someone changes permission to everyone for the shares.

Is it possible in ONTAP? What I understand is ONTAP holds failure authentication logs with server name and not with share information.

Is it possible to match the ask?

Ontapforrum · ‎2023-06-13

Unfortunately, not. Yes, ems events can be pushed to syslog such as authentication failure etc, but not share/file access audit information.

NAS audit logs are not integrated with the syslog framework and must be saved to a local path to the system. A pull mechanism can be used to retrieved them using CIFS or NFS.

https://kb.netapp.com/onprem/ontap/da/NAS/Can_NAS_audit_logs_be_forwarded_to_a_syslog_server_or_an_external_path

ONTAP only supports remote logging of EMS messages:
https://kb.netapp.com/onprem/ontap/hardware/What_ONTAP_logs_can_be_exported_to_syslog

Related:
https://docs.netapp.com/us-en/ontap/nas-audit/auditing-events-concept.html#smb-events
https://www.netapp.com/pdf.html?item=/media/16330-tr-4189pdf.pdf

SMB logs forwarding to syslog server

NetApp's KB Wins Again!

Syslogging: Cluster log-forwarding vs event destination

VSCAN events forwarding to syslog server

Syslog forwarding - which LIF is the source

Forwarding CIFS Audit logs to splunk server

CIFS Audit log forwarding to Splunk Server