ONTAP Discussions
Hello,
Release 9.4P1
server::> set diag
server::> vserver audit show -fields audit-guarantee
vserver audit-guarantee
-------------- ---------------
svm01 true
server::> vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee false
server::> vserver audit show -fields audit-guarantee
vserver audit-guarantee
-------------- ---------------
svm01 false
server::> set admin
What does "audit-guarantee" buy me, or what does it do? By default it is set to True when audit logging is enabled. However, we were having issues with the volume running out of space (resolved now), but audit-guarantee was preventing CIFS files from being accessed when the volume ran out of space. So it was disabled. What I cannot find is what exactly it does or does not do when it is disabled.
Thank you in advance.
@CAPPPER12 Let me know if you are still looking for the solution; I will help you find an expert who can answer your query.
@RajeshPanda Yes. Thank you.
audit-guarantee does exactly what it says. It ensures that the SMB operation is successfully audited before the ACK is returned to the client. It eliminates the need for the EventID 516/4612 (Audit events lost). If the audit log entry cannot be recorded while audit-guarantee is on, then the CIFS operations either get delayed or denied. When audit-guarantee is off, then the CIFS operation can be completed without successfully creating an entry in the audit log. This is only for evtx/xml auditing.
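As an added example (not part of the original post, and not NetApp tooling): a small Python check that reads a captured CLI session like the one in the question and lists the SVMs where audit-guarantee is off, meaning SMB operations there can complete without an evtx/xml audit entry. The function names and the second SVM (svm02) in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the session from the question, with a hypothetical
# second SVM (svm02) added so both values appear in the final table.
SAMPLE_SESSION = """\
server::> set diag
server::> vserver audit show -fields audit-guarantee
vserver        audit-guarantee
-------------- ---------------
svm01          true
svm02          true
server::> vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee false
server::> vserver audit show -fields audit-guarantee
vserver        audit-guarantee
-------------- ---------------
svm01          false
svm02          true
server::> set admin
"""

PROMPT = re.compile(r"^\S*::\*?>\s*(.*)$")      # "server::> cmd" or "server::*> cmd"
ROW = re.compile(r"^(\S+)\s+(true|false)$")     # table row such as "svm01 false"
SVM_ARG = re.compile(r"-vserver\s+(\S+)")
GUARANTEE_ARG = re.compile(r"-audit-guarantee\s+(true|false)\b")


def audit_guarantee_report(session_text):
    """Return (state, changes): the last audit-guarantee value shown per SVM,
    and every 'vserver audit modify' that set the option, in session order."""
    state, changes, in_table = {}, [], False
    for line in session_text.splitlines():
        prompt = PROMPT.match(line)
        if prompt:
            command = prompt.group(1)
            in_table = command.startswith("vserver audit show")
            svm, value = SVM_ARG.search(command), GUARANTEE_ARG.search(command)
            if command.startswith("vserver audit modify") and svm and value:
                changes.append((svm.group(1), value.group(1) == "true"))
            continue
        row = ROW.match(line.strip())
        if in_table and row:
            state[row.group(1)] = row.group(2) == "true"
    return state, changes


def svms_without_guarantee(session_text):
    """SVMs where an SMB operation can complete without an audit log entry."""
    state, _ = audit_guarantee_report(session_text)
    return sorted(svm for svm, guaranteed in state.items() if not guaranteed)
```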
Do you know if it is possible to control what is logged? For example, we do not need every read event logged. This takes a tremendous amount of log data. Is there a way to not log Read Events?
Thank you.