ONTAP Discussions

audit-guarantee True or False

CAPPPER12
4,752 Views

Hello,

Release 9.4P1

 

server::> set diag
server::> vserver audit show -fields audit-guarantee


vserver                      audit-guarantee
--------------               ---------------
svm01                       true

 

server::> vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee false
server::> vserver audit show -fields audit-guarantee


vserver                      audit-guarantee
--------------               ---------------
svm01                       false

 

server::> set admin

 

What does "audit-guarantee" buy me, or what does it do? By default it is set to True when audit logging is enabled. However, we were having issues with the volume running out space (resolved now) but audit-guarantee was preventing CIFs files from being accessed when the volume ran out of space. So it was disabled. What I cannot find is what exactly is does or does not do when it is disabled.

Thank you in advance.

 

1 ACCEPTED SOLUTION

chris_hurley
4,556 Views

audit-guarantee does exactly what it says.   It ensures that the SMB operation is successfully audited before the ACK is returned to the client.  It eliminates the need for the EventID 516/4612 (Audit events lost).  If the audit log entry cannot be recorded while audit-guarantee is on, then the CIFS operations either gets delayed or denied.  When audit-guarantee is off, then the CIFS operation can be completed without sucessfully creating an entry in the audit log.  This is only for evtx/xml auditing.

 

View solution in original post

4 REPLIES 4

RajeshPanda
4,590 Views

@CAPPPER12  Let me know if you are still looking for the solution, i will help you find an expert who can answer to your query

CAPPPER12
4,569 Views

@RajeshPanda Yes.  Thank you.

chris_hurley
4,557 Views

audit-guarantee does exactly what it says.   It ensures that the SMB operation is successfully audited before the ACK is returned to the client.  It eliminates the need for the EventID 516/4612 (Audit events lost).  If the audit log entry cannot be recorded while audit-guarantee is on, then the CIFS operations either gets delayed or denied.  When audit-guarantee is off, then the CIFS operation can be completed without sucessfully creating an entry in the audit log.  This is only for evtx/xml auditing.

 

CAPPPER12
4,498 Views

@chris_hurley,

Do you know if it is possible to control what is logged?  For example, we do not need every read event logged.  This takes a tremendous amount of log data.  Is there a way to not log Read Events?

 

Thank you.

Public