ONTAP Discussions

cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

audit-guarantee True or False

CAPPPER12
‎2019-03-07 03:34 PM
5,140 Views

Hello,

Release 9.4P1

 

server::> set diag
server::> vserver audit show -fields audit-guarantee


vserver                      audit-guarantee
--------------               ---------------
svm01                       true

 

server::> vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee false
server::> vserver audit show -fields audit-guarantee


vserver                      audit-guarantee
--------------               ---------------
svm01                       false

 

server::> set admin

 

What does "audit-guarantee" buy me, or what does it do? By default it is set to True when audit logging is enabled. However, we were having issues with the volume running out space (resolved now) but audit-guarantee was preventing CIFs files from being accessed when the volume ran out of space. So it was disabled. What I cannot find is what exactly is does or does not do when it is disabled.

Thank you in advance.

 

0 Kudos
1 ACCEPTED SOLUTION
CAPPPER12 has accepted the solution

chris_hurley
A-Team Tech Advisor A-Team Tech Advisor
‎2019-04-02 09:07 AM
4,944 Views

audit-guarantee does exactly what it says.   It ensures that the SMB operation is successfully audited before the ACK is returned to the client.  It eliminates the need for the EventID 516/4612 (Audit events lost).  If the audit log entry cannot be recorded while audit-guarantee is on, then the CIFS operations either gets delayed or denied.  When audit-guarantee is off, then the CIFS operation can be completed without sucessfully creating an entry in the audit log.  This is only for evtx/xml auditing.

 

View solution in original post

0 Kudos
4 REPLIES 4

RajeshPanda
Community Manager
‎2019-04-02 12:57 AM
4,978 Views

@CAPPPER12  Let me know if you are still looking for the solution, i will help you find an expert who can answer to your query

0 Kudos

CAPPPER12
‎2019-04-02 08:19 AM
In response to RajeshPanda
4,957 Views

@RajeshPanda Yes.  Thank you.

0 Kudos
CAPPPER12 has accepted the solution

chris_hurley
A-Team Tech Advisor A-Team Tech Advisor
‎2019-04-02 09:07 AM
4,945 Views

audit-guarantee does exactly what it says.   It ensures that the SMB operation is successfully audited before the ACK is returned to the client.  It eliminates the need for the EventID 516/4612 (Audit events lost).  If the audit log entry cannot be recorded while audit-guarantee is on, then the CIFS operations either gets delayed or denied.  When audit-guarantee is off, then the CIFS operation can be completed without sucessfully creating an entry in the audit log.  This is only for evtx/xml auditing.

 

0 Kudos

CAPPPER12
‎2019-04-08 04:00 PM
In response to chris_hurley
4,886 Views

@chris_hurley,

Do you know if it is possible to control what is logged?  For example, we do not need every read event logged.  This takes a tremendous amount of log data.  Is there a way to not log Read Events?

 

Thank you.

0 Kudos
Announcements
All Community Forums
Public