What does "audit-guarantee" buy me, or what does it do? By default it is set to True when audit logging is enabled. However, we were having issues with the volume running out of space (resolved now), but audit-guarantee was preventing CIFS files from being accessed when the volume ran out of space. So it was disabled. What I cannot find is what exactly it does or does not do when it is disabled.
audit-guarantee does exactly what it says. It ensures that the SMB operation is successfully audited before the ACK is returned to the client. It eliminates the need for the EventID 516/4612 (Audit events lost). If the audit log entry cannot be recorded while audit-guarantee is on, then the CIFS operation either gets delayed or denied. When audit-guarantee is off, then the CIFS operation can be completed without successfully creating an entry in the audit log. This is only for evtx/xml auditing.
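
With audit-guarantee off the audit trail can have gaps, so the "Audit events lost" IDs named in the answer are worth checking for during log review. The following is an added example, not part of the original posts or any vendor tooling: it scans an audit log exported as XML for EventID 516/4612. The XML layout (Windows event schema style), the sample events and the function name are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Event IDs the answer names for "Audit events lost".
LOST_AUDIT_IDS = {516, 4612}

# Constructed sample, not real system output. Assumes a Windows-style event layout.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System></Event>
  <Event><System><EventID>4612</EventID><TimeCreated SystemTime="2024-01-01T10:00:05Z"/></System></Event>
  <Event><System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-01T10:00:07Z"/></System></Event>
  <Event><System><EventID>516</EventID><TimeCreated SystemTime="2024-01-01T10:00:09Z"/></System></Event>
</Events>"""


def _local(tag):
    """Strip an XML namespace so the scan works with or without one."""
    return tag.rsplit("}", 1)[-1]


def find_lost_audit_markers(xml_text):
    """Return (total_events, [(event_id, system_time), ...]) for lost-audit markers."""
    root = ET.fromstring(xml_text)
    total, hits = 0, []
    for event in root.iter():
        if _local(event.tag) != "Event":
            continue
        total += 1
        event_id, when = None, None
        for node in event.iter():
            name = _local(node.tag)
            text = (node.text or "").strip()
            if name == "EventID" and text.isdigit():
                event_id = int(text)
            elif name == "TimeCreated":
                when = node.get("SystemTime")
        if event_id in LOST_AUDIT_IDS:
            hits.append((event_id, when))
    return total, hits


if __name__ == "__main__":
    total, hits = find_lost_audit_markers(SAMPLE_XML)
    print(f"{len(hits)} lost-audit marker(s) in {total} events")
    for event_id, when in hits:
        print(f"  EventID {event_id} at {when}: audit coverage is incomplete near this time")
```
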