NetApp Knowledge Base

Why does event 4656 appear in CIFS auditing when the SACL is not configured for Write/Read?

Category: ontap-9
Specialty: nas

Applies to

  • ONTAP 9
  • Auditing

Answer

  • Event 4656 is related to a file open request. The open is the step that precedes renaming a file, and the rename triggers event 9999
  • Events 4656 and 9999 are recorded together when SACL auditing of delete is set with success auditing
  • Event 4656 can be recorded alone, without 9999, when SACL auditing of delete is set with failure auditing
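
The pairing described above, as an added example that is not part of the NetApp article: it matches each event 4656 to a following event 9999 from the same client on the same path and reports a 4656 with no 9999 separately. The record layout, the field names and the two-second window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

OPEN_EVENT, RENAME_EVENT = 4656, 9999  # event IDs named in the article

# Constructed sample records; the field names are hypothetical, not ONTAP's schema.
SAMPLE = [
    {"time": "2022-01-20 20:44:22.679", "id": 4656, "client": "192.168.0.5",
     "path": r"folder\OldName.txt"},
    {"time": "2022-01-20 20:44:22.681", "id": 9999, "client": "192.168.0.5",
     "path": r"folder\OldName.txt", "new_path": r"folder\NewName.txt"},
    {"time": "2022-01-20 20:45:10.100", "id": 4656, "client": "192.168.0.7",
     "path": r"folder\Locked.txt"},
]

def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S.%f")

def pair_opens_with_renames(records, window=timedelta(seconds=2)):
    """Return (path, client, new_path) per 4656; new_path is None if no 9999 followed."""
    records = sorted(records, key=_ts)
    used = set()       # indexes of 9999 records already paired
    results = []
    for i, rec in enumerate(records):
        if rec["id"] != OPEN_EVENT:
            continue
        new_path = None
        for j in range(i + 1, len(records)):
            cand = records[j]
            if _ts(cand) - _ts(rec) > window:
                break  # sorted by time, so nothing later can match
            if (j not in used and cand["id"] == RENAME_EVENT
                    and cand["client"] == rec["client"]
                    and cand["path"].lower() == rec["path"].lower()):
                used.add(j)
                new_path = cand["new_path"]
                break
        results.append((rec["path"], rec["client"], new_path))
    return results

if __name__ == "__main__":
    for path, client, new_path in pair_opens_with_renames(SAMPLE):
        if new_path:
            print(f"{client}: {path} renamed to {new_path}")
        else:
            print(f"{client}: {path} opened (4656) with no 9999 in the window")
```
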

Additional Information

The packet trace shows the requests that correspond to the recorded events:

Event 4656:

2022-01-20 20:44:22.679142    192.168.0.5    192.168.0.201    SMB2    Create Request File: folder\OldName.txt
2022-01-20 20:44:22.680527    192.168.0.201    192.168.0.5    SMB2    Create Response File: folder\OldName.txt


Event 9999:

2022-01-20 20:44:22.680869    192.168.0.5   192.168.0.201    SMB2    SetInfo Request FILE_INFO/SMB2_FILE_RENAME_INFO File: folder\OldName.txt NewName:folder\NewName.txt
2022-01-20 20:44:22.682172    192.168.0.201    192.168.0.5    SMB2    SetInfo Response
 
In Event Viewer: [screenshot: Event 4565.jpg]