Skip to main content
NetApp Knowledge Base

Search

  • Filter results by:
    • View attachments
    Searching in
    About 13 results
    • Cannot create modify or delete CIFS shares with auditing enabled
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Cannot_create_modify_or_delete_CIFS_shares_with_auditing_enabled
      Applies to ONTAP 9 CIFS CIFS Auditing Issue CIFS share management operations receive the following error when the "allow-unencrypted-access" share property is involved and "file-share" auditing is ena...Applies to ONTAP 9 CIFS CIFS Auditing Issue CIFS share management operations receive the following error when the "allow-unencrypted-access" share property is involved and "file-share" auditing is enabled [Error: command failed: Failed to generate security audit record for the config change for Vserver "". Reason invalid field]
    • Is there any way to find out the user responsible for changes to SMB shares attributes whether is from ONTAP or Windows File Explorer side
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Is_there_any_way_to_find_out_the_user_responsible_for_changes_to_SMB_shares_attributes_whether_is_from_ONTAP_or_Windows_File_Explorer_side
      Yes, there are multiple locations to check depending on how the change was made: From the ONTAP CLI of via an application leveraging ZAPI or RESTAPI, you can check the AUDIT-MLOG-TXT.GZ section in asu...Yes, there are multiple locations to check depending on how the change was made: From the ONTAP CLI of via an application leveraging ZAPI or RESTAPI, you can check the AUDIT-MLOG-TXT.GZ section in asup This should provide the IP address that sent the request and user used as well as some details about the details of the command used. For SMB or MSRPC(Microsoft Management Console) Cifs auditing would have needed to be setup prior, specifically for the file-share and file-ops event types.
    • Will my audit files get deleted if MDV volumes are removed?
      https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/Will_my_audit_files_get_deleted_if_MDV_volumes_are_removed
      Applies to ONTAP 9 Metadata Volume (MDV) Answer Removing MDV staging volumes does not mean that audit logs will be deleted. ONTAP will only delete the metadata inside those volumes. There is a consoli...Applies to ONTAP 9 Metadata Volume (MDV) Answer Removing MDV staging volumes does not mean that audit logs will be deleted. ONTAP will only delete the metadata inside those volumes. There is a consolidation task that runs and makes sure that all current audit files are processed and moved to the destination before the metadata volume is deleted. Additional Information How to create or remove auditing staging (MDV_AUD) volumes
    • Unable to setup CIFS audit for Unix security style volume on Windows server
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Unable_to_setup_CIFS_audit_for_Unix_security_style_volume_on_Windows_server
      Applies to ONTAP 9 Auditing Security style Issue Unable to setup CIFS audit for Unix security style volume on Windows server NTFS permission setting is not allowed
    • CIFS audit logs are generating high amount of space usage in Splunk
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/CIFS_audit_logs_are_generating_high_amount_of_space_usage_in_Splunk
      Applies to Splunk ONTAP 9 CIFS auditing Issue Splunk appears to be using more space than usual in Splunk
    • Splunk CIFS audit log is growing much bigger than ONTAP CIFS audit log
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Splunk_CIFS_audit_log_is_growing_much_bigger_than_ONTAP_CIFS_audit_log
      Applies to ONTAP 9 CIFS Splunk Issue Splunk log file size is growing much larger than ONTAP CIFS auditing file size.
    • MDV staging volume is full due to continual panic of Consolidation process
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/MDV_staging_volume_is_full_due_to_continual_panic_of_Consolidation_process
      Applies to MDV staging volume is full and EMS log records error: [node01: AuditWorkerThread01: adt.stgvol.nospace:EMERGENCY]: Audit subsystem internal error: Staging volume MDV_aud_0add1c65984e43ad70c...Applies to MDV staging volume is full and EMS log records error: [node01: AuditWorkerThread01: adt.stgvol.nospace:EMERGENCY]: Audit subsystem internal error: Staging volume MDV_aud_0add1c65984e43ad70ca122eff76b1ac is full. EMS log records amount of Consolidation process panic: Thu Jul 01 00:23:53 JST [xxxx: adtconsolidation: ucore.panicString:error]: 'adtconsolidation: Received SIGSEGV (Signal 11) at RIP 0x703c2135c accessing address 0x7e4534dd0 (pid 23838, uid 0, timestamp 1625066633)'
    • Does CIFS auditing capture file and folder restore from the Previous Versions
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Does_CIFS_auditing_capture_file_and_folder_restore_from_the_Previous_Versions
      Applies to ONTAP 9+ Answer Yes, if SACLs are configured on the folder or file prior the snapshot being taken, the restore from previous versions should capture multiple events. These events should be ...Applies to ONTAP 9+ Answer Yes, if SACLs are configured on the folder or file prior the snapshot being taken, the restore from previous versions should capture multiple events. These events should be one or more Open, GetInfo, and Read. Example paths for events should reference "~snapshot/<snapshot_name>" locations. If the restore location is also SACLed you would also see events ther for the Create, Write, and Close, at least. Additional Information additionalInformation_text
    • Can CIFS auditing be enabled to capture past events?
      https://kb.netapp.com/on-prem/ontap/OHW/OHW-KBs/Can_CIFS_auditing_be_enabled_to_capture_past_events
      Applies to CIFS ONTAP 9 Answer No, CIFS Auditing can only capture events after it was enabled. CIFS events that occurred before enabling CIFS Auditing are not captured. Additional Information How to s...Applies to CIFS ONTAP 9 Answer No, CIFS Auditing can only capture events after it was enabled. CIFS events that occurred before enabling CIFS Auditing are not captured. Additional Information How to set up CIFS auditing in ONTAP 9
    • How to set up CIFS auditing retention duration
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/How_to_set_up_CIFS_auditing_retention_duration
      Applies to ONTAP 9 CIFS auditing Description The CIFS Auditing rotation size and retention duration can be modified to retain auditing logs to meet your needs This article describes how to set CIFS Au...Applies to ONTAP 9 CIFS auditing Description The CIFS Auditing rotation size and retention duration can be modified to retain auditing logs to meet your needs This article describes how to set CIFS Auditing log retention duration By default CIFS auditing retention is 0 seconds, which indicates that all the log files are retained
    • CIFS auditing does not work as expected due to missing SACLs
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/CIFS_auditing_does_not_work_as_expected_due_to_missing_SACLs
      CIFS auditing No file access auditing events are generated logon and logoff events may be seen Filename is not shown in audit events vserver security file-directory shows no SACL on the volume or CIFS...CIFS auditing No file access auditing events are generated logon and logoff events may be seen Filename is not shown in audit events vserver security file-directory shows no SACL on the volume or CIFS shares ::> vserver security file-directory show -vserver svm_netapp -path /vol_netapp -instance Vserver: svm_netapp DOS Attributes in Text: ----D--- UNIX Mode Bits in Text: rwxrwxrwx Auditing is correctly setup: ::*> vserver audit show -vserver svm1 -fields events vserver events