Native NAS Auditing: ONTAP vs 7Mode
Applies to
- ONTAP 9
- Auditing
Answer
- Can we configure auditing in ONTAP to capture CIFS events with the path in backslash ("\") format, as in 7Mode?
- No. By design, ONTAP records the path in all NAS audit events with the forward slash ('/'), and this is not configurable.
- The audit event contains a field named "Source" that identifies the access protocol, such as CIFS or NFSV3.
Example:
7Mode Event log for CIFS
Object Name: \vol\volume_name\dir1\dir2\file.txt
ONTAP Event Log
<Event>
<System>
.
<Source>CIFS</Source>
.
</System>
<EventData>
.
<Data Name="ObjectName"> (volume_name);/dir1/dir2/file.txt</Data>
.
</EventData>
</Event>
- Can we capture audit logs in .evt format, as in 7Mode?
- No, ONTAP can only capture audit logs in XML or EVTX format.
Additional Information
- vserver audit create
[-format {xml|evtx}] - Log Format
This parameter specifies the output format of the audit logs. The output format can be either Data ONTAP-specific XML or Microsoft Windows EVTX log format. By default, the output format is EVTX.
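Because the path separator is not configurable, any log pipeline that still expects 7Mode-style paths has to convert on the consumer side. The following is an added example, not NetApp code: it assumes logs written with -format xml, the helper names `normalise` and `to_7mode_path` are hypothetical, and the `\vol\<volume>\...` mapping is inferred from the two sample paths shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's ONTAP event (elided fields omitted).
SAMPLE_EVENTS = """<Events>
<Event><System><Source>CIFS</Source></System>
<EventData><Data Name="ObjectName"> (volume_name);/dir1/dir2/file.txt</Data></EventData></Event>
<Event><System><Source>NFSV3</Source></System>
<EventData><Data Name="ObjectName">(volume_name);/dir1/report.csv</Data></EventData></Event>
</Events>"""

# "(volume);/path" as shown in the page's ObjectName example.
OBJECT_NAME = re.compile(r"^\s*\((?P<volume>[^)]+)\);(?P<path>/.*)$")


def local(tag):
    """Drop an XML namespace prefix, if any, so lookups work either way."""
    return tag.rsplit("}", 1)[-1]


def to_7mode_path(object_name):
    """Convert '(volume);/a/b' to a 7Mode-style backslash path, else None."""
    m = OBJECT_NAME.match(object_name or "")
    if not m:
        return None  # unexpected shape: let the caller keep the raw value
    parts = [p for p in m.group("path").split("/") if p]
    return "\\" + "\\".join(["vol", m.group("volume"), *parts])


def normalise(xml_text):
    """Return one dict per event: protocol, ONTAP path, legacy-style path."""
    rows = []
    for event in ET.fromstring(xml_text).iter():
        if local(event.tag) != "Event":
            continue
        source, obj = None, None
        for node in event.iter():
            name = local(node.tag)
            if name == "Source":
                source = (node.text or "").strip()
            elif name == "Data" and node.get("Name") == "ObjectName":
                obj = (node.text or "").strip()
        # Only CIFS events get the backslash form; other protocols keep '/'.
        legacy = to_7mode_path(obj) if (source or "").upper() == "CIFS" else None
        rows.append({"source": source, "object_name": obj, "legacy_path": legacy})
    return rows
```

Keep the original ObjectName alongside the converted value so that searches against the raw ONTAP log still match.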