Skip to main content
NetApp Knowledge Base

Why are Event IDs 4656 and 4663 reported simultaneously in Audit logs

  1. Last updated
    Oct 14, 2024
  2. Save as PDF
Views:
202
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas
Last Updated:
10/14/2024, 7:49:27 AM

Applies to

  • ONTAP 9
  • CIFS
  • Auditing
  • AD AuditPlus

Answer

  • In Audit logs, Event IDs 4656 and 4663 getting reported simultaneously and corresponding to a third party auditing tool (AD AuditPlus) indicates that the same user has created  and deleted the same file path at the same time stamp

Example:

User1Domain.com User 'User1' Deleted file/folder '\\file123. KYC\2024\3. Review of Document.pdf'.
User1Domain.com User 'User1' Created file/folder '\\file123. KYC\2024\3. Review of Document.pdf'.

  • The above behavior is specific to files with the extensions .docx and .xls. Simultaneous deletion and creation operations in audit logs can occur when an object is being replaced or updated/modified. It never results in deletion of actual file/folder

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.