7-mode How to set up CIFS auditing on the controller
Applies to
- Clustered Data ONTAP 8
- Data ONTAP 7 and earlier
Description
- This article describes the procedure to set up Common Internet File System (CIFS) auditing on the controller.
- It also explains why many small audit files appear when the log size is set to a large value.
Procedure
- CIFS auditing does not function like traditional event auditing on a Windows client.
- The controller stores audit events in temporary memory until the log reaches a preset or user defined threshold.
- Once the threshold is reached, the buffered events are written to a file in the standard EVT format, which can be viewed with an event viewer.
- Because of this buffering, events cannot be seen in real time from the EVT files alone.
- For a closer-to-real-time view, LiveView must be used. Before Data ONTAP 7.2.2 / Data ONTAP 7.3RC1, LiveView displays only 1000 events per EVT log, and each EVT log is written once a minute.
- This behaviour is hard-coded in LiveView and cannot be changed.
- For more information, see BUG 217215
- Note:
- Before Data ONTAP 7.2.2 / Data ONTAP 7.3RC1, LiveView supersedes custom save triggers.
- You can either have a custom save log, or you can use LiveView. You cannot use a custom save log and LiveView at the same time.
- If LiveView is used, a log file will be written every minute.
- LiveView will only retain 1000 audit entries per one minute file.
- Starting with Data ONTAP 7.2.2, the number of entries was raised to 5000, and LiveView can be enabled together with the cifs.audit.autosave options, which control the size of the internal audit file and how it is saved. See the File Access and Protocols Management Guide for more information.
- For more information to run CIFS auditing on clustered Data ONTAP, see article: How to set up CIFS auditing with clustered Data ONTAP
- To enable CIFS auditing on the controller, run one of the following commands:
Filer> cifs audit start
OR Filer> options cifs.audit.enable on
- The cifs.audit.autosave options control how often the audit log is written.
- When auditing is enabled for the first time, the audit log is written once a day, or when it becomes 75% full (384 KB of the default 512 KB cifs.audit.logsize). This is the default setting.
- Several options can be used to control how often the log files are written.
- To set an option, use the following syntax:
Filer> options cifs.audit.[option] [value]
- To control which objects are audited, configure audit rules (SACLs) on each share, qtree or folder from a Windows client:
- In Computer Management (or Windows Explorer on a mapped share), go to the qtree or folder that you need to audit.
- Open Properties, select the Security tab, click Advanced, and select the Auditing tab.
- Specify the groups (principals) and the access events to be audited.
- The options are outlined as follows:
cifs.audit.autosave.onsize.enable [on/off]
- Determines whether the log is saved when a size threshold is reached.
cifs.audit.autosave.onsize.threshold [%,k,m]
- Sets the size threshold for the save-on-size trigger. This can be a percentage of the entire log size, or a fixed size smaller than the total log size. Give the log at least 20% overhead so that events arriving during the write are not lost.
cifs.audit.autosave.ontime.enable [on/off]
- Determines whether the log is saved on a time interval. If this is used without the onsize setting, the log can wrap (overwrite unsaved events) if the log file is too small.
cifs.audit.autosave.ontime.interval [m,h,d]
- Sets how often the log is saved by the on-time trigger. The maximum interval is 7 days.
- To configure the attributes of the log file, use the following options:
cifs.audit.logsize [524288 - 68719476736]
- Sets the total size of the log file in bytes.
- Warning: be cautious of setting the log file size high and then setting cifs.audit.liveview.enable to on. The per-minute conversion of the log file to .evt format can cause a CIFS performance penalty.
cifs.audit.autosave.file.limit [0-999]
- Sets how many EVT files will be kept on the controller.
- Setting this option to 0 disables the limit, keeping as many EVT files as storage allows.
cifs.audit.autosave.file.extension [counter/timestamp]
- Saves each log file with either a timestamp of the time the log was written or a sequence number.
cifs.audit.saveas [path]
- Sets the default location and file name for a manually triggered log save.
- To configure the log to be viewed in near real time, use the following option:
options cifs.audit.liveview.enable [on/off]
- Note:
- Before Data ONTAP 7.2.2 / Data ONTAP 7.3RC1, LiveView supersedes custom save triggers. Either use a custom save log or use LiveView; the two cannot be used at the same time.
- If LiveView is used, a log file is written every minute.
- LiveView retains only 1000 audit entries per 1-minute file (5000 starting with Data ONTAP 7.2.2).
- The following options customize what is recorded in the audit log:
cifs.audit.account_mgmt_events.enable [on/off]
- Sets whether the audit log records user or share account management changes on the controller.
cifs.audit.file_access_events.enable [on/off]
- Sets whether the audit log records file access events on the controller through CIFS.
- Access events WILL NOT be logged unless SACLs for auditing are configured on the files/folders. For the procedure to set up SACLs on Windows clients, consult the Microsoft documentation.
cifs.audit.logon_events.enable [on/off]
- Sets whether the audit log records user, machine or domain logon events through CIFS.
cifs.audit.nfs.enable [on/off]
- Sets whether the audit log records NFS events. Only those events that match the Windows SACLs are recorded.
cifs.audit.nfs.filter.filename [name]
- Path on the controller to the file that contains the list of NFS filters.
- The NFS filters determine which files' events are written to the log.
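The following is an added example, not NetApp code and not part of the original article. It turns the settings described above into the exact `options cifs.audit.*` commands to paste into the controller console, and checks the constraints the article states before emitting them: the 20% overhead below the onsize threshold, the 7-day maximum for the ontime interval, the 0-999 range for autosave.file.limit, the log-wrap risk of ontime without onsize, and the LiveView-versus-custom-trigger conflict on releases before 7.2.2 (the cause of the many-small-files symptom discussed below). The interpretation of the `k`/`m` suffixes as binary units, the version tuple used to represent the Data ONTAP release, and the log size above which it warns about LiveView are this example's own assumptions.

```python
"""Build and sanity-check a 7-mode CIFS audit configuration.

Added example, not NetApp code. It emits only the documented
cifs.audit.* options and validates the limits the article gives.
"""
import re

LOGSIZE_MIN = 524_288           # bytes, low end of the cifs.audit.logsize range
LOGSIZE_MAX = 68_719_476_736    # bytes, high end of the range
FILE_LIMIT_MAX = 999            # cifs.audit.autosave.file.limit is 0-999
MAX_INTERVAL_MIN = 7 * 24 * 60  # ontime.interval may not exceed 7 days
LIVEVIEW_LARGE_LOG = 64 * 1024 ** 2  # assumption: warn above 64 MB with LiveView

UNIT_BYTES = {"k": 1024, "m": 1024 ** 2}   # assumption: binary units
UNIT_MIN = {"m": 1, "h": 60, "d": 1440}


def threshold_bytes(threshold, logsize):
    """Resolve '75%', '384m' or '512k' to a byte count against logsize."""
    m = re.fullmatch(r"(\d+)(%|k|m)", threshold.lower())
    if not m:
        raise ValueError(f"bad threshold {threshold!r}")
    n, unit = int(m.group(1)), m.group(2)
    return logsize * n // 100 if unit == "%" else n * UNIT_BYTES[unit]


def interval_minutes(interval):
    """Resolve '30m', '12h' or '7d' to minutes."""
    m = re.fullmatch(r"(\d+)(m|h|d)", interval.lower())
    if not m:
        raise ValueError(f"bad interval {interval!r}")
    return int(m.group(1)) * UNIT_MIN[m.group(2)]


def build_audit_config(logsize=LOGSIZE_MIN, onsize=None, ontime=None,
                       file_limit=0, extension="timestamp", liveview=False,
                       ontap_version=(7, 3, 0)):
    """Return (commands, warnings) for the requested settings.

    onsize: threshold such as '75%' or '384m', or None to disable the trigger.
    ontime: interval such as '1d' or '12h', or None to disable the trigger.
    ontap_version: (major, minor, patch) tuple; an assumption of this example.
    """
    if not LOGSIZE_MIN <= logsize <= LOGSIZE_MAX:
        raise ValueError("cifs.audit.logsize out of range")
    if not 0 <= file_limit <= FILE_LIMIT_MAX:
        raise ValueError("cifs.audit.autosave.file.limit must be 0-999")

    cmds = ["options cifs.audit.enable on",
            f"options cifs.audit.logsize {logsize}",
            f"options cifs.audit.autosave.file.limit {file_limit}",
            f"options cifs.audit.autosave.file.extension {extension}"]
    warnings = []

    if onsize is not None:
        # The article asks for at least 20% headroom above the threshold.
        if threshold_bytes(onsize, logsize) > logsize * 80 // 100:
            warnings.append(f"onsize threshold {onsize} leaves less than 20% "
                            "overhead for events that arrive during the save")
        cmds += ["options cifs.audit.autosave.onsize.enable on",
                 f"options cifs.audit.autosave.onsize.threshold {onsize}"]
    else:
        cmds.append("options cifs.audit.autosave.onsize.enable off")

    if ontime is not None:
        if interval_minutes(ontime) > MAX_INTERVAL_MIN:
            raise ValueError("ontime interval may not exceed 7 days")
        if onsize is None:
            # Time-only saves can wrap a small log before the interval fires.
            warnings.append("ontime without onsize: the log can wrap and "
                            "lose events if logsize is too small")
        cmds += ["options cifs.audit.autosave.ontime.enable on",
                 f"options cifs.audit.autosave.ontime.interval {ontime}"]
    else:
        cmds.append("options cifs.audit.autosave.ontime.enable off")

    if liveview:
        if ontap_version < (7, 2, 2) and (onsize or ontime):
            warnings.append("before 7.2.2 LiveView supersedes the autosave "
                            "triggers: one EVT file per minute, 1000 events each")
        if logsize > LIVEVIEW_LARGE_LOG:
            warnings.append("large logsize with LiveView: the per-minute EVT "
                            "conversion costs CIFS performance")
    cmds.append(f"options cifs.audit.liveview.enable {'on' if liveview else 'off'}")
    return cmds, warnings


if __name__ == "__main__":
    commands, warns = build_audit_config(logsize=64 * 1024 ** 2, onsize="75%",
                                         ontime="1d", file_limit=50)
    print("\n".join(commands))
    for w in warns:
        print("WARNING:", w)
```

Run it with the desired values and paste the printed lines into the console one at a time; anything it prints as a WARNING is a setting the article says will lose events or produce a file per minute, so fix it before enabling auditing rather than after the first EVT files appear.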
- Why do I have lots of small audit files when I set the log size to a larger number?
- LiveView is enabled for auditing, and it is hard-coded to save every minute, up to the maximum number of files allowed by cifs.audit.autosave.file.limit.
- To view events over the course of several minutes, use a third-party auditing viewer; by default, the Windows Event Viewer opens only a single log file at a time.
- If you require only one log file of a certain size, or only one log file over a span of time, disable LiveView:
Filer> options cifs.audit.liveview.enable off
- Why is the CIFS audit log empty? Follow these steps to troubleshoot:
- Confirm that CIFS auditing is enabled. The output of the following command should show cifs.audit.enable set to on:
Filer> options cifs.audit.enable
- Confirm that the audit log is being saved to a volume or qtree that uses the NTFS security style, and that the proper ACLs have been applied to the directory where the audit log is saved (BUILTIN\Administrators: Full Control).
- Confirm that SACLs are configured on the files or folders whose access you expect to see, since file access events are not logged without them.
Note: the cifs.audit.autosave.file.limit value is a number from 0 to 999.
Additional Information