Imagine a user comes to you and says, "I cannot see my files on the network storage." Haahhh
That's it. He doesn't know how they got deleted, and he wants to know who did this. Here you need to answer two questions:
1) When will you give my file back? (Since I am the admin, I have to give it back.)
2) Who deleted this?
I restored the deleted file from a recent backup. (If you have snapshots enabled on the NetApp volume, you can retrieve it very easily.)
For the second one I didn't have an answer, because I hadn't enabled auditing on the filer. Then I found out how to enable auditing on a NetApp filer and thought I would share it with you all.
Telnet to filer
Filer > options cifs.audit.enable on
This enables auditing on CIFS volumes. The disadvantage is that we need to save manually to stop the auditing (I will tell you how we can do it automatically).
Save CIFS auditing
Filer > cifs audit save -f
Automatically save auditing
Filer > options cifs.audit.autosave.ontime.enable on
Filer > options cifs.audit.autosave.onsize.enable on
Where can we see the audit logs?
Run –> //filername/etc$
Give the credentials. Go to the etc folder, then the log folder. There you can see adtlog.evt.
It's an Event Viewer file. Go to Event Viewer –> right-click –> Open Log File –> give this path
(try to mount this CIFS volume before giving the path in Event Viewer). Select the Security log type when opening.
You will be able to see entries similar to Windows auditing: Object Access, Logon/Logoff categories, etc.
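To answer "who deleted this?" without clicking through Event Viewer, a saved copy of adtlog.evt can be searched for a file name. This is an added example, not part of the original post: it assumes the file uses the legacy Windows .evt record layout (which is why Event Viewer opens it), and the user names, paths and event IDs in the sample are constructed.

```python
import struct
from datetime import datetime, timezone

# Fixed 56-byte part of a legacy Windows EVENTLOGRECORD (the .evt record layout).
HDR = struct.Struct("<6I4H6I")
SIG = b"LfLe"  # record signature, stored 4 bytes after the record start

def parse_evt(blob):
    """Yield (time_utc, event_id, strings) for every record found in blob."""
    pos = blob.find(SIG)
    while pos != -1:
        start = pos - 4
        if start >= 0 and start + HDR.size <= len(blob):
            f = HDR.unpack_from(blob, start)
            length, t_gen, event_id, nstr, str_off, data_off = (
                f[0], f[3], f[5], f[7], f[11], f[15])
            # The 48-byte file header carries the same signature; skip it.
            if length >= HDR.size and start + length <= len(blob) \
                    and HDR.size <= str_off <= data_off <= length:
                raw = blob[start + str_off:start + data_off]
                text = raw[:len(raw) & ~1].decode("utf-16-le", "replace")
                yield (datetime.fromtimestamp(t_gen, timezone.utc),
                       event_id & 0xFFFF, text.split("\x00")[:nstr])
        pos = blob.find(SIG, pos + 4)

def events_mentioning(blob, needle):
    """Return records whose insertion strings contain needle (case-insensitive)."""
    needle = needle.lower()
    return [r for r in parse_evt(blob) if any(needle in s.lower() for s in r[2])]

def make_record(recno, ts, event_id, strings):
    """Build one CONSTRUCTED record for the demo; not real filer output."""
    names = "Security\x00FILER1\x00".encode("utf-16-le")
    sblob = "".join(s + "\x00" for s in strings).encode("utf-16-le")
    str_off = HDR.size + len(names)
    data_off = str_off + len(sblob)
    length = (data_off + 4 + 3) & ~3  # trailing length copy, DWORD-aligned
    head = HDR.pack(length, 0x654C664C, recno, ts, ts, event_id, 8,
                    len(strings), 0, 0, 0, str_off, 0, str_off, 0, data_off)
    pad = b"\x00" * (length - 4 - data_off)
    return head + names + sblob + pad + struct.pack("<I", length)

# Constructed sample: user names, paths and event IDs are made up.
SAMPLE = (make_record(1, 1262304000, 560, ["CORP\\alice", "\\vol\\vol1\\docs\\plan.doc"])
          + make_record(2, 1262307600, 564, ["CORP\\bob", "\\vol\\vol1\\docs\\report.xls"]))

if __name__ == "__main__":
    for when, eid, strings in events_mentioning(SAMPLE, "report.xls"):
        print(when.isoformat(), eid, strings)
```

For a real log, read the copied file with `open(path, "rb").read()` and pass the bytes to `events_mentioning`.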
Below command will give the real status of CIFS auditing in NetApp filer
Hope it is helpful for all, and thanks for being here.