IT Infrastructure blog

November 27, 2010

Enabling Auditing on a NetApp CIFS Volume

Filed under: NetApp — Akther @ 8:12 pm

Imagine a user comes to you and says, "I cannot see my files on the network storage." Haahhh

That's it... he doesn't know how they got deleted, and he wants to know who did it. Here you need to answer two questions.

1) When will you give me back my file? (Since I am the admin, I have to give it back.)

2) Who deleted this?

I restored the deleted file from a recent backup. (If you have snapshots enabled on the NetApp volume, you can retrieve it very easily.)

For the second one I had no answer, because I hadn't enabled auditing on the filer. Then I found out how to enable auditing on a NetApp filer and thought I would share it with you all.

Enable Auditing

Telnet to the filer

Filer > options cifs.audit.enable on

This enables auditing on the CIFS volume. The disadvantage is that we need to save the log manually to stop the auditing (I will tell you how we can do it automatically).

Save Cifs auditing

filer>cifs audit save -f

Automatically save auditing

Filer > options cifs.audit.autosave.ontime.enable on

Filer > options cifs.audit.autosave.onsize.enable on

Where can we see the audit logs?

/etc/log/adtlog.evt

Run –> //filername/etc$

Enter the credentials. Go to the etc folder, then the log folder. There you can see adtlog.evt.

It's an Event Viewer file. In Event Viewer –> right click –> Open Log File –> point it to this path

(Mount this CIFS share first, so that the path shows up in Event Viewer.) Select the Security log type when opening the file.

You will be able to see events similar to Windows auditing: Object Access, Logon/Logoff categories, etc.

The command below shows the current status of CIFS auditing on the NetApp filer

options cifs.audit

cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable on
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable            on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.enable   off
cifs.audit.logon_events.enable on
cifs.audit.logsize           524288
cifs.audit.nfs.enable        off
cifs.audit.nfs.filter.filename
cifs.audit.saveas            /etc/log/adtlog.evt
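
A way to check captured `options cifs.audit` output against the settings this post turns on, as an added example that is not part of the original post. The `REQUIRED` baseline and the function names are assumptions made for illustration; the sample text is the listing above.

```python
# Assumed baseline (not the post's): the options the post sets, plus file-access events.
REQUIRED = {
    "cifs.audit.enable": "on",
    "cifs.audit.autosave.ontime.enable": "on",
    "cifs.audit.autosave.onsize.enable": "on",
    "cifs.audit.file_access_events.enable": "on",
}
# Sample input: the `options cifs.audit` listing shown in the post.
PAGE_OUTPUT = """\
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable on
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable            on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.enable   off
cifs.audit.logon_events.enable on
cifs.audit.logsize           524288
cifs.audit.nfs.enable        off
cifs.audit.nfs.filter.filename
cifs.audit.saveas            /etc/log/adtlog.evt
"""

def parse_options(text):
    """Map option name -> value; an option printed with no value maps to ''."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or not parts[0].startswith("cifs.audit."):
            continue  # blank line, prompt, or the echoed command itself
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_gaps(text, required=REQUIRED):
    """Return one message per required option that is missing or differs."""
    opts, gaps = parse_options(text), []
    for name, want in required.items():
        have = opts.get(name)
        if have is None:
            gaps.append(f"{name}: missing from output (want {want})")
        elif have.lower() != want:
            gaps.append(f"{name}: {have} (want {want})")
    return gaps

if __name__ == "__main__":
    print(audit_gaps(PAGE_OUTPUT) or "audit baseline satisfied")
```

Paste the filer's output into a string and pass it to `audit_gaps`; an empty list means every baseline option is set as expected.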

Hope it is helpful for all, and thanks for being here.

Regards

Akther


2 Comments »

  1. My question continues..

    2) Who deleted this….?

    I have the same problem every day =(

    Comment by Denis Ozorio — August 20, 2012 @ 10:35 pm

    • Hi
      Check the logs at the location below and import them into Event Viewer in Windows. Check the security logs. All this can be done if you enable auditing on the NetApp filer.

      /etc/log/adtlog.evt

      Comment by Akther — August 21, 2012 @ 6:30 am

