Enable file access auditing for Windows clients on NetApp FAS (cifs auditing)

What:

NetApp FAS270, FAS2020, FAS2040, FAS2240, FAS2050

Problem:

Client needs to audit access to files and directories on network shares.

Solution:

Before we enable auditing we need to make sure that:
- CIFS are licensed and enabled on the storage system
- The file or directory to be audited must be in a mixed, qtree or NTFS volume

SSH onto the NetApp box and logon.

Take a note of a current settings with

options cifs.audit

Set events that you would like to audit, in these case I need to audit only file access, so set to "on" only this one option.

Audit file access events

options cifs.audit.file_access_events.enable {on | off}

Audit log-on/log-off events

options cifs.audit.logon_events.enable {on | off}

Audit account management events

options cifs.audit.account_mgmt_events.enable {on | off}

Now enable CIFS audit (it's disabled as default)

cifs audit {start | stop}

or command which does the same thing

options cifs.audit.enable {on | off}

Compare old settings with a new ones

options cifs.audit

That's all you need to change on NetApp box to have auditing enabled, but custom settings are highly recommended.

=======================================================================

Custom settings

Change external event log location

Create a folder in your shared directory called "Auditing_logs", list shares

cifs shares *

Path to the folder should look as follows

"/vol/vol0/Share/Auditing_logs"

Store events in a new location

options cifs.audit.saveas "/vol/vol0/Share/Auditing_logs"

To save audit events manually issue following command:

cifs audit save [-f]

*-f option allows you to overwrite the existing event log. If the event log does not exist, you can omit the -f option.


Saving audit events

Audit event information is stored in /etc/log/cifsaudit.alf file. I do not use Live View, so I need to periodically save the contents of this file to an external EVT file, which by default is located at /etc/log/adtlog.evt
*You can access files located in /etc directory from windows pc using unc path \\netappbox\c$

You can specify that audit events are automatically saved to the event log based on a time interval or the size of the internal log file - that is, how full the cifsaudit.alf file is, default value is 75% which I will leave.

Specify the maximum size of the cifsaudit.alf file

options cifs.audit.logsize 10485760

*size is in bytes - default value is 524,288 bytes (512K), maximal value is 68,719,476,736 bytes (64 GB)

 Specifying the maximum number of automatically saved files

options cifs.audit.autosave.file.limit 0

*value can be set from 0 (unlimited) to 999,  oldest file will be overwritten

Enable auto-save

options cifs.audit.autosave.onsize.enable on

To clear the internal cifsaudit.alf file and start over use

 cifs audit clear

=======================================================================

Enable auditing for selected folders

To enable auditing access on individual files and directories, complete the following steps on the Windows administration host.

1. Create new security group called "File access audit" and add all users that you need to collect informations about.
2. Select the file or directory for which you want to enable auditing access.
3. Right-click on the file or directory, and select Properties.
4. Select the Security tab.
5. Click Advanced.
6. Select the Auditing tab.
7. Add, edit, or remove the auditing options you want for "File access audit" group

=======================================================================

Opening and analysing logs

You can use Windows event viewer

Start > Run type in eventvwr

Going through all that logs is almost impossible task, I decided to use Log Parser Lizard which is a free application. I added separate post about it called

Analyze evt log files with Log Parser Lizard - NetApp auditing