How to Enable and Disable Audit Events in NetApp Cluster Mode

Auditing CIFS shares records who is accessing, reading, modifying and deleting files, which is useful for keeping an eye on sensitive data such as finance information, legal information and the paths where company-confidential documents are stored. If you want to use an auditing tool for this, you must enable auditing and configure it properly; otherwise the audit logs will keep growing the root volume, which leads to trouble. This article shows how to enable and disable audit events in NetApp Cluster Mode.

Enable and Disable Audit Events Netapp 7-Mode

On 7-Mode NetApp filers, simply run one or two commands, as shown below, to enable or disable audit events.

Ark-Netapp> cifs audit start
Ark-Netapp> Wed Sep 27 03:14:38 CST [Ark-Netapp: cifs.auditfile.enable.on:info]: ALF: CIFS auditing started.
Wed Sep 29 03:14:38 CST [Ark-Netapp: cifs.auditfile.autosaved.onsize:info]: Autosaving the CIFS audit log file (/etc/log/adtlog.evt)
Wed Sep 28 03:14:38 CST [Ark-Netapp: cifs.auditfile.logFile.IOInfo:info]: ALF I/O information for file /etc/log/adtlog.evt: saved 30309 records to audit file.

Ark-Netapp> options cifs.audit.enable on
Ark-Netapp> options cifs.audit.enable
cifs.audit.enable on

When auditing is enabled on a NetApp 7-Mode filer, it automatically writes the logs to the /etc/log/adtlog.evt file, which is stored in the vol0 volume. To disable auditing, run:

cifs audit stop
options cifs.audit.enable off

How to Enable and Disable Audit Events in NetApp Cluster Mode 8.x/9.x Versions

To avoid confusion when running commands, set the context so that commands run directly on a particular Storage Virtual Machine (SVM); on the command line an SVM is called a Vserver.

SNY-NA::> vserver context -vserver CIFS-SVM

Info: Use 'exit' command to return.

CIFS-SVM::> vserver audit create -destination /AuditLogs

CIFS-SVM::> exit

The example above creates the audit configuration with /AuditLogs as the destination, which means the AuditLogs volume has already been created and mounted at /AuditLogs.

ArkIT-Clu::> vserver audit modify -vserver CIFS-SVM -destination /AuditLogs -events file-ops -format evtx -rotate-size 200MB -rotate-limit 10

ArkIT-Clu::> vserver audit modify -vserver CIFS-SVM -destination /AuditLogs

ArkIT-Clu::> vserver audit show -instance

 Vserver: CIFS-SVM
 Auditing State: false
 Log Destination Path: /AuditLogs
 Categories of Events to Audit: file-ops cifs-logon-logoff
 Log Format: evtx
 Log File Size Limit: 200MB
 Log Rotation Schedule: Month: -
 Log Rotation Schedule: Day of Week: -
 Log Rotation Schedule: Day: -
 Log Rotation Schedule: Hour: -
 Log Rotation Schedule: Minute: -
 Rotation Schedules: -
 Log Files Rotation Limit: 10

If at any point you want to move the audit logs from the old volume to a new one, change the path with the modify option.

Note: you can't enable multiple audit configurations for the same SVM.

We have created the audit log path, but auditing is not running yet:

ArkIT-Clu::> vserver audit show
Vserver     State  Event Types        Log Format Target Directory
----------- ------ ------------------ ---------- ----------------------------
CIFS-SVM    false  file-ops           evtx       /AuditLogs

Enable auditing by running the command below:

ArkIT-Clu::> vserver audit enable -vserver CIFS-SVM

Error: command failed: Cannot enable auditing for Vserver "CIFS-SVM". Reason: Final consolidation is in progress. Retry after sometime.

ArkIT-Clu::> vserver audit enable -vserver CIFS-SVM

ArkIT-Clu::> vserver audit show
Vserver     State  Event Types        Log Format Target Directory
----------- ------ ------------------ ---------- ----------------------------
CIFS-SVM    true   file-ops           evtx       /AuditLogs

Log Rotate options in Netapp Cluster mode

Log files can be rotated based on event file size, event file count and time, using the following vserver audit modify options:

  • -rotate-schedule-month (January February March April May June July August September October November December)
  • -rotate-size ({<integer>[KB|MB|GB|TB|PB]}, log file size limit)
  • -rotate-schedule-dayofweek (Sunday Monday Tuesday Wednesday Thursday Friday Saturday)
  • -rotate-schedule-day (particular day)
  • -rotate-schedule-minute (based on minutes)
  • -rotate-limit (log file count)
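
The rotation settings can be checked from the vserver audit show -instance output shown earlier. The Python below is an added example, not part of the original article: it parses that output and reports whether auditing is off, whether rotation is unbounded, and how much space rotate-size x rotate-limit lets the rotated logs occupy. The sample text is constructed from the output on this page, and treating a rotate limit of 0 as "keep every file" is an assumption about ONTAP's behaviour.

```python
import re

# Constructed sample in the layout of `vserver audit show -instance` on this page.
SAMPLE = """\
Vserver: CIFS-SVM
 Auditing State: false
 Log Destination Path: /AuditLogs
 Categories of Events to Audit: file-ops cifs-logon-logoff
 Log Format: evtx
 Log File Size Limit: 200MB
 Log Rotation Schedule: Month: -
 Rotation Schedules: -
 Log Files Rotation Limit: 10
"""

MB_PER_UNIT = {"KB": 1 / 1024, "MB": 1, "GB": 1024, "TB": 1024**2, "PB": 1024**3}


def parse_audit_instance(text):
    """Return {label: value}; split on the last ': ' because the rotation
    schedule labels contain a colon themselves."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.strip().rpartition(": ")
        if sep:
            fields[label.lower()] = value.strip()
    return fields


def size_in_mb(value):
    """Convert a size such as '200MB' to megabytes; None if unset ('-')."""
    m = re.fullmatch(r"(\d+)\s*(KB|MB|GB|TB|PB)", value.strip(), re.IGNORECASE)
    return int(m.group(1)) * MB_PER_UNIT[m.group(2).upper()] if m else None


def review(fields):
    """Return (findings, retained_mb): retained_mb is rotate-size x rotate-limit,
    the space rotated logs can occupy (None when it cannot be bounded)."""
    findings = []
    if fields.get("auditing state", "").lower() != "true":
        findings.append("auditing is configured but not enabled")
    size = size_in_mb(fields.get("log file size limit", "-"))
    raw_limit = fields.get("log files rotation limit", "0")
    limit = int(raw_limit) if raw_limit.isdigit() else 0
    if limit == 0:  # assumption: ONTAP keeps every rotated file when the limit is 0
        findings.append("rotate-limit is 0: rotated logs are never pruned")
    if size is None and fields.get("rotation schedules", "-") == "-":
        findings.append("no size or time trigger for rotation")
    retained = size * limit if size is not None and limit else None
    return findings, retained
```

Compare the returned figure with the free space on the volume mounted at the log destination path before enabling auditing.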

Disabling and Deleting Audit Configuration

::> vserver audit disable -vserver CIFS-SVM
::> vserver audit delete -vserver CIFS-SVM

That’s it for enabling and disabling audit events in NetApp Cluster Mode 8.x and 9.x.

Conclusion

Enabling the wrong audit log events will grow your volume unnecessarily and lead to problems. Configure the audit log size, log file count and log rotation properly.


Thanks for your wonderful Support and Encouragement

Ravi Kumar Ankam
