We ran into a similar problem. Our Wintel teams are currently testing a product by Varonis that will provide this detail via fpolicy. I'm not sure of the pricing model myself since I just handle the NetApp integration, but it provides an enormous amount of customizable reporting.
Internet JHill@jennison.com
Sent by: owner-toasters@mathworks.com 06/14/2007 05:22 PM
To toasters cc
Subject Cifs audit logs
We've just switched from a Windows file server to a 3020c and are experiencing significant issues with cifs auditing.
We have several directories that need to be monitored and we have turned on auditing via NTFS (right-click | properties | security | advanced | auditing). On the old file server we used a third-party tool (ScriptLogic) to monitor CIFS access but it only works on Windows servers.
The problem we have is if a user opens up one of the monitored folders, the filer spits out about 300 events for each file. There are three or maybe four slight differences between the 300 events (some might refer to SMBRead and others SMBReadEA, for example), but at least 50 events are completely identical to each other in every way. We've been auditing about 19,000 files (<4GB) for a week and we already have 10GB of .evt files.
We tried limiting the audits to List Folder / Read Data, Create Files / Write Data, Create Folders / Append Data, Delete, Change Permissions and Take Ownership, and we applied only to files. It didn't improve things from what we could see.
NetApp support told us to contact MS but that didn't get us anywhere so now we're looking for third-party alternatives. Can anyone suggest a good tool that can gather .evt files from a specified directory, weed out duplicates and store the end result in either a database or another ..evt file?
This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) not therefore be liable for the message if modified.
---------------------------------------------
Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, BNP PARIBAS (et ses filiales) decline(nt) toute responsabilite au titre de ce message, dans l'hypothese ou il aurait ete modifie.