We've just switched from a Windows file server to a 3020c and are experiencing significant issues with CIFS auditing.

We have several directories that need to be monitored and we have turned on auditing via NTFS (right-click | properties | security | advanced | auditing).  On the old file server we used a third-party tool (ScriptLogic) to monitor CIFS access but it only works on Windows servers.

The problem we have is if a user opens up one of the monitored folders, the filer spits out about 300 events for each file.  There are three or maybe four slight differences between the 300 events (some might refer to SMBRead and others SMBReadEA, for example), but at least 50 events are completely identical to each other in every way.  We've been auditing about 19,000 files (<4GB) for a week and we already have 10GB of .evt files.

We tried limiting the audits to List Folder / Read Data, Create Files / Write Data, Create Folders / Append Data, Delete, Change Permissions and Take Ownership, and we applied only to files.  It didn't improve things from what we could see.

NetApp support told us to contact MS but that didn't get us anywhere so now we're looking for third-party alternatives.  Can anyone suggest a good tool that can gather .evt files from a specified directory, weed out duplicates and store the end result in either a database or another .evt file?
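
Added example, not part of the original post: one way to do the "weed out duplicates and store in a database" step, collapsing identical audit records into a single SQLite row with a copy count. It assumes the `.evt` contents have already been exported to CSV; the column names, the helper names and the sample rows are constructed for illustration and are not real filer output.

```python
import csv
import hashlib
import io
import sqlite3

# Constructed sample export (assumed columns; not real filer output).
SAMPLE_CSV = r"""record,time,user,operation,path
1,2009-03-02 10:15:01,CORP\alice,SMBRead,\\filer\share\a.doc
2,2009-03-02 10:15:01,CORP\alice,SMBRead,\\filer\share\a.doc
3,2009-03-02 10:15:01,CORP\alice,SMBReadEA,\\filer\share\a.doc
4,2009-03-02 10:15:01,CORP\alice,SMBRead,\\filer\share\a.doc
5,2009-03-02 10:15:02,CORP\bob,SMBRead,\\filer\share\b.xls
"""

# Two events are duplicates when everything except the record number matches.
KEY_FIELDS = ("time", "user", "operation", "path")


def read_export(text):
    """Parse an exported CSV into dict rows (hypothetical export format)."""
    return csv.DictReader(io.StringIO(text))


def open_store(db_path=":memory:"):
    """Open the store; pass a file path so repeated runs keep deduplicating."""
    db = sqlite3.connect(db_path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS audit ("
        " digest TEXT PRIMARY KEY, time TEXT, user TEXT,"
        " operation TEXT, path TEXT, copies INTEGER NOT NULL)"
    )
    return db


def load_deduplicated(db, rows):
    """Store each distinct event once; return (events read, rows kept)."""
    seen = 0
    for row in rows:
        seen += 1
        values = [row[f].strip() for f in KEY_FIELDS]
        # Join with a separator byte so field boundaries stay unambiguous.
        digest = hashlib.sha256("\x1f".join(values).encode("utf-8")).hexdigest()
        cur = db.execute(
            "UPDATE audit SET copies = copies + 1 WHERE digest = ?", (digest,))
        if cur.rowcount == 0:  # first time this exact event is seen
            db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?, 1)",
                       (digest, *values))
    db.commit()
    return seen, db.execute("SELECT COUNT(*) FROM audit").fetchone()[0]
```

Keeping the `copies` count preserves the fact that the filer logged the event many times, which matters if the audit trail is later reviewed for completeness.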