I have an F820 running DOT 6.4.2P6 with CIFS only. I noticed the CIFS audit log does not log all events. The audit log is dumped and saved every night at midnight via an rsh script. Looking through several log files, there are only a few entries in each of the files. All of the entries are within 16 minutes after midnight, when the audit file is dumped. These are the settings. I compared it with two other Filers, F880c DOT 6.4.2P12; with the same settings the audit log worked fine.
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.logon_events.enable on
cifs.audit.logsize 204800000
cifs.audit.saveas /etc/log/adtlog.evt
Any ideas?
thanks,
Marcus Bui
----------------------------------------- Confidentiality Note: The information contained in this message, and any attachments, may contain confidential and/or privileged material. It is intended solely for the person or entity to which it is addressed. Any review, retransmission, dissemination, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
What are you attempting to audit? Is it the CIFS file system, such as reads, deletes, permission changes, etc.? If so, CIFS still needs to be set to audit like that of the native NTFS structure. You will need to do this via Explorer by:
- right clicking the directory or file
- security tab
- advanced
- auditing
- adding a common group or suspected user
- selecting what you are attempting to audit
-Jon
"Bui, Marcus" Marcus.Bui@aiminvestments.com wrote in message news:0D1B378426DB3B4DB200AF4738F3E9E7090FD101@USHOUXML04...
I have an F820 running DOT 6.4.2P6 with CIFS only. I noticed the CIFS audit log does not log all events. The audit log is dumped and saved every night at midnight via an rsh script. Looking through several log files, there are only a few entries in each of the files. All of the entries are within 16 minutes after midnight, when the audit file is dumped. These are the settings. I compared it with two other Filers, F880c DOT 6.4.2P12; with the same settings the audit log worked fine.
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.logon_events.enable on
cifs.audit.logsize 204800000
cifs.audit.saveas /etc/log/adtlog.evt
Any ideas?
thanks,
Marcus Bui
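The Explorer steps in the reply above can also be scripted from a Windows client. The PowerShell below is an added example, not part of the original thread: the UNC path and group name are placeholders, and it assumes the filer accepts audit (SACL) changes over CIFS the same way an NTFS volume does.

```powershell
# Added example: scripted equivalent of the Explorer auditing steps.
# Assumptions: the path and group are placeholders; the session runs elevated
# under an account with "Manage auditing and security log" rights on the target.
function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,       # e.g. \\FILER\share\dir (placeholder)
        [Parameter(Mandatory)] [string] $Principal,  # e.g. DOMAIN\GroupToAudit (placeholder)
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadData, WriteData, Delete, ChangePermissions',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )

    # -Audit makes Get-Acl return the SACL as well as the DACL.
    $acl = Get-Acl -Path $Path -Audit

    # Skip the change if an explicit rule for this principal already covers the request.
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Principal -and
            ($_.FileSystemRights -band $Rights) -eq $Rights -and
            ($_.AuditFlags -band $Flags) -eq $Flags
        }
    if ($existing) { return $existing }

    # Apply to this folder, its subfolders and its files.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the SACL back so the change is verified rather than assumed.
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

# Placeholder values; replace with a real share path and group before running.
Add-FolderAuditRule -Path '\\FILER\share\dir' -Principal 'DOMAIN\GroupToAudit' |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
```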