Phone Get Quote
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892


Configuring audit options

On the Review Summary page of the Add Servers pop-up, you can configure your preferred audit options. Start by choosing your CIFS server type—in this case, Cluster Mode/Vserver.

Configuring audit options

Configure the settings below.

Configuring the management IP and the account

Provide the details below as discussed in the Prerequisites section:

  • Management IP
  • Username and password
  • Port number

Configuring audit policies

The audit policies required for effective NetApp cluster auditing can be configured either automatically or manually.

2.1 Automatic audit policy configuration

If you want to allow ADAudit Plus to configure the required audit settings automatically, select the NetApp Audit Options Enabled Automatically check box while adding the target NetApp server.

When this option is enabled, ADAudit Plus will configure a default audit policy and the below parameters in the NetApp CIFS server:

  • Rotation Based On: Size
  • Maximum Log File Count: 10
  • Log File Size: 200MB
  • Log Path: Select either Create or Exist based on whether you want to provide a new aggregate name or an existing path with 3GB space as explained in the Prerequisites page. If you choose Create, a new volume named cifs_audit_log will be created and mounted on the /cifs_audit_log path. If you choose Exist, provide an existing path with a minimum of 3GB for log storage.
Note For the Exist option, ensure that you provide the junction path and not the share path. For example, /root/logs/cifs is a valid path.>
Configuring audit options

If you wish to configure the audit policies manually, follow the directions in the next section.

2.2 Manual audit policy configuration

The target NetApp cluster devices can be accessed through an SSH or Telnet connection using the required cluster or Vserver administrative credentials.

Use the command below to configure the audit settings for the respective CIFS servers:

Vserver audit create -<Vserver_Name> -destination <Log_Destination_Path> -format <Log_Format_in_XML/evtx> -rotate-size <Log_File_Size_Limit_in_KB/MB/GB/TB/PB> -rotate-limit <Log_Files_Rotation_Limit>

Configuring audit options

Here, the parameters to be defined are:

  • <Vserver_Name>: The name of the Vserver that the audit configuration will be created on.
  • <Log_Destination_Path>: The audit log destination path where consolidated audit logs are stored. The command will fail if the path is not valid. The path can be up to 864 characters in length and must have read-write permissions.
  • <Log_Format_in_XML/evtx>: The output format of the audit logs. ADAudit Plus only supports Microsoft Windows EVTX log format.
  • <Log_File_Size_Limit_in_KB/MB/GB/TB/PB>: The audit log file size limit, represented as an integer, along with the unit (e.g., 200MB).
  • <Log_Files_Rotation_Limit>: The audit log files rotation limit. A value of “0” indicates that all the log files are retained, and a value of “5” indicates that the last five audit logs are retained.

Example: Vserver audit create -Vserver vs1 -destination /cifs_audit_log -format evtx -rotate-size 200MB -rotate-limit 10

  1. When you enable an audit policy in the NetApp CIFS server through the product console or manually, the Audit-Guarantee setting in the NetApp server is set to True. This setting prevents users from performing NetApp file operations when events aren’t being logged, which can happen due to insufficient disk space (learn more here). To continue to perform file operations, you can set Audit-Guarantee=False in the NetApp server. However, if you do this, file operations will not get logged.
  2. We recommend disabling the snapshot policy in the volume where audit logs will be stored.

3. Configuring SACLs in the shares

System access-control lists (SACLs) decide which files and folders will be audited and ensure that the system generates audit events when files are accessed. The required SACLs for NetApp CMode CIFS auditing can be configured either automatically or manually.

3.1 Automatic SACL configuration

If you want ADAudit Plus to auto-configure the required SACLs in the target cluster shares, ensure that the Necessary object level auditing will be set on selected shares check box is selected. Click OK.

Configuring audit options

If you wish to configure SACLs manually, deselect the Necessary object level auditing will be set on selected shares check box and proceed to the next step.

3.2 Manual SACL configuration

For steps to manually configure object-level auditing in your NetApp cluster servers, refer to this page.


a. Bad username or password
Configuring audit options

Check whether the provided username and password are correct.

b. Unable to connect to the NetApp Server through mentioned port and protocol
Configuring audit options

Perform these checks:

  1. Check if the management IP is correct and that you have selected the correct management IP type (i.e., either cluster or Vserver management IP).
  2. Ensure that the credentials entered belong to the provided management IP and are correct.
    Note: To check the items above, use a PuTTy or SSH client and connect to the provided NetApp management IP with the credentials. You should be able to log in without any errors.
  3. Ensure that the port number and protocol (HTTP/HTTPS) for the web console are correct.

Try connecting to the NetApp OnCommand center with the provided port and protocol. You should be able to access the web console.

c. Unable to find API: volume create (errno-13005)
Configuring audit options

This error occurs when the configured user does not have sufficient permission to execute certain operations on the NetApp server. Refer to the image below for the required roles and permissions.

Configuring audit options
d. Aggregate does not exist (errno-14420)
Configuring audit options

Check whether the aggregate name (provided for storing audit logs) is valid and has storage provisions for the configured CIFS Vserver.

e. The specified path does not exist in the namespace (errno-13001)
Configuring audit options

Check whether the junction path provided for the log path is valid and mounted and that it belongs to the configured CIFS Vserver.

ADAudit Plus Trusted By