Configuring audit options

On the Review Summary page of the Add Servers pop-up, you can configure your preferred audit options. Start by choosing your CIFS server type—in this case, Cluster Mode/Vserver.

Configure the settings below.

Configuring the management IP and the account

Provide the details below as discussed in the Prerequisites section:

• Management IP
• Username and password
• Port number

Configuring audit policies

The audit policies required for effective NetApp cluster auditing can be configured either automatically or manually.

Automatic audit policy configuration

If you want to allow ADAudit Plus to configure the required audit settings automatically, select the NetApp Audit Options Enabled Automatically check box while adding the target NetApp server.

When this option is enabled, ADAudit Plus will configure a default audit policy and the below parameters in the NetApp CIFS server:

• Rotation Based On: Size
• Maximum Log File Count: 10
• Log File Size: 200MB
• Log Path: Select either Create or Exist based on whether you want to provide a new aggregate name or an existing path with 3GB space as explained in the Prerequisites page. If you choose Create, a new volume named cifs_audit_log will be created and mounted on the /cifs_audit_log path. If you choose Exist, provide an existing path with a minimum of 3GB for log storage.

Note For the Exist option, ensure that you provide the junction path and not the share path. For example, /root/logs/cifs is a valid path.>

If you wish to configure the audit policies manually, follow the directions in the next section.

Manual audit policy configuration

The target NetApp cluster devices can be accessed through an SSH or Telnet connection using the required cluster or Vserver administrative credentials.

Use the command below to configure the audit settings for the respective CIFS servers:

Vserver audit create -<Vserver_Name> -destination <Log_Destination_Path> -format <Log_Format_in_XML/evtx> -rotate-size <Log_File_Size_Limit_in_KB/MB/GB/TB/PB> -rotate-limit <Log_Files_Rotation_Limit>

Here, the parameters to be defined are:

• <Vserver_Name>: The name of the Vserver that the audit configuration will be created on.
• <Log_Destination_Path>: The audit log destination path where consolidated audit logs are stored. The command will fail if the path is not valid. The path can be up to 864 characters in length and must have read-write permissions.
• <Log_Format_in_XML/evtx>: The output format of the audit logs. It can be either Data ONTAP-specific XML or Microsoft Windows EVTX log format.
• <Log_File_Size_Limit_in_KB/MB/GB/TB/PB>: The audit log file size limit, represented as an integer, along with the unit (e.g., 200MB).
• <Log_Files_Rotation_Limit>: The audit log files rotation limit. A value of “0” indicates that all the log files are retained, and a value of “5” indicates that the last five audit logs are retained.

Example: Vserver audit create -Vserver vs1 -destination /cifs_audit_log -format evtx -rotate-size 200MB -rotate-limit 10

Configuring SACLs in the shares

System access-control lists (SACLs) decide which files and folders will be audited and ensure that the system generates audit events when files are accessed. The required SACLs for NetApp CMode CIFS auditing can be configured either automatically or manually.

Automatic SACL configuration

If you want ADAudit Plus to auto-configure the required SACLs in the target cluster shares, ensure that the Necessary object level auditing will be set on selected shares check box is selected. Click OK.

If you wish to configure SACLs manually, deselect the Necessary object level auditing will be set on selected shares check box and proceed to the next step.

Manual SACL configuration

For steps to manually configure object-level auditing in your NetApp cluster servers, refer to this page.

Troubleshooting

a. Bad username or password

Check whether the provided username and password are correct.

b. Unable to connect to the NetApp Server through mentioned port and protocol

Perform these checks:

1. Check if the management IP is correct and that you have selected the correct management IP type (i.e., either cluster or Vserver management IP).
2. Ensure that the credentials entered belong to the provided management IP and are correct.
   Note: To check the items above, use a PuTTy or SSH client and connect to the provided NetApp management IP with the credentials. You should be able to log in without any errors.
3. Ensure that the port number and protocol (HTTP/HTTPS) for the web console are correct.

Try connecting to the NetApp OnCommand center with the provided port and protocol. You should be able to access the web console.

c. Unable to find API: volume create (errno-13005)

This error occurs when the configured user does not have sufficient permission to execute certain operations on the NetApp server. Refer to the image below for the required roles and permissions.

d. Aggregate does not exist (errno-14420)

Check whether the aggregate name (provided for storing audit logs) is valid and has storage provisions for the configured CIFS Vserver.

e. The specified path does not exist in the namespace (errno-13001)

Check whether the junction path provided for the log path is valid and mounted and that it belongs to the configured CIFS Vserver.