Planning the auditing configuration

Before you configure auditing on storage virtual machines (SVMs), you must understand which configuration options are available and plan the value that you want to set for each option. This information helps you create an auditing configuration that meets your business needs.

There are certain configuration parameters that are common to all auditing configurations.

Additionally, there are certain parameters that you can use to specify which method is used when rotating the consolidated and converted audit logs. You can specify one of the following three methods when you configure auditing:

  • Rotate logs based on log size
  • Rotate logs based on a schedule
  • Rotate logs based on log size and schedule

Note: At least one of the methods for log rotation should always be set.

Parameters common to all auditing configurations

There are two required parameters that you must specify when you create the auditing configuration. There are also three optional parameters that you can specify:

(Worksheet columns: Type of information, Option, Required, Include, Your values)

SVM name
  Option: -vserver vserver_name
  Required: Yes
  Include: Yes
  Your values:

  Name of the SVM on which to create the auditing configuration. The SVM must already exist.

Log destination path
  Option: -destination text
  Required: Yes
  Include: Yes
  Your values:

  Specifies where the converted audit logs are stored. The path must already exist on the SVM.

  The path can be up to 864 characters in length and must have read-write permissions.

  If the path is not valid, the audit configuration command fails.

  If the SVM is an SVM disaster recovery source, the log destination path cannot be on the root volume, because root volume content is not replicated to the disaster recovery destination.

  You cannot use a FlexCache volume as a log destination (ONTAP 9.7 and later).

Categories of events to audit
  Option: -events {file-ops|cifs-logon-logoff|cap-staging|file-share|audit-policy-change|user-account|security-group|authorization-policy-change}
  Required: No
  Include:
  Your values:

  Specifies the categories of events to audit. The following event categories can be audited:

    • File access events (both SMB and NFSv4)
    • CIFS logon and logoff events
    • Central access policy staging events

      Central access policy staging events are a new advanced auditing event available starting with Windows 2012 Active Directory domains. Central access policy staging events log information about changes to central access policies configured in Active Directory.

    • File share category events
    • Audit policy change events
    • Local user account management events
    • Security group management events
    • Authorization policy change events

  The default is to audit file access and CIFS logon and logoff events.

  Note: Before you can specify cap-staging as an event category, a CIFS server must exist on the SVM.

  Although you can enable central access policy staging in the auditing configuration without enabling Dynamic Access Control on the CIFS server, central access policy staging events are generated only if Dynamic Access Control is enabled. Dynamic Access Control is enabled through a CIFS server option. It is not enabled by default.

Log file output format
  Option: -format {xml|evtx}
  Required: No
  Include:
  Your values:

  Determines the output format of the audit logs. The output format can be either ONTAP-specific XML or Microsoft Windows EVTX log format. By default, the output format is EVTX.

Log file rotation limit
  Option: -rotate-limit integer
  Required: No
  Include:
  Your values:

  Determines how many audit log files to retain before rotating the oldest log file out. For example, if you enter a value of 5, the last five log files are retained.

  A value of 0 indicates that all the log files are retained. The default value is 0.

Parameters used for determining when to rotate audit event logs

Rotate logs based on log size

The default is to rotate audit logs based on size.

  • The default log size is 100 MB.
  • If you want to use the default log rotation method and the default log size, you do not need to configure any specific parameters for log rotation.
  • If you want to rotate the audit logs based on log size alone, use the following command to unset the -rotate-schedule-minute parameter: vserver audit modify -vserver vs0 -destination / -rotate-schedule-minute -

If you do not want to use the default log size, you can configure the -rotate-size parameter to specify a custom log size (worksheet columns: Type of information, Option, Required, Include, Your values):

Log file size limit
  Option: -rotate-size {integer[KB|MB|GB|TB|PB]}
  Required: No
  Include:
  Your values:

  Determines the audit log file size limit.

Rotate logs based on a schedule

If you choose to rotate the audit logs based on a schedule, you can schedule log rotation by using the time-based rotation parameters in any combination.

You can use the following list of available auditing parameters to determine what values to use for configuring a schedule for audit event log rotations:

(Worksheet columns: Type of information, Option, Required, Include, Your values)

Log rotation schedule: Month
  Option: -rotate-schedule-month chron_month
  Required: No
  Include:
  Your values:

  Determines the monthly schedule for rotating audit logs.

  Valid values are January through December, and all. For example, you can specify that the audit log is to be rotated during the months January, March, and August.

Log rotation schedule: Day of week
  Option: -rotate-schedule-dayofweek chron_dayofweek
  Required: No
  Include:
  Your values:

  Determines the day-of-week schedule for rotating audit logs.

  Valid values are Sunday through Saturday, and all. For example, you can specify that the audit log is to be rotated on Tuesdays and Fridays, or on all days of the week.

Log rotation schedule: Day
  Option: -rotate-schedule-day chron_dayofmonth
  Required: No
  Include:
  Your values:

  Determines the day-of-month schedule for rotating the audit log.

  Valid values range from 1 through 31. For example, you can specify that the audit log is to be rotated on the 10th and 20th days of a month, or on all days of a month.

Log rotation schedule: Hour
  Option: -rotate-schedule-hour chron_hour
  Required: No
  Include:
  Your values:

  Determines the hourly schedule for rotating the audit log.

  Valid values range from 0 (midnight) to 23 (11:00 p.m.). Specifying all rotates the audit logs every hour. For example, you can specify that the audit log is to be rotated at 6 (6 a.m.) and 18 (6 p.m.).

Log rotation schedule: Minute
  Option: -rotate-schedule-minute chron_minute
  Required: Yes, if configuring schedule-based log rotation; otherwise, no.
  Include:
  Your values:

  Determines the minute schedule for rotating the audit log.

  Valid values range from 0 to 59. For example, you can specify that the audit log is to be rotated at the 30th minute.

Rotate logs based on log size and schedule

You can choose to rotate the log files based on both log size and a schedule by setting the -rotate-size parameter together with the time-based rotation parameters in any combination. For example, if -rotate-size is set to 10 MB and -rotate-schedule-minute is set to 15, the log files rotate when the log file size reaches 10 MB or on the 15th minute of every hour, whichever occurs first.
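As an added planning aid that is not part of the ONTAP documentation, the following Python script checks a planned configuration against the parameter rules described above (required options, the 864-character destination limit, the valid event categories, the CIFS server prerequisite for cap-staging, the xml/evtx formats, the -rotate-schedule-minute requirement for schedule-based rotation, and the numeric schedule ranges) and renders the corresponding vserver audit create command. The comma-separated syntax for list-valued options and the vs1 and /audit_log sample values are assumptions.

```python
# Added planning check (not from the ONTAP documentation): validate a planned SVM
# auditing configuration against the parameter rules on this page and render the
# matching clustershell command. Comma-separated list syntax is assumed.
ALLOWED_EVENTS = {"file-ops", "cifs-logon-logoff", "cap-staging", "file-share",
                  "audit-policy-change", "user-account", "security-group",
                  "authorization-policy-change"}
SCHEDULE_KEYS = ("rotate-schedule-month", "rotate-schedule-dayofweek",
                 "rotate-schedule-day", "rotate-schedule-hour", "rotate-schedule-minute")
RANGES = {"rotate-schedule-day": (1, 31), "rotate-schedule-hour": (0, 23),
          "rotate-schedule-minute": (0, 59)}  # numeric schedule options; "all" also valid
# Constructed plan for the size-and-schedule case: rotate at 10 MB or on the 15th minute.
EXAMPLE_PLAN = {"vserver": "vs1", "destination": "/audit_log",
                "events": ["file-ops", "cifs-logon-logoff"],
                "rotate-size": "10MB", "rotate-schedule-minute": [15]}

def validate(plan, cifs_server_exists=True):
    """Return the rule violations found in the plan; an empty list means it passes."""
    problems = []
    for opt in ("vserver", "destination"):
        if not plan.get(opt):
            problems.append(f"-{opt} is required")
    if len(plan.get("destination", "")) > 864:
        problems.append("-destination exceeds 864 characters")
    events = set(plan.get("events", ()))
    if events - ALLOWED_EVENTS:
        problems.append("unknown event categories: " + ",".join(sorted(events - ALLOWED_EVENTS)))
    if "cap-staging" in events and not cifs_server_exists:
        problems.append("cap-staging requires a CIFS server on the SVM")
    if plan.get("format", "evtx") not in ("xml", "evtx"):
        problems.append("-format must be xml or evtx")
    schedule = {k: plan[k] for k in SCHEDULE_KEYS if k in plan}
    if schedule and "rotate-schedule-minute" not in schedule:
        problems.append("-rotate-schedule-minute is required for schedule-based rotation")
    for key, (lo, hi) in RANGES.items():
        for value in schedule.get(key, ()):
            if value != "all" and not lo <= value <= hi:
                problems.append(f"-{key} value {value} is outside {lo}..{hi}")
    return problems

def render_command(plan):
    """Build the 'vserver audit create' command line for a validated plan."""
    parts = ["vserver audit create", f"-vserver {plan['vserver']}",
             f"-destination {plan['destination']}"]
    for key in ("events", "format", "rotate-limit", "rotate-size", *SCHEDULE_KEYS):
        if key in plan:
            value = plan[key]
            if isinstance(value, (list, tuple)):  # list-valued options are comma-separated
                value = ",".join(map(str, value))
            parts.append(f"-{key} {value}")
    return " ".join(parts)
```

Run validate() on the plan first and only render the command when it returns an empty list; after creating the configuration, remember that auditing still has to be enabled separately.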