SMB events that can be audited

ONTAP can audit certain SMB events: file and folder access events, logon and logoff events, and central access policy staging events. Knowing which events can be audited, and which event IDs they map to, helps when interpreting results from the event logs.

The following additional SMB events can be audited in ONTAP 9.2 and later:

| Event ID (EVT/EVTX) | Event | Description | Category |
|---|---|---|---|
| 4670 | Object permissions were changed | OBJECT ACCESS: Permissions changed. | File Access |
| 4907 | Object auditing settings were changed | OBJECT ACCESS: Audit settings changed. | File Access |
| 4913 | Object Central Access Policy was changed | OBJECT ACCESS: CAP changed. | File Access |

The following SMB events can be audited in ONTAP 9.0 and later:

| Event ID (EVT/EVTX) | Event | Description | Category |
|---|---|---|---|
| 540/4624 | An account was successfully logged on | LOGON/LOGOFF: Network (CIFS) logon. | Logon and Logoff |
| 529/4625 | An account failed to log on | LOGON/LOGOFF: Unknown user name or bad password. | Logon and Logoff |
| 530/4625 | An account failed to log on | LOGON/LOGOFF: Account logon time restriction. | Logon and Logoff |
| 531/4625 | An account failed to log on | LOGON/LOGOFF: Account currently disabled. | Logon and Logoff |
| 532/4625 | An account failed to log on | LOGON/LOGOFF: User account has expired. | Logon and Logoff |
| 533/4625 | An account failed to log on | LOGON/LOGOFF: User cannot log on to this computer. | Logon and Logoff |
| 534/4625 | An account failed to log on | LOGON/LOGOFF: User not granted logon type here. | Logon and Logoff |
| 535/4625 | An account failed to log on | LOGON/LOGOFF: User's password has expired. | Logon and Logoff |
| 537/4625 | An account failed to log on | LOGON/LOGOFF: Logon failed for reasons other than above. | Logon and Logoff |
| 539/4625 | An account failed to log on | LOGON/LOGOFF: Account locked out. | Logon and Logoff |
| 538/4634 | An account was logged off | LOGON/LOGOFF: Local or network user logoff. | Logon and Logoff |
| 560/4656 | Open Object/Create Object | OBJECT ACCESS: Object (file or directory) open. | File Access |
| 563/4659 | Open Object with the Intent to Delete | OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete. | File Access |
| 564/4660 | Delete Object | OBJECT ACCESS: Delete Object (file or directory). ONTAP generates this event when a Windows client attempts to delete the object (file or directory). | File Access |
| 567/4663 | Read Object/Write Object/Get Object Attributes/Set Object Attributes | OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute). Note: For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations on the same object. | File Access |
| NA/4664 | Hard link | OBJECT ACCESS: An attempt was made to create a hard link. | File Access |
| NA/4818 | Proposed central access policy does not grant the same access permissions as the current central access policy | OBJECT ACCESS: Central Access Policy Staging. | File Access |
| NA/NA (Data ONTAP Event ID 9999) | Rename Object | OBJECT ACCESS: Object renamed. This is an ONTAP event. It is not currently supported by Windows as a single event. | File Access |
| NA/NA (Data ONTAP Event ID 9998) | Unlink Object | OBJECT ACCESS: Object unlinked. This is an ONTAP event. It is not currently supported by Windows as a single event. | File Access |
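The tables above are what an analyst needs when reading an ONTAP audit export: several legacy EVT logon-failure IDs collapse into one EVTX ID (4625), 9998/9999 are ONTAP-specific IDs that a Windows-centric parser will not know, and 4663 records only the first read and first write per open object, so counting 4663 records does not count operations. The script below is an added example, not ONTAP code or a NetApp tool. It parses a constructed sample in the Windows event XML layout (System/EventID plus EventData/Data Name=... fields); the Data names it reads (SubjectUserName, ObjectName, HandleID, AccessList) and the sample values are assumed for illustration and should be checked against a real ONTAP EVTX/XML export before use.

```python
"""Triage ONTAP SMB audit records by the event IDs in the tables above.

Added example, not ONTAP code. Record layout follows the Windows event XML
convention; the Data field names used here are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# EVTX event ID -> (short description, category), taken from the tables above.
SMB_AUDIT_EVENTS = {
    4624: ("account logged on", "Logon and Logoff"),
    4625: ("account failed to log on", "Logon and Logoff"),
    4634: ("account logged off", "Logon and Logoff"),
    4656: ("open/create object", "File Access"),
    4659: ("open with intent to delete", "File Access"),
    4660: ("delete object", "File Access"),
    4663: ("read/write/get attr/set attr", "File Access"),
    4664: ("hard link created", "File Access"),
    4670: ("object permissions changed", "File Access"),
    4818: ("central access policy staging", "File Access"),
    4907: ("object auditing settings changed", "File Access"),
    4913: ("object central access policy changed", "File Access"),
    9999: ("rename object (ONTAP-only ID)", "File Access"),
    9998: ("unlink object (ONTAP-only ID)", "File Access"),
}


def _local(tag):
    """Strip an XML namespace so the parser works with or without one."""
    return tag.rsplit("}", 1)[-1]


def parse_events(xml_text):
    """Return one dict per <Event>: {'event_id': int, <Data Name>: text, ...}."""
    events = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "Event":
            continue
        rec = {}
        for child in el.iter():
            name = _local(child.tag)
            if name == "EventID":
                rec["event_id"] = int(child.text.strip())
            elif name == "Data" and child.get("Name"):
                rec[child.get("Name")] = (child.text or "").strip()
        events.append(rec)
    return events


def classify(rec):
    """Map a record to (description, category); unknown IDs are flagged, not dropped."""
    return SMB_AUDIT_EVENTS.get(rec["event_id"], ("unlisted event ID", "Unknown"))


def summarize(events):
    """Aggregate records into the questions an analyst asks first."""
    failed_logons = Counter()
    touched = defaultdict(set)  # object -> access kinds seen (first read/write only)
    deleted, renamed, unlisted = [], [], []
    for rec in events:
        eid = rec["event_id"]
        if eid == 4625:
            # The EVTX ID alone does not say WHY the logon failed (529..539 in EVT
            # all become 4625); the reason has to come from the event data.
            failed_logons[rec.get("SubjectUserName", "?")] += 1
        elif eid == 4663:
            # ONTAP logs only the first read and first write per open object,
            # so record which objects were touched and how, never "how many ops".
            touched[rec.get("ObjectName", "?")].add(rec.get("AccessList", "?"))
        elif eid in (4660, 9998):
            deleted.append(rec.get("ObjectName", "?"))
        elif eid == 9999:
            renamed.append(rec.get("ObjectName", "?"))
        elif eid not in SMB_AUDIT_EVENTS:
            unlisted.append(eid)
    return {
        "failed_logons": dict(failed_logons),
        "objects_read_or_written": {k: sorted(v) for k, v in touched.items()},
        "deleted": deleted,
        "renamed": renamed,
        "unlisted_event_ids": unlisted,
    }


def _xml_event(event_id, **data):
    """Build one constructed EVTX-style <Event> record for the sample log."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample log (not a real ONTAP export): two bad logons by alice,
# then bob creates, reads, writes and renames a file and deletes a temp file.
SAMPLE_XML = "<Events>" + "".join([
    _xml_event(4625, SubjectUserName="CORP\\alice"),
    _xml_event(4625, SubjectUserName="CORP\\alice"),
    _xml_event(4624, SubjectUserName="CORP\\bob"),
    _xml_event(4656, SubjectUserName="CORP\\bob",
               ObjectName="/vol1/finance/q3.xlsx", HandleID="00000000000002a1"),
    _xml_event(4663, ObjectName="/vol1/finance/q3.xlsx", AccessList="ReadData"),
    _xml_event(4663, ObjectName="/vol1/finance/q3.xlsx", AccessList="WriteData"),
    _xml_event(4659, ObjectName="/vol1/finance/old.tmp"),
    _xml_event(4660, ObjectName="/vol1/finance/old.tmp"),
    _xml_event(9999, ObjectName="/vol1/finance/q3.xlsx"),
    _xml_event(4634, SubjectUserName="CORP\\bob"),
    _xml_event(5145, SubjectUserName="CORP\\bob"),  # Windows ID absent from the ONTAP tables
]) + "</Events>"

if __name__ == "__main__":
    for rec in parse_events(SAMPLE_XML):
        print(rec["event_id"], *classify(rec))
    print(summarize(parse_events(SAMPLE_XML)))
```

The unlisted ID is surfaced rather than silently dropped: an ONTAP export that contains IDs outside these tables usually means the parser, or the version assumptions behind it, needs revisiting, not that the record is noise.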

Additional information about Event 4656

The HandleID tag in the audit XML event contains the handle of the object (file or directory) that was accessed. For the EVTX 4656 event, the HandleID tag contains different information depending on whether the open event is for creating a new object or for opening an existing object: