CLI change events that can be audited

ONTAP can audit certain CLI change events, including certain cifs-share events, certain audit policy events, certain local security group events, local user group events, and authorization policy events. Understanding which change events can be audited is helpful when interpreting results from the event logs.

You can manage storage virtual machine (SVM) auditing CLI change events by manually rotating the audit logs, enabling or disabling auditing, displaying information about auditing change events, modifying auditing change events, and deleting auditing change events.

As an administrator, if you execute any command to change configuration related to the cifs-share, local user-group, local security-group, authorization-policy, and audit-policy events, a record generates and the corresponding event gets audited:

Auditing Category Events Event IDs Run this command...
Mhost Auditing policy-change [4719] Audit configuration changed vserver audit disable|enable|modify
file-share [5142] Network share was added vserver cifs share create
[5143] Network share was modified vserver cifs share modify vserver cifs share create|modify|deletevserver cifs share add|remove
[5144] Network share deleted vserver cifs share delete
Auditing user-account [4720] Local user created vserver cifs users-and-groups local-user create vserver services name-service unix-user create
[4722] Local user enabled vserver cifs users-and-groups local-user create|modify
[4724] Local user password reset vserver cifs users-and-groups local-user set-password
[4725] Local user disabled vserver cifs users-and-groups local-user create|modify
[4726] Local user deleted vserver cifs users-and-groups local-user delete vserver services name-service unix-user delete
[4738] Local user Change vserver cifs users-and-groups local-user modifyvserver services name-service unix-user modify
[4781] Local user Rename vserver cifs users-and-groups local-user rename
security-group [4731] Local Security Group created vserver cifs users-and-groups local-group create vserver services name-service unix-group create
[4734] Local Security Group deleted vserver cifs users-and-groups local-group delete vserver services name-service unix-group delete
[4735] Local Security Group Modified vserver cifs users-and-groups local-group rename|modify vserver services name-service unix-group modify
[4732] User added to Local Group vserver cifs users-and-groups local-group add-members vserver services name-service unix-group adduser
[4733] User Removed from Local Group vserver cifs users-and-groups local-group remove-members vserver services name-service unix-group deluser
authorization-policy-change [4704] User Rights Assigned vserver cifs users-and-groups privilege add-privilege
[4705] User Rights Removed vserver cifs users-and-groups privilege remove-privilege|reset-privilege