vserver security trace filter create
Create a security trace entry
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver security trace filter create command creates a security trace filter entry. Prior to Data ONTAP 9.3, this feature was only supported for CIFS. In Data ONTAP 9.3 and later, this feature is supported for both NFS and CIFS.
NFS security trace filters are not supported for FlexGroup volumes, and will only be applied to the FlexVol volumes within the specified Vserver.
Parameters
-vserver <vserver name> - Vserver
This parameter specifies the name of the Vserver on which the permission trace is applied.
-index <integer> - Filter Index
This parameter specifies the index number you want to assign to the trace filter. A maximum of 10 entries can be created. The allowed values for this parameter are 1 through 10.
[-protocols {cifs|nfs}] - Protocols
This parameter specifies the protocols for which the permission trace is created. If the -protocols parameter is not specified, the filter will only apply to the CIFS protocol.
[-client-ip <IP Address>] - Client IP Address to Match
This parameter specifies the IP address from which the user is accessing the Vserver.
[-path <TextNoCase>] - Path
This parameter specifies the path to which permission tracing is applied. The value can be the complete path, starting from the root of the share (for a CIFS filter) or the root of the junction path (for an NFS filter) that the client is accessing, or the value can be a part of the path that the client is accessing. Use NFS style directory separators in the path value.
{ [-windows-name <TextNoCase>] - Windows User Name
This parameter specifies the Windows user name to trace. You can use any of the following formats when specifying the value for this parameter:
- user_name
- domain\user_name
| [-unix-name <TextNoCase>] } - UNIX User Name or User ID
This parameter specifies the UNIX user name to trace. It accepts UNIX user ID only for NFS filters.
[-trace-allow {yes|no}] - Trace Allow Events
Security tracing can trace deny events and allow events. Deny event tracing is always ON by default. Allow events can optionally be traced. If set to yes, this option allows tracing of allow events. If set to no, allow events are not traced.
[-enabled {enabled|disabled}] - Filter Enabled
This parameter specifies whether to enable or disable the filter. Filters are enabled by default.
[-time-enabled <integer>] - Minutes Filter is Enabled
This parameter specifies a timeout, in minutes, for this filter, after which it is deleted.
Examples
The following example creates a security trace filter.
cluster1::> vserver security trace filter create -vserver vs0 -index 1 -time-enabled 120 -client-ip 10.72.205.207
The following examples create filters that include the -path option. These filters are deleted when the time specified in the time-enabled field elapses. The default value for the -time-enabled option is 60 minutes. If the client is accessing a file with the path \\server\sharename\dir1\dir2\dir3\file.txt, for a filter applicable to CIFS, a complete path starting from the root of the share or a partial path can be given as shown:
cluster1::> vserver security trace filter create -vserver vs0 -index 1 -path /dir1/dir2/dir3/file.txt
cluster1::> vserver security trace filter create -vserver vs0 -index 1 -path dir3/file.txt
Similarly, when creating a filter for NFS, if the -path option is specified and the client is accessing a file with the path /junction_path1/junction_path2/dir1/file.txt, a complete path starting from the last junction path or a partial path can be given as shown:
cluster1::> vserver security trace filter create -vserver vs0 -index 1 -protocols nfs -path dir1/file.txt
cluster1::> vserver security trace filter create -vserver vs0 -index 1 -protocols nfs -path file.txt
The following example creates a filter that is applicable to both CIFS and NFS.
cluster1::> vserver security trace filter create -vserver vs0 -index 1 -protocols cifs,nfs -unix-name root
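The path conversion and parameter limits described above can be checked before a command is pasted into the cluster shell. The following Python sketch is an added example, not NetApp code: share_relative_path and build_filter_command are hypothetical helper names, and the script only builds the command string without contacting a cluster.

```python
import ipaddress
import re

# \\server\share followed by at least one component below the share root
_UNC = re.compile(r"^\\\\[^\\/]+\\[^\\/]+(\\.+)$")

def share_relative_path(unc_path):
    # \\server\sharename\dir1\file.txt -> /dir1/file.txt (NFS style separators)
    m = _UNC.match(unc_path)
    if m is None:
        raise ValueError("expected a \\\\server\\share\\... path")
    return m.group(1).replace("\\", "/")

def build_filter_command(vserver, index, *, protocols=(), client_ip=None,
                         path=None, windows_name=None, unix_name=None,
                         time_enabled=None):
    # Limits taken from the parameter descriptions on this page.
    if not 1 <= index <= 10:
        raise ValueError("-index must be 1 through 10")
    if set(protocols) - {"cifs", "nfs"}:
        raise ValueError("-protocols accepts only cifs and nfs")
    if windows_name and unix_name:
        raise ValueError("-windows-name and -unix-name are mutually exclusive")
    if path is not None and "\\" in path:
        raise ValueError("-path needs NFS style separators (/)")
    if client_ip is not None:
        ipaddress.ip_address(client_ip)  # raises ValueError if malformed
    args = [("-vserver", vserver), ("-index", index),
            ("-protocols", ",".join(protocols) or None),
            ("-client-ip", client_ip), ("-path", path),
            ("-windows-name", windows_name), ("-unix-name", unix_name),
            ("-time-enabled", time_enabled)]
    parts = ["vserver security trace filter create"]
    for flag, value in args:
        if value is not None:
            text = str(value)
            # Values containing spaces are wrapped in double quotes.
            parts.append(f'{flag} "{text}"' if " " in text else f"{flag} {text}")
    return " ".join(parts)

if __name__ == "__main__":
    # Constructed input: the client path used in the examples on this page.
    unc = r"\\server\sharename\dir1\dir2\dir3\file.txt"
    print(build_filter_command("vs0", 1, path=share_relative_path(unc),
                               time_enabled=120))
```

Passing time_enabled explicitly keeps the lifetime of each trace filter visible in change records instead of relying on the default.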