CLI change events that can be audited overview

ONTAP can audit certain CLI change events, including certain cifs-share events, certain audit policy events, certain local security group events, local user group events, and authorization policy events. Understanding which change events can be audited is helpful when interpreting results from the event logs.

You can manage storage virtual machine (SVM) auditing CLI change events by manually rotating the audit logs, enabling or disabling auditing, displaying information about auditing change events, modifying auditing change events, and deleting auditing change events.

As an administrator, if you execute any command that changes configuration related to the cifs-share, local user-group, local security-group, authorization-policy, and audit-policy events, a record is generated and the corresponding event is audited:

| Auditing Category | Events | Event IDs | Run this command… |
|---|---|---|---|
| Mhost Auditing | policy-change | [4719] Audit configuration changed | vserver audit disable\|enable\|modify |
| | file-share | [5142] Network share was added | vserver cifs share create |
| | | [5143] Network share was modified | vserver cifs share modify<br>vserver cifs share create\|modify\|delete<br>vserver cifs share add\|remove |
| | | [5144] Network share deleted | vserver cifs share delete |
| Auditing | user-account | [4720] Local user created | vserver cifs users-and-groups local-user create<br>vserver services name-service unix-user create |
| | | [4722] Local user enabled | vserver cifs users-and-groups local-user create\|modify |
| | | [4724] Local user password reset | vserver cifs users-and-groups local-user set-password |
| | | [4725] Local user disabled | vserver cifs users-and-groups local-user create\|modify |
| | | [4726] Local user deleted | vserver cifs users-and-groups local-user delete<br>vserver services name-service unix-user delete |
| | | [4738] Local user Change | vserver cifs users-and-groups local-user modify<br>vserver services name-service unix-user modify |
| | | [4781] Local user Rename | vserver cifs users-and-groups local-user rename |
| | security-group | [4731] Local Security Group created | vserver cifs users-and-groups local-group create<br>vserver services name-service unix-group create |
| | | [4734] Local Security Group deleted | vserver cifs users-and-groups local-group delete<br>vserver services name-service unix-group delete |
| | | [4735] Local Security Group Modified | vserver cifs users-and-groups local-group rename\|modify<br>vserver services name-service unix-group modify |
| | | [4732] User added to Local Group | vserver cifs users-and-groups local-group add-members<br>vserver services name-service unix-group adduser |
| | | [4733] User Removed from Local Group | vserver cifs users-and-groups local-group remove-members<br>vserver services name-service unix-group deluser |
| | authorization-policy-change | [4704] User Rights Assigned | vserver cifs users-and-groups privilege add-privilege |
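When reviewing these events, it helps to correlate them rather than read them one at a time. The following Python sketch is an added example, not NetApp code: it flags every audit configuration change (4719) and any local user that is created (4720) and then added to a local group (4732) or assigned user rights (4704) within a short window. The record layout, the `target` field, the sample data and the 30-minute window are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Event IDs and their events, copied from the table on this page.
EVENT_CLASS = {
    **dict.fromkeys((4719,), "policy-change"),
    **dict.fromkeys((5142, 5143, 5144), "file-share"),
    **dict.fromkeys((4720, 4722, 4724, 4725, 4726, 4738, 4781), "user-account"),
    **dict.fromkeys((4731, 4732, 4733, 4734, 4735), "security-group"),
    **dict.fromkeys((4704,), "authorization-policy-change"),
}
ESCALATION_IDS = {4732, 4704}   # user added to local group, user rights assigned
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample records: "<UTC time> <SVM> <event ID> <target>".
# This layout is an assumption of the example, not ONTAP's log format.
SAMPLE = """\
2024-05-01T09:00:00 vs1 5142 projects
2024-05-01T09:05:00 vs1 4720 svc_backup
2024-05-01T09:07:00 vs1 4732 svc_backup
2024-05-01T09:08:00 vs1 4704 svc_backup
2024-05-01T09:30:00 vs2 4719 -
2024-05-01T11:00:00 vs2 4720 jdoe
2024-05-01T13:00:00 vs2 4732 jdoe
2024-05-01T13:05:00 vs2 9999 jdoe
"""

def parse(text):
    """Yield (time, svm, event_id, target); skip IDs that are not in the table."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # malformed record
        ts, svm, eid, target = parts
        if int(eid) in EVENT_CLASS:
            yield datetime.fromisoformat(ts), svm, int(eid), target

def triage(text):
    """Return findings as (rule, svm, target, event_id) tuples in time order."""
    created, findings = {}, []
    for ts, svm, eid, target in sorted(parse(text)):
        if eid == 4719:
            # Any change to the audit configuration deserves a look.
            findings.append(("audit-config-changed", svm, target, eid))
        elif eid == 4720:
            created[(svm, target)] = ts  # remember when the account appeared
        elif eid in ESCALATION_IDS and (svm, target) in created:
            if ts - created[(svm, target)] <= WINDOW:
                findings.append(("new-account-elevated", svm, target, eid))
    return findings
```

On the constructed sample, `triage(SAMPLE)` reports both elevation events for `svc_backup` on `vs1` and the audit configuration change on `vs2`; `jdoe` is not flagged because the group change falls outside the window.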