Create the auditing configuration
Creating a file and directory auditing configuration on your storage virtual machine (SVM) includes understanding the available configuration options, planning the configuration, and then configuring and enabling the configuration. You can then display information about the auditing configuration to confirm that the resultant configuration is the desired configuration.
Before you can begin auditing file and directory events, you must create an auditing configuration on the storage virtual machine (SVM).
If you plan on creating an auditing configuration for central access policy staging, an SMB server must exist on the SVM.
If the SVM is an SVM disaster recovery source, the destination path cannot be on the root volume.
Using the information in the planning worksheet, create the auditing configuration to rotate audit logs based on log size or a schedule:
If you want to rotate audit logs by log size, enter:
vserver audit create -vserver vserver_name -destination path -events [{file-ops|cifs-logon-logoff|cap-staging|file-share|audit-policy-change|user-account|security-group|authorization-policy-change}] [-format {xml|evtx}] [-rotate-limit integer] [-rotate-size {integer[KB|MB|GB|TB|PB]}]

If you want to rotate audit logs by a schedule, enter:
vserver audit create -vserver vserver_name -destination path -events [{file-ops|cifs-logon-logoff|cap-staging}] [-format {xml|evtx}] [-rotate-limit integer] [-rotate-schedule-month chron_month] [-rotate-schedule-dayofweek chron_dayofweek] [-rotate-schedule-day chron_dayofmonth] [-rotate-schedule-hour chron_hour] -rotate-schedule-minute chron_minute
The -rotate-schedule-minute parameter is required if you are configuring time-based audit log rotation.
The following example creates an auditing configuration that audits file operations and SMB logon and logoff events (the default) using size-based rotation. The log format is EVTX (the default). The logs are stored in the /audit_log directory. The log file size limit is 200 MB. The logs are rotated when they reach 200 MB in size:
cluster1::> vserver audit create -vserver vs1 -destination /audit_log -rotate-size 200MB
The following example creates an auditing configuration that audits file operations and SMB logon and logoff events (the default) using size-based rotation. The log format is EVTX (the default). The logs are stored in the /cifs_event_logs directory. The log file size limit is 100 MB (the default), and the log rotation limit is 5:
cluster1::> vserver audit create -vserver vs1 -destination /cifs_event_logs -rotate-limit 5
The following example creates an auditing configuration that audits file operations, CIFS logon and logoff events, and central access policy staging events using time-based rotation. The log format is EVTX (the default). The audit logs are rotated monthly, at 12:30 p.m. on all days of the week. The log rotation limit is 5:
cluster1::> vserver audit create -vserver vs1 -destination /audit_log -events file-ops,cifs-logon-logoff,file-share,audit-policy-change,user-account,security-group,authorization-policy-change,cap-staging -rotate-schedule-month all -rotate-schedule-dayofweek all -rotate-schedule-hour 12 -rotate-schedule-minute 30 -rotate-limit 5
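The command syntax in the table and the three examples above leave several constraints implicit (which event names are valid, the -rotate-size unit format, the mandatory -rotate-schedule-minute for time-based rotation, the SMB-server prerequisite for cap-staging, and the root-volume restriction on an SVM DR source). The following script is an added example, not NetApp code, that turns one row of the planning worksheet into the exact vserver audit create command line and rejects combinations the page says are not allowed. It assumes that size-based and schedule-based rotation are alternatives (as the two table rows present them), that schedule fields are either "all" or integers in the usual cron ranges, and that the DR-source and SMB-server facts are supplied by the caller as booleans, since neither can be derived from the path or the event list. It runs offline and only prints a command; nothing is sent to a cluster.

```python
import re

# Event names accepted by -events, as listed in the table above.
VALID_EVENTS = (
    "file-ops", "cifs-logon-logoff", "cap-staging", "file-share",
    "audit-policy-change", "user-account", "security-group",
    "authorization-policy-change",
)
VALID_FORMATS = ("xml", "evtx")
# -rotate-size is an integer followed by a KB..PB unit, e.g. 200MB.
SIZE_RE = re.compile(r"^[1-9][0-9]*(KB|MB|GB|TB|PB)$")
# Schedule fields in the order the command line emits them; only minute is required.
SCHEDULE_KEYS = ("month", "dayofweek", "day", "hour", "minute")
# Accepted integer ranges per field (assumption: "all" or an integer; month/day names are not handled).
SCHEDULE_LIMITS = {"month": (1, 12), "dayofweek": (0, 6), "day": (1, 31),
                   "hour": (0, 23), "minute": (0, 59)}


def _cron_value(key, value):
    """Validate one -rotate-schedule-* value and return it as a string."""
    if value == "all":
        return value
    lo, hi = SCHEDULE_LIMITS[key]
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"-rotate-schedule-{key} must be 'all' or an integer from {lo} to {hi}")
    return str(value)


def build_audit_create(vserver, destination, events=None, fmt=None,
                       rotate_limit=None, rotate_size=None, schedule=None,
                       svm_is_dr_source=False, destination_on_root_volume=False,
                       smb_server_exists=True):
    """Return the 'vserver audit create' command line for one worksheet row.

    Raises ValueError for any combination the page states is not allowed.
    svm_is_dr_source, destination_on_root_volume and smb_server_exists are
    caller-supplied facts about the SVM (assumption: not derivable here).
    """
    if not destination.startswith("/"):
        raise ValueError("destination must be an absolute path in the SVM namespace")
    if svm_is_dr_source and destination_on_root_volume:
        raise ValueError("on an SVM DR source the destination cannot be on the root volume")

    args = ["vserver", "audit", "create", "-vserver", vserver, "-destination", destination]

    if events:
        unknown = [e for e in events if e not in VALID_EVENTS]
        if unknown:
            raise ValueError("unknown event type(s): " + ", ".join(unknown))
        if "cap-staging" in events and not smb_server_exists:
            raise ValueError("central access policy staging requires an SMB server on the SVM")
        args += ["-events", ",".join(events)]

    if fmt is not None:
        if fmt not in VALID_FORMATS:
            raise ValueError("-format must be xml or evtx")
        args += ["-format", fmt]

    if rotate_limit is not None:
        if not isinstance(rotate_limit, int) or rotate_limit < 0:
            raise ValueError("-rotate-limit must be a non-negative integer")
        args += ["-rotate-limit", str(rotate_limit)]

    # The table shows size-based and schedule-based rotation as two separate
    # command forms; this builder treats them as alternatives (assumption).
    if rotate_size is not None and schedule is not None:
        raise ValueError("choose size-based or schedule-based rotation, not both")

    if rotate_size is not None:
        if not SIZE_RE.match(rotate_size):
            raise ValueError("-rotate-size must look like 200MB (units KB, MB, GB, TB, PB)")
        args += ["-rotate-size", rotate_size]

    if schedule is not None:
        if "minute" not in schedule:
            raise ValueError("-rotate-schedule-minute is required for time-based rotation")
        unknown = sorted(set(schedule) - set(SCHEDULE_KEYS))
        if unknown:
            raise ValueError("unknown schedule field(s): " + ", ".join(unknown))
        for key in SCHEDULE_KEYS:
            if key in schedule:
                args += [f"-rotate-schedule-{key}", _cron_value(key, schedule[key])]

    return " ".join(args)


if __name__ == "__main__":
    # Reproduce the page's first example and a schedule-based variant.
    print(build_audit_create("vs1", "/audit_log", rotate_size="200MB"))
    print(build_audit_create("vs1", "/audit_log",
                             events=["file-ops", "cifs-logon-logoff", "cap-staging"],
                             rotate_limit=5,
                             schedule={"month": "all", "dayofweek": "all", "hour": 12, "minute": 30}))
```

Feed each worksheet row through build_audit_create before opening a cluster session; a ValueError means the row needs correcting, and the returned string can be pasted at the cluster1::> prompt as-is. Parameter order follows the table (events, format, rotate limit, then either the size or the schedule fields), so the output for the page's third example lists -rotate-limit before the schedule parameters rather than after them.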