Manage audit-policy-change event
Suggest changes
When an audit-policy-change event is configured for a storage virtual machine (SVM) and an audit is enabled, audit events are generated. The audit-policy-change events are generated when an audit policy is modified using vserver audit
related commands.
The audit-policy-change event with the event-id 4719 is generated whenever an audit policy is disabled, enabled, or modified and helps to identify when a user attempts to disable auditing to cover the tracks. It is configured by default and requires diagnostic privilege to disable.
The following example displays an audit-policy change event with the ID 4719 generated, when an audit is disabled:
netapp-clus1::*> vserver audit disable -vserver vserver_1 - System - Provider [ Name] NetApp-Security-Auditing [ Guid] {3CB2A168-FE19-4A4E-BDAD-DCF422F13473} EventID 4719 EventName Audit Disabled ... ... SubjectUserName admin SubjectUserSid 65533-1001 SubjectDomainName ~ SubjectIP console SubjectPort