Manage audit-policy-change event
Contributors
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
![](https://docs.netapp.com/common/images/pdf-zip.png)
Collection of separate PDF docs
Creating your file...
This may take a few minutes. Thanks for your patience.
Your file is ready
When an audit-policy-change event is configured for a storage virtual machine (SVM) and an audit is enabled, audit events are generated. The audit-policy-change events are generated when an audit policy is modified using vserver audit
related commands.
The audit-policy-change event with the event-id 4719 is generated whenever an audit policy is disabled, enabled, or modified and helps to identify when a user attempts to disable auditing to cover the tracks. It is configured by default and requires diagnostic privilege to disable.
The following example displays an audit-policy change event with the ID 4719 generated, when an audit is disabled:
netapp-clus1::*> vserver audit disable -vserver vserver_1 - System - Provider [ Name] NetApp-Security-Auditing [ Guid] {3CB2A168-FE19-4A4E-BDAD-DCF422F13473} EventID 4719 EventName Audit Disabled ... ... SubjectUserName admin SubjectUserSid 65533-1001 SubjectDomainName ~ SubjectIP console SubjectPort