Manage user-account ONTAP events
Suggest changes
PDFs
When a user-account event is configured for a storage virtual machine (SVM) and an audit is enabled, audit events are generated.
The user-account events with event-ids 4720, 4722, 4724, 4725, 4726, 4738, and 4781 are generated when a local SMB or NFS user is created or deleted from the system, local user account is enabled, disabled or modified, and local SMB user password is reset or changed. The user-account events are generated when a user account is modified using vserver cifs users-and-groups <local user> and vserver services name-service <unix user> commands.
The following example displays a user account event with the ID 4720 generated, when a local SMB user is created:
netapp-clus1::*> vserver cifs users-and-groups local-user create -user-name testuser -is-account-disabled false -vserver vserver_1
Enter the password:
Confirm the password:
- System
- Provider
[ Name] NetApp-Security-Auditing
[ Guid] {3CB2A168-FE19-4A4E-BDAD-DCF422F13473}
EventID 4720
EventName Local Cifs User Created
...
...
TargetUserName testuser
TargetDomainName NETAPP-CLUS1
TargetSid S-1-5-21-2447422786-1297661003-4197201688-1003
TargetType CIFS
DisplayName testuser
PasswordLastSet 1472662216
AccountExpires NO
PrimaryGroupId 513
UserAccountControl %%0200
SidHistory ~
PrivilegeList ~
The following example displays a user account event with the ID 4781 generated, when the local SMB user created in the preceding example is renamed:
netapp-clus1::*> vserver cifs users-and-groups local-user rename -user-name testuser -new-user-name testuser1
- System
- Provider
[ Name] NetApp-Security-Auditing
[ Guid] {3CB2A168-FE19-4A4E-BDAD-DCF422F13473}
EventID 4781
EventName Local Cifs User Renamed
...
...
OldTargetUserName testuser
NewTargetUserName testuser1
TargetDomainName NETAPP-CLUS1
TargetSid S-1-5-21-2447422786-1297661003-4197201688-1000
TargetType CIFS
SidHistory ~
PrivilegeList ~