SMB events that can be audited overview

ONTAP can audit certain SMB events, including certain file and folder access events, certain logon and logoff events, and central access policy staging events. Knowing which access events can be audited is helpful when interpreting results from the event logs.

The following additional SMB events can be audited in ONTAP 9.2 and later:

Event ID (EVT/EVTX) | Event | Description | Category
4670 | Object permissions were changed | OBJECT ACCESS: Permissions changed. | File Access
4907 | Object auditing settings were changed | OBJECT ACCESS: Audit settings changed. | File Access
4913 | Object Central Access Policy was changed | OBJECT ACCESS: CAP changed. | File Access

The following SMB events can be audited in ONTAP 9.0 and later:

Event ID (EVT/EVTX) | Event | Description | Category
540/4624 | An account was successfully logged on | LOGON/LOGOFF: Network (CIFS) logon. | Logon and Logoff
529/4625 | An account failed to log on | LOGON/LOGOFF: Unknown user name or bad password. | Logon and Logoff
530/4625 | An account failed to log on | LOGON/LOGOFF: Account logon time restriction. | Logon and Logoff
531/4625 | An account failed to log on | LOGON/LOGOFF: Account currently disabled. | Logon and Logoff
532/4625 | An account failed to log on | LOGON/LOGOFF: User account has expired. | Logon and Logoff
533/4625 | An account failed to log on | LOGON/LOGOFF: User cannot log on to this computer. | Logon and Logoff
534/4625 | An account failed to log on | LOGON/LOGOFF: User not granted logon type here. | Logon and Logoff
535/4625 | An account failed to log on | LOGON/LOGOFF: User's password has expired. | Logon and Logoff
537/4625 | An account failed to log on | LOGON/LOGOFF: Logon failed for reasons other than above. | Logon and Logoff
539/4625 | An account failed to log on | LOGON/LOGOFF: Account locked out. | Logon and Logoff
538/4634 | An account was logged off | LOGON/LOGOFF: Local or network user logoff. | Logon and Logoff
560/4656 | Open Object/Create Object | OBJECT ACCESS: Object (file or directory) open. | File Access
563/4659 | Open Object with the Intent to Delete | OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete. | File Access
564/4660 | Delete Object | OBJECT ACCESS: Delete Object (file or directory). ONTAP generates this event when a Windows client attempts to delete the object (file or directory). | File Access
567/4663 | Read Object/Write Object/Get Object Attributes/Set Object Attributes | OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute). See the note below. | File Access
NA/4664 | Hard link | OBJECT ACCESS: An attempt was made to create a hard link. | File Access
NA/4818 | Proposed central access policy does not grant the same access permissions as the current central access policy | OBJECT ACCESS: Central Access Policy Staging. | File Access
NA/NA (Data ONTAP Event ID 9999) | Rename Object | OBJECT ACCESS: Object renamed. This is an ONTAP event. It is not currently supported by Windows as a single event. | File Access
NA/NA (Data ONTAP Event ID 9998) | Unlink Object | OBJECT ACCESS: Object unlinked. This is an ONTAP event. It is not currently supported by Windows as a single event. | File Access

Note: For event 567/4663, ONTAP audits only the first SMB read and the first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations on the same object. A single 4663 record for a handle therefore does not mean the client performed only one read or write.

Note: In EVTX format, every failed-logon reason in the table is reported under the same event ID, 4625; only the legacy EVT IDs (529 through 539) distinguish the failure reason by event ID alone.

Additional information about Event 4656

The HandleID tag in the audit XML event contains the handle of the object (file or directory) that was accessed. For the EVTX 4656 event, the HandleID tag contains different information depending on whether the open is creating a new object or opening an existing one:

  • If the open event is a request to create a new object (file or directory), the HandleID tag in the audit XML event is empty (for example: <Data Name="HandleID">00000000000000;00;00000000;00000000</Data>).

    The HandleID is empty because the OPEN (for creating a new object) request is audited before the object is actually created, and therefore before a handle exists. Subsequent audited events for the same object carry the correct object handle in the HandleID tag. A correlation that joins records on HandleID alone will therefore not tie the create-open record to the events that follow it; for that first record, join on the object path (and user) instead.

  • If the open event is a request to open an existing object, the audit event carries the assigned handle of that object in the HandleID tag (for example: <Data Name="HandleID">00000000000401;00;000000ea;00123ed4</Data>).
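The following is an added example, not code from the ONTAP documentation or from NetApp, showing how a log pipeline can act on the two points above: classifying each 4656 open as a create or an open of an existing object from its HandleID, and correlating the later file-access events (4659, 4660, 4663 and so on) back to the open that produced them. Existing-object opens are joined on HandleID; a create-open has an empty HandleID, so the example parks it on the user and object path and adopts the handle carried by the first later event for that path. The XML envelope and the SubjectUserName and ObjectName field names are assumptions made to resemble Windows event XML; only the <Data Name="HandleID"> element and its empty value come from the page, and the sample records are constructed.

```python
import xml.etree.ElementTree as ET

# The empty HandleID value the documentation shows for a create-open (4656).
EMPTY_HANDLE = "00000000000000;00;00000000;00000000"

# Constructed sample records (not real ONTAP output). The envelope imitates
# Windows event XML; only <Data Name="HandleID"> and its empty value come from
# the documentation, the other field names (SubjectUserName, ObjectName) are
# assumed for illustration.
SAMPLE_XML = """<Events>
<Event><System><EventID>4656</EventID></System><EventData>
<Data Name="SubjectUserName">alice</Data>
<Data Name="ObjectName">/vol1/share/report.docx</Data>
<Data Name="HandleID">00000000000000;00;00000000;00000000</Data>
</EventData></Event>
<Event><System><EventID>4663</EventID></System><EventData>
<Data Name="SubjectUserName">alice</Data>
<Data Name="ObjectName">/vol1/share/report.docx</Data>
<Data Name="HandleID">00000000000401;00;000000ea;00123ed4</Data>
</EventData></Event>
<Event><System><EventID>4656</EventID></System><EventData>
<Data Name="SubjectUserName">bob</Data>
<Data Name="ObjectName">/vol1/share/budget.xlsx</Data>
<Data Name="HandleID">00000000000402;00;000000eb;00123ed5</Data>
</EventData></Event>
<Event><System><EventID>4663</EventID></System><EventData>
<Data Name="SubjectUserName">bob</Data>
<Data Name="ObjectName">/vol1/share/budget.xlsx</Data>
<Data Name="HandleID">00000000000402;00;000000eb;00123ed5</Data>
</EventData></Event>
<Event><System><EventID>4660</EventID></System><EventData>
<Data Name="SubjectUserName">bob</Data>
<Data Name="ObjectName">/vol1/share/budget.xlsx</Data>
<Data Name="HandleID">00000000000402;00;000000eb;00123ed5</Data>
</EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict of EventID plus its <Data Name=...> fields."""
    events = []
    for ev in ET.fromstring(xml_text).findall("Event"):
        rec = {"EventID": int(ev.findtext("System/EventID"))}
        for d in ev.findall("EventData/Data"):
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


def open_kind(rec):
    """For a 4656 record: 'create' if HandleID is the empty value, otherwise
    'open-existing'. Returns None for any other event ID."""
    if rec["EventID"] != 4656:
        return None
    return "create" if rec.get("HandleID") == EMPTY_HANDLE else "open-existing"


def correlate(events):
    """Group follow-on events (4659, 4660, 4663, ...) under the 4656 that opened
    the object. Existing-object opens are joined on HandleID. A create-open has
    no handle yet, so it is parked on (user, object path) and adopts the handle
    carried by the first later event for that path; after that it too joins on
    HandleID."""
    sessions = []        # one entry per 4656, in log order
    by_handle = {}       # HandleID -> session
    pending_create = {}  # (user, object path) -> create session awaiting a handle
    for rec in events:
        kind = open_kind(rec)
        key = (rec.get("SubjectUserName"), rec.get("ObjectName"))
        if kind is not None:
            s = {"open": rec, "kind": kind, "handle": None, "follow": []}
            sessions.append(s)
            if kind == "open-existing":
                s["handle"] = rec["HandleID"]
                by_handle[s["handle"]] = s
            else:
                pending_create[key] = s
            continue
        handle = rec.get("HandleID", "")
        s = by_handle.get(handle)
        if s is None and handle and handle != EMPTY_HANDLE:
            s = pending_create.pop(key, None)
            if s is not None:
                s["handle"] = handle
                by_handle[handle] = s
        if s is not None:
            s["follow"].append(rec["EventID"])
        # Otherwise the event has no matching open in this log slice (for
        # example the log was rotated mid-session) and is left uncorrelated.
    return sessions


if __name__ == "__main__":
    for s in correlate(parse_events(SAMPLE_XML)):
        o = s["open"]
        # One 4663 per handle does not mean one read or write: ONTAP records
        # only the first read and the first write on an object.
        print(s["kind"], o["SubjectUserName"], o["ObjectName"], s["handle"], s["follow"])
```

Run as a script to see the two correlated sessions: alice's create-open picks up its handle from the 4663 that follows it, while bob's open of an existing object is joined on HandleID from the start. Because of the first-read/first-write rule for 4663, the follow-on list tells you that an object was read or written after the open, not how many times.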