
NetApp Data ONTAP

Netwrix Auditor relies on native logs for collecting audit data. Therefore, successful change and access auditing requires a certain configuration of native audit settings in the audited environment and on the Auditor console computer. Configuring your IT infrastructure may also include enabling certain built-in Windows services, etc. Proper audit configuration is required to ensure audit data integrity; otherwise, your change reports may contain warnings, errors or incomplete audit data.

CAUTION: The folder associated with Netwrix Auditor must be excluded from antivirus scanning. See the Antivirus Exclusions for Netwrix Auditor knowledge base article for additional information.

You can configure your IT Infrastructure for monitoring in one of the following ways:

  • Automatically through a monitoring plan – This is a recommended method. If you select to automatically configure audit in the target environment, your current audit settings will be checked on each data collection and adjusted if necessary.

    • To use this option for NetApp Clustered Data ONTAP 8 or ONTAP 9, make sure that an audit configuration has been created (with the vserver audit create command) for the target system; enabling the audit configuration is optional.
  • Manually – Native audit settings must be adjusted manually to ensure collecting comprehensive and reliable audit data. You can enable Auditor to continually enforce the relevant audit policies or configure them manually:

    • On the NetApp device:

      • CIFS Network Protocol support is required.

      • Qtree Security must be configured. The volume where the audited file shares are located must be set to the "ntfs" or "mixed" security style.

      • On Clustered Data ONTAP 8 and ONTAP 9:

        • External Web Services: true.

          RECOMMENDED: For security reasons, enable only SSL access.

        • Firewall policy for data interfaces must be configured to allow ONTAPI protocol connections.

        • Audit settings must be configured as follows:

          | Audit Setting | Configuration |
          | --- | --- |
          | Auditing State | true |
          | Log Destination Path | /audit |
          | Categories of Events to Audit | file-ops, cifs-logon-logoff |
          | Log Format | evtx |
          | Log File Size Limit | 300 MB |

      • On Data ONTAP 7 and Data ONTAP 8 in 7-mode:

        • The httpd.admin.enable or the httpd.admin.ssl.enable option must be set to "on". For security reasons, it is recommended to configure SSL access and enable the httpd.admin.ssl.enable option.

        • The cifs.audit.liveview.enable option must be set to "off".

        • The cifs.audit.enable and the cifs.audit.file_access_events.enable options must be set to "on".

        • Unless you are going to audit logon events, the cifs.audit.logon_events.enable and the cifs.audit.account_mgmt_events.enable options must be set to "off".

        • The Security log must be configured:

          • cifs.audit.logsize 300 000 000 (300 MB)
          • cifs.audit.autosave.onsize.enable on
          • cifs.audit.autosave.file.extension timestamp
      • Audit settings must be configured for CIFS File Shares. For a security principal (e.g., Everyone), the following options must be set to "Success" and "Fail" in the Advanced Security → Auditing settings for the audited shared folders:

        • List Folder / Read Data (Files only)
        • Create Files / Write Data
        • Create Folders / Append Data
        • Write Extended Attributes
        • Delete Subfolders and Files
        • Delete
        • Change Permissions
        • Take Ownership
    • On the Auditor console computer:

      • If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Auditor Server.
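
A check of the Clustered Data ONTAP 8 / ONTAP 9 audit settings listed above, as an added example (not Netwrix or NetApp code): it parses "Label: value" text, such as the output of `vserver audit show -instance`, and reports every setting that differs from the required values. The sample text is constructed; the line layout and the binary interpretation of size units are assumptions.

```python
import re

# Required values, taken from the audit settings table on this page.
REQUIRED = {
    "auditing state": "true",
    "log destination path": "/audit",
    "categories of events to audit": frozenset({"file-ops", "cifs-logon-logoff"}),
    "log format": "evtx",
    "log file size limit": 300 * 1024**2,  # 300 MB; binary units are an assumption
}
UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}

def parse_settings(text):
    """Parse 'Label: value' lines into {lowercased label: stripped value}."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def normalize(label, value):
    """Bring a raw value into a form that compares cleanly with REQUIRED."""
    if label == "categories of events to audit":  # order-insensitive set
        return frozenset(c.strip().lower() for c in value.split(",") if c.strip())
    if label == "log file size limit":  # "300MB" and "300 MB" are the same size
        m = re.fullmatch(r"(\d+)\s*([KMG]?B)", value, re.IGNORECASE)
        return int(m.group(1)) * UNITS[m.group(2).upper()] if m else None
    return value if label == "log destination path" else value.lower()  # paths stay exact

def audit_gaps(text):
    """Return {setting: (found, required)} for each missing or wrong setting."""
    found = parse_settings(text)
    gaps = {}
    for label, required in REQUIRED.items():
        actual = normalize(label, found[label]) if label in found else None
        if actual != required:
            gaps[label] = (found.get(label), required)
    return gaps

# Constructed sample (not captured from a real system); two settings deviate.
SAMPLE = """\
                      Vserver: svm1
               Auditing State: true
         Log Destination Path: /audit
Categories of Events to Audit: file-ops
                   Log Format: evtx
          Log File Size Limit: 100MB
"""

if __name__ == "__main__":
    for name, (got, want) in audit_gaps(SAMPLE).items():
        print(f"{name}: found {got!r}, required {want!r}")
```

An empty result from `audit_gaps` means all five settings match the table; a setting that is absent from the input is reported with a found value of `None`.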


The following table lists the actions that can be performed on NetApp:

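| Action | File | Folder | Share |
| --- | --- | --- | --- |
| Added | + | + | + |
| Add (failed attempt) | | | |
| Modified | + | + | + |
| Modify (failed attempt) | + | + | |
| Moved | +* | +* | |
| Move (failed attempt) | +* | +* | |
| Read | + | - | |
| Read (failed attempt) | + | + | |
| Renamed | +* | +* | |
| Renamed (failed attempt) | +* | +* | |
| Removed | + | + | + |
| Remove (failed attempt) | + | + | |
| Copied | | | |

Actions marked with an asterisk (*) are reported for NetApp Clustered Data ONTAP 8 and ONTAP 9 only.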

Configure NetApp Clustered Data ONTAP 8 and ONTAP 9 for Monitoring

To configure Clustered Data ONTAP 8 and ONTAP 9 for monitoring, perform the following procedures:

Prerequisites

Netwrix assumes that you are aware of basic installation and configuration steps. If not, refer to the following administration and management guides.

| Version | Related documentation |
| --- | --- |
| Clustered Data ONTAP 8.2 | Clustered Data ONTAP® 8.2 File Access and Protocols Management Guide; Clustered Data ONTAP® 8.2 System Administration Guide for SVM Administrators |
| Clustered Data ONTAP 8.3 | Clustered Data ONTAP® 8.3 System Administration Guide for Cluster Administrators; Clustered Data ONTAP® 8.3 File Access Management Guide for CIFS |
| ONTAP 9.0 - 9.10 | ONTAP 9 Documentation Center |

Perform the following steps before proceeding with the audit configuration.

Step 1 – Configure CIFS server and make sure it functions properly.

NOTE: NFS file shares are not supported.

Step 2 – Configure the System Access Control List (SACL) on your file share. See the Configure Audit Settings for CIFS File Shares topic for additional information.

Step 3 – Set the Security Style for the Volume or Qtree where the audited file shares are located to "ntfs" or "mixed".

Step 4 – Configure audit manually. For 8.3, review the Auditing NAS events on SVMs with FlexVol volumes section in Clustered Data ONTAP® 8.3 File Access Management Guide for CIFS.

NOTE: The current version of Netwrix Auditor does not support auditing of Infinite Volumes.