File system auditing

Last updated
Save as PDF

File system auditing monitors and records file access and modification operations performed through the SMB and NFSv3 protocols. Records are made using the Windows Eventlog format and can be stored to the file system's audit log or made available to third-party external tools.

File system audit logging is performed and controlled on a per file system basis.

Currently, file system auditing is only supported for operations using SMB and NFSv3. By default, when file system auditing is enabled, access to the audited file system is only allowed for these two protocols. However, access by clients using other protocols like NFSv2, can optionally be allowed. When such access is allowed, access to file system objects through these protocols is not audited.

Note Auditing of SMB is based on the open and close operations; because NFSv3 is a stateless protocol and lacks equivalent operations, auditing checks must be performed on each I/O operation, which can be costly in terms of system performance. Therefore, if auditing was enabled for a file system in a previous release, on upgrade to this release NFSv3 auditing is disabled. The protocols which cause audit events to be generated can be controlled with the --audit-protocol (-p) option of the filesystem-audit command.

After a file has been externally migrated (migrated to an external server), for example to a Hitachi Content Platform (HCP) system, subsequent access to the file through the NAS server is audited as if the file were still local.

For known users (users with a Windows user mapping), the NAS server logs Object Access events 560, 562, 563 and 564. As with the Windows operating system, auditable events for objects are specified by SACLs (system access control lists). Auditing events are logged under the following conditions:

560 – open handle
This event is logged when a network client asks for access to an object. An access check is performed against the DACL (discretionary access control list) and an audit check is performed against the SACL. If the result of the access check matches the result of the audit check, an audit record is generated.
562 – close handle
This event is logged when an application closes (disposes of) an existing handle, and is logged in conjunction with event 560.
563 – open handle for delete
This event is logged when a network client asks for access to a file using the CreateFile call, and the delete-on-close flag is specified. An access check is performed against the DACL and an audit check is performed against the SACL. If the result of the access check matches the result of the audit check, an audit record is generated.

For successful deletions, the audit records the accesses that were granted, and for failures the audit records the accesses that were requested.
564 – delete
This event is logged when an application closes (disposes of) an existing handle, and is logged in conjunction with event 563.

NoteEvents for any user who is a member of the Audit Service Accounts local group are excluded from the audit log. Adding the third party auditing software user to this group results in a small but measurable performance gain.

About file system audit logs

The file system audit log is buffered in memory, and may be permanently stored in a file in the file system being audited. Active audit log files are stored in Windows event log file format (.evt) so that standard tools can access them. The name, location, size of the active audit log file, log file retention, and active log file backup settings are defined when enabling auditing for a file system.

NoteFile System Audit logs are saved in Windows XP format. An effect of this is that, depending upon how the saved .evt file is opened, a Windows Vista or Windows 2008 Server event viewer can report the file as corrupted, or might not be able to fully interpret the events. Note that the same situation occurs when a Windows Vista event viewer is used to display saved logs from an XP system. To display the logs correctly, use a Windows XP event viewer.

Audit log files are limited in size, and the retention behavior when a log fills is configurable. When an audit log reaches its maximum size, log entries (file system events) can be overwritten, or the full audit log can be saved, and a new log started

NoteAll file system audit log parameters are specified on a per file system basis.

You can specify a backup policy, which backs up the active log at regular intervals, and starts a new active log file. Backup log files are created in the same directory as the active audit log file.

In the event of a server crash, active file system audit logs are recovered only if a rollback is performed on restart. Note that a rollback may reset the audit log file to a time when it can be recovered, thus saving some records that would otherwise be lost.

Controlling file system auditing

File system auditing requires that a file system audit policy be defined for the file system to be monitored, and that auditing is enabled for the specific file system. File system auditing is performed and controlled on a per file system basis.

Creating a file system audit policy

The file system audit policy specifies access restrictions for clients connecting through unauditable protocols (if access is allowed or denied), and specifies audit log details. The audit log policy specifies naming, location in the file system, size, the log roll over policy, and the backup policy.

Procedure

Navigate to Home Files Services File System Audit Policies, and click add to display the Add File System Audit Policy page.

Field/Item	Description
EVS/File System	Lists the currently selected EVS and file system, to which the audit policy will apply. Click change to go to the Select a File System page, where you can select a different EVS and file system.
Access via Unsupported Protocols	When clients attempt to access the file system through a protocol that does not support auditing (such as NFSv2), this setting determines if those clients are permitted to access the file system. You can select either: Deny Access. Client access to the file system using unauditable protocols (such as NFSv2) is denied. Allow Access. Allows client access to the file system using unauditable protocols (such as NFSv2), but does not create any auditing events.
Audited Protocols	When clients attempt to access the file system through a protocol that does not support auditing (such as NFSv2), this setting determines if those clients are permitted to access the file system. You can select either: smb. Only the SMB protocol is audited. Access to SMB is always allowed, and access via other protocols is determined via the Other Protocol Support option. smb, nfsv3. Both the SMB and NFSv3 protocols are audited. Access to SMB and NFSv3 is always allowed, and access via other protocols is determined via the Other Protocol Support option.
External	Stops the audit records from being stored locally (including audit log backups) and instead only makes them available to an external audit log server. To configure an external logging server, use the audit-syslog CLI command or for third-party audit logging applications, configure an audit log consolidated cache and then read the audit logs using the Windows EVENTLOG protocol.
Active Log File Name	Specify the file name for the file system audit log. The file name must have an .evt extension. The default file name is audit.evt.
Logging Directory	Specify the directory within the file system in which the file system audit log files are saved. You can use the browse button to search for an existing directory, or enter the name of a directory to be created.
Maximum Log File Size	Specify the maximum size of the active audit log file in KiB or MiB. The default size is 512 KiB. The maximum log file size is 50 MiB.
Log roll over policy	Determines what the system does once the active audit log file is full (when it reaches the Maximum Log File Size). You can select either: Wrap, which causes the system to delete the oldest existing audit entry to allow room for a new entry. New, which causes the system to create a new active audit log file. The default is New.
Backup Interval	Specify the time (in minutes) between automatic backups of the active audit log. The backup interval must be between 5 and 14400 minutes (10 days). A value of 0 disables the automatic backups. The default is 0.
Number of files to retain	Specify the number of backup audit log files to retain. The default is 10. The maximum number of files to retain is 50.

Specify the access settings for unsupported (unauditable) protocols
- Deny Access. Client access to the file system using unauditable protocols (such as NFS) is denied.
  Specifying Deny Access generates an error if there is an NFS export mounted on an unauditable client or the file system has a FTP user that has a directory available. To ensure this error is not generated, you can remove the NFS export for the file system, remove the FTP user, or select the Allow Access option.
- Allow Access. Allows client access to the file system using unauditable protocols (such as NFS), but does not create any auditing events.
Specify the name for the active audit log file. The file type suffix must be .evt.
Click browse to specify an existing logging directory, or enter the name of a directory to create.
For ease of access to the audit log files, the logging directory should be within in a CIFS share that can be accessed by those who need to review the access log.
Specify the maximum log file size.
Specify the roll over (retention) policy.
Specify the backup interval.
Specify the number of files to retain.
Click OK to save the policy as specified.

Configuring auditing on the Windows client

After creating a file system audit policy, the next step is to configure which of these events gets audited from the Windows client. By default, no file system accesses will be audited.

NoteOnly members of the Administrators local group have the right to edit the file system audit log policy from within Windows Explorer. A user that is not a member of Administrators Local Group cannot amend the audit settings of a file or directory.

Procedure

Right-click a folder that resides on a server file system that is configured for auditing and select Properties, and then the Security tab.
Click Advanced and select the Auditing tab.
Select Add and select which users get audited.
For example, select Everyone so that all users get audited.
A box pops up and allows you to specify which events are to be audited for the specified user.
You can choose to audit Successful, Failed, or both for each access type.

Enabling auditing for a file system

File system auditing can be enabled on a per-file system basis.

NoteBy default, when file system auditing is enabled, access to the file system is limited to the SMB and NFSv3 protocols. Access by clients using other protocols, like iSCSI, can, however, be allowed. When such access is allowed, access to file system objects through these protocols is not audited.

To enable file system auditing for a particular file system, the file system must be added to the file system audit list.

Procedure

Navigate to Home File Services File System Audit Policies.

Field/Item	Description
EVS	Lists the EVS to which host the file system is assigned. Click change to go to the Select an EVS page, where you can select a different EVS.
Audit Log Consolidated Cache	The server uses this cache for reporting file system audit events to Windows clients. Only one consolidated cache file can be configured per EVS.
modify	Enables the user to configure a file system, directory where the file is stored and file name for the audit log consolidated cache file.
File System	Lists all file systems in the specified EVS that have an audit policy.
Status	Indicates whether file system auditing is enabled or disabled. It also indicates whether auditing is external.
details	Displays the File System Audit Policy Details page, in which you can change the auditing options for a file system.
add	Displays the Add File System Audit Policy page, in which you can set the auditing options for a file system. Only one audit policy is allowed per file system.
delete	Deletes the audit policy for a selected file system.
enable	Enables file system auditing for the selected file system.
disable	Disables file system auditing for the selected file system.

If the file system on which you want to enable auditing is listed, an audit policy has already been defined for that file system.
- If the Audit Policy Status is enabled, logging is already enabled for the file system, and no further actions are required.
- If the Audit Policy Status is disabled, select the check box next to the file system name, and click enable.
If the file system on which you want to enable auditing is not displayed, a file system audit policy may not have been defined for that file system, or the file system may have an audit policy defined, but the file system is not in the currently selected EVS.
Click change to display the Select an EVS page, in which you can select a different EVS.
- If, after selecting the EVS that hosts the file system, the file system on which you want to enable auditing is now listed on the File System Audit Policies page, select the check box next to the file system name, and click enable.
- If, after selecting the EVS that hosts the file system, the file system on which you want to enable auditing is still not displayed, you must define a file system audit policy for that file system. Click add to display the Add File System Audit Policy page, in which you can set the auditing options for a file system.

Modifying a file system audit policy

Navigate to Home Files Services File System Audit Policies.
If the file system with the audit policy you want to change is not displayed, change the currently selected EVS to display the EVS hosting the file system with the audit policy you want to change. To select a different EVS, click change to go to the Select an EVS page, in which you can select a different EVS.

Click the details button on the file system with the audit policy you want to modify to display the File System Audit Policy Details page.

The following table describes the fields on this page:

Field/Item	Description
EVS/File System	Lists the currently selected EVS and file system, to which the audit policy will apply. Click change to go to the Select a File System page, where you can select a different EVS and file system.
Auditing	Indicates whether file system auditing is enabled or disabled. Click enable or disable to toggle the auditing mode.
Access via Unsupported Protocols	When clients attempt to access the file system through a protocol that does not support auditing (such as NFSv2), this setting determines if those clients are permitted to access the file system. You can select either: Deny Access. Client access to the file system using unauditable protocols (such as iSCSI) is denied. Allow Access. Allows client access to the file system using unauditable protocols (such as iSCSI), but does not create any auditing events.
Audited Protocols	When clients attempt to access the file system through a protocol that does not support auditing (such as iSCS), this setting determines if those clients are permitted to access the file system. You can select either: smb. Only the SMB protocol is audited. Access to SMB is always allowed, and access through other protocols is determined through the Other Protocol Support option. smb,nfsv3. Both the SMB and NFSv3 protocols are audited. Access to SMB and NFSv3 is always allowed, and access through other protocols is determined via the Other Protocol Support option.
External	Stops the audit records from being stored locally (including audit log backups) and instead only makes them available to an external audit log server. To configure an external logging server, use the audit-syslog CLI command or for third-party audit logging applications, configure an audit log consolidated cache and then read the audit logs using the Windows EVENTLOG protocol.
Active Log File Name	Specifies the file name for the file system audit log. The file name must have an .evt extension. The default file name is audit.evt.
Logging Directory	Specifies the directory within the file system in which the file system audit log files are saved. You can use the browse button to search for an existing directory, or enter the name of a directory to be created.
Maximum Log File Size	Specifies the maximum size of the active audit log file in KiB or MiB. The default is 512 KiB. The maximum value is 50 MiB.
Log roll over policy	Determines what the system does once the active audit log file is full (when it reaches the Maximum Log File Size). You can select either: Wrap, which causes the system to delete the oldest existing audit entry to allow room for a new entry. New, which causes the system to create a new active audit log file. The default is New.
Backup Interval	Specifies the time (in minutes) between automatic backups of the active audit log. The backup interval must be between 5 and 14400 minutes (10 days). A value of 0 disables the automatic backups. The default is 0.
Number of files to retain	Specifies the number of backup audit log files to retain. The default is 10.

Modify the policy as required.
Click OK to save the policy as specified.

Enabling or disabling auditing for a file system

Navigate to Home Files Services File System Audit Policies.
If the file system with the audit policy you want to change is not displayed, change the currently selected EVS to display the EVS hosting the file system with the audit policy you want to change. To select a different EVS, click change to go to the Select an EVS page, in which you can select a different EVS.
Select the check box next to the name of the file system with the audit policy you want to enable or disable.
Click Enable to allow a disabled policy to function again, or click Disable to stop the policy from functioning.
When disabled, file system access operations are not logged, and protocol restrictions are not enforced. Note that disabling a policy does not delete it.

Deleting a file system audit policy

Navigate to Home Files Services File System Audit Policies.
If the file system with the audit policy you want to change is not displayed, change the currently selected EVS to display the EVS hosting the file system with the audit policy you want to change. To select a different EVS, click change to go to the Select an EVS page, in which you can select a different EVS.
Select the check box next to the name of the file system with the audit policy you want to delete, and click delete.

NoteExisting log files are not deleted automatically when a policy is deleted. If you want to delete these logs, you must do so manually,

Displaying file system audit logs

The NAS server supports using a remote Windows Event Viewer to display file system audit log events. The audit log files are shown in the "FS" (file system) log, which can be displayed by the Windows Event Viewer, assuming that:

You have used the audit-log-consolidated-cache command to configure a single consolidated cache file (the audit-log-consolidated-cache).
If the cache file is not configured, the Windows Event Viewer cannot view file system events. The consolidated cache file has a default size of 10MB, and a maximum size of 50MB.

NoteOnly one consolidated cache file can be configured per EVS. Audit events from all file systems assigned to that EVS are collected into this single consolidated cache file.

When you create the consolidated cache file, you must specify the name of the file system in which the file will be stored. The cache file is located in the .audit directory of the root of the named file system. The default name for the consolidated cache file is audit_cache.evt (audit log files for individual file systems have a default name of audit.evt).
The logging directory is within a CIFS share.

Using the Windows Event Viewer, you can display, save, and clear the local event logs, or those on a remote computer. Audit logs can be saved in several formats, including a .evt event format or a plain text file. The Windows Event Viewer can only save in .evt format to a file on the same computer as the event log, because it is the computer being viewed that does the copy (meaning the Event Viewer does not just read the event log and write it to a file). The Event Viewer can also be used to open and display saved audit log files.

Optionally, you can send file system audit logs to a remote syslog server using the audit-syslog command. Enter man audit-syslog at the CLI, or see the Command Line Reference for more information.

We've Moved!

Product Documentation has moved to docs.hitachivantara.com

About file system audit logs