The NAS server supports using a remote Windows Event Viewer to display file system audit log events. The audit log files are shown in the "FS" (file system) log, which can be displayed by the Windows Event Viewer, assuming that:
- You have used the audit-log-consolidated-cache command to configure a single consolidated cache file (the audit-log-consolidated-cache).
  If the cache file is not configured, the Windows Event Viewer cannot view file system events. The consolidated cache file has a default size of 10MB, and a maximum size of 50MB.

  Note: Only one consolidated cache file can be configured per EVS. Audit events from all file systems assigned to that EVS are collected into this single consolidated cache file. When you create the consolidated cache file, you must specify the name of the file system in which the file will be stored. The cache file is located in the .audit directory of the root of the named file system. The default name for the consolidated cache file is audit_cache.evt (audit log files for individual file systems have a default name of audit.evt).
- The logging directory is within a CIFS share.
Using the Windows Event Viewer, you can display, save, and clear the event logs on the local computer or on a remote computer. Audit logs can be saved in several formats, including the .evt event format and plain text. The Windows Event Viewer can save in .evt format only to a file on the same computer as the event log, because the computer being viewed performs the copy; the Event Viewer does not simply read the event log and write it to a file itself. The Event Viewer can also be used to open and display saved audit log files.
Optionally, you can send file system audit logs to a remote syslog server using the audit-syslog command. Enter man audit-syslog at the CLI, or see the Command Line Reference for more information.