File system auditing monitors and records file access and modification operations performed through the SMB and NFSv3 protocols. Records are made using the Windows Eventlog format and can be stored to the file system's audit log or made available to third-party external tools.
File system audit logging is performed and controlled on a per file system basis.
Currently, file system auditing is only supported for operations using SMB and NFSv3. By default, when file system auditing is enabled, access to the audited file system is only allowed for these two protocols. However, access by clients using other protocols like NFSv2, can optionally be allowed. When such access is allowed, access to file system objects through these protocols is not audited.
After a file has been externally migrated (migrated to an external server), for example to a Hitachi Content Platform (HCP) system, subsequent access to the file through the NAS server is audited as if the file were still local.
For known users (users with a Windows user mapping), the NAS server logs Object Access events 560, 562, 563 and 564. As with the Windows operating system, auditable events for objects are specified by SACLs (system access control lists). Auditing events are logged under the following conditions:
- 560 – open handle
This event is logged when a network client asks for access to an object. An access check is performed against the DACL (discretionary access control list) and an audit check is performed against the SACL. If the result of the access check matches the result of the audit check, an audit record is generated.
- 562 – close handle
This event is logged when an application closes (disposes of) an existing handle, and is logged in conjunction with event 560.
- 563 – open handle for delete
This event is logged when a network client asks for access to a file using the CreateFile call, and the delete-on-close flag is specified. An access check is performed against the DACL and an audit check is performed against the SACL. If the result of the access check matches the result of the audit check, an audit record is generated.
For successful deletions, the audit records the accesses that were granted, and for failures the audit records the accesses that were requested.
- 564 – delete
This event is logged when an application closes (disposes of) an existing handle, and is logged in conjunction with event 563.