About file system audit logs

File Service Administration Guide for Hitachi NAS Platform

Version: 14.9.x
Part Number: MK-92HNAS006-31

The file system audit log is buffered in memory, and may be permanently stored in a file in the file system being audited. Active audit log files are stored in Windows event log file format (.evt) so that standard tools can access them. The name, location, and size of the active audit log file, together with the log file retention and active log file backup settings, are defined when you enable auditing for a file system.

Note: File System Audit logs are saved in Windows XP format. An effect of this is that, depending upon how the saved .evt file is opened, a Windows Vista or Windows 2008 Server event viewer can report the file as corrupted, or might not be able to fully interpret the events. Note that the same situation occurs when a Windows Vista event viewer is used to display saved logs from an XP system. To display the logs correctly, use a Windows XP event viewer.
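Before opening a saved log in a viewer, you can check which format it actually is by reading its header. The following is an added example, not code from the Hitachi guide: it assumes the saved file uses the legacy Windows `ELF_LOGFILE_HEADER` layout documented by Microsoft for .evt files, and the function name and sample bytes are constructed for illustration.

```python
import struct

# Legacy .evt header (ELF_LOGFILE_HEADER): twelve little-endian DWORDs, 48 bytes.
HEADER = struct.Struct("<12I")
LEGACY_SIG = 0x654C664C       # the bytes "LfLe" read as a little-endian DWORD
EVTX_MAGIC = b"ElfFile\x00"   # magic of the newer .evtx format (Vista and later)
FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}

def inspect_evt_header(data: bytes) -> dict:
    """Classify a saved log by its header and decode the legacy .evt fields."""
    if data[:8] == EVTX_MAGIC:
        return {"format": "evtx"}
    if len(data) < HEADER.size:
        return {"format": "unknown", "reason": "shorter than the 48-byte header"}
    (size, sig, major, minor, start, end, current, oldest,
     max_size, flags, retention, end_size) = HEADER.unpack_from(data)
    if sig != LEGACY_SIG or size != 0x30 or end_size != 0x30:
        return {"format": "unknown", "reason": "not an ELF_LOGFILE_HEADER"}
    return {
        "format": "evt",
        "version": (major, minor),
        # current = number of the next record to write; oldest = 0 when empty
        "record_count": current - oldest if oldest else 0,
        "max_size": max_size,
        # DIRTY: records written but file not properly closed.
        # WRAP: newer records have wrapped around over older ones.
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
    }

# Constructed sample header: 100 records, 512 KiB limit, DIRTY and WRAP set.
SAMPLE = struct.pack("<12I", 0x30, LEGACY_SIG, 1, 1, 0x30, 0x1234,
                     101, 1, 0x80000, 0x1 | 0x2, 0, 0x30)

if __name__ == "__main__":
    import sys
    # With a path argument, inspect that file; otherwise use the sample.
    raw = open(sys.argv[1], "rb").read(48) if len(sys.argv) > 1 else SAMPLE
    print(inspect_evt_header(raw))
```

A result of `evt` indicates the legacy format described in the note above; whether the NAS server sets the header flags is not stated in this guide.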

Audit log files are limited in size, and the retention behavior when a log fills is configurable. When an audit log reaches its maximum size, log entries (file system events) can be overwritten, or the full audit log can be saved and a new log started.

Note: All file system audit log parameters are specified on a per file system basis.

You can specify a backup policy, which backs up the active log at regular intervals, and starts a new active log file. Backup log files are created in the same directory as the active audit log file.

In the event of a server crash, active file system audit logs are recovered only if a rollback is performed on restart. Note that a rollback may reset the audit log file to a time when it can be recovered, thus saving some records that would otherwise be lost.