Data ONTAP can audit certain SMB events, including certain file and folder access events, certain logon and logoff events, and central access policy staging events. Knowing which access events can be audited is helpful when interpreting results from the event logs.
The following SMB events can be audited:
| Event ID (EVT/EVTX) | Event | Description | Category |
|---|---|---|---|
| 540/4624 | An account was successfully logged on | LOGON/LOGOFF: Network (CIFS) logon. | Logon and Logoff |
| 529/4625 | An account failed to log on | LOGON/LOGOFF: Unknown user name or bad password. | Logon and Logoff |
| 530/4625 | An account failed to log on | LOGON/LOGOFF: Account logon time restriction. | Logon and Logoff |
| 531/4625 | An account failed to log on | LOGON/LOGOFF: Account currently disabled. | Logon and Logoff |
| 532/4625 | An account failed to log on | LOGON/LOGOFF: User account has expired. | Logon and Logoff |
| 533/4625 | An account failed to log on | LOGON/LOGOFF: User cannot log on to this computer. | Logon and Logoff |
| 534/4625 | An account failed to log on | LOGON/LOGOFF: User not granted logon type here. | Logon and Logoff |
| 535/4625 | An account failed to log on | LOGON/LOGOFF: User's password has expired. | Logon and Logoff |
| 537/4625 | An account failed to log on | LOGON/LOGOFF: Logon failed for reasons other than above. | Logon and Logoff |
| 539/4625 | An account failed to log on | LOGON/LOGOFF: Account locked out. | Logon and Logoff |
| 538/4634 | An account was logged off | LOGON/LOGOFF: Local or network user logoff. | Logon and Logoff |
| 560/4656 | Open Object/Create Object | OBJECT ACCESS: Object (file or directory) open. | File Access |
| 563/4659 | Open Object with the Intent to Delete | OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete. | File Access |
| 564/4660 | Delete Object | OBJECT ACCESS: Delete Object (file or directory). Data ONTAP generates this event when a Windows client attempts to delete the object (file or directory). | File Access |
| 567/4663 | Read Object/Write Object/Get Object Attributes/Set Object Attributes | OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute). Note: For this event, Data ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents Data ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations on the same object. | File Access |
| NA/4664 | Hard link | OBJECT ACCESS: An attempt was made to create a hard link. | File Access |
| NA/4818 | Proposed central access policy does not grant the same access permissions as the current central access policy | OBJECT ACCESS: Central Access Policy Staging. | File Access |
| NA/NA Data ONTAP Event ID 9999 | Rename Object | OBJECT ACCESS: Object renamed. This is a Data ONTAP event. It is not currently supported by Windows as a single event. | File Access |
| NA/NA Data ONTAP Event ID 9998 | Unlink Object | OBJECT ACCESS: Object unlinked. This is a Data ONTAP event. It is not currently supported by Windows as a single event. | File Access |
When an object is created, the HandleID of the audited OPEN request is empty, because the request is audited before the object actually exists and before a handle has been allocated. Subsequent audited events for the same object carry the correct object handle in the HandleID tag.
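As an added example (not part of the Data ONTAP documentation), the following Python code applies the table above to a constructed set of audit records: it counts failed logons (4625) per user, groups File Access events by HandleID while setting aside the create-OPEN whose HandleID is empty, and flags handles where an open-with-intent-to-delete (4659) was followed by a delete (4660). The record field names (`id`, `user`, `path`, `handle`) are assumptions, not the real ONTAP log schema.

```python
from collections import defaultdict

# EVTX IDs (plus Data ONTAP-only 9999/9998) mapped to the table's Category column.
EVENT_CATEGORY = {
    4624: "Logon and Logoff", 4625: "Logon and Logoff", 4634: "Logon and Logoff",
    4656: "File Access", 4659: "File Access", 4660: "File Access", 4663: "File Access",
    4664: "File Access", 4818: "File Access", 9999: "File Access", 9998: "File Access",
}

def failed_logons_by_user(events, threshold=3):
    """Users with at least `threshold` failed logons (EVTX 4625, any sub-reason)."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 4625:
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}

def correlate_by_handle(events):
    """Group File Access events by HandleID. A 4656 with an empty HandleID is the
    OPEN that creates a new object, audited before a handle exists, so it cannot be
    joined to later events and is returned separately by path. ONTAP audits only the
    first read and first write per object, so lists show which ops occurred, not how many."""
    by_handle, creates_without_handle = defaultdict(list), []
    for e in events:
        if EVENT_CATEGORY.get(e["id"]) != "File Access":
            continue  # logon/logoff events carry no handle
        if e["id"] == 4656 and not e["handle"]:
            creates_without_handle.append(e["path"])
        else:
            by_handle[e["handle"]].append(e["id"])
    return dict(by_handle), creates_without_handle

def deleted_handles(events):
    """Handles where open-with-intent-to-delete (4659) was followed by delete (4660)."""
    by_handle, _ = correlate_by_handle(events)
    return sorted(h for h, ids in by_handle.items()
                  if 4659 in ids and 4660 in ids[ids.index(4659):])

# Constructed sample records (not real ONTAP output); field names are assumed.
SAMPLE = [
    {"id": 4625, "user": "alice", "path": None, "handle": None},
    {"id": 4625, "user": "alice", "path": None, "handle": None},
    {"id": 4625, "user": "alice", "path": None, "handle": None},
    {"id": 4624, "user": "bob", "path": None, "handle": None},
    {"id": 4656, "user": "bob", "path": "/share/new.docx", "handle": ""},
    {"id": 4656, "user": "bob", "path": "/share/old.docx", "handle": "0x1a4"},
    {"id": 4663, "user": "bob", "path": "/share/old.docx", "handle": "0x1a4"},
    {"id": 4659, "user": "bob", "path": "/share/old.docx", "handle": "0x1a4"},
    {"id": 4660, "user": "bob", "path": "/share/old.docx", "handle": "0x1a4"},
]
```

Because only the first read and first write per object are audited, a 4663 count is a presence indicator, not a measure of how much data a client touched.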