Auditing SMB File Access

The CTERA Edge Filer provides audit logs of the SMB file access operations performed on the CTERA Edge Filer. This enables organizations to ensure compliance with internal policies and regulations.

Note

The SMB audit log does not record sync operations between the CTERA Edge Filer and a CTERA Portal.

To enable SMB audit logs:

  1. In the Configuration view, select Log Viewer > Audit Logs in the navigation pane.
    The Audit Logs page is displayed.

  2. Select the Enable CIFS/SMB Audit Logs option.

  3. In the Save log files to field, click ....

    Note

    CTERA recommends that SMB audit logging is saved to a folder that is local on the edge filer and not part of cloud sync, for example a folder on the root of vol1, which can then be used to create a share.

    • If you have created network shares, the following window is displayed, listing the available network shares.
      Select the network share for the destination to save the log files.
      Click Close if you want to create a different network share for the audit logs and then create the network share, as described in Managing Network Shares.

    • If you have not created a network share, the following window is displayed.

      1. To create a network share to use as the destination for the audit logs, click the Want to create one now? link.
        The Select a Folder to Share wizard opens, displaying the volumes and folders on the CTERA Edge Filer.
      2. Follow the wizard to define the network share, as described in Managing Network Shares.
        The network share is selected as the destination to save the log files.

      Click Close if you do not want to create a network share for the audit logs.

    The audit log will be saved to /network_share/audit.log.dir/audit.log.

  4. Optionally, change the following logging details as desired:
    Rotate files every (time limit) – How often to rollover the log files. You can define the rotation time in minutes, hours or days.
    Rotate files every (size limit) – When to rollover the log files if they grow large. You can define the rotate size in KB, MB, or GB.
    Keep closed files for – The number of days to keep closed log files.
    A background task runs every 10 minutes and checks these values. For example, if the rotation time has passed or the file is larger than the specified size, the log file is rotated. This means that the file can grow beyond the specified size, because it keeps growing until the next 10-minute check is performed.
    The task also checks whether closed log files have exceeded the specified retention time; any closed log file that has exceeded this time is deleted.

    Note

    If closed log files that have exceeded the time specified in Keep closed files for are deleted before they were sent to the portal, for example because the connection to the portal was down for a long time, the information in these deleted log files is lost.
    This should normally never happen if Keep closed files for is not set to too short a time.

  5. In the Events to log area, optionally change the events to log, based on your organization's needs. To add or delete events to log, scroll through the list and select or clear the appropriate check boxes. The events you can log are:

    Flag in User Interface – Meaning
    List Folder Read Data – Log when data is read from a file.
    Create Files Write Data – Log when data is written or appended to a file.
    Create Folders Append Data – Log when a directory is created.
    Read Extended Attributes – Log when an extended attribute is fetched.
    Write Extended Attributes – Log when an extended attribute is replaced or a new extended attribute is created.
    Traverse Folder Execute File – Log an attempt to open a file.
    Delete Subfolders and Files
    Write Attributes – Log when the file attributes, such as the system and hidden attributes, are changed.
    Delete – Log when a file or directory is deleted.
    Change Permissions – Log any change to a file or directory access permission.
    Change Owner – Log when the owner of a file or directory is modified.
  6. Optionally, check Log permission changes in human readable format, for changes in ACL permissions to files and folders to be reported in the audit log in an understandable format. In this format:
    ace-type – indicates the type of ACE (allow/deny)
    ace-rights – indicates the type of permissions/AccessMask
    ace-flags – indicates the ACE behavior

    Note

    Setting the log to be readable degrades performance. CTERA recommends not setting this option, unless you really need it.

  7. Click Save.

CTERA Edge Filer generates audit log messages upon various operations.

Example Log Entries

open

July 30 08:33:42 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=open|timestamp=1609310022|local_time=1609302822|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/CopiedFile - Copy.png|access=01101001100000000100100000000000|remote hostname=10.212.134.55||

OpenDenied

July 30 08:34:06 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|fail|0xc0000034|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=OpenDenied|timestamp=1609310046|local_time=1609302846|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/E0EAEC4D.tmp|access=00000100000000000000000000000000|remote hostname=10.212.134.55|isDir=1||

read

July 30 08:33:41 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=read|timestamp=1609310021|local_time=1609302821|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/CopiedFile - Copy.png|type=file|remote hostname=10.212.134.55|fileSize=148071|dataRW=4096||

write

July 30 08:33:51 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=write|timestamp=1609310031|local_time=1609302831|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/~$w Microsoft Word Document1.docx|type=file|remote hostname=10.212.134.55|fileSize=54|dataRW=113||

move

July 30 08:34:06 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=move|timestamp=1609310046|local_time=1609302846|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|source path=users/portal admin/My Files/Photos/New Microsoft Word Document1.docx|destination path=users/portal admin/My Files/Photos/E0EAEC4D.tmp|type=file|remote hostname=10.212.134.55||

create

July 30 08:33:51 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=create|timestamp=1609310031|local_time=1609302831|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/~$w Microsoft Word Document1.docx|type=file|remote hostname=10.212.134.55||

delete

fail operation

July 30 08:33:42 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|fail|0xc0000034|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=delete|timestamp=1609310022|local_time=1609302822|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/._CopiedFile - Copy.png|type=file|remote hostname=10.212.134.55|fileSize=10000|dataRW=18446744073709551615||

ok operation

July 30 08:33:42 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=delete|timestamp=1609310022|local_time=1609302822|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/CopiedFile - Copy.png|type=file|remote hostname=10.212.134.55|fileSize=10000|dataRW=18446744073709551615||

setattrib

July 30 08:33:42 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=setattrib|timestamp=1609310022|local_time=1609302822|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/CopiedFile - Copy.png|dosattrib=0000|remote hostname=10.212.134.55||

getea

July 29 10:30:47 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|fail|0xc0000225|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=getea|timestamp=1609230647|local_time=1609223447|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=/var/vol/syncgateway/cloudshare|att=org.netatalk.Metadata|remote hostname=10.212.134.70||

Each field in the message is separated by the | character. The fields in the examples have the following meaning:
Timestamp and edge filer name – Each line in the audit log starts with the timestamp when it was written to the log and the edge filer connected to. For example, July 30 08:33:42 2022EdgeFiler smbd:
Edge filer name – The name of the device on which the operation was executed. For example, 2022EdgeFiler
Log name – The name of the audit log: ctera_audit
Type – The audit type.
Operation result – The result, either ok or fail.
Operation result code – The result code for the operation: 0x00000000 for ok, and a non-zero error code for fail, for example 0xc0000034 or 0xc0000225 in the examples above.
User name – The name of the user who executed the operation. For example, user=2022EDGEFILER\admin
User SID – The security identifier. For example, sid=S-1-5-21-2278938113-1352723297-1199027263-1402
Operation – The operation that was executed. For example, op=open
Timestamp – The UTC time the operation was executed. For example, timestamp=1609230647
Local time – The local time the operation was executed. For example, local_time=1609223447
Root Path – The root path for the share. For example, rootPath=/var/vol/syncgateway/cloudshare
Share – The name of the share. For example, share=cloud
Path – The path to a file being handled. For example, path=users/portal admin/My Files/Photos/New Microsoft Word Document1.docx
Destination – The destination for a move or copy operation. For example, destination path=users/portal admin/My Files/Photos/E0EAEC4D.tmp
Type – Whether the operation is on a folder or file.
Attributes – The attributes, either in readable format, for example, att=org.netatalk.Metadata, or in machine-readable format, for example, dosattrib=0000
Access code – The access code. For example, access=00000100000000000000000000000000
Remote hostname – The IP address of the device connected using SMB to the edge filer. For example, remote hostname=10.212.134.70
File size – The size of the file being operated on. For example, fileSize=148071
Data Read/Write – The amount of data read or written by the operation. For example, dataRW=4096. In the delete examples above the field holds 18446744073709551615, the maximum unsigned 64-bit value.
Directory – Whether the operation is on a directory or not. For example, isDir=1

The operations have the following meanings:

Operation in Log | Description | Flag in User Interface
read, OpenDenied | Open a file for reading | List Folder Read Data
create, write, createDenied, OpenDenied, move | Create or write to a file | Create Files Write Data
create, createDenied, OpenDenied | Create a folder | Create Folders Append Data
getea | Get the extended attributes | Read Extended Attributes
setea | Set the extended attributes | Write Extended Attributes
delea | Delete an extended attribute | Write Extended Attributes
open | Open a file | Traverse Folder
delete, move | Delete a file or folder | Delete
getattrib | Get the attributes |
setattrib | Set the attributes | Write Attributes
ACEChanged | Change permissions | Change Permissions
ACLAdded, ACLDeleted, ACLProtectionAdded, ACLProtectionDeleted | Change access permissions | Change Permissions
setdacl | Set permissions | Change Permissions
getsd | The security descriptor of a file or directory is fetched |
setsd, AclDenied | The security descriptor of a file or directory is set | Change Permissions
chown, AclDenied | Change the owner | Change Owner
deleteDenied | Don't allow deleting a file or folder | Delete Subfolders and Files
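The following parser is an added example, not CTERA's own code, that turns the audit log format described in the field list and the operation table above into records an analyst can query: it splits the syslog-style prefix from the pipe-delimited body, treats the first five fields as positional (device, log name, audit type, result, result code) and the rest as key=value pairs, converts the epoch timestamp to UTC, recognises the 18446744073709551615 dataRW value on delete entries, lists failed operations per user and remote host, and maps an op value back to the "Events to log" check boxes that produce it. Everything it assumes about the format comes from the examples on this page; the sample lines are constructed from those examples, and the function names and the FLAG_TO_OPS mapping are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: four entries copied from the examples on this page.
SAMPLE_LINES = [
    r"July 30 08:33:42 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=open|timestamp=1609310022|local_time=1609302822|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/CopiedFile - Copy.png|access=01101001100000000100100000000000|remote hostname=10.212.134.55||",
    r"July 30 08:34:06 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|fail|0xc0000034|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=OpenDenied|timestamp=1609310046|local_time=1609302846|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/E0EAEC4D.tmp|access=00000100000000000000000000000000|remote hostname=10.212.134.55|isDir=1||",
    r"July 30 08:33:41 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|ok|0x00000000|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=read|timestamp=1609310021|local_time=1609302821|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/CopiedFile - Copy.png|type=file|remote hostname=10.212.134.55|fileSize=148071|dataRW=4096||",
    r"July 30 08:33:42 2022EdgeFiler smbd: |2022EdgeFiler|ctera_audit|fs|fail|0xc0000034|user=2022EDGEFILER\admin|sid=S-1-5-21-2761415951-3033486807-2004858877-1402|op=delete|timestamp=1609310022|local_time=1609302822|rootPath=/var/vol/syncgateway/cloudshare|share=cloud|path=users/portal admin/My Files/Photos/._CopiedFile - Copy.png|type=file|remote hostname=10.212.134.55|fileSize=10000|dataRW=18446744073709551615||",
]

# Syslog-style prefix "<Month> <day> <hh:mm:ss> <device> smbd: " followed by the
# pipe-delimited body. The month spelling follows the page's examples (assumption).
PREFIX_RE = re.compile(
    r"^(?P<month>[A-Za-z]+) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<device>\S+) smbd: \|(?P<body>.*)$"
)

# The first five fields after the leading "|" are positional; the rest are key=value.
# "audit_type" is used instead of "type" so the later "type=file" pair does not overwrite it.
POSITIONAL = ("device", "log_name", "audit_type", "result", "result_code")

# 2**64 - 1: the dataRW value carried by the delete examples, where no bytes are transferred.
NO_DATA = 18446744073709551615


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is not an audit entry."""
    m = PREFIX_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.group("body").split("|")
    while fields and fields[-1] == "":  # the body ends with "||"
        fields.pop()
    if len(fields) < len(POSITIONAL):
        return None
    record = dict(zip(POSITIONAL, fields[:len(POSITIONAL)]))
    record["syslog_time"] = f"{m.group('month')} {m.group('day')} {m.group('time')}"
    for field in fields[len(POSITIONAL):]:
        key, sep, value = field.partition("=")  # keys may contain spaces ("remote hostname")
        if sep:
            record[key] = value
    return record


def parse_log(lines):
    """Parse an iterable of lines, silently skipping anything that is not an audit entry."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def utc_time(record):
    """UTC time of the operation, from the epoch-seconds timestamp field."""
    return datetime.fromtimestamp(int(record["timestamp"]), tz=timezone.utc)


def bytes_transferred(record):
    """Bytes read or written, or None when the entry carries no transfer (e.g. delete)."""
    raw = record.get("dataRW")
    if raw is None:
        return None
    value = int(raw)
    return None if value == NO_DATA else value


def failed_operations(records):
    """Entries whose result is 'fail', as (user, remote host, op, path, result code)."""
    return [
        (r.get("user"), r.get("remote hostname"), r.get("op"), r.get("path"), r["result_code"])
        for r in records
        if r["result"] == "fail"
    ]


def failures_per_source(records):
    """Count failed operations per (user, remote hostname), the first cut an analyst
    wants when reviewing denied access on a share."""
    return Counter(
        (r.get("user"), r.get("remote hostname")) for r in records if r["result"] == "fail"
    )


# Operations grouped by the "Events to log" flag that enables them, from the table above.
# Several ops appear under more than one flag, so the lookup returns a set.
FLAG_TO_OPS = {
    "List Folder Read Data": {"read", "OpenDenied"},
    "Create Files Write Data": {"create", "write", "createDenied", "OpenDenied", "move"},
    "Create Folders Append Data": {"create", "createDenied", "OpenDenied"},
    "Read Extended Attributes": {"getea"},
    "Write Extended Attributes": {"setea", "delea"},
    "Traverse Folder Execute File": {"open"},
    "Delete": {"delete", "move"},
    "Write Attributes": {"setattrib"},
    "Change Permissions": {"ACEChanged", "ACLAdded", "ACLDeleted", "ACLProtectionAdded",
                           "ACLProtectionDeleted", "setdacl", "setsd", "AclDenied"},
    "Change Owner": {"chown", "AclDenied"},
    "Delete Subfolders and Files": {"deleteDenied"},
}


def ui_flags_for(op):
    """Which check boxes in the Events to log area can produce an entry with this op."""
    return {flag for flag, ops in FLAG_TO_OPS.items() if op in ops}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LINES)
    for user_host, count in failures_per_source(records).items():
        print(f"{count} failed operation(s) from {user_host}")
    for entry in failed_operations(records):
        print(entry)
```

To run it against a real log, replace SAMPLE_LINES with the lines of /network_share/audit.log.dir/audit.log. Because rotated files are deleted once Keep closed files for expires, copy or forward the files to a collector before that window passes if the entries are needed for an investigation.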
