SMB events that can be audited
ONTAP can audit certain SMB events, including certain file and folder access events, certain logon and logoff events, and central access policy staging events. Knowing which access events can be audited is helpful when interpreting results from the event logs.
The following additional SMB events can be audited in ONTAP 9.5 and later:
| Event ID (EVT/EVTX) | Event | Description | Category |
|---|---|---|---|
| 4670 | Object permissions were changed | OBJECT ACCESS: Permissions changed. | File Access |
| 4907 | Object auditing settings were changed | OBJECT ACCESS: Audit settings changed. | File Access |
| 4913 | Object Central Access Policy was changed | OBJECT ACCESS: CAP changed. | File Access |
The following SMB events can be audited in ONTAP 9.5 and later:
| Event ID (EVT/EVTX) | Event | Description | Category |
|---|---|---|---|
| 540/4624 | An account was successfully logged on | LOGON/LOGOFF: Network (CIFS) logon. | Logon and Logoff |
| 529/4625 | An account failed to log on | LOGON/LOGOFF: Unknown user name or bad password. | Logon and Logoff |
| 530/4625 | An account failed to log on | LOGON/LOGOFF: Account logon time restriction. | Logon and Logoff |
| 531/4625 | An account failed to log on | LOGON/LOGOFF: Account currently disabled. | Logon and Logoff |
| 532/4625 | An account failed to log on | LOGON/LOGOFF: User account has expired. | Logon and Logoff |
| 533/4625 | An account failed to log on | LOGON/LOGOFF: User cannot log on to this computer. | Logon and Logoff |
| 534/4625 | An account failed to log on | LOGON/LOGOFF: User not granted logon type here. | Logon and Logoff |
| 535/4625 | An account failed to log on | LOGON/LOGOFF: User's password has expired. | Logon and Logoff |
| 537/4625 | An account failed to log on | LOGON/LOGOFF: Logon failed for reasons other than above. | Logon and Logoff |
| 539/4625 | An account failed to log on | LOGON/LOGOFF: Account locked out. | Logon and Logoff |
| 538/4634 | An account was logged off | LOGON/LOGOFF: Local or network user logoff. | Logon and Logoff |
| 560/4656 | Open Object/Create Object | OBJECT ACCESS: Object (file or directory) open. | File Access |
| 563/4659 | Open Object with the Intent to Delete | OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete. | File Access |
| 564/4660 | Delete Object | OBJECT ACCESS: Delete Object (file or directory). ONTAP generates this event when a Windows client attempts to delete the object (file or directory). | File Access |
| 567/4663 | Read Object/Write Object/Get Object Attributes/Set Object Attributes | OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute). Note For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations to the same object. | File Access |
| NA/4664 | Hard link | OBJECT ACCESS: An attempt was made to create a hard link. | File Access |
| NA/4818 | Proposed central access policy does not grant the same access permissions as the current central access policy | OBJECT ACCESS: Central Access Policy Staging. | File Access |
| NA/NA Data ONTAP Event ID 9999 | Rename Object | OBJECT ACCESS: Object renamed. This is an ONTAP event. It is not currently supported by Windows as a single event. | File Access |
| NA/NA Data ONTAP Event ID 9998 | Unlink Object | OBJECT ACCESS: Object unlinked. This is an ONTAP event. It is not currently supported by Windows as a single event. | File Access |
Additional information about Event 4656
The HandleID tag in the audit XML event contains the handle of the object (file or directory) accessed. The HandleID tag for the EVTX 4656 event contains different information depending on whether the open event is for creating a new object or for opening an existing object:
If the open event is an open request to create a new object (file or directory), the HandleID tag in the audit XML event shows an empty HandleID (for example: <Data Name="HandleID">00000000000000;00;00000000;00000000</Data> ).
The HandleID is empty because the OPEN (for creating a new object) request gets audited before the actual object creation happens and before a handle exists. Subsequent audited events for the same object have the right object handle in the HandleID tag.
- If the open event is an open request to open an existing object, the audit event will have the assigned handle of that object in the HandleID tag (for example: <Data Name="HandleID">00000000000401;00;000000ea;00123ed4</Data> ).