How active audit logs are viewed using Event Viewer
If the audit consolidation process is running on the cluster, the consolidation process appends new records to the active audit log file for audit-enabled storage virtual machines (SVMs). This active audit log can be accessed and opened over an SMB share in Microsoft Event Viewer.
In addition to viewing existing audit records, Event Viewer has a refresh option that enables you to refresh the content in the console window. Whether the newly appended logs are viewable in Event Viewer depends on whether oplocks are enabled on the share used to access the active audit log.
| Oplocks setting on the share | Behavior |
|---|---|
| Enabled | Event Viewer opens the log that contains events written to it up to that point in time. The refresh operation does not refresh the log with new events appended by the consolidation process. |
| Disabled | Event Viewer opens the log that contains events written to it up to that point in time. The refresh operation refreshes the log with new events appended by the consolidation process. |
Note
This information is applicable only for EVTX event logs. XML event logs can be viewed through SMB in a browser or through NFS using any XML editor or viewer.
Give documentation feedback