From the left navigation menu, select Settings and then Auditing.
Complete the General Settings:
Audit directory name
Specify a name for the audit directory. A directory of this name will be created directly under the root directory of the Element Store. Audit records will be written to this directory.
Specify users in this field to grant them read access to all files in the audit directory.
Specify each user by user name. Enter a comma to start entering a new user. Each user name appears with a removal button so that you can remove it if needed while you are editing the field.
Specify groups in this field to grant them read access to all files in the audit directory.
Specify each group by group name. Enter a comma to start entering a new group. Each group name appears with a removal button so that you can remove it if needed while you are editing the field.
Max audit file size
The maximum size of each file of audit records. Audit records are written to subdirectories of the audit directory per CNode core. Records written to each directory roll over to a new file when the file reaches this size.
This setting limits the size of each audit file, but it does not limit the total size of all audit files.
Specify the value with units of MB, GB, TB and so on.
Default: 1024 MB
Under Global Baseline Audit Settings, optionally set auditing settings to apply globally to all views. Any settings that you do not enable here can be set per view policy. Settings that you do enable here will apply to all views, even if the view policy does not have these settings.
Slide the Enable setting to the ON position. Default global audit settings are now enabled.
From the Protocols dropdown, select one or more protocols to enable auditing for:
NFSv3. Enables auditing of NFSv3 operations.
NFSv4.1. Enables auditing of NFSv4.1 operations.
SMB. Enables auditing of SMB operations.
Select the categories of operations that you want to be audited:
Category of Operations to audit
NFSv3 Operations Included (provided NFSv3 protocol is enabled for auditing)
NFSv4.1 Operations Included (provided NFSv4.1 protocol is enabled for auditing)
SMB Operations included (provided SMB protocol is enabled for auditing)
Operations that create or delete files and directories.
CREATE, when it creates a file
OPEN, when it creates a file
CREATE, when it creates a new file/directory or opens an existing file in delete-on-close mode
SET_INFO, when it is used for delete on close
SET_INFO, when it renames a file/directory
Operations that modify data (this includes operations that change the file size) and metadata.
CREATE, when it truncates a file
OPEN, if it truncates an existing file
CREATE, if it truncates an existing file
SET_INFO, if it changes metadata
Operations that read data and metadata.
ACCESS, if the RPC failed or if the granted access is lower than the requested access
For sessions that use Kerberos 5 authentication (krb5, krb5i, or krb5p): Session creation and closing operations.
Kerberos user token creation
Kerberos user token deletion
Optionally change the Audit record options:
Log full path
Available and relevant for NFSv3 and NFSv4.1 audits.
If enabled, audit records contain the full Element Store path to the requested resource. This may affect performance. When disabled, the view path is recorded.
Disabled by default.
If enabled, audit records contain the username (if a username can be retrieved from the auth provider).
To view the currently enabled global auditing settings, use the cluster show command with the
In the following example, auditing has not been enabled on the cluster:
vcli: admin> cluster show --audit
+--------------------------+----------+
| ID                       | 1        |
| Name                     | Bonzo-02 |
| Audit-dir-name           |          |
| Read-access-users        |          |
| Read-access-users-groups |          |
| Max-file-size(GB)        | 1.024    |
| Max-retention-period     | 1        |
| Max-retention-timeunit   | h        |
| Protocols                |          |
+--------------------------+----------+
Auditing disabled for all protocols
To configure global auditing settings, use the cluster modify command.
For example, the following command sets the audit directory name to vast_audit_dir, grants read access for the audit files to the user janef and enables auditing of a few types of NFSv3 and SMB operations:
vcli: admin> cluster modify --id 1 --audit-protocols NFSv3,SMB --read-access-users janef --audit-operations create_delete_files_dirs_objects,modify_data_md,read_data --audit-dir-name .vast_audit_dir --enable-audit-settings
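To confirm that the global audit settings stay as configured, the table printed by cluster show --audit can be parsed and compared with a site baseline. The following Python check is an added example, not part of the product or its documentation. The required-protocol set, the approved-reader set and the comma-separated format of multi-valued fields are assumptions.

```python
import re

# `cluster show --audit` output as shown on this page (auditing not configured).
SAMPLE_DISABLED = """\
+--------------------------+----------+
| ID                       | 1        |
| Name                     | Bonzo-02 |
| Audit-dir-name           |          |
| Read-access-users        |          |
| Read-access-users-groups |          |
| Max-file-size(GB)        | 1.024    |
| Max-retention-period     | 1        |
| Max-retention-timeunit   | h        |
| Protocols                |          |
+--------------------------+----------+
Auditing disabled for all protocols
"""

ROW = re.compile(r"^\|\s*(?P<key>[^|]+?)\s*\|\s*(?P<val>[^|]*?)\s*\|\s*$")

def parse_audit_table(text):
    """Return {field: value} for every '| key | value |' row; borders are skipped."""
    return {m["key"]: m["val"] for m in map(ROW.match, text.splitlines()) if m}

def split_list(value):
    """Assumption: multi-valued fields are comma-separated, as in `cluster modify`."""
    return {v.strip() for v in value.split(",") if v.strip()}

def audit_findings(text, required_protocols, approved_readers):
    """Compare parsed settings with a site baseline (hypothetical policy inputs)."""
    cfg = parse_audit_table(text)
    findings = []
    if not cfg.get("Audit-dir-name"):
        findings.append("audit directory name is not set")
    missing = set(required_protocols) - split_list(cfg.get("Protocols", ""))
    if missing:
        findings.append("protocols not audited: " + ",".join(sorted(missing)))
    extra = split_list(cfg.get("Read-access-users", "")) - set(approved_readers)
    if extra:
        findings.append("unapproved audit readers: " + ",".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    for f in audit_findings(SAMPLE_DISABLED, {"NFSv3", "SMB"}, {"janef"}):
        print("FINDING:", f)
```

Run against the sample above, the check reports that no audit directory is set and that NFSv3 and SMB are not audited.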