We are looking at moving our current user home directories and department shares from a Windows Server share to a NetApp CIFS share. Currently we audit the Windows server shares for object access and privileged use and we need to keep this functionally. Is it possible to audit files that are shared directly from a NetApp filer?
First make sure you have set up your splunk forwarder with a domain account (not the local user option).
This domain account must have corresponding administrative rights, so that the forwarder kann access the filer.
Assuming you already have enabled cifs audit on your netapp, put this in your inputs.conf of your forwarder:
[monitor://\\filer_host\c$\etc\log\*.evt]
disabled = 0
index=whateveryoulike
This will do the trick.
Regards,
Phil