API - NetApp CIFS Audit Event Log

If you cannot connect to the NetApp box using Event Viewer and are getting errors indicating the RPC server is unavailable, you may need to map a drive from NetApp to the Agent host, and then try again.

You must run Windows Agent as a user that has sufficient privileges on the NetApp box LocalSystem or the configuration will not work. Provide the service credentials for the System Monitor Agent in Services. Go to Control Panel, click Administrative Tools, then click Services.

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is API - NetApp CIFS Security Audit Event Log. In addition, when configuring this log source:

• For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
• For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
• On the Flat File Settings tab, enter the following:
  • • Format is: [MachineName]:[PathToNetAppResourceDLL]

    • PathToNetAppResourceDLL: The path to the NetApp message resource file. The resource file is called ontapAuditE.dll and can be found in the NetApp’s ETC$ directory.

      • Examples of File Path when ontapAuditE.dll is on NetApp filer and accessed using the default ETC$ administrative CIFS share:
        • 192.168.0.9:\\192.168.0.9\etc$\ontapAuditE.dll
        • 192.168.0.1:Y:\etc\ontapAuditE.dll
        • Netapp_filerA:\\Netapp_filerA\etc$\ontapAuditE.dll
      • Examples of ontapAuditE.dll on local (Agent) machine:
        • 192.168.0.6:C:\NetAppResource\ontapAuditE.dll
        • Netapp_filerA:C:\NetAppResource\ontapAuditE.dll