Skip to main content

Configure and Audit CIFS Audit Logs for Confidential Shares

This article applies to: Shared File Services

If you need to store confidential data on SFS, you must request a properly configured share.

SFS provides the ability to enable, configure, and perform CIFS auditing in compliance with Cornell Policy 5.10,; however, it is the responsibility of the customer to do so.

When your confidential share is created on SFS a second billable share is created to hold your audit logs. For example:

  • Requested Share: \\\CIT\Employee-Data
    Billed at our normal rates.
  • Audit Log Share: \\\CIT\Employee-Data-auditlog
    Billed at a higher rate.
    Starts at 150 GB, and is automatically grown as required in 150 GB increments. This share is not to be used for any other purpose.
  • You Configure CIFS Auditing for the share you requested, \\\CIT\Employee-Data
  • The resultant CIFS Audit Log files are automatically stored on the Audit Log Share\\\CIT\Employee-Data-auditlog.
Do not configure CIFS Auditing for the Audit Log Share itself, \\\CIT\Employee-Data-auditlog.
Suggestion for File System Administrators: Map a Network Drive Using Your "Doc" Account to these locations.

Following is the default configuration for CIFS audit logging:

  1. A CornellAD group containing only CornellAD “doc” accounts is required to configure the CIFS Audit Logs.  Personal NetID’s are not allowed within this group.
  2. Log files are saved to this share as “filename.evt”, accessible via the Windows Event Viewer application.
  3. Log files will rotate at least daily.
  4. Log files will rotate more frequently upon approaching 5 GB capacity per log.
  5. Log files will contain the creation date/time in their filenames.
  6. Up to 100 log files will be maintained.
  7. Your Audit Log Share starts at 150 GB, and will be grown automatically in 150 GB units.

About this Article

Last updated: 

Thursday, December 19, 2019 - 9:13am

Was this page helpful?

Your feedback helps improve the site.