NetApp ONTAP Audit

About
NetApp ONTAP Audit Logging is a security and operational logging feature of NetApp ONTAP storage systems that records administrative activities, data access events, authentication events, configuration changes, and system operations across storage clusters. These audit logs provide visibility into user actions, protocol-level file and object access (such as NFS, SMB, and S3), and system-level changes, enabling security monitoring, compliance reporting, and forensic investigations within enterprise storage environments.
Product Details
Vendor URL: NetApp ONTAP Audit
Product Type: Storage Audit
Product Tier: Tier III
Integration Method: Bindplane
Log Guide: N/A
Parser Details
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: NETAPP_ONTAP_AUDIT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| TimeCreated | metadata.event_timestamp |
| ProviderName | additional.fields |
| EventName | metadata.product_event_type |
| Version | additional.fields |
| Source | additional.fields |
| SubjectUserName | principal.user.userid |
| SubjectDomain | principal.administrative_domain |
| ObjectName | target.file.full_path |
| ObjectType | target.resource.type |
| DesiredAccess | additional.fields |
| SubjectUserSid | principal.user.windows_sid |
| Level | security_result.severity |
| Opcode | security_result.severity_details |
| Result | security_result.action |
| EventId | metadata.product_log_id |
| SourceFile | additional.fields |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| Open Object | FILE_OPEN |
| Read Object | FILE_READ |
| Write Object | FILE_MODIFICATION |
| all | GENERIC_EVENT |
Log Sample
{"TimeCreated":"2026-06-12T14:22:10.123456000Z","ProviderName":"NetApp-Security-Auditing","EventName":"Open Object","Version":"101.3","Source":"CIFS","SubjectIP":"192.168.10.45","SubjectUserName":"jdoe","SubjectDomain":"US","ObjectType":"Directory","ObjectName":"(CORP_vol);/CORP/US/Finance/Reports/20260612/Q2/Final/Board_Presentation","DesiredAccess":"Read Data; List Directory; Read Attributes; ","SubjectUserSid":"S-1-5-21-1122334455-6677889900-1234567890-1001","Level":"Informational","Opcode":"Info","Keywords":"0x8020000000000000","Result":"Audit Success","EventId":4656,"SourceFile":"audit_CORPFILESERVER_D2026-06-12-T14-22-10_0000000000.evtx"}
Sample Parsing
metadata.event_timestamp = "2026-06-12T14:22:10.123456000Z"
metadata.event_type = "FILE_OPEN"
metadata.product_event_type = "Open Object"
metadata.product_log_id = "4656"
principal.user.userid = "jdoe"
principal.administrative_domain = "US"
principal.user.windows_sid = "S-1-5-21-1122334455-6677889900-1234567890-1001"
target.file.full_path = "(CORP_vol);/CORP/US/Finance/Reports/20260612/Q2/Final/Board_Presentation"
target.resource.type = "Directory"
additional.fields["ProviderName"] = "NetApp-Security-Auditing"
additional.fields["Version"] = "101.3"
additional.fields["Source"] = "CIFS"
additional.fields["DesiredAccess"] = "Read Data; List Directory; Read Attributes; "
additional.fields["SourceFile"] = "audit_CORPFILESERVER_D2026-06-12-T14-22-10_0000000000.evtx"
security_result.category_detail = "Audit"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "Info"
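The following Python sketch is an added example, not the parser's own code: it applies the mapping and event-type tables above to one audit line and also reports which raw fields the documented mapping does not cover, which is useful when checking normalization coverage before writing detections. The function name `normalize`, the `UNKNOWN_ACTION` fallback for results other than "Audit Success", and upper-casing `Level` are assumptions; the sample line is constructed from the log sample on this page.

```python
import json

# Raw field -> UDM field, copied from the mapping table on this page.
FIELD_MAP = {
    "TimeCreated": "metadata.event_timestamp",
    "EventName": "metadata.product_event_type",
    "SubjectUserName": "principal.user.userid",
    "SubjectDomain": "principal.administrative_domain",
    "ObjectName": "target.file.full_path",
    "ObjectType": "target.resource.type",
    "SubjectUserSid": "principal.user.windows_sid",
    "Level": "security_result.severity",
    "Opcode": "security_result.severity_details",
    "Result": "security_result.action",
    "EventId": "metadata.product_log_id",
}
ADDITIONAL = {"ProviderName", "Version", "Source", "DesiredAccess", "SourceFile"}
EVENT_TYPES = {"Open Object": "FILE_OPEN", "Read Object": "FILE_READ",
               "Write Object": "FILE_MODIFICATION"}
# The page only shows "Audit Success" -> ALLOW; other results are not documented.
ACTIONS = {"Audit Success": "ALLOW"}

# Constructed sample: a shortened version of the log sample on this page.
SAMPLE = (
    '{"TimeCreated":"2026-06-12T14:22:10.123456000Z","EventName":"Open Object",'
    '"Source":"CIFS","SubjectIP":"192.168.10.45","SubjectUserName":"jdoe",'
    '"Level":"Informational","Opcode":"Info","Keywords":"0x8020000000000000",'
    '"Result":"Audit Success","EventId":4656}'
)

def normalize(raw_line):
    """Return (udm, unmapped): flat UDM dict and raw fields the table omits."""
    raw = json.loads(raw_line)
    udm, unmapped = {}, []
    for key, value in raw.items():
        if key in FIELD_MAP:
            udm[FIELD_MAP[key]] = str(value)
        elif key in ADDITIONAL:
            udm[f'additional.fields["{key}"]'] = str(value)
        else:
            unmapped.append(key)  # present in the log, absent from the mapping
    udm["metadata.event_type"] = EVENT_TYPES.get(raw.get("EventName"), "GENERIC_EVENT")
    if "Result" in raw:  # overwrite the raw string with the normalized action
        udm["security_result.action"] = ACTIONS.get(raw["Result"], "UNKNOWN_ACTION")
    if "Level" in raw:   # assumption: severity is the upper-cased Level
        udm["security_result.severity"] = str(raw["Level"]).upper()
    return udm, sorted(unmapped)
```

For the constructed sample, `SubjectIP` and `Keywords` come back as unmapped because the mapping table on this page lists no UDM field for them.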