I assume that this API is AuditPlus issuing a CIFS audit.save command to force NetApp to dump the .alf to .evtx? This appears to be failing as the AuditPlus software cannot establish an SSLv3 connection with the filer head. Problem is, even though it indicates this is failing in the logs, the UI says success. At the filer end, the .alf will eventually be saved off when it reaches a certain size, as I have the audit.onsize settings set up. Thereafter, AuditPlus will pick up the new .evtx file, but if this is what's happening, it can result in a long delay before critical audit events are picked up, i.e. I have noticed my critical alerts for file deletions are firing hours after the actual event. I suspect this is due to my analysis above. If so, this would need to be addressed in the software, as an admin must know when there is a communications problem.