Manage file access logs in Azure NetApp Files

File access logs provide file access logging for individual volumes, capturing standard file system operations on the volumes you select. They provide insights beyond the platform logging captured in the Azure Activity Log.

Considerations

Important

The file access logs feature is only supported with SMB3, NFSv4.1, and dual-protocol volumes. It's not supported on NFSv3 volumes.

  • Once file access logs are enabled on a volume, they can take up to 75 minutes to become visible.
  • Each log entry consumes approximately 1 KB of space.
  • File access logs occasionally create duplicate log entries that must be filtered manually.
  • Deleting any diagnostic settings configured for ANFFileAccess causes any file access logs for any volume with that setting to become disabled. See the diagnostic setting configuration for more information.
  • Before enabling file access logs on a volume, either access control lists (ACLs) or Audit access control entries (ACEs) need to be set on a file or directory. You must set ACLs or Audit ACEs after mounting a volume.

    Important

    For dual-protocol volumes using the NTFS security style, you must set Audit ACLs from a Windows machine. For dual-protocol volumes using UNIX security style, Audit ACLs must be set from a Linux machine.

  • Azure NetApp Files file access logs provide detailed information about successful and failed requests to the storage service. This information can be used to monitor individual requests and to diagnose file access issues. Requests are logged on a best-effort basis, meaning that most requests result in a log record, but the completeness and timeliness of file access logs aren't guaranteed. The Azure NetApp Files file access logs feature doesn't provide explicit or implicit expectations or guarantees around logging for auditing and compliance purposes.

Performance considerations

  • All file access log events have a performance impact.

    • Events such as file/folder creation or deletion are key events to log.
    • System access control list (SACL) settings for logging should be used sparingly. Frequent operations (for example, READ or GET) can have a significant performance impact but have limited logging value. It's recommended that SACL settings not log these frequent operations, to conserve performance.
    • SACL policy additions aren't currently supported with file access logs.
  • For clubbed events such as READ/WRITE, only a handful of operations per file read or write are captured, to reduce the event logging rate.

  • File access logs support a log generation rate metric.

    If the rate of file access event generation exceeds 64 MiB/minute, the Activity log sends a message stating that the rate of file access log generation is exceeding the limit. If log generation exceeds the limit, logging events can be delayed or dropped. If you're approaching this limit, disable noncritical auditing ACLs to reduce the event generation rate. As a precaution, you can create an alert for this event.

  • During migration or robocopy operations, disable file access logs to reduce log generation.

  • It's recommended you avoid enabling file access logs on files with more than 450 ACEs to avoid performance issues.

Recognized events

The events captured in file access logs depend on the protocol of your volume.

Logged NFS events

  • Close
  • Create
  • Get attributes
  • Link
  • Nverify
  • Open
  • Open attribute
  • Remove
  • Rename
  • Set attribute
  • Verify
  • Write

Logged SMB events

  • Create
  • Delete
  • Get attributes
  • Hard link
  • Open object
  • Open object with the intent to delete
  • Read
  • Rename
  • Set attribute
  • Unlink
  • Write

Supported regions

Availability for file access logs is limited to the following regions:

  • Australia Central
  • Australia Central 2
  • Australia East
  • Australia Southeast
  • Brazil South
  • Brazil Southeast
  • Canada Central
  • Canada East
  • Central India
  • Central US
  • East Asia
  • East US
  • East US 2
  • France Central
  • Germany North
  • Japan East
  • Japan West
  • Korea Central
  • Korea South
  • North Europe
  • Norway East
  • Norway West
  • South Africa North
  • South Central US
  • Southeast Asia
  • South India
  • Sweden Central
  • Switzerland North
  • Switzerland West
  • UAE Central
  • UAE North
  • UK South
  • UK West
  • US Gov Arizona
  • US Gov Virginia
  • West Europe
  • West US
  • West US 2
  • West US 3

Set SACLs or Audit ACEs on files and directories

You must set SACLs for SMB shares or Audit ACEs for NFSv4.1 exports for auditing.

To enable logging access on individual files and directories, complete the following steps on the Windows administration host.

Note

Select only the events you need to log. Selecting too many log options can impact system performance.

Steps

  1. Select the file or directory for which to enable logging access.
  2. Right-click the file or directory, then select Properties.
  3. Select the Security tab, then select Advanced.
  4. Select the Auditing tab. Add, edit, or remove the auditing options you want.
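
The same auditing entry can be scripted from the Windows administration host. The following PowerShell is an added example, not code from the original page. It assumes a hypothetical directory path and principal, a session holding the "Manage auditing and security log" right, and it reads the 450-ACE guidance above as a combined count of DACL and SACL entries.

```powershell
# Added example: add an audit ACE (SACL entry) to a directory on an SMB volume.
# $Path and $Principal are hypothetical values; replace them with your own.
$Path      = '\\anf-smb.contoso.example\vol1\finance'   # must be a directory
$Principal = 'Everyone'                                  # audit all callers
$MaxAces   = 450                                         # guidance from this page

# Audit only low-frequency, high-value operations: creation, deletion and
# permission/ownership changes. ReadData, ListDirectory and ReadAttributes are
# deliberately left out because frequent operations cost performance and add
# little logging value.
$Rights = [System.Security.AccessControl.FileSystemRights] (
    'CreateFiles', 'CreateDirectories', 'Delete',
    'DeleteSubdirectoriesAndFiles', 'ChangePermissions', 'TakeOwnership' -join ', ')

# -Audit loads the SACL in addition to the DACL.
$Acl = Get-Acl -Path $Path -Audit

# Count existing ACEs (explicit and inherited) before adding another one.
$NtAccount = [System.Security.Principal.NTAccount]
$AceCount  = $Acl.GetAccessRules($true, $true, $NtAccount).Count +
             $Acl.GetAuditRules($true, $true, $NtAccount).Count
if (($AceCount + 1) -gt $MaxAces) {
    throw "Refusing to add an audit ACE: $Path already carries $AceCount ACEs."
}

# Apply to this folder, its subfolders and its files; log successes and failures.
$Rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal,
    $Rights,
    [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags] 'Success, Failure')

$Acl.AddAuditRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Read the SACL back to confirm what is now audited.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Narrowing `$Principal` to a specific group instead of `Everyone` reduces the event rate further.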

Enable file access logs

  1. In the Volumes menu, select the volume you want to enable file access logs for.
  2. Select Diagnostic settings from the left-hand pane.
  3. Select + Add diagnostic setting.
  4. In the Diagnostic setting page, provide a diagnostic setting name. Under Logs > Categories, select ANFFileAccess then set the retention period of the logs.
  5. Select one of the destination options for the logs:
    • Archive to a storage account
    • Stream to an event hub
    • Send to Log Analytics workspace
    • Send to a partner solution
  6. Save the settings.

Disable file access logs

  1. In the Volumes menu, select the volume on which you want to disable file access logs.
  2. Select the Diagnostic setting menu from the left-hand pane.
  3. In the Diagnostic settings page, deselect Audit. This automatically deselects ANFFileAccess.
  4. Select Save.

Note

After disabling file access logs, you must wait at least ten minutes before attempting to enable or re-enable file access logs on any volume.
