Merge pull request #216559 from b-ahibbard/anf-fileaccesslogs-15dec

File Access Logs 2022.03

Author: JamesJBarnett

articles/azure-netapp-files/TOC.yml

@@ -369,6 +369,8 @@
         href: manage-default-individual-user-group-quotas.md
       - name: Manage storage with cool access 
         href: manage-cool-access.md
+      - name: Manage file access logs 
+        href: manage-file-access-logs.md
     - name: Update Terraform-managed volume
       href: terraform-manage-volume.md
   - name: Manage application volume groups 

articles/azure-netapp-files/azure-government.md

@@ -25,6 +25,7 @@ All [Azure NetApp Files features](whats-new.md) available on Azure public cloud
 | Azure NetApp Files features | Azure public cloud availability |  Azure Government availability |
 |:--- |:--- |:--- |
 | Azure NetApp Files large volumes | Generally available (GA) | Generally available [(select regions)](large-volumes-requirements-considerations.md#supported-regions) |
+| Azure NetApp Files file access logs | Public preview | Public preview [(select regions)](manage-file-access-logs.md#supported-regions) |
 
 ## Portal access
 

articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md

@@ -73,9 +73,9 @@ Before creating an SMB volume, you need to create an Active Directory connection
         The subnet you specify must be delegated to Azure NetApp Files. 
 
         If you haven't delegated a subnet, you can select **Create new** on the Create a Volume page. Then in the Create Subnet page, specify the subnet information, and select **Microsoft.NetApp/volumes** to delegate the subnet for Azure NetApp Files. In each VNet, only one subnet can be delegated to Azure NetApp Files.   
+      
+        :::image type="content" source="./media/shared/azure-netapp-files-create-subnet.png" alt-text="Screenshot of create new subnet interface." lightbox="./media/shared/azure-netapp-files-create-subnet.png":::
 
-        ![Create subnet](./media/shared/azure-netapp-files-create-subnet.png)
-
     * **Network features**  
         In supported regions, you can specify whether you want to use **Basic** or **Standard** network features for the volume. See [Configure network features for a volume](configure-network-features.md) and [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md) for details.
 

articles/azure-netapp-files/azure-netapp-files-create-volumes.md

@@ -83,7 +83,9 @@ This article shows you how to create an NFS volume. For SMB volumes, see [Create
         Specify the subnet that you want to use for the volume.  
         The subnet you specify must be delegated to Azure NetApp Files. 
         
-        If you have not delegated a subnet, you can select **Create new** on the Create a Volume page. Then in the Create Subnet page, specify the subnet information, and select **Microsoft.NetApp/volumes** to delegate the subnet for Azure NetApp Files. In each Virtual Network, only one subnet can be delegated to Azure NetApp Files.   
+        If you have not delegated a subnet, you can click **Create new** on the Create a Volume page. Then in the Create Subnet page, specify the subnet information, and select **Microsoft.NetApp/volumes** to delegate the subnet for Azure NetApp Files. In each VNet, only one subnet can be delegated to Azure NetApp Files.   
+ 
+        :::image type="content" source="../media/azure-netapp-files/azure-netapp-files-new-volume.png" alt-text="Screenshot of create new volume interface." lightbox="../media/azure-netapp-files/azure-netapp-files-new-volume.png":::
 
         ![Create subnet](./media/shared/azure-netapp-files-create-subnet.png)
 

articles/azure-netapp-files/faq-security.md

@@ -48,6 +48,8 @@ For the complete list of Azure NetApp Files permissions, see Azure resource prov
 
 Azure NetApp Files is an Azure native service. All PUT, POST, and DELETE APIs against Azure NetApp Files are logged. For example, the logs show activities such as who created the snapshot, who modified the volume, and so on.
 
+Azure NetApp Files also offers [file access logging](manage-file-access-logs.md).
+
 For the complete list of API operations, see [Azure NetApp Files REST API](/rest/api/netapp/).
 
 ## Can I use Azure policies with Azure NetApp Files?

articles/azure-netapp-files/kerberos.md

@@ -170,22 +170,22 @@ New machine accounts are created when an Azure NetApp Files SMB volume is provis
 | First new SMB volume | New SMB machine account/DNS name |
 | Subsequent SMB volumes created in short succession from first SMB volume | Reused SMB machine account/DNS name (in most cases). |
 | Subsequent SMB volumes created much later than first SMB volume | The service determines if new machine account is needed. It's possible multiple machine accounts can be created, which creates multiple IP address endpoints. |
-| First dual protocol volume | New SMB machine account/DNS name |
-| Subsequent dual protocol volumes created in short succession from first dual protocol volume	| Reused SMB machine account/DNS name (in most cases) |
-| Subsequent dual protocol volumes created much later than first dual protocol volume | The service determines if a new machine account is needed. It's possible multiple machine accounts can be created, which creates multiple IP address endpoints |
-| First SMB volume created after dual protocol volume | New SMB machine account/DNS name |
-| First dual protocol volume created after SMB volume | New SMB machine account/DNS name |
+| First dual-protocol volume | New SMB machine account/DNS name |
+| Subsequent dual-protocol volumes created in short succession from first dual-protocol volume	| Reused SMB machine account/DNS name (in most cases) |
+| Subsequent dual-protocol volumes created much later than first dual-protocol volume | The service determines if a new machine account is needed. It's possible multiple machine accounts can be created, which creates multiple IP address endpoints |
+| First SMB volume created after dual-protocol volume | New SMB machine account/DNS name |
+| First dual-protocol volume created after SMB volume | New SMB machine account/DNS name |
 
-The SMB machine account created for the Azure NetApp Files SMB (or dual protocol) volume uses a naming convention that adheres to the [15-character maximum that is enforced by Active Directory](/troubleshoot/windows-server/active-directory/naming-conventions-for-computer-domain-site-ou). The name uses the structure of [SMB Server prefix specified in Active Directory connection configuration]-[unique numeric identifier].
+The SMB machine account created for the Azure NetApp Files SMB (or dual-protocol) volume uses a naming convention that adheres to the [15-character maximum that is enforced by Active Directory](/troubleshoot/windows-server/active-directory/naming-conventions-for-computer-domain-site-ou). The name uses the structure of [SMB Server prefix specified in Azure AD connection configuration]-[unique numeric identifier].
 
 For instance, if you've [configured your AD connections](create-active-directory-connections.md) to use the SMB server prefix "AZURE," the SMB machine account that Azure NetApp Files creates resembles "AZURE-7806." That same name is used in the UNC path for the SMB share (for example, \\AZURE-7806) and is the name that dynamic DNS services use to create the A/AAAA record. 
 
 >[!NOTE]
->Because a name like “AZURE-7806” can be hard to remember, it's beneficial to create a CNAME record as a DNS alias for Azure NetApp Files volumes. For more information, see [Creating SMB server aliases](#creating-smb-server-aliases).
+>Because a name like "AZURE-7806" can be difficult to remember, it's beneficial to create a CNAME record as a DNS alias for Azure NetApp Files volumes. For more information, see [Creating SMB server aliases](#creating-smb-server-aliases).
 
 :::image type="content" source="media/kerberos/multiple-dns-smb.png" alt-text="Diagram of multiple machine accounts/DNS entries in Azure NetApp Files." lightbox="media/kerberos/multiple-dns-smb.png":::
 
-In some cases, when creating multiple SMB and/or dual protocol volumes, the configuration can end up with multiple disparate SMB machine accounts and DNS names.
+In some cases, when creating multiple SMB and/or dual-protocol volumes, the configuration can end up with multiple disparate SMB machine accounts and DNS names.
 
 If a single namespace for user access across the volumes is desired, this can present a challenge in configuration, as a single CNAME alias can only point to a single A/AAAA host record, while using multiple identical A/AAAA record aliases can result in unpredictability of data access in accessing volumes across different SMB machine accounts, as there's no guarantee that the endpoint the client selects in the DNS lookup contains the expected volume due to the round-robin nature of DNS record selection in those configurations. 
 
@@ -196,7 +196,7 @@ To address this limitation, [Azure NetApp Files volumes can participate as targe
 
 ### SMB Kerberos SPN creation workflow
 
-The following diagram illustrates how an SMB Kerberos SPN is created when an Azure NetApp Files SMB or dual protocol volume is created. SMB SPNs are associated with SMB machine account objects in the domain. The SPN can be viewed and managed via the machine account properties using the attribute editor in the Advanced view.
+The following diagram illustrates how an SMB Kerberos SPN is created when an Azure NetApp Files SMB or dual-protocol volume is created. SMB SPNs are associated with SMB machine account objects in the domain. The SPN can be viewed and managed via the machine account properties using the attribute editor in the Advanced view.
 
 :::image type="content" source="media/kerberos/azure-smb-properties.png" alt-text="Screenshot of Azure-SMB properties." lightbox="media/kerberos/azure-smb-properties.png":::
 
@@ -337,7 +337,7 @@ When an Azure NetApp Files volume is mounting using Kerberos, a Kerberos ticket
 - The SMB service ticket is retrieved from the KDC.
 - Azure NetApp Files attempts to map the Windows user requesting access to the share to a valid UNIX user.
     - A Kerberos TGS request is made using the SMB server Kerberos credentials stored with the SMB server’s keytab from initial SMB server creation to use for an LDAP server bind.
-    - LDAP is searched for a UNIX user that is mapped to the SMB user requesting share access. If no UNIX user exists in LDAP, then the default UNIX user `pcuser` is used by Azure NetApp Files for name mapping (files/folders written in dual protocol volumes use the mapped UNIX user as the UNIX owner).
+    - LDAP is searched for a UNIX user that is mapped to the SMB user requesting share access. If no UNIX user exists in LDAP, then the default UNIX user `pcuser` is used by Azure NetApp Files for name mapping (files/folders written in dual-protocol volumes use the mapped UNIX user as the UNIX owner).
 - Another negotiate protocol/session request/tree connect is performed, this time using the SMB server’s Kerberos SPN to the Active Directory DC’s IPC$ share.
     - A named pipe is established to the share via the `srvsvc`. 
     - A NETLOGON session is established to the share and the Windows user is authenticated.
@@ -456,7 +456,7 @@ In most cases, knowing these steps in depth won’t be necessary for day-to-day
 
 ### NFS Kerberos SPN creation workflow
 
-The following diagram shows how an NFS SPN is created when an Azure NetApp Files NFS or dual protocol volume is created with Kerberos enabled. In most cases, knowing detailed steps in depth won’t be necessary for day-to-day administration tasks, but are useful in troubleshooting any failures when attempting to create an SMB volume in Azure NetApp Files.
+The following diagram shows how an NFS SPN is created when an Azure NetApp Files NFS or dual-protocol volume is created with Kerberos enabled. In most cases, knowing detailed steps in depth won’t be necessary for day-to-day administration tasks, but are useful in troubleshooting any failures when attempting to create an SMB volume in Azure NetApp Files.
 
 :::image type="content" source="media/kerberos/nfs-keberos-spn.png" alt-text="Diagram of NFS Kerberos SPN creation workflow." lightbox="media/kerberos/nfs-keberos-spn.png":::
 

articles/azure-netapp-files/manage-file-access-logs.md

@@ -0,0 +1,182 @@
+---
+title: Manage file access logs in Azure NetApp Files
+description: File access logs provide file access logging for individual volumes, capturing file system operations on selected volume
+services: azure-netapp-files
+author: b-ahibbard
+ms.service: azure-netapp-files
+ms.topic: how-to
+ms.date: 04/01/2025
+ms.author: anfdocs
+ms.custom: references_regions
+---
+
+# Manage file access logs in Azure NetApp Files (preview)
+
+File access logs provide file access logging for individual volumes, capturing file system operations on selected volumes. The logs capture [standard file operation](#recognized-events). File access logs provide insights beyond the platform logging captured in the [Azure Activity Log](/azure/azure-monitor/essentials/activity-log).
+
+## Considerations
+
+>[!IMPORTANT]
+>The file access logs feature is only supported with SMB3, NFSv4.1, and dual-protocol volumes. It's not supported on NFSv3 volumes. 
+
+* Once file access logs are enabled on a volume, they can take up to 75 minutes to become visible. 
+* Each log entry consumes approximately 1 KB of space.
+* File access logs occasionally create duplicate log entries that must be filtered manually. 
+* Deleting any diagnostic settings configured for `ANFFileAccess` causes any file access logs for any volume with that setting to become disabled. See the [diagnostic setting configuration](#diagnostic) for more information. 
+* Before enabling file access logs on a volume, either [access control lists (ACLs)](configure-access-control-lists.md) or Audit access control entries (ACEs) need to be set on a file or directory. You must set ACLs or Audit ACEs after mounting a volume.  
+* File access logs provide no explicit or implicit expectations or guarantees around logging for auditing and compliance purposes. 
+
+### Performance considerations 
+
+* All file access log file access events have a performance impact.
+    * Events such as file/folder creation or deletion are key events to log. 
+    * System access control list (SACL) settings for logging should be used sparingly. Frequent operations (for example, READ or GET) can have significant performance impact, but have limited logging value. It's recommended that SACL setting not log these frequent operations to conserve performance. 
+    * SACL policy additions aren't currently supported with file access logs. 
+* When clubbing events such as READ/WRITE, only a handful of operation per file read or write are captured to reduce event logging rate.  
+* File access logs support a [log generation rate metric](azure-netapp-files-metrics.md). The log generation rate shouldn't exceed 64 MiB/minute.
+
+    If the rate of file access event generation exceeds 64 MiB/minute, the [Activity log](monitor-azure-netapp-files.md) sends a message stating that the rate of file access log generation is exceeding the limit. If log generation exceeds the limit, logging events can be delayed or dropped. If you're approaching this limit, disable noncritical auditing ACLs to reduce the event generation rate. As a precaution, you can [create an alert](/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule) for this event.
+ 
+* During migration or robocopy operations, disable file access logs to reduce log generation. 
+* It's recommended you avoid enabling file access logs on files with more than 450 ACEs to avoid performance issues. 
+
+## Recognized events
+
+The events capture in file access logs depend on the protocol of your volume.
+
+### Logged NFS events
+* Close
+* Create
+* Get attributes
+* Link
+* `Nverify`
+* Open
+* Open attribute
+* Remove
+* Rename
+* Set attribute 
+* Verify 
+* Write
+
+### Logged SMB events
+* Create
+* Delete
+* Get attributes
+* Hard link
+* Open object
+* Open object with the intent to delete
+* Read
+* Rename
+* Set attribute 
+* Unlink
+* Write
+
+## Register the feature
+
+The file access logs feature is currently in preview. If you're using this feature for the first time, you need to register the feature first. 
+
+1. Register the feature:
+
+    ```azurepowershell-interactive
+      Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFFileAccessLogs
+    ```
+
+1. Check the status of the registration: 
+
+    > [!NOTE]
+    > The **RegistrationState** can be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is **Registered** before continuing.
+
+    ```azurepowershell-interactive
+    Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFFileAccessLogs`
+    ```
+
+You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.
+
+## Supported regions
+
+Availability for file access log is limited to the following regions: 
+
+- Australia Central
+- Australia East
+- Australia Southeast
+- Brazil South
+- Canada Central
+- Canada East
+- Central India
+- Central US
+- East US
+- East US 2
+- Japan West
+- North Europe
+- South Central US
+- Switzerland North
+- Switzerland West
+- UK South
+- US Gov Virginia
+- West Europe
+- West US
+- West US 2
+
+## Set SACLs or Audit ACEs on files and directories  
+
+You must set SACLs for SMB shares or Audit ACEs for NFSv4.1 exports for auditing. 
+
+### [Set SACLs for SMB shares](#tab/sacls-smb)
+
+If you're logging access events on all files and directories within a volume, set SACLs by applying Storage-Level Access Guard security. 
+
+>[!NOTE]
+> Select only the events you need to log. Selecting too many log options can impact system performance. 
+
+To enable logging access on individual files and directories, complete the following steps on the  Windows administration host. 
+
+#### Steps 
+
+To enable logging access on individual files and directories, complete the following steps on the  Windows administration host. 
+
+1. Select the file or directory for which to enable logging access. 
+1. Right-click the file or directory, then select **Properties**. 
+1. Select the **Security** tab then **Advanced**.
+1. Select the **Auditing** tab. Add, edit, or remove the auditing options you want. 
+
+
+### [Set Audit ACEs for NFSv4.1 shares](#tab/sacls-nfs)
+
+For NFSv4.1, both discretionary and system ACEs are stored in the same ACL, not separate discretionary ACLs and SACLs. Exercise caution when adding audit ACEs to an existing ACL to avoid overwriting and losing an existing ACL. The order in which you add audit ACEs to an existing ACL doesn't matter. 
+
+**For steps**, see [Configure access control lists on NFSv4.1 volumes](configure-access-control-lists.md).
+
+---
+
+## Enable file access logs
+
+1. In the **Volumes** menu, select the volume you want to enable file access logs for. 
+1. Select **Diagnostic settings** from the left-hand pane.
+1. Select **+ Add diagnostic setting**.
+:::image type="content" source="./media/manage-file-access-logs/logs-diagnostic-settings-add.png" alt-text="Screenshot of Azure Diagnostic settings menu.":::
+1. <a name="diagnostic"></a> In the **Diagnostic setting** page, provide a diagnostic setting name.
+    Under **Logs > Categories**, select **ANFFileAccess** then set the retention period of the logs. 
+:::image type="content" source="./media/manage-file-access-logs/logs-diagnostic-settings-enable.png" alt-text="Screenshot of Azure Diagnostic settings menu with file access diagnostic setting.":::
+1. Select one of the destination options for the logs:
+    * Archive to a storage account
+    * Stream to an event hub
+    * Send to Log Analytics workplace
+    * Send to a partner solution
+1. Save the settings.
+
+## Disable file access logs
+
+1. In the **Volumes** menu, select the volume on which you want to disable file access logs.
+2. Select the **Diagnostic setting** menu from the left-hand pane. 
+3. In the **Diagnostic settings** page, deselect **Audit**. This automatically deselects **ANFFileAccess**.
+4. Select **Save**. 
+
+>[!NOTE]
+>After disabling file access logs, you must wait at least ten minutes before attempting to enable or re-enable file access logs on any volume.
+ 
+## Next Steps
+
+* [Security FAQs](faq-security.md) 
+* [Azure resource logs](/azure/azure-monitor/essentials/resource-logs)
+* [Understand NFSv4.x access control lists in Azure NetApp Files](nfs-access-control-lists.md)
+* [Understand SMB file permissions in Azure NetApp Files](network-attached-file-permissions-smb.md)