Which Computer/IP deleted 25% of Data on closed network

[Niktronics]

Build FreeNAS-11.0-U3 (c5dcf4416), Dataset is wide open allowing computers in closed network, to erase/delete/move file/folders inside the dataset.

Lost 25% of data in a dataset at a know time. Yes running snap shots and recover. Would like to find the Computer/IP address that connect to the Nas and deleted the files. Think there might be a LOG of this event, where do I look??

Please Help, Which IP deleted the data?

 

[bigphil]

With default settings, I don't think there is a log of file operations. For an SMB share, you'd first need to enable one or all of the vfs "audit" objects. See the documentation on the available vfs objects for details.

 

[Ericloewe]

Yeah, this is the sort of thing you have to preemptively log.

 

[JoshDW19]

Bump! Op asked me to see if there are any more answers out there.

 

[JoshDW19]

One of the devs had this to say:

"We need more details... Was it done locally? via smb? nfs? etc. Locally? check auth log for ssh connections, zpool history, etc. Oh btw, it's probably a good idea to not keep things wide open like that ;-)"