I have installed audit 2.8.5 on a CentOS 7 and set up the following rule in /etc/audit/rules.d/audit.rules:

-w /data

/data is shared via Samba to a Windows Server 2016 system. If I write to /data in the CentOS7 system, I get the open syscall event in the auditd log. If I write to the same directory in the Windows Server 2016, I see the file in the /data directory in the CentOS7 system, but the event is not logged by audit. Is that the expected behavior? 

Thanks in advance.