8 Replies Latest reply: Jul 24, 2013 3:32 PM by nigelslocum

Access/ download event logs from etc$

ASRARGUNA

Hello All,

I have CIFS auditing enabled on a FAS3240 filer. If I connect to this filer through OnCommand System Manager and go to Configuration -> Protocol -> CIFS, it shows that the log files are at /etc/log/adtlog.evt. There is an Edit button next to it which lets me change the location of the log files. If I click on it, I can see all the generated log files at the location "vol/vol0/etc/log".

How can I download these log files from the above location? If I type \\Filer_Name\etc$ on my Windows PC, it says the path was not found. I have to view these log files through Event Viewer on a Windows PC and find out who deleted the files on the CIFS share. Is there any way I can save these log files (.evt) on my PC from the filer?

Thanks- AG

  • Re: Access/ download event logs from etc$
    ASRARGUNA

    Anybody having any suggestions, please share. I am kind of stuck.

    Thank You

  • Re: Access/ download event logs from etc$
    obrakmann

    If the etc$ share is not accessible to you, there is something wrong with your configuration. Check that the share exists, that you are connecting with a user that has admin privileges on the filer, and that CIFS is running.

    An alternative to accessing the event log file is setting the option cifs.audit.liveview.enable to on and connecting the MMC directly to the filer.

    • Re: Access/ download event logs from etc$
      ASRARGUNA

      Thanks Obrakmann,

       

      CIFS is running, and I am the admin. Also check the output of the cifs audit status command:

      Filer-1> cifs audit status
      Enabled:        yes
      State:          Started
      Message Queue: <empty>
      Record Buffer Size: 65536
      Pending New Record Buffer Size: (none)
      Log File Descriptor: 19952
      Actual Logfile Size: 81084
      Maximum Logfile Size: 1048576
      Pending New Maximum Logfile Size: (none)
      ACTIVE  BUFSIZE  FO_FGR  FO_NEXT  LOST
           1        0      16    81080     0

  • Re: Access/ download event logs from etc$
    bondbhola

    Hi,

    Does a CIFS share setup exist on the filer? If yes, the CIFS shares should be running.

    Please provide the output of these commands:

    . cifs shares
    . cifs sessions
    . cifs domaininfo

    From your local desk, please ping the filer. Try to access the filer from your desk with its IP address.

    Thanks,

    Bhola Gond

    • Re: Access/ download event logs from etc$
      ASRARGUNA

      Hi bondbhola,

      Yes, a CIFS share setup exists on the filer and the CIFS service is running. The output of the commands you listed does show the shares and their permissions, the sessions and the domain info. I am also able to ping the filer from my PC. However, \\Filer_Name\etc$ or \\Filer_Name\C$ is not accessible. It says no network path was found.

      Is there any other way to download the event logs so that I can analyse them in Event Viewer on my PC?

      Also, in OnCommand System Manager, under Config -> Protocol -> CIFS, it shows that the service is started and CIFS Auditing: Enabled. It shows the log file at /etc/log/adtlog.evt.

      How can I access this location?

      Thanks-AG

      • Re: Access/ download event logs from etc$
        nigelslocum

        Is this a C-Mode or 7-Mode system? If it's C-Mode, you cannot access the root volume via CIFS anymore. You can either use HTTP, or unlock the diag account and access the systemshell, which allows you to FTP or SCP; or, what I do is create a .tar file and download it via HTTP with a web browser.

        There are a few KB articles about accessing logs from C-Mode.
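The goal stated in the original question is to find out who deleted files on the share, using the .evt file once it has been copied off the filer (via etc$, or via the tar-and-HTTP route described in the last reply). The script below is an added example, not code from this thread or from NetApp: it walks the Windows NT event log (.evt) record format directly, so the log can be examined without Event Viewer, and pairs each "Object Open" (560) record that requested DELETE with the "Object Deleted" (564) record for the same handle. The event IDs and the positions of the path, handle, user, domain and access fields inside the insertion strings are assumed to follow the classic Windows Server 2003 security-audit layout; check them against one record of your own adtlog.evt before trusting the output. The sample log is constructed inline and is not a real filer log.

```python
"""Parse a Windows NT-format .evt file and report object deletions (who deleted which
path, and when) by pairing 'Object Open' (560) records that asked for DELETE with the
'Object Deleted' (564) record for the same handle."""
import struct
from collections import namedtuple

LFLE = b"LfLe"                      # signature on the file header and on every record
HEADER_LEN = 0x30
REC_FIXED_LEN = 56                  # fixed part of an EVENTLOGRECORD
EVT_OBJECT_OPEN, EVT_OBJECT_DELETED = 560, 564   # classic Windows object-audit IDs (assumed)
# Assumed insertion-string positions (Windows Server 2003 layout); verify against your own log.
OPEN_NAME, OPEN_HANDLE, OPEN_USER, OPEN_DOMAIN, OPEN_ACCESS = 2, 3, 6, 7, 12
DEL_HANDLE = 1

# event_id holds the low 16 bits of the EventID field; time_generated is Unix epoch seconds
EvtRecord = namedtuple("EvtRecord", "number time_generated event_id source computer strings")


def _utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, offset past the NUL)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string at offset %d" % off)
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_evt(data):
    """Return the records of an .evt byte string in file order; stops at the EOF record
    (or anything else that lacks the LfLe record signature)."""
    if len(data) < HEADER_LEN or data[4:8] != LFLE:
        raise ValueError("not an NT event log: LfLe header signature missing")
    _header_len, _, _, _, start_off, _ = struct.unpack_from("<6I", data, 0)
    records, off = [], start_off
    while off + REC_FIXED_LEN <= len(data) and data[off + 4:off + 8] == LFLE:
        (length, _, number, t_gen, _, event_id, _, n_strings, _, _,
         _, str_off, _, _, _, _) = struct.unpack_from("<6IHHHH6I", data, off)
        if length < REC_FIXED_LEN or off + length > len(data):
            raise ValueError("truncated record %d at offset %d" % (number, off))
        source, pos = _utf16z(data, off + REC_FIXED_LEN)
        computer, _ = _utf16z(data, pos)
        strings, pos = [], off + str_off
        for _ in range(n_strings):
            s, pos = _utf16z(data, pos)
            strings.append(s)
        records.append(EvtRecord(number, t_gen, event_id & 0xFFFF, source, computer, strings))
        off += length
    return records


def deletions(records):
    """(time, DOMAIN\\user, path) for each 564 whose handle came from a 560 that asked for DELETE.
    A 560 with DELETE but no matching 564 (open failed, file kept) is not reported."""
    opens, found = {}, []
    for r in records:
        if r.event_id == EVT_OBJECT_OPEN and len(r.strings) > OPEN_ACCESS:
            opens[r.strings[OPEN_HANDLE]] = r
        elif r.event_id == EVT_OBJECT_DELETED and len(r.strings) > DEL_HANDLE:
            o = opens.pop(r.strings[DEL_HANDLE], None)
            if o is not None and "DELETE" in o.strings[OPEN_ACCESS].split():
                found.append((r.time_generated, o.strings[OPEN_DOMAIN] + "\\" + o.strings[OPEN_USER],
                              o.strings[OPEN_NAME]))
    return found


def build_record(number, t_gen, event_id, strings, source="Security", computer="FILER-1"):
    """Serialize one EVENTLOGRECORD; used only to construct the sample file below."""
    body = bytearray()
    for s in (source, computer):
        body += s.encode("utf-16-le") + b"\x00\x00"
    while len(body) % 4:
        body += b"\x00"                       # SID and strings start DWORD-aligned
    str_off = REC_FIXED_LEN + len(body)
    for s in strings:
        body += s.encode("utf-16-le") + b"\x00\x00"
    while len(body) % 4:
        body += b"\x00"
    length = REC_FIXED_LEN + len(body) + 4    # trailing copy of Length closes the record
    fixed = struct.pack("<6IHHHH6I", length, int.from_bytes(LFLE, "little"), number, t_gen,
                        t_gen, event_id, 8, len(strings), 0, 0, 0, str_off, 0, str_off, 0, length - 4)
    return fixed + bytes(body) + struct.pack("<I", length)


def build_sample_evt():
    """Constructed sample log (not from a real filer): two opens, one of which deletes."""
    def open_rec(n, t, handle, user, path, accesses):
        s = ["Security", "File", path, handle, "-", "4", user, "CORP", "(0x0,0x3E7)",
             "-", "-", "-", accesses, "-"]
        return build_record(n, t, EVT_OBJECT_OPEN, s)
    recs = [
        open_rec(1, 1374000000, "1024", "alice", "/vol/vol1/share/budget.xlsx", "READ_CONTROL ReadData"),
        open_rec(2, 1374000005, "1040", "bob", "/vol/vol1/share/contract.docx", "DELETE READ_CONTROL"),
        build_record(3, 1374000006, EVT_OBJECT_DELETED, ["Security", "1040", "4", "-"]),
        build_record(4, 1374000007, 562, ["Security", "1024", "4"]),    # handle closed, nothing deleted
    ]
    body = b"".join(recs)
    end_off = HEADER_LEN + len(body)
    header = struct.pack("<12I", HEADER_LEN, int.from_bytes(LFLE, "little"), 1, 1, HEADER_LEN,
                         end_off, 5, 1, 0x100000, 0, 0, HEADER_LEN)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      HEADER_LEN, end_off, 5, 1, 0x28)
    return header + body + eof


if __name__ == "__main__":
    for when, who, what in deletions(parse_evt(build_sample_evt())):
        print(when, who, "deleted", what)
```

To run it against a real file, replace build_sample_evt() with open("adtlog.evt", "rb").read(). The parser deliberately stops at the first record without the LfLe signature (the EOF record on a cleanly closed log), and raises on a truncated record rather than guessing, which matters if the file was copied while the filer was still appending to it.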
