I have CIFS Auditing enabled on a FAS3240 filer. If I connect to this filer through OnCommand System Manager and go to Configuration -> Protocol -> CIFS, it shows that the log files are at /etc/log/adtlog.evt. There is an Edit button next to it which helps me to change the location of the log files. If I click on it, I can see all the generated log files at the location: "vol/vol0/etc/log"
How can I download these log files which are at the above location? If I type \\Filer_Name\etc$ on my Windows PC, it says path not found. I have to view these log files through Event Viewer on a Windows PC and find out who deleted the files on the CIFS share. Is there any way I can save these log files (.evt) on my PC from the filer?
If the etc$ share is not accessible for you, there is something wrong with your configuration. Check that the share exists, that you are connecting with a user that has admin privileges on the filer, and that CIFS is running.
An alternative to accessing the event log is setting the option cifs.audit.liveview.enable to on and connecting the MMC directly to the filer.
CIFS is running. I am the admin. Also, check the output of the cifs audit status command:
Filer-1> cifs audit status
Message Queue: <empty>
Record Buffer Size: 65536
Pending New Record Buffer Size: (none)
Log File Descriptor: 19952
Actual Logfile Size: 81084
Maximum Logfile Size: 1048576
Pending New Maximum Logfile Size: (none)
ACTIVE BUFSIZE FO_FGR FO_NEXT LOST
1 0 16 81080 0
Is the CIFS share setup existing on the filer? If yes, CIFS shares should be running.
Please provide the output of the following command:
cifs domaininfo
From your local desk, please ping the filer. Try to access the filer from your desk with the IP address.
Yes, the CIFS share setup exists on the filer and the CIFS service is running. The output of the above commands does show the shares and their permissions, sessions and domain info. I am also able to ping the filer from my PC. However, \\Filer_Name\etc$ or \\Filer_Name\C$ is not accessible. It says no network path found.
Is there any other way to download the event logs so that I can analyse them in Event Viewer on my PC?
Also, in OnCommand System Manager, under Configuration -> Protocol -> CIFS, it shows that the service is started and CIFS Auditing: Enabled. It shows the log file at /etc/log/adtlog.evt.
How can I access this location?
Is this a C-Mode or 7-Mode system? If it's C-Mode, you cannot access the root volume via CIFS anymore. You can either use HTTP, or unlock the diag account and access the systemshell, which allows you to FTP or SCP, or, what I do, create a .tar file and download it via HTTP with a web browser.
There are a few KB articles about accessing logs from C-Mode.
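The following is an added example, not part of the thread and not NetApp's own code. It ties the original question (pull adtlog.evt off the filer and find out who deleted files on the share) to the HTTP route the last reply suggests, done from the Windows PC in PowerShell. Everything marked ASSUMPTION is not stated in the thread: the HTTP path to /etc/log (shown here as a 7-Mode-style /na_admin/logs URL), the local file path, and the event IDs used to identify delete events (563 Object Open for Delete, 564 Object Deleted, the Windows 2000/2003-style security IDs). Verify each against your own filer and log before relying on the output.

```powershell
# Added example (not from the thread). Run on the Windows PC that will analyse the log.
# Step 1: download the audit log over HTTP(S) with filer admin credentials.
$Filer    = 'Filer_Name'                                  # filer name from the question
$LogUrl   = "https://$Filer/na_admin/logs/adtlog.evt"     # ASSUMPTION: 7-Mode-style HTTP path to /etc/log; adjust for your system
$LocalLog = Join-Path $env:TEMP 'adtlog.evt'              # ASSUMPTION: local scratch path

$cred = Get-Credential -Message "Filer admin account for $Filer"
# If the filer presents a self-signed certificate, PowerShell 7 needs -SkipCertificateCheck here.
Invoke-WebRequest -Uri $LogUrl -Credential $cred -OutFile $LocalLog -ErrorAction Stop

# Step 2: read the legacy .evt with the same API Event Viewer uses.
# -Oldest is mandatory for .evt/.etl files; without it Get-WinEvent refuses the file.
$events = Get-WinEvent -Path $LocalLog -Oldest -ErrorAction Stop

# Step 3: keep only delete-related events.
# ASSUMPTION: 563 = Object Open for Delete, 564 = Object Deleted (Windows 2000/2003-style security IDs).
$DeleteIds = 563, 564
$deletes = $events | Where-Object { $DeleteIds -contains $_.Id }

# Step 4: report time, event ID, account and the event's inserted strings.
# The inserted strings carry the object path and account even when the message
# template cannot be resolved on this PC, so they are printed rather than $_.Message.
$report = foreach ($evt in $deletes) {
    $who = 'n/a'
    if ($evt.UserId) {
        try   { $who = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $evt.UserId.Value }   # SID could not be resolved from this PC
    }
    [pscustomobject]@{
        Time    = $evt.TimeCreated
        EventId = $evt.Id
        Account = $who
        Detail  = ($evt.Properties | ForEach-Object { $_.Value }) -join ' | '
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
# Keep a copy alongside the .evt so the evidence and the extract stay together.
$report | Export-Csv -Path (Join-Path $env:TEMP 'adtlog-deletes.csv') -NoTypeInformation
```

If the download step fails, save adtlog.evt from the browser as the reply describes and set $LocalLog to that file; steps 2 to 4 work unchanged. If the filter returns nothing, drop the Where-Object line once and inspect the IDs actually present in $events before assuming the delete IDs above.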