Network and Storage Protocols

Access/download event logs from etc$

ASRARGUNA

Hello All,

I have CIFS Auditing enabled on a FAS3240 filer. If I connect to this filer through OnCommand System Manager and go to Configuration -> Protocol -> CIFS, it shows that the log files are at /etc/log/adtlog.evt. There is an edit button next to it which helps me to change the location of the log files. If I click on it, I can see all the generated log files at the location: "vol/vol0/etc/log"

How can I download these log files which are at the above location? If I type \\Filer_Name\etc$ on my Windows PC, it says path not found. I have to view these log files through Event Viewer on a Windows PC and find out who deleted the files on the CIFS share. Is there any way I can save these log files (.evt) on my PC from the filer?

Thanks- AG


ASRARGUNA

Anybody having any suggestions, please share. I am kind of stuck.

Thank You

obrakmann

If the etc$ share is not accessible for you, there is something wrong with your configuration. Check that the share exists, that you are connecting with a user that has admin privileges on the filer, and that CIFS is running.

An alternative to accessing the event log is setting the option cifs.audit.liveview.enable to on and connecting the MMC directly to the filer.

ASRARGUNA

Thanks Obrakmann,

CIFS is running. I am the admin. Also, check the output of the cifs audit status command:

Filer-1> cifs audit status
Enabled:        yes
State:          Started
Message Queue: <empty>
Record Buffer Size: 65536
Pending New Record Buffer Size: (none)
Log File Descriptor: 19952
Actual Logfile Size: 81084
Maximum Logfile Size: 1048576
Pending New Maximum Logfile Size: (none)
ACTIVE  BUFSIZE  FO_FGR  FO_NEXT  LOST
     1        0      16    81080     0
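As an added example (not code from the thread or from NetApp), the following Python parses the `cifs audit status` output quoted above and flags conditions a defender should resolve before trusting the audit trail. It assumes that the LOST column counts audit records the filer dropped and uses an 80% log-size threshold chosen here as an assumption.

```python
# Constructed sample: the cifs audit status output quoted in the thread.
SAMPLE_STATUS = """\
Enabled:        yes
State:          Started
Message Queue: <empty>
Record Buffer Size: 65536
Pending New Record Buffer Size: (none)
Log File Descriptor: 19952
Actual Logfile Size: 81084
Maximum Logfile Size: 1048576
Pending New Maximum Logfile Size: (none)
ACTIVE  BUFSIZE  FO_FGR  FO_NEXT  LOST
     1        0      16    81080     0
"""


def parse_audit_status(text):
    """Parse the key/value lines and the trailing buffer table into one dict."""
    fields = {}
    header = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if header is not None:
            # The row after the column header: pair each name with its integer value.
            fields.update(zip(header, (int(v) for v in tokens)))
            header = None
        elif tokens[0] == "ACTIVE":
            header = tokens
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_health(fields, size_warn_ratio=0.8):
    """Return findings that mean the audit log may be incomplete or about to roll."""
    findings = []
    if fields.get("Enabled") != "yes" or fields.get("State") != "Started":
        findings.append("auditing not running")
    if fields.get("LOST", 0) > 0:  # assumption: LOST = dropped audit records
        findings.append(f"{fields['LOST']} audit records lost")
    actual = int(fields.get("Actual Logfile Size", 0))
    maximum = int(fields.get("Maximum Logfile Size", 1))
    ratio = actual / maximum
    if ratio >= size_warn_ratio:
        findings.append(f"log file at {ratio:.0%} of maximum size")
    return findings
```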

venuk

You can try mapping c$ (\\filer_name\c$) and accessing the etc folder, then the logs under the folder "log".

ASRARGUNA

Hi Venuk,

Thank You for your reply.

I already tried \\Filer_Name\c$ as well, but it gives me the same error that it gives me while accessing \\Filer_Name\etc$: "Windows cannot access \\Filer_Name\c$. The network path was not found".

Any further help would be highly appreciated.

bondbhola

Hi,

Is the CIFS share setup existing on the filer? If yes, CIFS shares should be running.

Please provide the output of these commands:

cifs shares

cifs sessions

cifs domaininfo

From your local desk, please ping the filer. Try to access the filer from your desk with the IP address.

Thanks,

Bhola Gond

ASRARGUNA

Hi bondbhola,

Yes, the CIFS share setup exists on the filer and the CIFS service is running. The output of the above commands does show the shares and their permissions, sessions and domain info. I am also able to ping the filer from my PC. However, \\Filer_Name\etc$ or \\Filer_Name\C$ is not accessible. It says no network path found.

Is there any other way to download the event logs so that I can analyse them in Event Viewer on my PC?

Also, in OnCommand System Manager, under Config -> Protocol -> CIFS, it shows that the service is started and CIFS Auditing: Enabled. It shows the log file at /etc/log/adtlog.evt.

How can I access this location?

Thanks-AG

nigelslocum

Is this a C-Mode or 7-Mode system? If it's C-Mode, you cannot access the root volume via CIFS anymore. You can use either HTTP, or unlock the diag account to access the systemshell, which allows you to FTP or SCP; what I do is create a .tar file and download the file via HTTP with a web browser.

There are a few KB articles about accessing logs from C-Mode.
