I have CIFS Auditing enabled on a FAS3240 filer. If I connect to this filer through OnCommand System Manager and go to configuration -> protocol -> CIFS, it shows that the log files are at /etc/log/adtlog.evt. There is an edit button next to it which lets me change the location of the log files. If I click on it, I can see all the generated log files at the location: "vol/vol0/etc/log"
How can I download these log files which are at the above location? If I type \\Filer_Name\etc$ on my Windows PC, it says path not found. I have to view these log files through Event Viewer on a Windows PC and find out who deleted the files on the CIFS share. Is there any way I can save these log files (.evt) on my PC from the filer?
If the etc$ share is not accessible for you, there is something wrong with your configuration. Check that the share exists, that you are connecting with a user that has admin privileges on the filer, and that CIFS is running.
An alternative to accessing the event log is setting the option cifs.audit.liveview.enable to on and connecting the MMC directly to the filer.
Yes, the CIFS share setup exists on the filer and the CIFS service is running. The output of the below commands does show the shares and their permissions, sessions and domain info. I am also able to ping the filer from my PC. However, \\Filer_Name\etc$ or \\Filer_Name\C$ is not accessible. It says no network path found?
Is there any other way to download the event logs so that I can analyse them in Event Viewer on my PC?
Also, in OnCommand System Manager, under config -> protocol -> CIFS, it shows that the service is started and CIFS Auditing: Enabled. It shows the log file at /etc/log/adtlog.evt
Is this a C-Mode or 7-Mode system? If it's C-Mode, you cannot access the root volume via CIFS anymore. You can either use HTTP or unlock the diag account to access the systemshell, which allows you to FTP or SCP, or, what I do is create a .tar file and download the file via HTTP with a web browser.
There are a few KB articles about accessing logs from C-Mode.