Solved: Re: Unable to view Security Log on filer from Windows 2003 or 2008 server

SMAMMSMAMM · ‎2012-04-04

I work in an environment where NetApp filers are heavily utilized for employee home drives and public shares. We've recently been notified that an automated task is intermittently failing because of "authentication problems" on a shared folder on a public drive housed on a filer. It's too early to tell whether there's any validity to the "credential" problem, but I configured auditing on the share for the task and credentials in question.

Here's the problem: When connecting to the filer from Computer Management on a Windows 2003 or 2008 server, I cannot view the security log. I get the following error:

"Unable to complete the operation on "Security". The remote procedure call failed."

Every other function works within this session, as only viewing the log fails. For example, I can view local users and groups, and can also browse Shared Folders (shares, sessions, open files).

Anyone come across this before? I've viewed security logs on a NetApp filer via Computer Management on a Windows Server before, not sure why it now fails for all users from all Windows servers. Does access to this log have to be enabled with the filer settings?

columbus_admin · ‎2012-04-05

Yes we are, you can't just click on Application or Security though, you need to right click, open log, then select it from the save location, default of \\filername\c$\etc\log\adtlog.evt. Then you will be able to view it from a Windows system. A little more convoluted, but no extra tools or transfer needed.

One thing to keep in mind is to watch how quickly those logs grow. Previously we set up a reserved space so as not to fill the root vol on the filer.

- Scott

View solution in original post

columbus_admin · ‎2012-04-04

I would assume that the filer is not configured.

Run "options cifs.audit" to see if anything is set.

This link has the info on proper setup: https://kb.netapp.com/support/index?page=content&id=1011243

There is one bug that used to exist...if the log fills up, the auditing will need to be stopped and restarted. It used to appear on when it was not actually gathering any information.

- Scott

Message was edited by: Scott Chubb

SMAMMSMAMM · ‎2012-04-04

Thanks for the reply. I've been reading up on CIFS Auditing and it seems that most references to it are in regards to capturing and then exporting a log, as opposed to being able to view it in real time via a Windows Server Computer Management console. Just wanted to make sure we are talking about the same thing before I ask our NetApp admin to enable auditing.

columbus_admin · ‎2012-04-05

Yes we are, you can't just click on Application or Security though, you need to right click, open log, then select it from the save location, default of \\filername\c$\etc\log\adtlog.evt. Then you will be able to view it from a Windows system. A little more convoluted, but no extra tools or transfer needed.

One thing to keep in mind is to watch how quickly those logs grow. Previously we set up a reserved space so as not to fill the root vol on the filer.

- Scott

SMAMMSMAMM · ‎2012-04-19

Resolved, thanks for the assist.