Just a note about CIFS auditing on the Network Appliance filer:
In OnTap 6.0 and later releases, access audit events are logged into an
internally-formatted file in order to provide better auditing performance.
When the user issues the 'cifs audit save [-f]' command, the records are dumped,
oldest record first, from the internal file into the Microsoft compatible .evt
file. It is the .evt file (default is /etc/log/adtlog.evt) that can be
read by the Microsoft Event Viewer application and other compatible
Information about how to interpret specific
EVENTLOGRECORDs is kept in the Windows Registry. Prior to Windows 2K, the
Windows Event Viewer program retrieved this information from the client
machine's Registry. The Windows 2K Event Viewer uses remote procedure
calls to retrieve the Registry entries from the machine on which the .evt file
is located. It is for that reason that the filer's .evt files must be
moved to the client before they can be viewed by a W2K Event Viewer. I
bring this up because other applications that view and interpret EVENTLOGRECORD
entries from the .evt file may exhibit the same behavior.
I think the original question was to convert the file to CSV
format. The dumpel.exe requires RPC,
which the filer does not support. Robert wants to convert the EVT
file to a CSV (text file), so he can scan the txt file with something like
Swatch. I have been working on the same issue, but have not been
successful. I tried some shareware utilities, but they all work like
dumpel. This is an important question if you want to audit CIFS
security. I was working on a perl script to do this, but there has got
to be an easier way.
I wrote a script that RSHs to the filers,
dumps the event log, copies it to a central location and renames it to the
date that it was dumped. Set it up as a scheduled task from an NT box and the
auditing dumps are taken care of automatically - you just go to the central
location to manipulate the evt files.
it is then a .evt file you should be able to use other tools that you
currently use with event logs. Don't specifically know about csv file
Cheers -- Paul.
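The collection routine Paul describes (trigger the filer-side dump, copy the .evt to a central location, name the copy after the date), written out as an added example; this is not Paul's script or NetApp code. It assumes the filer's /etc volume is already mounted read-only on the collector at the path passed in, that rsh to the filer is set up (the command used is overridable via RSH_CMD), and the filer name is a placeholder.

```shell
#!/bin/sh
# Added illustration of the audit-log collection routine from the thread.
# Assumptions (not from the thread): the filer's /etc volume is mounted at
# the directory given as the second argument, rsh to the filer is configured,
# and filer names are placeholders.
set -eu

ARCHIVE_DIR="${ARCHIVE_DIR:-/var/audit/filers}"   # central location
RSH_CMD="${RSH_CMD:-rsh}"                          # how we reach the filer
EVT_PATH="etc/log/adtlog.evt"                      # default .evt name on the filer

# Build the archive file name: <ARCHIVE_DIR>/<filer>-<YYYYMMDD>.evt
archive_name() {
    filer="$1"; day="$2"
    printf '%s/%s-%s.evt\n' "$ARCHIVE_DIR" "$filer" "$day"
}

# Flush the filer's internal audit records into the .evt file
# ('cifs audit save -f', as quoted in the thread), then copy it off.
# Refuses to overwrite an archive that already exists for that day, so an
# accidental second run cannot clobber evidence already collected.
dump_audit_log() {
    filer="$1"; mount="$2"; day="${3:-$(date +%Y%m%d)}"
    dest="$(archive_name "$filer" "$day")"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing archive $dest" >&2
        return 1
    fi
    "$RSH_CMD" "$filer" cifs audit save -f
    mkdir -p "$ARCHIVE_DIR"
    cp "$mount/$EVT_PATH" "$dest"
    chmod 0440 "$dest"          # archived logs should not be writable
    echo "$dest"
}

# Example usage with placeholder names (filer1 mounted at /mnt/filer1):
# dump_audit_log filer1 /mnt/filer1
```

Scheduling it from cron or an NT scheduled task, as Paul does, gives one dated .evt per filer per run in ARCHIVE_DIR.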
A long time since I figured out how to do
From memory, you need to run the command 'CIFS AUDIT SAVE -f' on
the filer console, that saves the logs to disk in the location
Sorry it's a bit vague, but should enable you to generate a
Event Log, that can be read by Event Viewer.
Jason Palmer
WorldCom EMEA
I am looking for some help with CIFS auditing and hoped you may be
able to help.
I have managed to setup the auditing that I require but am looking
for a way of dumping the security logs into a CSV file.
Under NT we would use Dumpel from the reskit or some such util,
but that will not work for the filer.
Is there any way of doing it, or can anyone offer some advice?
Many Thanks,