We've just switched from a Windows file server to a 3020c and are experiencing significant issues with cifs auditing.
We have several directories that need to be monitored and we have turned on auditing via NTFS (right-click | properties | security | advanced | auditing). On the old file server we used a third-party tool (ScriptLogic) to monitor CIFS access but it only works on Windows servers.
The problem we have is if a user opens up one of the monitored folders, the filer spits out about 300 events for each file. There are three or maybe four slight differences between the 300 events (some might refer to SMBRead and others SMBReadEA, for example), but at least 50 events are completely identical to each other in every way. We've been auditing about 19,000 files (<4GB) for a week and we already have 10GB of .evt files.
We tried limiting the audits to List Folder / Read Data, Create Files / Write Data, Create Folders / Append Data, Delete, Change Permissions and Take Ownership, and we applied only to files. It didn't improve things from what we could see.
NetApp support told us to contact MS but that didn't get us anywhere so now we're looking for third-party alternatives. Can anyone suggest a good tool that can gather .evt files from a specified directory, weed out duplicates and store the end result in either a database or another .evt file?
We ran into a similar problem. Our Wintel teams are currently testing a product by Varonis that will provide this detail via fpolicy. I'm not sure of the pricing model myself since I just handle the NetApp integration, but it provides an enormous amount of customizable reporting.
From: JHill@jennison.com Sent by: owner-toasters@mathworks.com 06/14/2007 05:22 PM To: toasters Subject: Cifs audit logs
Can anyone suggest a good tool that can gather .evt files from a specified directory, weed out duplicates and store the end result in either a database or another .evt file?
If you don't mind using a cryptic but powerful utility, do a google search for "Log Parser" or go here: http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx
We've just switched from a Windows file server to a 3020c and are experiencing significant issues with cifs auditing.
I feel your pain. I don't have any good answers for this though.
________________________________
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Jon Hill Sent: Thursday, June 14, 2007 3:22 PM To: toasters Subject: Cifs audit logs
[snip]
You nailed it - cryptic but powerful. I couldn't figure out how to get it to split the Message field by CrLf, so I had to hack it a little bit, using the colon as my delimiter and cutting out the subsequent field name. Should be okay so long as no paths have the word Handle ID in them.
For those who are interested, here's the syntax I used from a command prompt. With a little effort this can be turned into a DHTML page (see the Samples directory after you've installed LogParser).
logparser "select distinct eventid, TO_STRING(TimeGenerated, 'dddd, MMMM d, yyyy') AS LongTimeStamp, TO_STRING(TimeGenerated, 'M/d hh:mm:ss') AS ShortTimeStamp, extract_token(message,4, ':') as Drive, extract_prefix(extract_token(message,5, ':'), 0, ' Handle ID') as path, extract_prefix(extract_token(message,12, ':'), 0, ' Client User Name') as user, extract_prefix(extract_token(message,13, ':'), 0, ' Client Domain') as domain, extract_prefix(extract_token(message,15, ':'), 0, ' Accesses') as LogonID, extract_prefix(extract_token(message,16, ':'), 0, 'Privileges') as Accesses from *.evt" -i:EVT -o:csv -resolveSIDs > output.csv
Thanks. This may do it for us.
________________________________
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Warkentin, Grant Sent: Friday, June 15, 2007 11:41 AM To: Jon Hill; toasters Subject: RE: Cifs audit logs
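As an added example (not from the thread, and not the Log Parser query above), the same field extraction and duplicate collapsing done in Python: the Message field is split on CrLf and then each line on its first colon, which is the split the query above approximates with colon tokens and avoids the "Handle ID in a path" fragility. The message layout is a constructed sample in the shape of a Windows 2003 "Object Open" (event 560) record; the filer's real message text may differ and must be checked against actual .evt output.

```python
from collections import Counter

# Constructed sample in the shape of a Windows 2003 "Object Open" (event 560)
# message. The filer's own message layout may differ; verify field names
# against real .evt output before relying on this parser.
OBJECT_OPEN = (
    "Object Open:\r\n"
    "\tObject Server:\tSecurity\r\n"
    "\tObject Type:\tFile\r\n"
    "\tObject Name:\tC:\\shares\\finance\\budget.xls\r\n"
    "\tHandle ID:\t1232\r\n"
    "\tClient User Name:\tjhill\r\n"
    "\tClient Domain:\tCORP\r\n"
    "\tClient Logon ID:\t(0x0,0x1A2B3)\r\n"
    "\tAccesses:\t{accesses}\r\n"
    "\tPrivileges:\t-\r\n"
)

def parse_message(message):
    """Split the Message field on CrLf, then each line on its first colon.

    Splitting per line (instead of on every colon) keeps the drive letter's
    colon, and any ':' inside a path, from shifting the later fields."""
    fields = {}
    for line in message.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields

def event_key(event_id, time_generated, message):
    """Key used to collapse duplicates: same id, second, path, user, access."""
    f = parse_message(message)
    return (event_id, time_generated, f.get("Object Name"),
            f.get("Client Domain"), f.get("Client User Name"),
            f.get("Client Logon ID"), f.get("Accesses"))

def dedupe(events):
    """Return (unique keys in first-seen order, count per key) for a list of
    (event_id, time_generated, message) tuples."""
    counts = Counter(event_key(*e) for e in events)
    return list(counts.keys()), counts

def demo():
    # Constructed burst: one folder listing emitting 60 identical ReadData
    # events plus a few ReadEA variants at the same second, as the post describes.
    t = "2007-06-14 17:22:01"
    burst = [(560, t, OBJECT_OPEN.format(accesses="ReadData (or ListDirectory)"))] * 60
    burst += [(560, t, OBJECT_OPEN.format(accesses="ReadEA"))] * 4
    return dedupe(burst)
```

Feeding the real events in means exporting them (for example with Log Parser's -o:csv) and calling dedupe on the EventID, TimeGenerated and Message columns.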