Hi,
Just a note about CIFS auditing on the Network Appliance filer:
In OnTap 6.0 and later releases, access audit events are logged into an internally-formatted file in order to provide better auditing performance. When the user issues the 'cifs audit save [-f]' command, the records are dumped, oldest record first, from the internal file into the Microsoft compatible .evt file. It is the .evt file (default is /etc/log/adtlog.evt) that can be read by the Microsoft Event Viewer application and other compatible apps.
See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/eventlog_2tbb.asp .
Information about how to interpret specific EVENTLOGRECORDs is kept in the Windows Registry. Prior to Windows 2K, the Windows Event Viewer program retrieved this information from the client machine's Registry. The Windows 2K Event Viewer uses remote procedure calls to retrieve the Registry entries from the machine on which the .evt file is located. It is for that reason that the filer's .evt files must be moved to the client before they can be viewed by a W2K Event Viewer. I bring this up because other applications that view and interpret EVENTLOGRECORD entries from the .evt file may exhibit the same behavior.
Best,
Dan
-----Original Message-----
From: Drew O'Donnell [mailto:drew@cooperneff.com]
Sent: Wednesday, November 07, 2001 9:45 AM
To: toasters@mathworks.com
Subject: RE: Cifs Auditing
I think the original question was to convert the file to CSV format. The dumpel.exe requires RPC, which the filer does not support. Robert wants to convert the EVT file to a CSV (text file), so he can scan the txt file with something like Swatch. I have been working on the same issue, but have not been successful. I tried some shareware utilities, but they all work like dumpel. This is an important question if you want to audit CIFS security. I was working on a perl script to do this, but there has got to be an easier way.
-----Original Message-----
From: Carruthers, Paul A [mailto:Paul_Carruthers@AIMFUNDS.COM]
Sent: Wednesday, November 07, 2001 11:34 AM
To: toasters@mathworks.com
Subject: RE: Cifs Auditing
I wrote a script that RSH's to the filers, dumps the event log, copies it to a central location and renames it to the date that it was dumped. Set it up as a scheduled task from an NT box and the auditing dumps are taken care of automatically - you just go to the central location to manipulate the evt files.
As it is then a .evt file you should be able to use other tools that you currently use with event logs. Don't specifically know about csv file conversion...
Cheers -- Paul.
-----Original Message-----
From: Palmer, Jason (London) [mailto:jason.palmer@wcom.com]
Sent: Wednesday, November 07, 2001 9:19 AM
To: 'Robert Lobban'; toasters@mathworks.com
Subject: RE: Cifs Auditing
A long time since I figured out how to do this...
From memory, you need to run the command 'CIFS AUDIT SAVE -f' on the filer console, that saves the logs to disk in the location '/etc/log/adtlog.evt'
Sorry it's a bit vague, but it should enable you to generate an Event Log that can be read by Event Viewer.
Regards,
Jason Palmer WorldCom EMEA
-----Original Message-----
From: Robert Lobban [mailto:r_lobban@hotmail.com]
Sent: 07 November 2001 14:02
To: toasters@mathworks.com
Subject: Cifs Auditing
I am looking for some help with Cifs auditing and hoped you may be able to help.
I have managed to setup the auditing that I require but am looking for a way of dumping the security logs into a CSV file.
Under NT we would use Dumpel from the reskit or some such util, but that will not work for the filer.
Is there any way of doing it, or can anyone offer some advice?
Many Thanks, Rob