shivadaimler
2 Bronze

Exporting VNX CIFS .evt files


Hi,

I am looking to export all security files in CIFS to a location or share path as a .evt file.

I tried to copy files from \\CIFSserver\c$\.etc\audit, but when I paste the file I get the error (You need permission to perform this action, you require permission from the computers administrators to make changes to this file).

I am able to connect to the CIFS server with the classic Event Viewer, and in global logs I am able to export the file, but it's manual. If I change the exported files from txt to .evt and try to open them, I get a corrupted file alert.

Questions:

1. Can I export the security.evt file to a share path?

2. Can I copy files from \\CIFSserver\c$\.etc\audit?

3. Is there a command with which I can initiate a copy of the files and save it in a mount point?


How can this be done for Unity and VNX?




Accepted Solutions
Rainer_EMC
5 Osmium

Re: Exporting VNX CIFS .evt files


Make sure that when you run regedit you have the security context of a member of the local Administrators group.

The easiest way is to first open C$ and leave it open.

The path is from the VDM / NAS server root,

so if your fs is mounted on /<fs1> and a subdir /<fs1>/logs exists, then c:\fs1\logs should work.

If it still doesn't work, please open a service request to have support investigate.

I won't have time to verify in the lab for the next two weeks.

Is your error on VNX or on Unity?

6 Replies
Rainer_EMC
5 Osmium

Re: Exporting VNX CIFS .evt files


Hi,

Same as in VNX, the currently in-use security.evt is locked and cannot be copied.

My advice is:

relocate the .evt files to a data file system (from the default .etc in the rootfs)

enable auto archiving

set up a job from a client to copy the archived .evt files periodically if necessary

The copy could be done using CIFS, NFS, ftp/scp, ...

On these archived files you can then run Event Viewer or any other command that understands the .evt format.

There should be a knowledgebase article about relocation and setting up security event log rotation,

or see the VNX CIFS manual under event log auto archive - it's the same steps using regedit on Unity as on VNX.

Rainer
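
One way to write the periodic copy job described in the reply above, as an added example that is not part of the original thread or the vendor documentation. It assumes the relocated log directory is reachable from the client as a mounted path, that archived logs are any `*.evt` file other than the in-use `security.evt`, and that they use the legacy Windows EVT header (`LfLe` signature); the file names in `demo()` are constructed.

```python
import hashlib, shutil, struct, tempfile
from pathlib import Path

ACTIVE_LOG = "security.evt"  # in-use log named in the thread: locked, never copied
EVT_SIGNATURE = b"LfLe"      # legacy EVT header: DWORD size 0x30, then this signature

def is_evt(path: Path) -> bool:
    """True if the file starts with a legacy Windows EVT header."""
    with path.open("rb") as fh:
        head = fh.read(8)
    return (len(head) == 8 and struct.unpack("<I", head[:4])[0] == 0x30
            and head[4:] == EVT_SIGNATURE)

def sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def collect_archives(src: Path, dst: Path) -> dict:
    """Copy archived .evt files from src to dst and return {file name: status}."""
    dst.mkdir(parents=True, exist_ok=True)
    report = {}
    for f in sorted(src.glob("*.evt")):
        target = dst / f.name
        if f.name.lower() == ACTIVE_LOG:
            report[f.name] = "skipped-active"
        elif not is_evt(f):                 # e.g. a text export renamed to .evt
            report[f.name] = "rejected-not-evt"
        elif target.exists():               # never overwrite an already collected log
            same = sha256(target) == sha256(f)
            report[f.name] = "already-collected" if same else "conflict-not-overwritten"
        else:
            shutil.copy2(f, target)         # keeps timestamps for later review
            ok = sha256(target) == sha256(f)
            report[f.name] = "copied" if ok else "hash-mismatch"
    return report

def demo() -> list:
    """Run the job twice over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "logs"), Path(tmp, "collected")
        src.mkdir()
        header = struct.pack("<I", 0x30) + EVT_SIGNATURE  # constructed, not a real log
        (src / "security.evt").write_bytes(header + b"live")
        (src / "archive-0001.evt").write_bytes(header + b"records")  # hypothetical name
        (src / "renamed-export.evt").write_bytes(b"Level\tDate and Time\tSource\r\n")
        return [collect_archives(src, dst), collect_archives(src, dst)]

if __name__ == "__main__":
    for run in demo():
        print(run)
```

Scheduled on the client (Task Scheduler or cron), `collect_archives` would be called with `src` set to the relocated log directory on the share and `dst` set to the collection location.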

shivadaimler
2 Bronze

Re: Exporting VNX CIFS .evt files


Hi,

Thanks, I checked the VNX CIFS guide; in the Event log Auto archive section I read the instructions and applied them. I am getting the error " Error Writing the value's new contents ". I checked the KB article for this issue, 000374610, and I have set it as per the KB article but am still getting the error.

I need some clarity on File. What is the right way to specify the path? As per the document, the file is saved either in c:\.etc\audit\security or in a file system path. How do I specify the file system path? I created a 10 GB file system with an SMB share and gave the path as c:\swoef205\Auditlogs, but it does not work. What is the correct path I have to give, and how do I fix this error?

Thanks in Advance.

Shiva.

shivadaimler
2 Bronze

Re: Exporting VNX CIFS .evt files


Hi,

After the path was specified as c:\FS\logs, I was able to give the file path; it worked and I was able to enable Autoarchiveenable. It works, and I was able to set a 1 hour archive.

The solution works, and thanks a lot.

Rainer_EMC
5 Osmium

Re: Exporting VNX CIFS .evt files


Thanks for the feedback.

Did you find out what the reason for the initial regedit error was?

shivadaimler
2 Bronze

Re: Exporting VNX CIFS .evt files


The issue was with the path; once the correct path c:\FS\logs was provided, the error didn't appear. Maybe if the path format were explained in the audit logs document, it would be good information.
