Unsolved
mjzraz
Increasing Unity security log for auditing file access
Customer wants to track who deleted files.
I was able to get auditing working, but the log file rolls over every 5 minutes, so the customer can’t find out who deleted something yesterday if they check it more than 5 minutes later.
How can I increase the security log to more than 512K? I used to be able to on VNX, but can you on Unity?
Can the files be rolled over to an archive? The options don't seem to be there in the event log properties.
Also event id 538 (logon/logoff) is taking up most of the security log file. Can we not audit those events to save space?
512KB seems pretty useless to me - what were they thinking?
Rainer_EMC
March 28th, 2018 11:00
If you mean the security.evt file: that was only ever meant as a temporary buffer with the defaults, and an application digesting it should pick the events up from there frequently.
There is a KB article on how to enlarge it and relocate it to a different file system, and also on how to enable log rotation.
This works pretty much the same way as on VNX.
The other option is to use 3rd-party professional software like Varonis that can do this.
mjzraz
April 2nd, 2018 10:00
Yes, the security.evt file.
I got the KB, had to open an SR.
There are no guidelines on the max size. Is there any impact to having a large log file like 360 MB?
I was trying to extrapolate: 512KB gets me 5 minutes of log, so 360 MB gets me 12 hours in theory.
Here it is:
Knowledge Base Article: 000518095
Dell EMC Unity: How To Change the location of the Unity NAS/SMB Server Security Log file and increase the log size (User Correctable) (000518095)
Rainer_EMC
April 3rd, 2018 05:00
If you have moved it to another file system, I am not aware of any size guidelines there.
I think it's still the case that the currently used security.evt file is blocking copy.
That's why I would recommend enabling log rotation with smaller files.
Rainer_EMC
April 3rd, 2018 05:00
Which application are you using to analyze and archive these security.evt files?
mjzraz
April 6th, 2018 08:00
None - we have Splunk for our Isilon auditing, which is working great.
Varonis wanted something crazy like 3 million.
Rainer_EMC
April 6th, 2018 08:00
I just remember that looking at lots of .evt files isn't very user-friendly.
I think there also is a Splunk integration with CEPA for auditing.
mjzraz
April 6th, 2018 08:00
Oh yeah, it sucks.
Everybody and their brother is trying to get data into Splunk, and this is a small use case, but I can't really predict how much data would go to Splunk if I enabled it on Unity. We might give it a try; I would much prefer it.
flaviomcs
May 8th, 2018 11:00
How are you guys enabling auditing security? I am looking for something that allows me to see who deleted what.
Is that possible? Thank you.
Rainer_EMC
May 8th, 2018 12:00
You first need to enable CIFS auditing using a Windows client - see the knowledge base.
Then you need to configure it via a Windows client.
It's the same as on VNX, so take a look at the PDF manuals there, which are more detailed.
The other option is through CEPA and 3rd-party software like Varonis.
crklosterman
May 8th, 2018 13:00
To be more specific, I wouldn't wish using .evt files on my very worst enemy. It's at best a stop-gap while you get approval to buy something better. To get an idea of what I'm talking about, RDP into a Windows server, open the Computer Management MMC, and look at the security event logs. Now imagine a scrolling log like that for every file access event, modification or deletion. That's why products like Varonis are so successful: they can deal with the mountain of information that you'll get here, and help correlate and sort through it.
~Chris
Rainer_EMC
May 9th, 2018 02:00
I agree - Windows event files aren't user-friendly.
Sure, you can export, convert and feed them into other apps - IF you have the programming skills and time.
Otherwise spend some money on a 3rd-party product.
Sometimes there is no free lunch.
I think there was a Splunk module utilizing CEPA - but again, Splunk needs time and knowledge,
more than just asking for a step-by-step on a forum.
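As an added illustration of the "export, convert, feed into other apps" route discussed above, and of the complaint that event ID 538 fills the 512KB security.evt (this is example code written for this page, not code from the thread, from Dell EMC, or from any product named here): a small Python scanner for the classic Windows EVT record layout that measures how many bytes each event ID occupies and drops 538 before the remaining records are forwarded. It assumes the Unity security.evt uses the standard EVENTLOGRECORD format; the sample file, the host name NAS01, the user names and the insertion strings are constructed, and 564 is used as the legacy NT "Object Deleted" audit ID with made-up strings rather than its real layout.

```python
import struct
from datetime import datetime, timezone
# EVENTLOGRECORD fixed header (56 bytes, little-endian): Length, "LfLe", RecordNumber, TimeGenerated,
# TimeWritten, EventID, EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset.
REC_HDR, SIG = "<6I4H6I", b"LfLe"
def _utf16z(data, off):                        # NUL-terminated UTF-16LE string -> (text, next offset)
    end = off
    while end + 2 <= len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[off:end].decode("utf-16-le", "replace"), end + 2

def carve_records(data, drop_ids=()):
    """Return (records, bytes_per_event_id). Scanning for the LfLe signature instead of walking from
    the file header also recovers records from a truncated or partially overwritten file."""
    records, size_by_id, pos = [], {}, data.find(SIG)
    while pos >= 4:
        start = pos - 4
        hdr = struct.unpack_from(REC_HDR, data, start) if start + 56 <= len(data) else (0,)
        length, end = hdr[0], start + hdr[0]
        if length < 64 or end > len(data) or struct.unpack_from("<I", data, end - 4)[0] != length:
            pos = data.find(SIG, pos + 4)      # file header, EOF marker or slack, not a record
            continue
        pos, eid = data.find(SIG, end), hdr[5] & 0xFFFF
        size_by_id[eid] = size_by_id.get(eid, 0) + length
        if eid in drop_ids:                    # e.g. 538 logon/logoff: measure its share, do not keep it
            continue
        source, off = _utf16z(data, start + 56)
        computer, _ = _utf16z(data, off)
        strings, off = [], start + hdr[11]
        for _ in range(hdr[7]):
            s, off = _utf16z(data, off)
            strings.append(s)
        records.append({"record": hdr[2], "event_id": eid, "source": source, "computer": computer,
                        "time": datetime.fromtimestamp(hdr[3], timezone.utc).isoformat(), "strings": strings})
    return records, size_by_id

def build_record(num, ts, event_id, strings, source="Security", computer="NAS01"):
    """Constructed test record in EVENTLOGRECORD layout (sample data, not a Unity export)."""
    names = b"".join(s.encode("utf-16-le") + b"\0\0" for s in (source, computer))
    body = names + b"".join(s.encode("utf-16-le") + b"\0\0" for s in strings)
    length = 56 + len(body) + 4
    length += (-length) % 4                    # records are DWORD-aligned
    hdr = struct.pack(REC_HDR, length, 0x654C664C, num, ts, ts, event_id, 8, len(strings), 0, 0, 0, 56 + len(names), 0, 0, 0, 0)
    return (hdr + body).ljust(length - 4, b"\0") + struct.pack("<I", length)

# Constructed sample file: 48-byte header (MaxSize 512 KB), two logoffs (538), one "object deleted" (564).
SAMPLE = struct.pack("<12I", 48, 0x654C664C, 1, 1, 48, 0, 4, 1, 524288, 0, 0, 48)
SAMPLE += build_record(1, 1522234800, 538, ["alice", "CORP", "(0x0,0x3E7)", "3"])
SAMPLE += build_record(2, 1522234860, 564, ["alice", "CORP", "\\share\\q1\\budget.xlsx"])
SAMPLE += build_record(3, 1522234920, 538, ["bob", "CORP", "(0x0,0x4A1)", "3"])
```

Run `carve_records(SAMPLE, drop_ids=(538,))` to see the size share per event ID and the single deletion record that is left once logoff noise is dropped; the same call on a copy of the file with its tail cut off still returns the records that survived.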