2 Bronze

Can we forward cifs auditing logs to external syslog server?

I have enabled CIFS auditing using VNX MMC, however there is no option to forward those logs to syslog.

Please let me know if there is a way to forward cifs auditing logs.

Thank you!

Moderator

Hello Anusha_Hegde,

Are you using Virtual data mover? Here is the link to Configuring and Managing CIFS on VNX. https://dell.to/2Ypwbyr

Please let us know if you have any other questions.

DELL-Sam L
Dell | Social Outreach Services - Enterprise
Download the Dell Quick Resource Locator app today to access PowerEdge support content on your mobile device! (iOS, Android, Windows)

2 Bronze

Hi @DELL-Sam L 

Thank you for responding.

Yes, this test cifs server is configured on VDM.

I have configured VNX MMC to log the audit on this cifs server:

[Screenshot: Anusha_Hegde_0-1592936360520.png]
However, I'm unable to redirect these logs to an external syslog server, like we have an option to configure syslog in the Control Station for auditing Control Station logins.

Is there a way from datamover/CS to configure a syslog server to redirect these audit logs of the CIFS server?

Moderator

Hello Anusha_Hegde,

Here is a link to an older document for Configuring and Using the Audit Tool on VNX for File.

https://dell.to/2Nnx7Nx

Please let us know if you have any other questions

DELL-Sam L

2 Bronze

Hi @DELL-Sam L , I have read this document and this document is only for control station audit logs.

Example:

May 18 18:32:14 nasdev244cs0 AUDIT_Messages.pl:05/18/2010,18:32:14,EDT,ABC12345678901,1101,Succesful
Login,root(uid=0)@local,0,/var/log/messages,May 1818:32:02 nasdev244cs0 sshd(pam_unix)[16132]: session
opened for user root by root(uid=0)

 

I do not need to audit control station logins, I need to forward CIFS server audit to external syslog server. Is this feature available?

Moderator

Hello Anusha_Hegde,

That feature is not available.  The only one that is available is control station audit log.

DELL-Sam L

2 Bronze

@DELL-Sam L Thank you very much for the update.

6 Indium

Sending CIFS audit events to syslog isn't implemented.

You can store them in an .evt file and digest them through 3rd-party tools.
If you do that, I would strongly recommend moving the logs to an extra file system, enlarging them and enabling archiving.

The other option would be to utilize CEPA to send events to a RabbitMQ server.
But that isn't simple and doesn't use the Windows audit SACLs.

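The .evt route suggested in the reply above, sketched as an added example (not code from the thread or from Dell/EMC): it reads audit records from a copy of the log and renders each as an RFC 5424 syslog line for a collector. It assumes the file uses the legacy Windows event log (EVT) record layout and has not wrapped; the function names, the facility and severity mapping, and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

REC = struct.Struct("<I4sIIIIHHHHIIIIII")  # fixed 56-byte part of EVENTLOGRECORD
SEVERITY = {0x0008: 6, 0x0010: 4}          # audit success -> info, audit failure -> warning

def _wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after it)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2

def parse_evt(data):
    """Walk a non-wrapped legacy .evt image and return its records as dicts."""
    off, out = 0, []
    while off + 8 <= len(data):
        length, sig = struct.unpack_from("<I4s", data, off)
        if sig != b"LfLe" or length < 8 or off + length > len(data):
            break                           # EOF marker, truncation or corruption
        if length >= REC.size:              # a shorter block is the 48-byte file header
            rec = data[off:off + length]
            f = REC.unpack_from(rec)
            source, nxt = _wstr(rec, REC.size)
            host, _ = _wstr(rec, nxt)
            strings, p = [], f[11]          # f[11] = StringOffset
            for _ in range(f[7]):           # f[7] = NumStrings
                s, p = _wstr(rec, p)
                strings.append(s)
            out.append({"record": f[2], "time": f[3], "event_id": f[5] & 0xFFFF,
                        "type": f[6], "source": source, "host": host, "strings": strings})
        off += length
    return out

def to_syslog(r, facility=13):              # 13 = "log audit" in RFC 5424
    pri = facility * 8 + SEVERITY.get(r["type"], 5)
    ts = datetime.fromtimestamp(r["time"], timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<{pri}>1 {ts} {r["host"]} {r["source"]} - {r["event_id"]} - '
            f'record={r["record"]} {" | ".join(r["strings"])}')

def sample_evt():                           # constructed bytes, not a real VNX log
    w = lambda s: s.encode("utf-16-le") + b"\0\0"
    names, strs = w("Security") + w("CIFSSRV01"), w("jdoe") + w("\\share\\finance\\q2.xlsx")
    str_off = REC.size + len(names)
    length = (str_off + len(strs) + 4 + 3) & ~3   # record ends with a copy of Length
    rec = REC.pack(length, b"LfLe", 1, 1592936360, 1592936360, 560, 0x0008, 2, 3, 0, 0,
                   str_off, 0, str_off, 0, length - 4) + names + strs
    rec = rec.ljust(length - 4, b"\0") + struct.pack("<I", length)
    hdr = struct.pack("<I4s10I", 0x30, b"LfLe", 1, 1, 0x30, 0x30 + length, 2, 1, 0x10000, 0, 0, 0x30)
    return hdr + rec
```

Each line returned by `to_syslog(r) for r in parse_evt(data)` can be handed to whatever syslog sender the collector host already uses; tracking the last forwarded `record` number avoids resending events on the next pass.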
2 Bronze

@Rainer_EMC 
Thank you for the information. As auditing is very important in our project, I would like to try the CEPA option.
Please let me know if there is any document on how to implement this.

2 Bronze

@Rainer_EMC I got one of the documents for CEE: https://dl.dell.com/content/docu48055_Using_the_Common_Event_Enabler_on_Windows_Platforms.pdf?langua... Please let me know if there are any other useful documents.

Also, I tried to download CEE from downloads and I do not see the CEE kit, maybe because of permissions. Please provide me the link to download.

Thank you!
