Unsolved
8 Posts
Can we forward CIFS auditing logs to an external syslog server?
I have enabled CIFS auditing using VNX MMC; however, there is no option to forward those logs to syslog.
Please let me know if there is a way to forward CIFS auditing logs.
Thank you!
DELL-Sam L
Moderator
7.1K Posts
0
June 22nd, 2020 12:00
Hello Anusha_Hegde,
Are you using a Virtual Data Mover? Here is the link to Configuring and Managing CIFS on VNX: https://dell.to/2Ypwbyr
Please let us know if you have any other questions.
Anusha_Hegde
8 Posts
0
June 23rd, 2020 11:00
Hi @DELL-Sam L
Thank you for responding.
Yes, this test CIFS server is configured on a VDM.
I have configured VNX MMC to log the audit on this CIFS server:
However, I'm unable to redirect these logs to an external syslog server, like we have an option to configure syslog in the control station for auditing Control Station logins.
Is there a way from the datamover/CS to configure a syslog server to redirect these audit logs of the CIFS server?
DELL-Sam L
Moderator
7.1K Posts
0
June 23rd, 2020 15:00
Hello Anusha_Hegde,
Here is a link to an older document for Configuring and Using the Audit Tool on VNX for File.
https://dell.to/2Nnx7Nx
Please let us know if you have any other questions.
Anusha_Hegde
8 Posts
0
June 24th, 2020 14:00
Hi @DELL-Sam L, I have read this document, and this document is only for control station audit logs.
Example:
May 18 18:32:14 nasdev244cs0 AUDIT_Messages.pl:05/18/2010,18:32:14,EDT,ABC12345678901,1101,Succesful Login,root(uid=0)@local,0,/var/log/messages,May 18 18:32:02 nasdev244cs0 sshd(pam_unix)[16132]: session opened for user root by root(uid=0)
I do not need to audit control station logins; I need to forward the CIFS server audit to an external syslog server. Is this feature available?
DELL-Sam L
Moderator
7.1K Posts
1
June 25th, 2020 15:00
Hello Anusha_Hegde,
That feature is not available. The only one that is available is control station audit log.
Anusha_Hegde
8 Posts
0
June 29th, 2020 09:00
@DELL-Sam L Thank you very much for the update.
Rainer_EMC
8.6K Posts
0
July 2nd, 2020 07:00
Sending CIFS audit events to syslog isn't implemented.
You can store them in an .evt file and digest them through 3rd party tools.
If you do that, I would strongly recommend moving the logs to an extra file system, enlarging them and enabling archiving.
Another option would be to utilize CEPA to send events to a RabbitMQ server.
But that isn't simple and doesn't use the Windows audit SACLs.
Anusha_Hegde
8 Posts
0
July 3rd, 2020 09:00
@Rainer_EMC
Thank you for the information. As auditing is very important in our project, I would like to try the CEPA option.
Please let me know if there is any document on how to implement this.
Anusha_Hegde
8 Posts
0
July 3rd, 2020 10:00
@Rainer_EMC I got one of the documents for CEE: https://dl.dell.com/content/docu48055_Using_the_Common_Event_Enabler_on_Windows_Platforms.pdf?language=en_US&source=Coveo Please let me know if there are any other useful documents.
Also, I tried to download CEE from Downloads and I do not see the CEE kit, maybe because of permissions. Please provide me the link to download it.
Thank you!
Anusha_Hegde
8 Posts
0
July 3rd, 2020 12:00
@Rainer_EMC
Current update: I downloaded the Common Event Enabler 8.7.5 for Windows - 32 and 64 bit -
and installed it on one of the Windows 2008 R2 servers, and also tested on 2012 R2.
.NET Framework 3.5 is installed; however, it fails when I start the EMC CAVA service on the system. Is there any solution?
Also, does this require enabling CAVA on the datamovers? Because we have several issues with CAVA and stopped the services on the DM.
Thank you!