CKnapp1
1 Nickel

VNX 5300 CIFS auditing

Good afternoon,

Looking for the process to enable auditing for a CIFS server off our VNX 5300. I can connect to the CIFS with the Microsoft Computer Management MMC, but am only able to see a few days' worth of security logs.

I'd like to be able to audit who modified/deleted files, etc.

Thank you

umichklewis
3 Zinc

Re: VNX 5300 CIFS auditing

Take a look at the EMC document, Configuring CIFS on VNX. In Appendix B, it talks about the various MMC snap-ins that can be added to manage VNX.  With the Datamover Security snap-in, you can enable auditing of logon/logoff events, file deletion etc.  Since the security log will suddenly become much larger, you should look at the section entitled "Change the location of the Windows security log".  It discusses the steps to create a new filesystem location for storing the event log, which is limited to 512kb by default on each datamover.  I believe the steps are the same if you're using VDMs, which should all have their own security logs, if memory serves.


Let us know if that helps!

Karl

CKnapp1
1 Nickel

Re: VNX 5300 CIFS auditing

I've actually been reading through the below document and see reference to the snap-ins. But not any actual information on where to obtain the snap-in, or how to use it.

EMC VNX Series

Release 7.1

Configuring and Managing CIFS on VNX

P/N 300-013-429 Rev 02

umichklewis
3 Zinc

Re: VNX 5300 CIFS auditing

Go to EMC Support and select "Support by Product".  On the VNX1 series page, select Downloads > Product Tools and click More. Look for "VNX File and Celerra CIFS Mgmt.zip".

This zip file includes an executable to install the MMC snap-ins.  In the Datamover Security settings, you can modify the auditing settings.

If you already have a centralized event collection system, i.e. a tool to collect security events, I would pull the security logs to that collection host and analyze them there.  Otherwise, you might want to look at a tool like Northern Park, which uses the VNX Event Enabler's CEPA function to pull Windows events into their logging environment.

Let us know if that helps!

Karl
