Exporting VNX CIFS .evt files
Hi,
I am looking to export all security files in CIFS to a location or share path as a .evt file.
I tried to copy files from \\CIFSserver\c$\.etc\audit, but when I paste the file I get the error (You need permission to perform this action, you require permission from the computer's administrators to make changes to this file).
I am able to connect to the CIFS server with the classic Event Viewer, and in global logs I am able to export the file, but it's manual. If I change the exported files from txt to .evt and try to open them, I get a corrupted file alert.
Questions:
1. Can I export the security.evt file to a share path?
2. Can I copy files from \\CIFSserver\c$\.etc\audit?
3. Is there a command where I can initiate a copy of the files and save it in a mount point?
How to do it for Unity and VNX?
Rainer_EMC
May 2nd, 2018 07:00
Make sure that when you run regedit you have the security context of a member of the local Administrators group.
The easiest way is to first open C$ and leave it open.
The path is from the VDM / NAS server root,
so if your fs is mounted on / and a subdir / /logs exists, then c:\fs1\logs should work.
If it still doesn't work, please open a service request to have support investigate.
I won't have time to verify in the lab for the next two weeks.
Is your error on VNX or on Unity?
Rainer_EMC
April 30th, 2018 17:00
Hi,
Same as in VNX, the currently in use security.evt is locked and cannot be copied.
My advice is:
relocate the .evt files to a data file system (from the default .etc in the rootfs)
enable auto archiving
set up a job from a client to copy the archived .evt files periodically if necessary
the copy could be done using CIFS, NFS, ftp/scp, ...
On these archived files you can then run Event Viewer or any other command that understands the .evt format.
There should be a knowledgebase article about relocation and setting up security event log rotation,
or see the VNX CIFS manual under event log auto archive - it's the same steps using regedit on Unity as on VNX.
Rainer
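A sketch of the periodic client-side copy job from the advice above, added here as an example and not part of the original posts or of any Dell EMC tooling. It assumes the relocated log directory is mounted on the client, that archived logs end in .evt, and that they use the legacy Windows EVT header; the function names are hypothetical.

```python
import hashlib
import shutil
import struct
from pathlib import Path

ACTIVE_LOG = "security.evt"  # in-use log named in the thread; locked, so skipped
# Assumption: archives use the legacy Windows EVT layout, which starts with
# a 4-byte header size (0x30) followed by the signature "LfLe".
EVT_MAGIC = struct.pack("<I", 0x30) + b"LfLe"


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_evt(path: Path) -> bool:
    """True if the file begins with the legacy EVT header magic."""
    with path.open("rb") as f:
        return f.read(8) == EVT_MAGIC


def collect_archives(src_dir: Path, dst_dir: Path) -> dict:
    """Copy archived .evt files from src_dir to dst_dir; return name -> status."""
    dst_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for src in sorted(src_dir.glob("*.evt")):
        if src.name.lower() == ACTIVE_LOG:
            continue  # never touch the live log
        dst = dst_dir / src.name
        if not looks_like_evt(src):
            results[src.name] = "invalid-header"  # e.g. a renamed text export
            continue
        digest = sha256(src)
        if dst.exists() and sha256(dst) == digest:
            results[src.name] = "already-collected"
            continue
        tmp = dst.with_suffix(".part")
        shutil.copy2(src, tmp)  # copy2 preserves timestamps
        if sha256(tmp) != digest:
            tmp.unlink()
            results[src.name] = "copy-mismatch"
            continue
        tmp.replace(dst)
        results[src.name] = "copied:" + digest
    return results
```

Recording the returned digests alongside the copies gives a later integrity reference for the collected audit logs.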
shivadaimler
May 1st, 2018 23:00
Hi,
Thanks, I checked the VNX CIFS guide; in the Event log Auto archive section I read the instructions and applied them. I am getting the error "Error Writing the value's new contents". I checked the KB article for this issue, 000374610, and I have set it as per the KB article, but I am still getting the error.
I needed some clarity on File. What is the right way to mention the path? As per the document, it mentions the file either saves in c:\.etc\audit\security or a file system path. How to mention the file system path? I created a 10 GB file system with an SMB share and gave the path as c:\swoef205\Auditlogs, but it does not work. What is the correct path I have to give, and how to fix this error?
Thanks in Advance.
Shiva.
shivadaimler
May 4th, 2018 03:00
Hi,
After the path was mentioned as c:\FS\logs I was able to give the file path; it worked and I was able to enable Autoarchiveenable. It works, I was able to set a 1 hour archive.
The solution works, and thanks a lot.
Rainer_EMC
May 4th, 2018 06:00
Thanks for the feedback.
Did you find out what the reason for the initial regedit error was?
shivadaimler
May 6th, 2018 19:00
The issue was with the path; once the correct path c:\FS\logs was provided, the error didn't appear. Maybe if the path format were explained in the audit logs document, it would be good information.