
February 3rd, 2011 11:00

Modifying the CIFS security log to allow larger than 64MB

I've moved the default CIFS event logs to a separate file system mounted to the same VDM (512MB file system) using the registry modification as per:

http://knowledgebase.emc.com/emcice/documentDisplay.do;jsessionid=34F7A79B9F6FF3022114FBD5CB24D3A5?docType=1006&clusterName=DefaultCluster&resultType=5002&groupId=1&page=&docProp=$solution_id&docPropValue=emc69252&passedTitle=null.

After enabling auditing I can see the new security.evt filling up nicely. Using the Computer Management MMC, I changed the log retention to "Overwrite events as needed" and tried to increase the log file from the default 65536 KB to something larger. No matter what value I use, it will always revert back to 65536 KB after I check the settings again. I verified that the log does start overwriting old events once it reaches this limit of 64MB.

I see that there is also a registry key on the CIFS server for MaxSize, which has the value 67108864 (which is about 64MB). Tried changing this but it seems to get reset back to its value as well.

Has anyone got the CIFS security event logs to become larger than this 64MB limit I'm running into? I've seen other posts about increasing the limits well above this so I'm wondering what's going on here.

Oh, and I have a second question: Can multiple CIFS servers use the same security log on a file system mounted to the physical data mover? Is this a good thing to do? I'm currently using a separate file system for each VDM (one CIFS server per VDM). I understand that it would fill very quickly, but if I could sort out the file size limitation it wouldn't be an issue. What happens in a failover situation? I suppose I would have to replicate the file system we are using to hold the security logs as well.

Environment:

NAS version 5.6.50-2

Celerra NS-G8

Using Windows Server 2003 as the CIFS clients and for configuring the CIFS

275 Posts

February 3rd, 2011 23:00

Have you checked GPOs? (I think you can use server_security to display current settings on the Data Mover.)

Claude
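A check that goes with the GPO suggestion above, added here as an example and not taken from the thread: read the effective Security event-log size and retention values straight from the CIFS server's registry and compare them with the size you intended to set. It assumes (the page does not say so) that the CIFS server exposes the standard Windows path SYSTEM\CurrentControlSet\Services\Eventlog\Security over the remote registry service and that the caller has remote-registry rights on it; 'CIFS-SERVER-NAME' is a placeholder.

```powershell
# Added example (not from the thread): report the Security event-log MaxSize
# and Retention values a CIFS server is actually running with.
# Assumptions (not stated on the page): the server exposes the standard
# Windows path SYSTEM\CurrentControlSet\Services\Eventlog\Security over the
# remote registry service, and the caller has remote-registry rights on it.
# 'CIFS-SERVER-NAME' is a placeholder.
param(
    [string]$CifsServer    = 'CIFS-SERVER-NAME',
    [int64] $IntendedBytes = 512MB
)

$defaultMax = 67108864   # 64 MB, the value the thread sees being re-applied

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $CifsServer)
$key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Eventlog\Security')
if ($null -eq $key) { throw "Eventlog\Security key not found on $CifsServer" }

# MaxSize is a REG_DWORD in bytes. Retention is 0 (overwrite as needed),
# 0xFFFFFFFF (never overwrite) or the number of seconds events must be kept.
# A DWORD of 0xFFFFFFFF comes back as Int32 -1, so mask it to an unsigned value.
$maxSize   = [int64]$key.GetValue('MaxSize')
$retention = [int64]$key.GetValue('Retention') -band 0xFFFFFFFF
$key.Close(); $hklm.Close()

$retentionText = switch ($retention) {
    0          { 'overwrite as needed' }
    4294967295 { 'do not overwrite (clear log manually)' }
    default    { "overwrite events older than $($retention / 86400) days" }
}

[pscustomobject]@{
    Server        = $CifsServer
    MaxSizeMB     = [math]::Round($maxSize / 1MB, 1)
    IntendedMB    = [math]::Round($IntendedBytes / 1MB, 1)
    Retention     = $retentionText
    AtDefault64MB = ($maxSize -eq $defaultMax)
    NeedsChange   = ($maxSize -lt $IntendedBytes)
} | Format-List
```

Run it once before and once a few minutes after changing the size in Computer Management; if MaxSizeMB has gone back to 64 and AtDefault64MB is True again, something is re-applying the value rather than the change failing, which is what a domain policy setting the maximum security log size would do. The domain-side check for that is gpresult on a client in the same OU, and server_security on the Data Mover as mentioned above.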

4 Operator • 8.6K Posts

February 4th, 2011 09:00

Are you sure you modified the registry for the VDM and not for the physical data mover?

You might be interested in an enhancement that was just done with 5.6.51:

Event log auto archive

With Windows operating system, applications can use the event logging mechanism to log their own events. Celerra currently supports the following three such event logs: security, system, and applications. The physical format of these logs uses a Microsoft format called 'evt' that has a limitation of 4 GB in size because there are some fields stored in 32-bit integers. Windows 2008 has introduced a new format 'evtx' that does not have this limitation.

The event log auto archive feature allows automatic archiving of an event log on a particular trigger and the logging to continue on a new event log without losing any events. The archive is triggered on a time and/or event log size basis defined by parameters in the Windows registry. You can specify a retention policy to keep the event log archives before they can be recycled based on the duration and/or the total archive disk size.

All parameters are stored in the Windows registry of each VDM, therefore, each VDM will have its own configuration. The parameters can be viewed and edited with tools like regedit. The Managing CIFS on Celerra technical module provides more information about this

5 Posts

February 14th, 2011 09:00

This answer was so obvious I don't know how I missed that... doh! I haven't been able to confirm this was the issue yet, but now that I think about it, I'm certain it was the GPO.

I have another question about relocating the CIFS audit logs:

After running a "server_checkup server_x" I notice that even the physical data mover is recommended to move the audit log files to a different file system. What is logged on the physical data mover vs. what is logged on the CIFS audit log? I know that the CIFS user actions will be logged at the VDM level, but what is logged at the PDM level? Is that only the CAVA actions and the NDMP backup sessions?

Secondly, is it possible or recommended to use one file system for ALL CIFS/PDM audit logging? Or is it only feasible to use one extra file system PER VDM (and have it mounted to the VDM) for storing these larger log files?

Also what happens during failover? I suppose I will need to create a replication session for these additional audit log file systems, otherwise in a DR, the event logs will be missing.

Once I've verified that the GPO issue resolved my problem, I'll mark the question answered.

4 Operator • 8.6K Posts

February 14th, 2011 10:00

The audit log on the physical data mover will contain all events for all CIFS servers that were created on the physical data mover (not on the VDMs).

So if all your CIFS servers are on VDMs it will only contain info for the global CIFS server used for AV checking (if configured)

NDMP or other services don't use the CIFS logs.

I wouldn't bother to create extra file systems – the recommendation to move the logs onto an extra file system is mostly because of space and not performance.

I would rather put them onto a data file system that also gets replicated.

Or at least one fs for all logs of that VDM – managing lots of small file systems is just a pain.

And yes, if you moved the log you have to make sure it's available after a failover as well.

What was the "simple" problem then?

5 Posts

February 14th, 2011 10:00

> The audit log on the physical data mover will contain all events for all CIFS servers that were created on the physical data mover (not on the VDMs).
>
> So if all your CIFS servers are on VDMs it will only contain info for the global CIFS server used for AV checking (if configured)
>
> NDMP or other services don't use the CIFS logs

OK, that's what I was expecting. Thanks!

> I wouldn't bother to create extra file systems – the recommendation to move the logs onto an extra file system is mostly because of space and not performance.
>
> I would rather put them onto a data file system that also gets replicated.
>
> Or at least one fs for all logs of that VDM – managing lots of small file systems is just a pain
>
> And yes if you moved the log you have to make sure it's available after a failover as well

That sounds much more sensible! I'll move the audit logs to the production file systems as they are already replicated, and then I won't have to manage an additional file system (and won't need to create another replication session).

Really appreciate the responses from this forum. Hope it helps other newbies like myself.

9 Legend • 20.4K Posts

February 14th, 2011 10:00

If you have multiple CIFS servers in one VDM, their audit logs will be combined together, but you can still filter them by CIFS server in Event Viewer.

1 Rookie • 24 Posts

July 24th, 2013 06:00

What did you mean by "make sure it's available after failover..." above? I have repointed to new larger security event logs on different file systems.

Thanks

July 27th, 2013 17:00

You would want to make sure the file system(s) that the newly redirected event log resides on are also being replicated. Therefore, as part of your switchover/failover/reverse operations, in addition to the VDM and (production) file systems, you will also include in your runbook doing the same for the file systems that contain the event logs, so that they are available for the corresponding CIFS servers that were replicated and brought online when the VDM was loaded on the peer array.

1 Rookie • 24 Posts

July 29th, 2013 07:00

Thanks so much for the response!

We've never done anything special with respect to failover for our current VDMs when we've done data mover reboots during software upgrades. I'm not sure what we would need to do. I thought the backup data mover takes on the role of the primary during a failover.

Can you explain more or point me to some documentation?

4 Operator • 8.6K Posts

July 29th, 2013 13:00

Christopher meant failover of replicated VDMs between different VNX systems, not data mover failover.
