Thanks Eric, I wasn't aware of that registry value, so that may prove handy for other things.

However, NetApp isn't running a real version of Windows. It's running a Linux variant, which "emulates" CIFS, and as far as I know, it doesn't have a "registry" equivalent. I believe that's why it really logs to cifsaudit.alf, then does a periodic bulk-export to the .EVT file format. Not sure how they're emulating language (string) files etc., but I imagine they're just intercepting the inbound API calls, working some foo, then passing the buffer back to the caller.

Unless you know something I don't - and there is a config that works with NetApp??

Right now, I can log files from almost all our platforms, but the CIFSAudit log is a problem since it is neither a flat file, nor a true Windows system (so I can't install an agent). I can periodically pull data from the eventlog, but then that causes me problems with either a) duplicate records with many of the free/opensource tools for remotely pulling eventlog files or b) loss of data if the eventlog overwrites. This is why I prefer real-time à la syslog style.

Anyone from NetApp on this distrib? I can go through our reseller, but they're just going to forward the question, so if I can get a response direct from someone who has actually done this, I'd prefer it - and it would benefit the list.

On 8/14/06, Eric Fitzgerald <Eric.Fitzgerald@private> wrote:
> Search for "autobackuplogfiles" in the KB (www.microsoft.com/support/kb).
>
> *From:* loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] *On Behalf Of* Gord Taylor
> *Sent:* Friday, August 11, 2006 6:17 AM
> *To:* loganalysis
> *Subject:* [logs] CIFS Auditing log from NetApp
>
> I'm looking to consolidate the logs on a NetApp server. For most of the
> logs, this looks pretty simple - standard syslog stuff.
>
> But for the filesystem auditing (cifsaudit), NetApp does a periodic write
> to the adtlog.evt file from (I believe) the cifsaudit.alf file. Anyone
> know if there is a way to PUSH the cifsaudit stuff from the NetApp box
> rather than doing periodic exports of the EVT file???
>
> Thanks in advance.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Tue Aug 15 2006 - 17:32:30 PDT