Moving the security log for a Virtual Data Mover

Some time ago I was asked to start auditing a file share hosted within a Virtual Data Mover in an EMC VNX 5700. This article is not about how to configure auditing, but about a specific step that is recommended if you need to audit a share. As you might already know, enabling auditing on a Windows share generates a lot of records in the Security Event Log, and the same happens on the VNX. It is recommended not to audit everything, but to perform an analysis in order to determine what is strictly necessary to audit; even once you have defined that, it will still generate tons of log entries, sometimes more than one for a single operation (for example, deleting a file requires opening the file, which generates one event, and then deleting it, which generates another entry in the log). That is why it is a good idea to move the security log outside of the root of the Data Mover or VDM. There are procedures documented by EMC on how to do it for a DM, but none for a VDM; in fact, the information on the EMC site turned out to be so ambiguous that it is not clear whether this is supported on a VDM. The answer is yes, it can be done, and the steps are pretty similar to what needs to be done for a DM.

These are the steps you need to accomplish in order to be able to move the security log outside of the root of the VDM:

  1. Create a new file system. It does not need to be large, a couple of GB is enough, since it will only store the security log.
  2. Mount the newly created file system in the VDM where you want to move the security log, under the following path: /winnt
  3. Publish the file system as a CIFS share named winnt$ (this is only for administration purposes).
  4. Get into the share (\\cifsServer\winnt$) and create the folder structure system32\config, so that from the C$ share the path would be \\cifsServer\C$\winnt\system32\config
  5. Open Regedit on your computer, go to “File” and then “Connect to network registry”.
  6. Enter the name of your CIFS Server and connect to it.
  7. Browse down to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security
  8. Within that key you will find a value named File; edit it and change its current value to: C:\winnt\system32\config\security.evt

And that’s all! Some notes that might be useful:

  • To make the change effective, you might have to delete all the events from the Security Event Log; after doing so, the next event to be written will create the event log in the new location and start writing logs to it.
  • When Regedit connects to the VDM it is not actually editing a remote registry; it is more like the VDM exposing an API that allows some configuration parameters to be set using Regedit. If you enter a value incorrectly, for example by omitting security.evt at the end when editing the File value, it will throw an error and won’t let you continue. If you are used to Windows you might expect that “as long as the data entered matches the data type of the value it will let you continue, and later the application will fail”; that is not the case here.
  • Remember this is on a per-VDM basis, so if you have more than one CIFS server running in the same VDM, all of them will record their security logs in the new security log file. I strongly recommend keeping a one-to-one relationship between Virtual Data Movers and CIFS servers.
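The same steps 4 to 8, scripted from a Windows administration workstation, as an added example that is not part of the original post. It assumes steps 1 to 3 (file system created, mounted at /winnt in the VDM and exported as winnt$) have already been done on the Control Station, that `cifsServer` is a placeholder for your CIFS server name, and that the VDM accepts a remote registry connection from .NET's `OpenRemoteBaseKey` in the same way it accepts Regedit's “Connect to network registry” (that last point is an assumption; the post only demonstrates Regedit). The read-back at the end is there because, as the notes explain, the VDM validates the value rather than blindly storing it.

```powershell
# Added example, not from the original post.
# Placeholder: replace with the name of the CIFS server hosted in the VDM.
$CifsServer = 'cifsServer'
$NewLogPath = 'C:\winnt\system32\config\security.evt'

# Step 4: create winnt\system32\config through the administrative winnt$ share.
$ConfigDir = "\\$CifsServer\winnt$\system32\config"
if (-not (Test-Path -LiteralPath $ConfigDir)) {
    New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
}

# The same folder must be reachable through C$\winnt; if it is not, the file
# system is not mounted under the VDM root and the log would end up nowhere.
$ViaRoot = "\\$CifsServer\C$\winnt\system32\config"
if (-not (Test-Path -LiteralPath $ViaRoot)) {
    throw "'$ViaRoot' not found: check that the file system is mounted at /winnt in the VDM"
}

# Steps 5-8: connect to the VDM's registry interface and rewrite the File value.
# Assumption: OpenRemoteBaseKey uses the same remote-registry interface as Regedit.
$KeyPath = 'System\CurrentControlSet\Services\Eventlog\Security'
$Hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $CifsServer)
$Key = $null
try {
    $Key = $Hklm.OpenSubKey($KeyPath, $true)   # $true = open writable
    if (-not $Key) { throw "HKLM\$KeyPath not found on $CifsServer" }

    $OldValue = $Key.GetValue('File')
    $Kind     = $Key.GetValueKind('File')      # keep whatever type the VDM uses
    Write-Host "Current security log file: $OldValue"

    # The VDM rejects a value that does not end in security.evt, so a typo
    # surfaces here as an exception instead of as a silently broken log.
    $Key.SetValue('File', $NewLogPath, $Kind)
    $Key.Flush()

    # Read the value back to confirm the VDM accepted it.
    $Actual = $Key.GetValue('File')
    if ($Actual -ne $NewLogPath) {
        throw "Value was not applied; VDM still reports '$Actual'"
    }
    Write-Host "Security log relocated to $Actual"
}
finally {
    if ($Key)  { $Key.Close() }
    $Hklm.Close()
}

# As the notes above say, the new file is only created once the Security log is
# cleared. Archive the existing log first, then clear it and check the new file:
#   Clear-EventLog -ComputerName $CifsServer -LogName Security
#   Test-Path -LiteralPath "\\$CifsServer\winnt$\system32\config\security.evt"
```

Keep the clearing step commented out until the existing Security log has been archived: clearing it discards every audit record written so far, and on a VDM with several CIFS servers that is the shared log of all of them.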

Hope you find it useful!!
Hernán J. Larrea
