11 replies to this topic

[Thierryvdv]

Hi,

 

I'm monitoring 2 UNC paths.

When I Add and/or change a file on that path it takes until the next day before I can see this in the Search.

If I manually click update in the monitoring plan, than after a few hours, that status changes from working to ready again, and then I can see the adds/changes until the time that I pressed the update button.

 

I suppose that this is not the normal behaviour?

Did I misconfigure or forgot something?

 

Thanks.

 

[Kirill K]

Hi there,

 

What version of Netwrix Auditor do you use?

 

How much files per each UNC path?

[Thierryvdv]

latest version 9.6.

about 6.000.000 files for the first share and 300.000 for the second

[Kirill K]

Do you see error/warning messages at the system health event log?

[Thierryvdv]

not anymore. Yersterday morning, I had the message: Could not locate the end of the event log for 'srv02'. The event log might have been overwritten.

But that was probably because I was monitoring all 4 actions (success and failed changes and read accessà) . Changed that yesterday morning to only successful changes.

However security log itself on the fileserver still contains data from 2 days ago, so I'm not sure why I even got this message.

[Kirill K]

The event id 1102 "The audit log was cleared." forces the full update of the snapshot which might take a while, so that was a good idea to reduce the scope of the audit to successful changes only, since usually the security event log overwrite is caused by successful reads, the auditing of such action generates a huge number of events.

 

Take a look for a few days how fast the data collection goes after changing to successful changes only, I think it should be better.

 

Just in case what is the maximum size of security event log on the file server?

[Thierryvdv]

max size is 4GB.

and that change to only successful changes has been done 36 hours ago.

Does it Always that that long when changing something?

[Kirill K]

The very first collection takes a few hours because it is collected snapshot, full update of the snapshot either, the common collection updates the snapshot based on the events and depending on a number of performed changes since the last data collection may be different from several minutes to hours.

 

Please share the logs I will take a look if there is any problem.

 

I need the entire folder "NwFileStorageSvc", it is located here C:\ProgramData\Netwrix Auditor\Logs\DataCollectionCore\

[Thierryvdv]

log attached

Attached Files

•  NwFileStorageSvc.zip   94.28KB   1 downloads

[Thierryvdv]

now, after the weekend, I can query changes until about three hours ago, but nothing more recent.

[Thierryvdv]

Retried some new queries, and stil not any new information available. Last entry still from 6:21 as this morning (now 12:51)

[Kirill K]

Based on the log security event log is overwritten twice a day, as I previously mentioned this forces the full update of the snapshot and may take a while.