4 replies to this topic

[williamcheang]

Customer have explained to me that on their file servers setup.

 

Firstly, AD users access file server using file share cluster name eg. \\fileserver\Drive_T

Physical file server are \\fileserver01 and \\fileserver02. When active fileserver01 is having all the active Drive eg. Drive T:\

 

If fileserver01 is shutdown, fileserver02 will be the active server and it will have  the active Drive T:\ 

 

In this situation, what is the correct way to monitor the file share ?

Q) Do we monitor only with cluster name file share \\fileserver\Drive_T ?

Q) Do we monitor based on physical file servers, fileserver01 and fileserver02 ?

Q) Monitor with different way ? Kindly advice ?

 

[rihuka]

Hello William,

 

Please find the answer below:

 

Q) In this situation, what is the correct way to monitor the file share ?

 

A) A file server failover cluster can be built in different ways, listing some of them:

1. using file server role, the target item can be specified as UNC path using network name of the file server role (e.g. \\network name of file server role\share) or like computer object (e.g. FQDN, netbios, IPv4 of of file server role)

2. without file server role, here you can specify the target item using the cluster name the same way as described in first point, like UNC path or computer object.

 

Following the above mentioned settings, Netwrix Auditor automatically checks for active cluster node and collect the data accordingly.

 

If anything does not make sense, please feel free to ask.

 

Thank you

 

Best regards,

Kirill Kirkov

T2 Support Engineer

[williamcheang]

Hi Kirill,

Thanks for the info.

Customer is using File Server role and Failover Clustering Service.

OS – Windows Server Storage 2012 R2

 

So we should be monitor by both physical hostname(FQDN) example fileserver01.xxx.local and fileserver02.xxx.local, correct ?

(Customer is having 2 file servers in their cluster env)

 

regards,

William

[rihuka]

Hello William,

 

It is assigned a mapped netbios name while configuring File Server role, this name should be used as target item in the settings of Netwrix Auditor. 

 

You won't be able to use nodes because shared folders are built using File Server role netbios name.

 

If it does not make sense, please feel free to ask.

 

Best regards,

Kirill Kirkov

T2 Support Engineer

[williamcheang]

Hi Kirill,

We are still facing issue collecting event on file share server changes from Customer Cluster File Share server.

Below is the issue reported.

 

Ticket #:00260612

Brief description:Monitor Plan created & executed successfully but no data is collected

 

 

In customer environment, they are using $ as hidden drive in the UNC path

\\egwgwgfs\T$\sharedfolder

 

Based on the documentation:-

If you specify a single computer name, Netwrix Auditor will monitor all shared folders on this computer. Netwrix Auditor does not track content changes on folders whose name ends with the $ symbol (which are either hidden or administrative/system folders). In order for the report functionality to work properly, you need to configure audit settings for each share folder on the computer separately. Otherwise, reports will contain limited data and warning messages.

 

Will Netwrix support this UNC path \\egwgwgfs\T$\sharedfolder in term of track changes ?

 

regards,

William