
file changes are not visible until the next day


11 replies to this topic

#1 Thierryvdv

Thierryvdv

    Newbie

  • Members
  • 8 posts

Posted 28 September 2018 - 02:02 PM

Hi,

 

I'm monitoring 2 UNC paths.

When I add and/or change a file on that path it takes until the next day before I can see this in the Search.

If I manually click update in the monitoring plan, then after a few hours, that status changes from working to ready again, and then I can see the adds/changes until the time that I pressed the update button.

I suppose that this is not the normal behaviour?

Did I misconfigure or forget something?

 

Thanks.

 



#2 rihuka

rihuka

    Advanced Member

  • Administrators
  • 55 posts
  • Gender:Male

Posted 28 September 2018 - 02:05 PM

Hi there,

 

What version of Netwrix Auditor do you use?

 

How many files are there per UNC path?


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#3 Thierryvdv


Posted 28 September 2018 - 02:27 PM

latest version 9.6.

about 6.000.000 files for the first share and 300.000 for the second



#4 rihuka


Posted 28 September 2018 - 02:38 PM

Do you see error/warning messages in the system health event log?


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#5 Thierryvdv


Posted 28 September 2018 - 02:54 PM

Not anymore. Yesterday morning, I had the message: Could not locate the end of the event log for 'srv02'. The event log might have been overwritten.

But that was probably because I was monitoring all 4 actions (success and failed changes and read access). Changed that yesterday morning to only successful changes.

However security log itself on the fileserver still contains data from 2 days ago, so I'm not sure why I even got this message.



#6 rihuka


Posted 28 September 2018 - 03:15 PM

The event ID 1102 "The audit log was cleared." forces the full update of the snapshot, which might take a while, so it was a good idea to reduce the scope of the audit to successful changes only. Usually the security event log overwrite is caused by successful reads; the auditing of such actions generates a huge number of events.

Watch for a few days how fast the data collection goes after changing to successful changes only; I think it should be better.

Just in case, what is the maximum size of the security event log on the file server?


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#7 Thierryvdv


Posted 28 September 2018 - 03:20 PM

Max size is 4GB.

And that change to only successful changes was done 36 hours ago.

Does it always take that long when changing something?



#8 rihuka


Posted 28 September 2018 - 03:54 PM

The very first collection takes a few hours because it collects a snapshot, and so does a full update of the snapshot. The regular collection updates the snapshot based on the events and, depending on the number of changes performed since the last data collection, may take from several minutes to hours.

 

Please share the logs I will take a look if there is any problem.

 

I need the entire folder "NwFileStorageSvc", it is located here C:\ProgramData\Netwrix Auditor\Logs\DataCollectionCore\


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#9 Thierryvdv


Posted 28 September 2018 - 05:29 PM

log attached




#10 Thierryvdv


Posted 01 October 2018 - 07:18 AM

now, after the weekend, I can query changes until about three hours ago, but nothing more recent.



#11 Thierryvdv


Posted 01 October 2018 - 10:51 AM

Retried some new queries, and still not any new information available. Last entry still from 6:21 as this morning (now 12:51)



#12 rihuka


Posted 01 October 2018 - 11:06 AM

Based on the log, the security event log is overwritten twice a day. As I previously mentioned, this forces the full update of the snapshot and may take a while.


Best regards,
Kirill Kirkov
T2 Support Engineer
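
A way to measure on the file server how many hours the Security log actually retains and which event IDs fill it, added here as an example that is not part of the original thread or of Netwrix tooling. It uses the built-in `Get-WinEvent` cmdlet; the function name and the `SampleSize` parameter are hypothetical, and `srv02` is the server name quoted in post #5.

```powershell
# Added example: how far back does the Security log reach, and what fills it?
# Run with rights to read the Security log (administrator or Event Log Readers).
function Get-SecurityLogRetention {
    param(
        [string]$ComputerName = 'srv02',   # server name quoted in the thread
        [int]$SampleSize = 50000           # assumption: number of newest events to sample
    )

    # Log configuration: size limit, record count, and overwrite behaviour.
    $cfg = Get-WinEvent -ListLog Security -ComputerName $ComputerName

    # Oldest record still present in the log.
    $oldest = Get-WinEvent -LogName Security -ComputerName $ComputerName -MaxEvents 1 -Oldest

    # Newest events (returned newest first); reused for rate and breakdown.
    $sample = @(Get-WinEvent -LogName Security -ComputerName $ComputerName -MaxEvents $SampleSize)
    $newest = $sample[0]
    $sampleHours = ($newest.TimeCreated - $sample[-1].TimeCreated).TotalHours

    # Event IDs that dominate the sample show which audit setting fills the log.
    $top = $sample | Group-Object Id | Sort-Object Count -Descending |
        Select-Object -First 5 |
        ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }

    # Event ID 1102 ("The audit log was cleared."), the event named in the thread.
    $cleared = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 1102 })

    [pscustomobject]@{
        Computer       = $ComputerName
        LogMode        = $cfg.LogMode
        MaxSizeGB      = [math]::Round($cfg.MaximumSizeInBytes / 1GB, 2)
        RecordCount    = $cfg.RecordCount
        OldestEvent    = $oldest.TimeCreated
        NewestEvent    = $newest.TimeCreated
        RetentionHours = [math]::Round(($newest.TimeCreated - $oldest.TimeCreated).TotalHours, 1)
        EventsPerHour  = if ($sampleHours -gt 0) { [math]::Round($sample.Count / $sampleHours) } else { $null }
        TopEventIds    = $top -join ', '
        Event1102Count = $cleared.Count
    }
}

Get-SecurityLogRetention | Format-List
```

If `RetentionHours` is shorter than the time between two data collections, events are gone from the log before the collector reads them; `TopEventIds` shows which audited action to narrow first.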
 



