Celerra AV File Scanning Visibility?
I frequently receive low water mark and high water mark error messages from our datamovers.
Mar 21 07:39:22 2014 DART:VC:ERROR:2 Slot 2: 1395409154: Vnode high water mark reached.
Is there a way to observe the file scanning activity in real-time or view historical statistics?
I'd like to use this information to establish a more accurate AV exclusion file for the datamovers.
Thanks!
Environment Overview
- 4x datamovers running v7.1.71 DART, 24 CIFS filesystems, 30TB of unstructured data.
- 7x scan servers, McAfee v8.8, and VEE v4.9.3 (upgrading to CEE v6.3.1 this month)
- virus checker configuration file settings: (We're aware that EMC doesn't recommend masks=*.*, but our security team requires it)
masks=*.*
excl=*.ldb:*.mad:*.maf:*.mam:*.maq:*.mar:*.mat:*.mda:*.mdb:*.mde:*.mdn:*.mdw:*.mdz
excl=*.inp:*.orc:*.sc:*.sqc:*.sql:*.sqr
excl=*.edb:*.ost:*.pst:*.stm
excl=*.db:*.dbf:*.gdb:*.fmt:*.fmb:*.fmx:*.frm:*.ora
excl=*.bz:*.gz:*.rar:*.tgz:*.tar:*.zip:*.Z
excl=*.adl:*.gdbtable:*.gdbindexes:*.gdbtablx:*.lock:*.prj:*.sbn:*.sbx:*.shp:*.shx
excl=*.index:*.db-journal:*.log:*.nsf:*.tmp:*.vmdk:>>>>>>>>:~$*.*:*.dbx-journal
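The following is an added example, not part of the original post and not EMC tooling: a small Python check of which file names an exclusion list like the one above lets through to the scan servers, with the remaining scan load tallied per extension. The function names are hypothetical and the sample paths are constructed; the matching rules (shell-style wildcards on the base file name, case-insensitive, excl taking precedence over masks) are assumptions to verify against the Data Mover's actual behavior.

```python
import fnmatch
import os
from collections import Counter

# Lines copied verbatim from the virus checker settings quoted in the post.
CONF = """\
masks=*.*
excl=*.edb:*.ost:*.pst:*.stm
excl=*.bz:*.gz:*.rar:*.tgz:*.tar:*.zip:*.Z
excl=*.index:*.db-journal:*.log:*.nsf:*.tmp:*.vmdk:>>>>>>>>:~$*.*:*.dbx-journal
"""

# Constructed sample paths, e.g. as they might be pulled from scan logging.
SAMPLE = [r"\\fs01\proj\plan.docx", r"\\fs01\proj\~$plan.docx",
          r"\\fs01\proj\notes.docx", r"\\fs01\mail\archive.PST",
          r"\\fs01\sw\setup.exe", r"\\fs01\sw\tools.ZIP",
          r"\\fs01\app\trace.log.1"]

def parse_conf(text):
    """Collect the colon-separated patterns of every masks= and excl= line."""
    rules = {"masks": [], "excl": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in rules:
            rules[key] += [p for p in value.split(":") if p]
    return rules

def base_name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def first_match(path, patterns):
    # Assumption: shell-style wildcards on the base name, case-insensitive.
    name = base_name(path)
    return next((p for p in patterns if fnmatch.fnmatchcase(name, p.lower())), None)

def verdict(path, rules):
    """Return ('excluded', pattern), ('scanned', mask) or ('unmasked', None)."""
    excl = first_match(path, rules["excl"])  # assumption: excl beats masks
    if excl:
        return ("excluded", excl)
    mask = first_match(path, rules["masks"])
    return ("scanned", mask) if mask else ("unmasked", None)

def scan_load(paths, rules):
    """Count files that still reach the scan servers, grouped by extension."""
    return Counter(os.path.splitext(base_name(p))[1] or "(none)"
                   for p in paths if verdict(p, rules)[0] == "scanned")

if __name__ == "__main__":
    rules = parse_conf(CONF)
    for p in SAMPLE:
        print(p, *verdict(p, rules))
    print(scan_load(SAMPLE, rules).most_common())
```

Under these matching assumptions the constructed trace.log.1 is still scanned, because a rotated log name does not match the *.log exclusion.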
BillStein-Dell
Moderator
April 4th, 2014 09:00
Enable debug logging. There are two ways to do that, either from the Data Mover or from the scan engine. Ideally, you want to watch the interaction between the Data Mover and the scan engine while it is taking place. This KB article discusses the steps here in detail, and also discusses how to enable debug logging on the scan engine which I won't go into here, but to enable it on the Data Mover, enter the following:
Once debug logging is enabled, all interactions between the Data Mover and the scan engines will be logged to the server log. To watch it in real time, enter the following:
Notice that I sent the command to the background so that you can continue to work. You could also add something to stream it to a log instead of the screen, like this:
To kill the log streaming, enter:
To disable verbose logging, enter the following:
tzvb23
April 8th, 2014 06:00
Thank you for the quick reply!
I'm going to automate this on the control station.
So we get an email whenever the low water mark is exceeded so we can see which files are being scanned.
Rainer_EMC
April 8th, 2014 07:00
Just be careful that you don’t keep the system too busy with logging and flood the logs.
tzvb23
April 8th, 2014 08:00
Is there a way to have the datamovers redirect certain log facilities to a dedicated file?
It would be nice if that was configurable like syslog is on *nix systems.
The format of the viruschk debug messages is different than the default entries, which makes it difficult to parse.
Thanks.
Rainer_EMC
April 8th, 2014 13:00
Not a general way.
Anything that is considered an event is delivered to the control station and can be acted upon.
The fact that the data mover logs live on space directly accessed by the DM was a design decision so that it can use its logs even if the control station or any of its networks aren’t available.