Running DI6.1 and after looking in my monitored shares, I'm noticing that the Audit Index Update timestamps are updating for some shares and not for others. I've also noticed that recently added shares fon't have any timestamp for that column even though the last full scan/last incremental/scan index update all are green and normal.
I looked in the idxcheck file and all of the integrity's were ok.
Before calling into support, any ideas what to look at? Thanks
You have not specified the specific device you are trying to audit. Know that scanning and monitoring are separate functions and one can be successful while the other not. It is unusual that the scan user does not have the appropriate permissions to also monitor the device.
monitoring usually is performed via an API or filter driver and requires direct access. Since 'some' audits are successfully performed that tells us that monitoring is functional and the shares you are attempting to add to the environment likely have issues. Support is your best option but the logging is based on the API for example cellerad or fpolicyd logs. You can check the log for the monitoring and see if you have any identifiable errors as a starting point. Eliminate the errors and test again.
If you can specify the device and show us the monitored shares tab output I can likely direct you to the actual log and default location.
Newbie, Check that fpolicyd (7-mode) and fpolicymod (cDOT, Cmode) log for the auditing. If safeguard is enabled all auditing should be stopping when in safeguard mode and running when in normal mode. The collector should show as registered (Fpolicy show matpol - on the filer) and CIFS should be the protocol with the access events tracked.
On the filer the audit log should also show issues with connection or registration.
IN the administration manual you will see the settings for SMB, the required capabilities and the prerequisites for the shares to be scanned and monitored.
I hope that helps you to narrow done the first steps.