Video Screencast Help

Archived items access report individual users is always equal to 1

Created: 27 May 2013 • Updated: 05 Jun 2013 | 11 comments
This issue has been solved. See solution.

Hi,

 

When I run the "Archived items access" report in Enterprise Vault 10, the "Number of Individual Users Accessing Items" is always 1.

 

Could this be due to my setup, becuase there are many users recalling files?

 

Regards

 

Paul

Operating Systems:

Comments 11 CommentsJump to latest comment

Rob.Wilcox's picture

Is this mailbox archiving or FSA?  Have you had a run through your IIS logs for requests?

TheEmptyMind's picture

Did you enable auditing for 'View' category?  Right-click on EV server -> Properties -> Auditing -> Select "Audit entries based on the following categories" -> Select "View" (both summary and detailed).  Please make sure that DB space is accounted before you enable auditing.

Palinxy's picture

Thanks for the replies.

We are only using FSA.  Users only access files from the placeholders, i.e. They don't use the web search function.  Why not I hear you say...I'm waiting on management approval to advise this to the users! :(

I have looked at the IIS logs and when I access files via the search function on the web I see my user account details in the log, but all other activity which I assume is from the users just opening the placeholder files then I see the vault service account and the ip address of our file system with "FSA+Placeholder+Service" in the log.

Yes, I have auditing switched on for both summary and detailed for VIEW.

So does one only get this audit data when using the search function available on the web?  I do remember reading a pdf published by Symantec that stated something about when files are access via the network then EV can not identify the user...

I have just noticed a Audit Viewer in the utilities pdf, I will have a look at what this tells me.

 

Thanks.

This link below describes the report I'm using but does not mention any restrictions etc..

http://www.symantec.com/business/support/index?page=content&id=HOWTO28053

JesusWept3's picture

Does the one user happen to be the evadmin each and every time per chance?

TheEmptyMind's picture

Audit Viewer at least can tell you whether information is being audited in the auditing DB.  If it were, see the 'Category' section to see if you can filter based on it to see if it meets your requirements.

Palinxy's picture

Hi, yes the one user is the evadmin user.

I've just run the auditviewer.exe tool and I can see lots of data.  All the view and web view operations are the evadmin user account and some view operations are with my user account when I used the search function.

 

So the report in EV does not really offer much use in my environment.

Rob.Wilcox's picture

Okay, but you have what you need through auditing? I'd suggest contact Symantec Support about the report, posting an idea on the Ideas section of this forum saying that for VSA relating things like FSA that this sort of report should be beefed up....

You may also want to mark one or more of the posts as the solution.

Tremaine's picture

Unfortunately as far as auditing access via FSA placeholder retrieval requests is concerned that's unlikely to change as EV does not send over any user credentials in this scenario. The access is controlled by the Share/NTFS permissions so you would need to enable auditing on the file server in that regard to see who is accessing what.

 

Access via the search/ArchiveExplorer interfaces though is a different kettle of fish and based on your 2nd last comment I am uncertain whether its really working for you or not? I am assuming not in which case I would consider this a defect if its not configured correctly and would need to be raised through support for a fix.

SOLUTION
Palinxy's picture

Thanks for the feedback.

Yes, I have found out that using placeholders there is no individual user access tracking because Placeholder service uses the EV service account and thus logs this user.  As mentioned previously we have not yet advertised to users the ability to use search (waiting on management approval to do this...), but this is working ok.  I have noticed the report does seem to include the users that access it via a web search, number of users in the report is > 1.

So to sum it all up, the report does not include access to place holders, maybe the report should mention this..probably yes.  When I get some spare time, I may put something up as an enhancement request.

Regards Paul