This section explains how to troubleshoot the integration between Qumulo Core and Varonis.

To Troubleshoot Qumulo Broker

  1. Do one of the following:

    • View Qumulo Broker operation logs in the /var/log/qumulo_audit.log file.

    • View the logs for each container by using the docker logs <container-id> command.

  2. If the logs show an issue related to audit log operations, uncomment the following line in the /etc/rsyslog/10-qumulo.conf file.

    # action(type="omfile" file="/var/log/qumulo_audit.log")
    
  3. To restart the rsyslog service, run the systemctl restart rsyslog command.

  4. From the /var/log/qumulo_audit.log file, get the input log entry that you suspect is causing the issue.

    Mar  3 14:08:51 q-varonis-1 qumulo
    {
      "user_id": {
        "sid": "S-1-5-21-123456790-3456789012-1234567890-123",
        "auth_id": "500",
        "name": "admin"
      },
      "user_ip": "203.0.113.0",
      "protocol": "smb2",
      "operation": "fs_create_file",
      "status": "ok",
      "details": {
        "file_id": "1000003",
        "path": "/my-file.txt"
      }
    }
    
  5. Use the input log from the /var/log/qumulo_audit.log file to run the /opt/qumulo/QumuloBroker/events/Broker command manually.

    2023-03-03T14:08:51.058379Z q-varonis-1 qumulo
    {
      "user_id": {
        "sid": "S-1-5-21-123456790-3456789012-1234567890-123",
        "auth_id": "500",
        "name": "admin"
      },
      "user_ip": "203.0.113.0",
      "protocol": "smb2",
      "operation": "fs_create_file",
      "status": "ok",
      "details": {
        "file_id": "1000003",
        "path": "/my-file.txt"
      }
    }
    
  6. For questions about any issues, contact the Qumulo Care team.
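
To narrow down the suspect entry in step 4, the following added example (not part of Qumulo's or Varonis's tooling) scans audit log lines and reports the ones whose JSON payload fails to parse or lacks a top-level field shown in the sample entry above. It assumes that each entry occupies one line, with the JSON object following the syslog header; the function names and the sample lines are constructed for illustration.

```python
import json
import sys

# Top-level fields present in the sample entry shown on this page.
REQUIRED = ("user_id", "user_ip", "protocol", "operation", "status", "details")

def check_entry(line):
    """Return the problems found in one audit log line (empty list if none)."""
    start = line.find("{")
    if start == -1:
        return ["no JSON payload after the syslog header"]
    try:
        payload = json.loads(line[start:])
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (payload offset {exc.pos})"]
    problems = [f"missing field: {name}" for name in REQUIRED if name not in payload]
    for name in ("user_id", "details"):
        if name in payload and not isinstance(payload[name], dict):
            problems.append(f"field is not an object: {name}")
    return problems

def suspect_entries(lines):
    """Return (line_number, problems) for every non-empty line with problems."""
    found = []
    for number, line in enumerate(lines, start=1):
        problems = check_entry(line) if line.strip() else []
        if problems:
            found.append((number, problems))
    return found

# Constructed sample input, built from the entry shown on this page.
HEADER = "Mar  3 14:08:51 q-varonis-1 qumulo "
GOOD = {
    "user_id": {"sid": "S-1-5-21-123456790-3456789012-1234567890-123",
                "auth_id": "500", "name": "admin"},
    "user_ip": "203.0.113.0", "protocol": "smb2",
    "operation": "fs_create_file", "status": "ok",
    "details": {"file_id": "1000003", "path": "/my-file.txt"},
}
SAMPLE = [
    HEADER + json.dumps(GOOD),          # well-formed entry
    HEADER + json.dumps(GOOD)[:60],     # payload cut off mid-string
    HEADER + json.dumps({k: v for k, v in GOOD.items() if k != "details"}),
]

if __name__ == "__main__":
    # Pass a log file path as the first argument, or run on the sample lines.
    lines = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    for number, problems in suspect_entries(lines):
        print(f"line {number}: {'; '.join(problems)}")
```

The field check reflects only the sample entry on this page, so a reported line is a candidate to replay in step 5, not a confirmed cause.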