Troubleshooting the Integration between Qumulo Core and Varonis

This section explains how to troubleshoot the integration between Qumulo Core and Varonis.

To Troubleshoot Qumulo Broker

Do one of the following:
- View Qumulo Broker operation logs in the /var/log/qumulo_audit.log file.
- View the logs for each container by using the docker logs <container-id> command.
If the logs show an issue related to audit log operations, uncomment the following line in the /etc/rsyslog/10-qumulo.conf file.
```
# action(type="omfile" file="/var/log/qumulo_audit.log")
```
To restart the rsyslog service, run the systemctl restart rsyslog command.

Get the input log that you suspect to cause an issue from the /var/log/qumulo_audit.log file.

Mar  3 14:08:51 q-varonis-1 qumulo
{
  "user_id": {
    "sid": "S-1-5-21-123456790-3456789012-1234567890-123",
    "auth_id": "500",
    "name": "admin"
  },
  "user_ip": "203.0.113.0,
  "protocol": "smb2",
  "operation": "fs_create_file",
  "status": "ok",
  "details": {
    "file_id": "1000003",
    "path": "/my-file.txt"
  }
}

Use the input log from the from the /var/log/qumulo_audit.log file to run the /opt/qumulo/QumuloBroker/events/Broker command manually.

Note
Change the timestamp definition in your input to ISO 8601 with milliseconds.

2023-03-03T14:08:51.058379Z q-varonis-1 qumulo
{
  "user_id": {
    "sid": "S-1-5-21-123456790-3456789012-1234567890-123",
    "auth_id": "500",
    "name": "admin"
  },
  "user_ip": "203.0.113.0",
  "protocol": "smb2",
  "operation": "fs_create_file",
  "status": "ok",
  "details": {
  "file_id": "1000003",
  "path": "/my-file.txt"
  }
}

For questions about any issues, contact the Qumulo Care Team.

Troubleshooting the Integration between Qumulo Core and Varonis

To Troubleshoot Qumulo Broker

Related Topics