Solved

File Activity Anomaly

  • 1 February 2021
  • 25 replies
  • 816 views

Badge +3

Hi All

i got alert from File Activity Anomaly that large amount of file were deleted and modified

is there any way to view which files are deleted\modified?

 

tnx

icon

Best answer by Sri Karthik 1 February 2021, 17:16

View original

25 replies

Userlevel 6
Badge +13

Hi Avior,

 

You can download and run the report on Command Center / WebConsole: Viewing the File Activity Anomaly Report on the Command Center (commvault.com) to get this info.

 

Kind Regards,

Michael

Badge +3

Hi Michael

i downloaded and ran this report

but it only shows the Server\Client  Name, and the number of files that were “ infected”

my question is if there is a way to actually see which files\folder were “infected”

Userlevel 1
Badge +3

Hi,

We have the data present in the log file “CVIOMonitor.log” on the client machine. We are working on a report for the same in future release.

 

Thanks,

Karthik

Badge +3

Tnx Karthik

can u pls ahre what means each number and their order… “ 0,0,0,9 “ i guess its  - created, deleted, renamed, modified ? yes?

Badge

Hi Avior,

Yes, That is correct.  Below are the fields in log file.

Time, Path, Creates, Deletes, Renames, Modifications

Userlevel 3
Badge +7

Hi,

 

I would like to add that we also have a KB article that steps through how to read this and correlate the detection timestamps to specific files/directories.

 

https://ma.commvault.com/Article/Details/49297

Userlevel 5
Badge +10

Hi,

We have the data present in the log file “CVIOMonitor.log” on the client machine. We are working on a report for the same in future release.

 

Thanks,

Karthik

Hi @Sri Karthik, do you know if the report will cover laptop clients which only have File System Core loaded, as currently the Commvault Log Monitoring policies will only pull the logs from clients that have a full agent like the non-Core “File System” Agent? 

Userlevel 5
Badge +13

This is a bit out of the topic, but a remark regarding that alert. 

When windows servers are beeing windows-updated and server is rebooted right after, this alert is almost always generated. 

In my case, we have weekly patch sessions, and I receive those alerts each week after the sessions are complete. I almost ignore them, which is bad, because a real relevant alarm would be drowned into the hundreds of other ‘normal’ notifications of this kind.. 

Userlevel 1
Badge +3

@Anthony.Hodges Yes. The report will cover laptop clients as well

@Laurent We will check this internally and make necessary adjustments to the algorithm

Userlevel 5
Badge +11

This is a bit out of the topic, but a remark regarding that alert. 

When windows servers are beeing windows-updated and server is rebooted right after, this alert is almost always generated. 

In my case, we have weekly patch sessions, and I receive those alerts each week after the sessions are complete. I almost ignore them, which is bad, because a real relevant alarm would be drowned into the hundreds of other ‘normal’ notifications of this kind.. 

 

If its weekly, at some point it should not be anomalous.  We will look into it.

Userlevel 3
Badge +10

I was just about to ask the question,so thanks for the answers,

 

I downloaded the report and ran it, a few systems that have the “issue”.
I didn’t look more closely on them, but I did click the “clear” button on one of them. I assume it just removes that system from the list.

But I did get a mail “subjected: File Activity Anomaly Cleared” that confuses me. The mail body is “Data aging activity on client xyz-files1 is enabled by user xxx\zzzz. File activity anomaly is also cleared for this client.“

I didn’t do anything with the data againg part on the client, as far as I know it’s been enabled already. Is that just a bad wording in the mail itself?

 

I checked one other client where this happened and that still have the data aging enabled.

@Sri Karthik@MFasulo 

BR

Henke

 

Userlevel 5
Badge +11

This is a bit out of the topic, but a remark regarding that alert. 

When windows servers are beeing windows-updated and server is rebooted right after, this alert is almost always generated. 

In my case, we have weekly patch sessions, and I receive those alerts each week after the sessions are complete. I almost ignore them, which is bad, because a real relevant alarm would be drowned into the hundreds of other ‘normal’ notifications of this kind.. 

 

If its weekly, at some point it should not be anomalous.  We will look into it.

Follow up.   We will adjust the algo when it pertains to the windows directory, for this scenario.

 

I was just about to ask the question,so thanks for the answers,

 

I downloaded the report and ran it, a few systems that have the “issue”.
I didn’t look more closely on them, but I did click the “clear” button on one of them. I assume it just removes that system from the list.

But I did get a mail “subjected: File Activity Anomaly Cleared” that confuses me. The mail body is “Data aging activity on client xyz-files1 is enabled by user xxx\zzzz. File activity anomaly is also cleared for this client.“

I didn’t do anything with the data againg part on the client, as far as I know it’s been enabled already. Is that just a bad wording in the mail itself?

 

I checked one other client where this happened and that still have the data aging enabled.

@Sri Karthik@MFasulo 

BR

Henke

 

Henke, thanks for the ping.  I’ve been buried over the past couple of weeks, but Friday mornings are always good for a quick forum break!   

The reason this happens is because if you need to recover, we want to ensure we arent pruning jobs off that may have data that you need to recover from.   You can see on this page we describe the clearing of the action from the alert.  I’ll bring Cunningham into this convo to provide more details

https://documentation.commvault.com/11.22/essential/38587_data_views_for_file_activity_anomaly_report.html

Userlevel 3
Badge +10

Thanks, I woulden’t mind an update. We never really used the feature.

//Henke

Userlevel 5
Badge +11

Thanks, I woulden’t mind an update. We never really used the feature.

//Henke

Sure thing.  Cunningham is off today, so sometime monday or tuesday, he will provide additional details.  

Userlevel 6
Badge +12

Hi,

We have the data present in the log file “CVIOMonitor.log” on the client machine. We are working on a report for the same in future release.

 

Thanks,

Karthik

@Sri Karthik why again a separate report???? can't you blend it into the file activity monitor that is introduced in FR23?

Userlevel 3
Badge +10

One more thing, since I never really paid this any attention, would you recommend me to do the “clean” process and start from scratch on all clients?

//Henke

 

Userlevel 1
Badge +3

@Onno van den Berg Yes. I was talking about the FR23 dashboard. You can see the folder listing where changes have happened in the dashboard now.

Userlevel 3
Badge +10

@MFasulo bump :-)

And do you have a recommendation on my last question?

Thanks

//Henke

Userlevel 5
Badge +11

One more thing, since I never really paid this any attention, would you recommend me to do the “clean” process and start from scratch on all clients?

//Henke

 

Elaborate on this, I want to ensure I answer this correctly.   DC will be responding today.

 

Userlevel 4
Badge +6

@Henke When we originally built the feature we would disable data aging automatically when an anomaly was detected, and when the anomaly was cleared it would re-enable data aging.  We removed this as default behavior, but I believe the email response wasn't updated.  I think we fixed this already in a later release.  Nontheless the new dashboard in 1123+ is what we will be using moving forward which wont exhibit this behavior.

Userlevel 3
Badge +10

One more thing, since I never really paid this any attention, would you recommend me to do the “clean” process and start from scratch on all clients?

//Henke

 

Elaborate on this, I want to ensure I answer this correctly.   DC will be responding today.

 

We enabled the feature or if it is on by default I don’t remember.

But we get alerts for File Anomaly and have since it was turned on. Now when I look on the report I see multiple clients in the list, ranging from recent to a few years old. Since they are old, would you recommend to just clear them? As far as I know we havent had any issues on the clients that was reported on.

For us to start fresh now that we know what it is.

 

//Henke

 

Badge +1

I have a question, does the CVIOMonitor.log only get created when there is an anomaly?

Userlevel 7
Badge +23

@Sri Karthik , do you know when the log file is created?  Upon an anomaly being detected, or once the alert is created/enabled?

Userlevel 1
Badge +3

@Mike Struening Yes. The log is generated when we see an anomaly

Userlevel 7
Badge +23

Thanks for confirming!!

Reply