Solved

File Activity Anomaly



Hi All

I got an alert from File Activity Anomaly that a large amount of files were deleted and modified.

Is there any way to view which files are deleted\modified?

 

tnx

Best answer by Sri Karthik

Hi,

We have the data present in the log file “CVIOMonitor.log” on the client machine. We are working on a report for the same in future release.

 

Thanks,

Karthik


29 replies

MichaelCapon
Vaulter

Hi Avior,

 

You can download and run the report on Command Center / WebConsole: Viewing the File Activity Anomaly Report on the Command Center (commvault.com) to get this info.

 

Kind Regards,

Michael


  • Author
  • Byte
  • 13 replies
  • February 1, 2021

Hi Michael

I downloaded and ran this report,

but it only shows the Server\Client name and the number of files that were “infected”.

My question is whether there is a way to actually see which files\folders were “infected”.


  • Vaulter
  • 11 replies
  • Answer
  • February 1, 2021

Hi,

We have the data present in the log file “CVIOMonitor.log” on the client machine. We are working on a report for the same in future release.

 

Thanks,

Karthik


  • Author
  • Byte
  • 13 replies
  • February 2, 2021

Thanks Karthik

Can you please share what each number means and their order… “0,0,0,9”. I guess it’s created, deleted, renamed, modified? Yes?


  • Vaulter
  • 1 reply
  • February 2, 2021

Hi Avior,

Yes, That is correct.  Below are the fields in log file.

Time, Path, Creates, Deletes, Renames, Modifications
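
A sketch of tallying per-path activity from lines carrying the six fields listed above, added here as an example; it is not Commvault's code and not part of the original post. The exact line layout of CVIOMonitor.log is not shown in this thread, so the comma-separated format, the sample lines and the `exclude_prefixes` parameter are assumptions.

```python
from collections import defaultdict

# Constructed sample lines, not real CVIOMonitor.log output. Assumed layout:
# Time,Path,Creates,Deletes,Renames,Modifications
SAMPLE = """\
2021-02-01 10:15:02,D:\\Shares\\Finance,0,0,0,9
2021-02-01 10:15:07,D:\\Shares\\Finance,0,412,3,1250
2021-02-01 10:15:09,D:\\Shares\\HR, Payroll,2,0,0,1
2021-02-01 10:16:30,C:\\Windows\\SoftwareDistribution,40,38,0,75
not a record line
"""
FIELDS = ("creates", "deletes", "renames", "modifications")


def parse_line(line):
    """Return (time, path, counts) or None if the line is not a record."""
    # The counters are the last four fields; split from the right so a
    # comma inside the path does not shift them.
    parts = line.strip().rsplit(",", 4)
    if len(parts) != 5 or "," not in parts[0]:
        return None
    time, path = parts[0].split(",", 1)
    try:
        counts = dict(zip(FIELDS, (int(p) for p in parts[1:])))
    except ValueError:
        return None
    return time.strip(), path.strip(), counts


def summarize(text, exclude_prefixes=()):
    """Sum counters per path, skipping paths under exclude_prefixes."""
    skip = tuple(p.lower() for p in exclude_prefixes)
    totals = defaultdict(lambda: dict.fromkeys(FIELDS, 0))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1].lower().startswith(skip):
            continue
        for name in FIELDS:
            totals[rec[1]][name] += rec[2][name]
    # Paths with the most deletes + modifications come first.
    return sorted(totals.items(), reverse=True,
                  key=lambda kv: kv[1]["deletes"] + kv[1]["modifications"])


if __name__ == "__main__":
    for path, c in summarize(SAMPLE, exclude_prefixes=("C:\\Windows",)):
        print(path, c)
```

Excluding a prefix such as the Windows directory only hides those rows from the summary for triage after patching; the underlying log lines are untouched.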


Sean Crifasi
Vaulter

Hi,

 

I would like to add that we also have a KB article that steps through how to read this and correlate the detection timestamps to specific files/directories.

 

https://ma.commvault.com/Article/Details/49297


Anthony.Hodges
Commvault Certified Expert
  • Commvault Certified Expert
  • 88 replies
  • February 3, 2021
Sri Karthik wrote:

Hi,

We have the data present in the log file “CVIOMonitor.log” on the client machine. We are working on a report for the same in future release.

 

Thanks,

Karthik

Hi @Sri Karthik, do you know if the report will cover laptop clients which only have File System Core loaded, as currently the Commvault Log Monitoring policies will only pull the logs from clients that have a full agent like the non-Core “File System” Agent? 


  • Byte
  • 382 replies
  • February 3, 2021

This is a bit out of the topic, but a remark regarding that alert. 

When Windows servers are being Windows-updated and the server is rebooted right after, this alert is almost always generated. 

In my case, we have weekly patch sessions, and I receive those alerts each week after the sessions are complete. I almost ignore them, which is bad, because a real relevant alarm would be drowned into the hundreds of other ‘normal’ notifications of this kind.. 


  • Vaulter
  • 11 replies
  • February 3, 2021

@Anthony.Hodges Yes. The report will cover laptop clients as well

@Laurent We will check this internally and make necessary adjustments to the algorithm


MFasulo
Vaulter
  • Vaulter
  • 175 replies
  • February 3, 2021
Laurent wrote:

This is a bit out of the topic, but a remark regarding that alert. 

When Windows servers are being Windows-updated and the server is rebooted right after, this alert is almost always generated. 

In my case, we have weekly patch sessions, and I receive those alerts each week after the sessions are complete. I almost ignore them, which is bad, because a real relevant alarm would be drowned into the hundreds of other ‘normal’ notifications of this kind.. 

 

If it’s weekly, at some point it should not be anomalous.  We will look into it.


Henke
Byte
  • Byte
  • 124 replies
  • March 19, 2021

I was just about to ask the question, so thanks for the answers.

 

I downloaded the report and ran it, a few systems that have the “issue”.
I didn’t look more closely on them, but I did click the “clear” button on one of them. I assume it just removes that system from the list.

But I did get a mail “subjected: File Activity Anomaly Cleared” that confuses me. The mail body is “Data aging activity on client xyz-files1 is enabled by user xxx\zzzz. File activity anomaly is also cleared for this client.“

I didn’t do anything with the data aging part on the client, as far as I know it’s been enabled already. Is that just a bad wording in the mail itself?

 

I checked one other client where this happened and that still has the data aging enabled.

@Sri Karthik@MFasulo 

BR

Henke

 


MFasulo
Vaulter
  • Vaulter
  • 175 replies
  • March 19, 2021
MFasulo wrote:
Laurent wrote:

This is a bit out of the topic, but a remark regarding that alert. 

When Windows servers are being Windows-updated and the server is rebooted right after, this alert is almost always generated. 

In my case, we have weekly patch sessions, and I receive those alerts each week after the sessions are complete. I almost ignore them, which is bad, because a real relevant alarm would be drowned into the hundreds of other ‘normal’ notifications of this kind.. 

 

If it’s weekly, at some point it should not be anomalous.  We will look into it.

Follow up.   We will adjust the algo when it pertains to the windows directory, for this scenario.

 

Henke wrote:

I was just about to ask the question, so thanks for the answers.

 

I downloaded the report and ran it, a few systems that have the “issue”.
I didn’t look more closely on them, but I did click the “clear” button on one of them. I assume it just removes that system from the list.

But I did get a mail “subjected: File Activity Anomaly Cleared” that confuses me. The mail body is “Data aging activity on client xyz-files1 is enabled by user xxx\zzzz. File activity anomaly is also cleared for this client.“

I didn’t do anything with the data aging part on the client, as far as I know it’s been enabled already. Is that just a bad wording in the mail itself?

 

I checked one other client where this happened and that still has the data aging enabled.

@Sri Karthik@MFasulo 

BR

Henke

 

Henke, thanks for the ping.  I’ve been buried over the past couple of weeks, but Friday mornings are always good for a quick forum break!   

The reason this happens is because if you need to recover, we want to ensure we aren’t pruning jobs off that may have data that you need to recover from.   You can see on this page we describe the clearing of the action from the alert.  I’ll bring Cunningham into this convo to provide more details.

https://documentation.commvault.com/11.22/essential/38587_data_views_for_file_activity_anomaly_report.html


Henke
Byte
  • Byte
  • 124 replies
  • March 19, 2021

Thanks, I wouldn’t mind an update. We never really used the feature.

//Henke


MFasulo
Vaulter
  • Vaulter
  • 175 replies
  • March 19, 2021
Henke wrote:

Thanks, I wouldn’t mind an update. We never really used the feature.

//Henke

Sure thing.  Cunningham is off today, so sometime monday or tuesday, he will provide additional details.  


Onno van den Berg
Commvault Certified Expert
Sri Karthik wrote:

Hi,

We have the data present in the log file “CVIOMonitor.log” on the client machine. We are working on a report for the same in future release.

 

Thanks,

Karthik

@Sri Karthik why again a separate report???? can't you blend it into the file activity monitor that is introduced in FR23?


Henke
Byte
  • Byte
  • 124 replies
  • March 19, 2021

One more thing, since I never really paid this any attention, would you recommend me to do the “clean” process and start from scratch on all clients?

//Henke

 


  • Vaulter
  • 11 replies
  • March 19, 2021

@Onno van den Berg Yes. I was talking about the FR23 dashboard. You can see the folder listing where changes have happened in the dashboard now.


Henke
Byte
  • Byte
  • 124 replies
  • March 26, 2021

@MFasulo bump :-)

And do you have a recommendation on my last question?

Thanks

//Henke


MFasulo
Vaulter
  • Vaulter
  • 175 replies
  • March 26, 2021
Henke wrote:

One more thing, since I never really paid this any attention, would you recommend me to do the “clean” process and start from scratch on all clients?

//Henke

 

Elaborate on this, I want to ensure I answer this correctly.   DC will be responding today.

 


  • Vaulter
  • 53 replies
  • March 26, 2021

@Henke When we originally built the feature we would disable data aging automatically when an anomaly was detected, and when the anomaly was cleared it would re-enable data aging.  We removed this as default behavior, but I believe the email response wasn't updated.  I think we fixed this already in a later release.  Nonetheless, the new dashboard in 1123+ is what we will be using moving forward, which won't exhibit this behavior.


Henke
Byte
  • Byte
  • 124 replies
  • March 26, 2021
MFasulo wrote:
Henke wrote:

One more thing, since I never really paid this any attention, would you recommend me to do the “clean” process and start from scratch on all clients?

//Henke

 

Elaborate on this, I want to ensure I answer this correctly.   DC will be responding today.

 

We enabled the feature or if it is on by default I don’t remember.

But we get alerts for File Anomaly and have since it was turned on. Now when I look at the report I see multiple clients in the list, ranging from recent to a few years old. Since they are old, would you recommend to just clear them? As far as I know we haven’t had any issues on the clients that were reported on.

For us to start fresh now that we know what it is.

 

//Henke

 


  • Bit
  • 5 replies
  • August 25, 2021

I have a question, does the CVIOMonitor.log only get created when there is an anomaly?


Mike Struening
Vaulter

@Sri Karthik , do you know when the log file is created?  Upon an anomaly being detected, or once the alert is created/enabled?


  • Vaulter
  • 11 replies
  • August 25, 2021

@Mike Struening Yes. The log is generated when we see an anomaly


Mike Struening
Vaulter

Thanks for confirming!!

