How to exclude replicated data from onaccess AVscan
206 views
Skip to first unread message
Gumar K
Sep 16, 2014, 4:11:26 PM9/16/14
to isilon-u...@googlegroups.com
How to exclude replicated data from onaccess AVscan ? It looks like the AVscan process is also sending files sent by remote host for av-scanning. Is there a way to exclude scans for replicated data ?
The OnAccess AVscan (scan on close) is configured on two Isilon cluster to scan the production SMB data it hosts and the clusters replicates to each other (syncIQ) for DR. The OnAccess "Directories to be scanned:" is set for /ifs/clusterA production data folder on ClusterA and "/ifs/clusterB" folder on ClusterB. So theoretically it should scan on close for files stored in the production data folder only as per the settins ?
Example:
ClusterA ClusterB
/ifs/clusterA ---> syncs to ----> /ifs/clusterA
/ifs/clusterB <--- syncs to <---- /ifs/clusterB
The ClusterA nodes were running high CPU and the "top" shows high CPU utilization by "isi_avscan_d" process. Did a "tail -f /var/log/isi_avscan_d.log" on the avscan logs and it shows "Scan request timeout exceeded and dropped for" messages for files sent by SyncIQ process from remote cluster.
ClusterA# tail -3 /var/log/isi_avscan_d.log
2014-09-16T15:06:05-04:00 <3.6> ClusterA(id15) isi_avscan_d[97156]: [0x803f28690] Scan request timeout exceeded and dropped for 1:0ca4:60bd::HEAD, policy id: SCAN_ON_CLOSE, report id: SCAN_ON_CLOSE.
2014-09-16T15:06:05-04:00 <3.6> ClusterA(id15) isi_avscan_d[97156]: [0x803f28690] Scan request timeout exceeded and dropped for 1:1605:4bd1::HEAD, policy id: SCAN_ON_CLOSE, report id: SCAN_ON_CLOSE.
2014-09-16T15:06:05-04:00 <3.6> ClusterA(id15) isi_avscan_d[97156]: [0x803f28690] Scan request timeout exceeded and dropped for 1:0d7b:30d2::HEAD, policy id: SCAN_ON_CLOSE, report id: SCAN_ON_CLOSE.
ClusterA#
ClusterA#
ClusterA# isi get -L 1:0d7b:30d2
A valid path for LIN 0x10d7b30d2 is /ifs/clusterB/UsersCHN02/hollasc/LIASION/Mailboxes_Clean_Data/Mailboxes/2034830221/Drafts/041003131253.doc
ClusterA# isi get -L 1:1605:4bd1
A valid path for LIN 0x116054bd1 is /ifs/clusterB/DepartmentDataCHE01/PSNH-ED-CO/Deptdata/Transmission/Transmission Project Management/Transmission Projects/T1290A 3135 Line Fiber Repair/Test Report/313539.S13
ClusterA# isi get -L 1:0ca4:60bd
A valid path for LIN 0x10ca460bd is /ifs/clusterB/UsersCHN03/tajmac/Asset Management/SQLLIB/thnsetup/de_DE/db2thinr.dll
ClusterA#
So the above commands shows the ClusterA is sending files sent by remote array to store it in replicated folder /ifs/clusterB to AVscan servers for processing and since the scan load is more it is timing out. There is no scheduled policy based scans currently running on the clusters. How to exclude avscan of files sent by remote cluster ? any idea guys?
thanks.The OnAccess AVscan (scan on close) is configured on two Isilon cluster to scan the production SMB data it hosts and the clusters replicates to each other (syncIQ) for DR. The OnAccess "Directories to be scanned:" is set for /ifs/clusterA production data folder on ClusterA and "/ifs/clusterB" folder on ClusterB. So theoretically it should scan on close for files stored in the production data folder only as per the settins ?
Example:
ClusterA ClusterB
/ifs/clusterA ---> syncs to ----> /ifs/clusterA
/ifs/clusterB <--- syncs to <---- /ifs/clusterB
The ClusterA nodes were running high CPU and the "top" shows high CPU utilization by "isi_avscan_d" process. Did a "tail -f /var/log/isi_avscan_d.log" on the avscan logs and it shows "Scan request timeout exceeded and dropped for" messages for files sent by SyncIQ process from remote cluster.
ClusterA# tail -3 /var/log/isi_avscan_d.log
2014-09-16T15:06:05-04:00 <3.6> ClusterA(id15) isi_avscan_d[97156]: [0x803f28690] Scan request timeout exceeded and dropped for 1:0ca4:60bd::HEAD, policy id: SCAN_ON_CLOSE, report id: SCAN_ON_CLOSE.
2014-09-16T15:06:05-04:00 <3.6> ClusterA(id15) isi_avscan_d[97156]: [0x803f28690] Scan request timeout exceeded and dropped for 1:1605:4bd1::HEAD, policy id: SCAN_ON_CLOSE, report id: SCAN_ON_CLOSE.
2014-09-16T15:06:05-04:00 <3.6> ClusterA(id15) isi_avscan_d[97156]: [0x803f28690] Scan request timeout exceeded and dropped for 1:0d7b:30d2::HEAD, policy id: SCAN_ON_CLOSE, report id: SCAN_ON_CLOSE.
ClusterA#
ClusterA#
ClusterA# isi get -L 1:0d7b:30d2
A valid path for LIN 0x10d7b30d2 is /ifs/clusterB/UsersCHN02/hollasc/LIASION/Mailboxes_Clean_Data/Mailboxes/2034830221/Drafts/041003131253.doc
ClusterA# isi get -L 1:1605:4bd1
A valid path for LIN 0x116054bd1 is /ifs/clusterB/DepartmentDataCHE01/PSNH-ED-CO/Deptdata/Transmission/Transmission Project Management/Transmission Projects/T1290A 3135 Line Fiber Repair/Test Report/313539.S13
ClusterA# isi get -L 1:0ca4:60bd
A valid path for LIN 0x10ca460bd is /ifs/clusterB/UsersCHN03/tajmac/Asset Management/SQLLIB/thnsetup/de_DE/db2thinr.dll
ClusterA#
So the above commands shows the ClusterA is sending files sent by remote array to store it in replicated folder /ifs/clusterB to AVscan servers for processing and since the scan load is more it is timing out. There is no scheduled policy based scans currently running on the clusters. How to exclude avscan of files sent by remote cluster ? any idea guys?
Alexandra Harker
Jun 18, 2015, 1:14:16 PM6/18/15
to isilon-u...@googlegroups.com
I know this is stale, but I'm curious as to your cluster configuration. Every time we tried on-access scans it crippled out cluster, even with an 1:1 on ICAP servers to nodes.
Daniel Chee
Oct 19, 2015, 5:44:00 PM10/19/15
to Isilon Technical User Group
Other than not putting the path in a scan path, there is no option to exclude.
Daniel Chee
Oct 19, 2015, 5:45:04 PM10/19/15
to Isilon Technical User Group
If you have Oplocks enabled, it does not play well with Scan On Open. This is improved in a newer OneFS revision 7.2.1.1.
Reply all
Reply to author
Forward
0 new messages