Author Topic: "How to" use Forensic  (Read 1984 times)

Offline vletroye

  • Hero Member
  • *****
  • Posts: 714
  • Karma: +7/-0
"How to" use Forensic
« on: October 11, 2014, 05:50:09 am »
I thought forensic was enabled on my configuration, but I am not sure anymore...
I did install the plugin (a long time ago) and did set Statistics Raid = true in my RAID options.




I know that data are only available after a failed "Verify".
But are they also available after a "Verify and Sync"?

I had a failed "Verify and Sync" this morning (started on Fri Oct 10 23:04 as you can see on the screenshot).
However, I see no data within the Forensic ?!



I really would like to investigate why I had out-of-sync blocks (with increased salt, no Defrag, ...).

Quote
Verify Sync RAID [Storage] started at Fri Oct 10 23:04:09 GMT+200 2014
Name: Verify Sync RAID [Storage]
Start Date: Fri Oct 10 23:04:09 GMT+200 2014
End Date: Sat Oct 11 12:13:10 GMT+200 2014
Duration: 13:09:01
Throughput: 483.569MB/s
Total Size: 21.832TB
19 4KB blocks successfully updated
First byte updated at 3199155200
Last byte updated at 3240269824
Verify Sync RAID [Storage] ended at Sat Oct 11 12:13:10 GMT+200 2014

Offline Brahim

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 8,547
  • Karma: +204/-16
Re: "How to" use Forensic
« Reply #1 on: October 11, 2014, 09:05:34 am »
Indeed, the data is available after a failed Verify+/Sync.
When there is no file being listed as it is in your case, it simply means that no file was affected.

Offline vletroye

Re: "How to" use Forensic
« Reply #2 on: October 12, 2014, 05:49:24 am »
I guess that this happens when I have deleted (or moved ??) a file and that blocks at equivalent address on the PPU were not all recomputed correctly ?



Offline Brahim

    • View Profile
Re: "How to" use Forensic
« Reply #3 on: October 12, 2014, 07:36:55 am »
Quote
I guess that this happens when I have deleted (or moved ??) a file and that blocks at equivalent address on the PPU were not all recomputed correctly ?

...
It is not about deleted or moved files. Remember that only the MFT is updated in those cases and not the actual data blocks.
There is no telling what caused the sync issue. The most common cause is hardware hiccups.

Offline vletroye

Re: "How to" use Forensic
« Reply #4 on: October 12, 2014, 08:16:02 am »
And indeed, I still have hardware issues from time to time with my controllers   :-\
And I am not the only one : https://social.technet.microsoft.com/Forums/windowsserver/en-US/e11ba3c3-a383-4c99-9702-0c7de692a19f/the-io-operation-at-logical-block-address-for-disk-was-retried?forum=winserverfiles

I have warnings like : The IO operation at logical block address # for Disk # was retried
They are not "visibly" fatal... but under the hood, it's possibly/probably the cause of my "Out-Of-Sync" blocks  :'(

V.

Offline vletroye

Re: "How to" use Forensic
« Reply #5 on: October 13, 2014, 11:49:21 am »
I ran another "Verify and Sync" early this "morning" and it ended with

Quote
Verify Sync RAID [Storage] started at Mon Oct 13 00:35:54 GMT+200 2014
Name: Verify Sync RAID [Storage]
Start Date: Mon Oct 13 00:35:54 GMT+200 2014
End Date: Mon Oct 13 13:24:12 GMT+200 2014
Duration: 12:48:18
Throughput: 496.608MB/s
Total Size: 21.832TB
1454 4KB blocks successfully updated
First byte updated at 3144771584
Last byte updated at 1642478724096
Verify Sync RAID [Storage] ended at Mon Oct 13 13:24:12 GMT+200 2014

And I still have no "Raw Data" presented by the Forensic plugin ?!
It's quite amazing that no files are impacted within such a range and 1454 x 4KB
Especially as my Storage is quite full...


I was expecting really many hardware errors reported in the Event Logs but I didn't find any "relevant" since the last "Verify".
It's probably due to the 2 BSOD I had yesterday  ::)

I am just wondering... As information for Forensic, do you log all the blocks that are out-of-sync ?
If you log them in real-time, can one implement a plugin to monitor and display them in Real-Time too ?

V.

Offline Brahim

    • View Profile
Re: "How to" use Forensic
« Reply #6 on: October 13, 2014, 01:53:21 pm »
You won't get any file impacted if those blocks have been re-allocated. Are you checking your disk SMART?

If you are doubting the plugin and want to see that the plugin works as expected, you can play with the API (through JavaScript).

1. Call: public ActionStatus<List<String>> getDiskVolumesByDiskID(String sessionUUID, Long hostId, int diskId, boolean skipCache);
Here the diskId is the Windows disk index for the tRAID disk (look at the Windows Disk Manager). Set skipCache to false.

2. Call: public ActionStatus<FileByByteRangeInfo> getFilesByByteRange(String sessionUUID, Long hostId, GetFilesByByteRangeCMD cmd);
In GetFilesByByteRangeCMD set the path to the volume name and set the StartEndRange to something you are sure a file resides on.
The method getFilesByByteRange simply gets you a list of files that reside on a given disk byte range.
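
The two calls described in the reply above, driven by the byte range that a "Verify Sync RAID" report prints. This is an added example, not part of the original post and not the product's own code. Assumptions: the `api` wrapper object and its plain return values, the `startEndRange` field layout with `start`/`end`, and all helper names are hypothetical; only the two method names, their parameter order, and the report lines come from the thread.

```javascript
// Report lines copied from Reply #5 of this thread.
const SAMPLE_REPORT = [
  '1454 4KB blocks successfully updated',
  'First byte updated at 3144771584',
  'Last byte updated at 1642478724096',
].join('\n');

// Pull the block count and byte range out of a "Verify Sync RAID" report.
function parseVerifySyncReport(text) {
  const blocks = /^(\d+) (\d+)KB blocks successfully updated\r?$/m.exec(text);
  const first = /^First byte updated at (\d+)\r?$/m.exec(text);
  const last = /^Last byte updated at (\d+)\r?$/m.exec(text);
  if (!blocks || !first || !last) return null; // no updated-range lines present
  const r = {
    blocksUpdated: Number(blocks[1]),
    blockSize: Number(blocks[2]) * 1024,
    firstByte: Number(first[1]),
    lastByte: Number(last[1]),
  };
  // Offsets on a multi-TB array must still fit a JS integer exactly.
  if (!Object.values(r).every(Number.isSafeInteger) || r.lastByte < r.firstByte) {
    throw new RangeError('implausible byte range in report');
  }
  r.updatedBytes = r.blocksUpdated * r.blockSize; // bytes actually rewritten
  r.spanBytes = r.lastByte - r.firstByte;         // distance first..last update
  return r;
}

// Argument for getFilesByByteRange; the field layout is an assumption.
function buildByteRangeCmd(report, volumePath) {
  return { path: volumePath, startEndRange: { start: report.firstByte, end: report.lastByte } };
}

// Step 1 then step 2 from the reply, for every volume on the disk.
async function filesInUpdatedRange(api, sessionUUID, hostId, diskId, reportText) {
  const report = parseVerifySyncReport(reportText);
  if (!report) return [];
  // skipCache = false, as the reply instructs.
  const volumes = await api.getDiskVolumesByDiskID(sessionUUID, hostId, diskId, false);
  const hits = [];
  for (const volume of volumes) {
    const cmd = buildByteRangeCmd(report, volume);
    hits.push({ volume, files: await api.getFilesByByteRange(sessionUUID, hostId, cmd) });
  }
  return hits;
}
```

For the Reply #5 report, `updatedBytes` is 5955584 while `spanBytes` is 1639333952512, so the updated blocks are spread thinly across the range rather than filling it.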

Offline vletroye

Re: "How to" use Forensic
« Reply #7 on: October 13, 2014, 02:10:26 pm »
Thx! I will have a look asap on those API...

I have enabled "SMART monitoring", yes.. for all drives in my Array.
I "skip if standby" and Frequency is 4 Hours.

Also, I found "Information" entries in the event logs from my NVRAIDSERVICE reporting about "Disk(s) were polled for SMART status." and all are about "SMART status for disk WDC WD1500AHFD-00RAR5 returned OK." But this disk is not in the Array ! And therefore not monitored by tRAID.

V.