Chat now with support
Chat mit Support

Change Auditor for NetApp 7.1.1 - User Guide

Introduction

You must define a separate NetApp auditing template for each NetApp filer to be audited by Change Auditor. The NetApp Auditing page on the Administration Tasks tab displays details about each NetApp Auditing template created and allows you to add new auditing templates.

 

NetApp Auditing page

The NetApp Auditing page displays when you select NetApp from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can launch the NetApp Auditing wizard to specify the NetApp filer to audit, the auditing scope, and the agents to receive the events. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The NetApp Auditing page contains an expandable view of all the NetApp Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.
Filer
Displays the name of the NetApp filer specified in the wizard.
Status
Indicates whether the auditing template is enabled or disabled.
Paths
This field is used for filtering data.

Click the expansion box to the left of the Filer name to expand this view and display the following details:

Path
* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.
Displays the name of the audit paths included in the NetApp Auditing template.
Status
Indicates whether auditing for the selected audit path is enabled or disabled.
Include Mask
Displays the names of the subfolders or files to be audited (or a file mask) as specified on the Inclusions tab of the wizard.
Scope
Indicates the scope of coverage specified for each audit path in the selected template:
This object only
This object and child objects only
This object and all child objects
Exclude
Displays the names and paths of subfolders and files to be excluded from auditing as specified on the Exclusions tab of the wizard.
Operations
Displays the events selected for auditing on the Events tab of the wizard. Hover your mouse over this cell to view all of the events included in the template.
Agent
Lists the Change Auditor agents assigned to monitor the selected NetApp filer.
User
Displays the name of the user account that has access to the NetApp filer. This information is only displayed when Set Credentials is used on the second page of the wizard to specify the NetApp filer credentials to be used by a Change Auditor agent.

NetApp Auditing templates

To enable NetApp filer auditing, create a NetApp Auditing template for each NetApp filer to audit. Each auditing template defines the NetApp filer to be audited, the auditing scope, and the agents that are to receive the NetApp events.

* 
NOTE: There can be only one NetApp Auditing template per NetApp filer. Therefore, if you want to audit multiple audit paths, use the same template to specify all the audit paths to be audited on the selected NetApp filer.
* 
NOTE: For NetApp 7-mode, you must enable TLS communication on the filer to allow secure communication with the Change Auditor client using the following command: options tls.enable on
To audit a file:
1
Open the NetApp Auditing wizard (Click Add or Edit on NetApp Auditing page).
2
On the first page of the wizard, enter the following information:
NetApp Filer - Select the NetApp filer from the drop-down or enter the NetBIOS name or IP address of the NetApp filer to be audited.
File and folder auditing is supported in both 7-mode (non-cluster mode) and cluster mode. Select Detect filer mode...to determine which mode you have deployed.
If you are operating in cluster mode, credentials must be set for all agents. The credentials set must be for users with ONTAPI access on the filer. Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.
Audit Path - Select File and enter a file name and path (<ShareName>\<Path>\<FileName>) to be audited or click the browse button to locate and select a file. Click Add to move the specified audit path to the selection list (middle of the page).
Events tab - Select the file events to be audited for the file selected in the selection list.
Repeat this step to add additional files to this auditing template.
* 
NOTE: Selecting the File Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing this check box will clear all of the selected events.
Click Next to proceed to the next page.
3
On the second page of the wizard, select the agents to use to connect to the NetApp filer to capture the NetApp events.To add an agent to the NetApp Auditing template, click Add, select one or more agents from the list and click OK.
4
Click Finish to close the wizard and create the template.
5
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
6
Select the agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.
To audit a folder:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
Open the NetApp Auditing wizard. (Click Add or Edit on the NetApp Auditing page.)
2
On the first page of the wizard, enter the following information:
NetApp Filer - Select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.
File and folder auditing is supported in both 7-mode (non-cluster mode) and cluster mode. Select Detect filer mode to determine which mode you have deployed.
If you are operating in cluster mode, credentials must be set for all agents. The credentials set must be for users with ONTAPI access on the filer.
Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.
Audit Path - Select Folder and enter a folder name and path (<ShareName>\<FolderName>) to be audited or click the browse button to locate and select a folder.
* 
NOTE: In order to audit changes to a share under a QTree share, you must add both the QTree share AND the share to be audited as audit paths in the NetApp Auditing template.

For example, if you want to audit file changes when users access a share called ‘folder1’, which resides under a QTree share named ‘c$’, you need to specify the following two paths:
c$\folder1
folder1
Click Add to add the specified folder to the selection list.
3
By default, the scope of coverage for the selected folder will be This object and all child objects. However, you can change the scope, by selecting a different option from the drop-down box in the scope cell of the selection list:
This object only - select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders.
In addition, when the folder entry is selected in the Selection list, the tabs across the bottom of the page are activated. The settings specified on these tabs apply to the entry selected.
4
On the Events tab, select the file and folder events to be audited.
5
On the Inclusions tab, enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:
* 
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).
* 
NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.
For example, entering * will include all subfolders and files in the selected audit path.
You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will not receive events for operations performed against any child objects under the specified subfolder.
Once you have specified the subfolders/files for inclusion, click Add to add it to the Inclusion list at the bottom of the page.
Repeat this step to add additional subfolders and files to the Inclusion list.
6
(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path that are to be excluded from auditing.
Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.
For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.
You can also enter the name and path of an individual subfolder or file to be excluded.
Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:
* 
IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will not exclude it from auditing.
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
Repeat this step to add additional subfolders and files to the Exclusion list.
7
Click Next.
8
On the second page of the wizard, select the agents to be used to monitor the NetApp filer and click Add. On the Eligible Change Auditor Agents dialog, select one or more agents from the list and click OK.
9
Click Finish to close the wizard and create the template.
10
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
11
Select the agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.
To audit a volume:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
Open the NetApp Auditing Wizard. (Click Add or Edit on NetApp Auditing page.)
2
On the first page of the wizard, enter the following information:
NetApp Filer - Select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.
File and folder auditing is supported in both 7-mode (non-cluster mode) and cluster mode. Select Detect filer mode...to determine which mode you have deployed.
If you are operating in cluster mode, credentials must be set for all agents. The credentials set must be for users with ONTAPI access on the filer.
Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.
Audit Path - Select Volume. Enter a volume name (<VolumeName>) to be audited. Volume names can be determined by logging into the NetApp server and using the command: vol status.
Click Add to add the specified volume to the selection list (middle of the page).
* 
NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field.
3
By default, the scope of coverage for the selected volume will be This object and all child objects, which cannot be changed.
Select the volume entry in the Selection list to activate the tabs across the bottom of the page. The settings specified on these tabs apply to the entry selected.
4
On the Events tab, select the file and folder events to be audited.
5
On the Inclusions tab, specify the file masks to audit.
* 
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.
Enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).
* 
NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.
For example, entering * will include all subfolders and files in the selected audit path.
You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.
Once you have specified the subfolders/files for inclusion, click Add to add it to the Inclusion list at the bottom of the page.
Repeat this step to add additional subfolders and files to the Inclusion list.
6
(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path that are to be excluded from auditing.
Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.
For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.
You can also enter the name of an individual subfolder or file to be excluded.
Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:
* 
IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will NOT exclude it from auditing.
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
Repeat this step to add additional subfolders and files to the Exclusion list.
7
Click Next.
8
On the second page of the wizard, click Add to select the agents to monitor the NetApp filer. On the Eligible Change Auditor Agents dialog, select one or more agents from the list and click OK.
9
Click Finish to close the wizard and create the template.
10
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
11
Select the Change Auditor agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.
To disable an auditing template:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

Disabling a template allows you to temporarily stop auditing the specified audit path without having to remove the auditing template or individual audit path from a template.

1
On the NetApp Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
Right-click the template to be disabled and select Disable.
The entry in the Status column for the template will change to ‘Disabled’.
2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
To disable the auditing of an audit path in a template:
1
On the NetApp Auditing page, use one of the following methods to disable an audit path in an auditing template:
Place your cursor in the Status cell for the audit path to be disabled, click the arrow control and select Disabled.
Right-click the audit path to be disabled and select Disable.
The entry in the Status column for the selected file path will change to ‘Disabled’.
2
To re-enable the auditing of an audit path, use the Enable option in either the Status cell or right-click menu.
To delete an auditing template:
1
On the NetApp page, select the template to be deleted and click Delete | Delete Template.
2
A dialog will be displayed confirming that you want to delete the selected template. Click Yes.
To delete an audit path from a template:
* 
NOTE: In Auditing templates, you cannot delete the last audit path.
1
On the NetApp page, select the audit path to be deleted and click Delete | Delete File Path.
2
A dialog will be displayed confirming that you want to delete the selected file path from the template. Click Yes.
To delete a Change Auditor agent from a template:
* 
NOTE: In Part Number or Rev Auditing templates, you cannot delete the last Change Auditor agent.
1
On the NetApp Auditing page, select the agent to be deleted and click Delete | Delete Agent.
2
A dialog will be displayed confirming that you want to delete the selected agent from the template. Click Yes.

NetApp Auditing wizard

The NetApp Auditing wizard is displayed when you click Add on the NetApp Auditing page. This wizard steps you through the process of creating a new NetApp auditing template, identifying the NetApp filer to audit, the auditing scope, and the agents to receive the events.

* 
NOTE: For NetApp 7-mode, you must enable TLS communication on the filer to allow secure communication with the client using the following command: options tls.enable on

The following table provides a description of the fields and controls in the NetApp Auditing wizard:

 
* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates that the required information has been specified and you are ready to proceed.
 
Table 2. NetApp Auditing wizard
Create or modify a NetApp Auditing Template page

Use the first page of the wizard to specify the NetApp filer to be audited and the file, folder, volume or all volumes to be audited on that filer.

NetApp Filer

Use the drop-down control to the far right of this field to select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.

File and folder auditing is supported in both 7-mode (non-cluster mode) and cluster mode. Select Detect filer mode...to determine which mode you have deployed.

If you are operating in cluster mode, credentials must be set for all agents. The credentials set must be for users with ONTAPI access on the filer.

Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.

NOTE: There can be only one NetApp Auditing template per NetApp filer. The wizard will not allow you to create a duplicate template using the same NetApp filer name.

Audit Path

Select one of the following options to define auditing for a file, folder or volume:
File - select this option to audit a single file. Then enter a file name and path (<ShareName>\<Path>\<FileName>) to be audited or click the browse button to locate and select a file.
Folder - select this option to audit a folder or a set of files. Then enter a folder name and path (<ShareName>\<FolderName>) to be audited.
Volume - select this option to audit a single volume. Then enter the volume name (<VolumeName>) to be audited or click the browse button to locate and select a volume.
NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field.
All Volumes - select this option to audit all volumes. The Audit Path text box will contain an asterisk (*) which cannot be changed.

Once you have entered the audit path to be audited, click Add to add it to the selection list.

Click the browse button to locate and select the file or folder to be audited.

NOTE: This button is not available when All Volumes is selected as the audit path.

Add

Use Add to move the entry in the Audit Path text box to the selection list.

NOTE: Even though you cannot edit the Audit Path when the All Volumes option is selected, you must still click Add to move it to the selection list.

Remove

Select an entry in the selection list and click Remove to remove it from the list.

Selection list

The list box, located across the middle of this page, displays the files, folders or volumes selected for auditing.

When a Folder is selected, you can use the drop-down menu in the Scope field to change the scope of coverage.
This object only- select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders. (Default)

Select an entry in this list to enable the corresponding Events, Inclusions and Exclusions tabs at the bottom of the page.

Events tab

Use the Events tab to select vital file and/or folder events.

File Events

Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list.

Folder Events

Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list.

Inclusions tab

When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Inclusions tab will be displayed allowing you to specify what in the selected audit path is to be audited.

Add the names of subfolders and files to audit

Enter a file mask to specify what in the selected audit path is to be audited. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

Note: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all folders and files in the selected audit path. See File and Folder Inclusion and Exclusion Examples for more file mask examples.

You can also enter the name of an individual subfolder or file that is to be included. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders and files to be included, select Add to add it to the Inclusions list.

Inclusions list

The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries.
Add - Click Add to move the entry in the text box to the Inclusions list.
Remove - Select an entry in the Inclusions list and click Remove to remove it.

Exclusions tab (Optional)

When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Exclusions tab will be displayed allowing you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names and paths of any subfolders and files in the selected audit path that are to be excluded from auditing.

NOTE: To reduce the number of events generated by document File | Save operations in Microsoft Word, Excel, Visio, and PowerPoint (Microsoft Office version 2010, 2013, and 2016), Change Auditor uses event consolidation rules. Excluding temporary files will remove the ability to consolidate these events and you will lose file modified events. Consolidation rules are not supported in multiple agent auditing scenarios.

Add the names and paths of subfolders and files to exclude from auditing

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

See File and Folder Inclusion and Exclusion Examples for more examples.

You can also enter the name of an individual subfolder or file that is to be excluded from auditing.

If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will NOT exclude it from auditing.

Once you have specified a subfolder or file to be excluded, select the appropriate Add button to add the file or folder to the Exclusions list.

Exclusions list

The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries.
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
Remove - Select an entry in the Exclusions list and click Remove to remove it.
Select Change Auditor Agents page

Use this page to select the agents to receive the audit events captured on the selected NetApp filer.

NOTE: You can improve performance by assigning a template to more than one agent. When multiple agents are assigned to the same template, events will be load balanced between these agents. However the downside is that the ‘where’ field for NetApp events may contain any one of these agents. In addition, if NetApp event logging is enabled, events will be written on multiple agent servers.

Add

Use Add to assign one or more agents to the NetApp Auditing template.

Clicking this button displays the Change Auditor Agents dialog. From this dialog, select one or more agents and then click OK.

Remove

Use Remove to remove the selected agent from the list.

Set Credentials

If you did not add the agent accounts to the local Administrators group on the NetApp filer, select the agent from the list and click Set Credentials. Enter the NetApp filer credentials to be used.

See the Release Notes for required rights and permission.

Clear Credentials

Use Clear Credentials to clear the NetApp filer credentials that were previously entered for the selected agent.

NOTE: Credentials are required when monitoring a filer in cluster mode.

Change Auditor Agent list

The list box on this page lists the agents selected to capture audit events from the selected NetApp filer.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen