Change Auditor for Fluid File System 7.0.3

FluidFS Auditing templates

To enable FluidFS auditing, you must first create an auditing template for each cluster to audit. Each auditing template defines the location of the cluster to be audited, the auditing scope, and the agents that are to receive the events.


	NOTE: There can be only one FluidFS auditing template per cluster. If you want to audit multiple audit paths, use the same template to specify all the audit paths to be audited on the selected cluster.

To audit a volume:

Create a FluidFS auditing template. See FluidFS Auditing wizard for details.

Once you have configured your template, the associated event notifications will be set in Enterprise Manager. (Within Enterprise Manager, right-click the volume and select Edit File Access Notification).

On the Administration Tasks tab, click Configuration and select Agent in the Configuration task list to open the Agent Configuration page.

Select the Change Auditor agents assigned to the FluidFS template and click Refresh Configuration to ensure the agents are using the latest configuration.To disable an auditing template:


	NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

The disable feature allows you to temporarily stop auditing the specified volume without having to remove the auditing template or individual volume from a template.

On the Auditing page, use one of the following methods to disable an auditing template:

•

Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.

•

Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to ‘Disabled’.

To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

To delete an auditing template:

On the Auditing page, select the template to be deleted and click the Delete | Delete Template tool bar button.

A dialog will be displayed confirming that you want to delete the selected template. Click Yes.


	NOTE: To delete the template when a connection cannot be made with the FluidFS cluster, use the Clear-CAFluidFSTemplate command. Auditing settings must be removed from the cluster using Enterprise Manager.

FluidFS Auditing wizard

The FluidFS Auditing wizard displays when you click the Add tool bar button on the FluidFS Auditing page. This wizard steps you through creating a new FluidFS auditing template, specifying the volume to audit, and configuring the agents to receive the events.

The following table provides a description of the fields and controls in the FluidFS Auditing wizard.


	NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates that the required information has been specified and you are ready to proceed.

Table 2. FluidFS Auditing wizard

Create or modify a FluidFS Auditing Template page: On the first page of the wizard, specify the FluidFS cluster to audit and define the auditing scope.

FluidFS cluster

Enter or select the FluidFS cluster from the drop-down list to be audited.

NOTE: IP Addresses are not supported at this time.

NOTE: The drop-down list contains the clusters published in Active Directory.

Volume

To select or enter a volume to be audited, you must enter the Change Auditor Configuration Service for Dell FluidFS location and an account that has administrative privileges to access Enterprise Manager. This allows the Coordinator to connect with the service and populate the list of available volumes to audit. The credentials are case sensitive.

Add

Use to move the volume to the selection list.

Remove

Select an entry in the selection list and click Remove to remove it from the list.

Events tab

Use the Events tab to select vital file and/or folder events.

File Events

Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list.

Folder Events

Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list.

Inclusions tab

Use the Inclusions tab to specify what in the selected volume will be audited.

Add the names of subfolders and files to audit

Enter a file mask to specify what in the volume to audit. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters.

•

Question mark (?) wildcard character to substitute a single character.

•

A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

For example, entering * will include all folders and files in the selected audit path. See File/Folder Inclusion and Exclusion Examples for more file mask examples.

You can also enter the name of an individual subfolder or file that is to be included. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders or files to be included, click Add to add it to the Inclusions list.

Inclusions list

The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries.

Add

Use to move the entry in the text box to the Inclusions list.

Remove

Select an entry in the Inclusions list and click Remove to remove it.

Exclusions Tab (Optional)

The Exclusions tab allows you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names and paths of any subfolders and files in the selected volume to exclude from auditing.

NOTE: To reduce the number of events generated by document File | Save operations in Microsoft Word, Excel, Visio, and PowerPoint (Microsoft Office version 2010, 2013, and 2016), Change Auditor uses event consolidation rules. Excluding temporary files will remove the ability to consolidate these events and you will lose file modified events. Consolidation rules are not supported in multiple agent auditing scenarios.

Add the names and paths of subfolders and files to exclude from auditing

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).

•

Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

See File/Folder Inclusion and Exclusion Examples for more examples.

You can also enter the name of an individual subfolder or file that is to be excluded from auditing.

IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will NOT exclude it from auditing.

Once you have selected a subfolder or file to be excluded, select the appropriate Add button to add it to the Exclusions list.

Exclusions list

The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries.

Add

Use one of the following Add commands to move the entry in the text box to the Exclusions list:

•

Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.

•

Add | File - use this option to exclude activity against any files that match the exclusion string.

Remove

Select an entry in the Exclusions list and click Remove to remove it.

Select Change Auditor agents page: Use this page to select the Change Auditor agents that are to receive the events captured on the selected FluidFS cluster.

NOTE: The domain of the configuration service must have a two-way trust with the domain of the auditing agent and trust the domain of the coordinator (one-way trust).

NOTE: You may improve performance by assigning an auditing template to more than one Change Auditor agent. When multiple agents are assigned to the same template, events will be load balanced between these agents. However, the downside is that the ‘where’ field for events may contain any one of the agents being monitored by this single auditing template. In addition, if FluidFS event logging is enabled in Change Auditor, events will be written on multiple agent servers.

Add

Click Add to assign one or more Change Auditor agents to the FluidFS auditing template.

Selecting this button displays the eligible Change Auditor Agents dialog. From this dialog, select one or more agents and then click OK.

Remove

Click Remove to remove the selected agent from the list.

Change Auditor Agent list

The list across the bottom of the page lists the Change Auditor agents selected to capture events from the selected FluidFS cluster.

(Optional) Encryption settings page:

Turn encryption on to protect the data as it passes between the FluidFS cluster and the agents.

Refresh status

Click Refresh status to see the encryption status.

Turn on encryption for auditing

To enable encryption, select Turn on encryption for auditing, click the Set credentials for encryption, and enter the service account credentials for the FluidFS cluster to use when encrypting events.

NOTE: The domain of the coordinator must trust the domain of the specified user account (one-way trust).

NOTE: When required, you can turn off the encryption through the Enterprise Manager client. If you turn off encryption, you need to refresh Change Auditors’ configuration so that it is synchronized with the FluidFS cluster. To refresh the configuration, save the FluidFS template after the change or run the UpdateCAFluidFSConfiguration PowerShell command found in the installation directory of the Change Auditor Configuration Service for Dell FluidFS.

NOTE: Encryption settings are not maintained when a template is exported. You will need to re-configure this setting on any previously deleted templates after it has been imported.


NOTE: To reduce the number of events generated by document File \| Save operations in Microsoft Word, Excel, Visio, and PowerPoint, Change Auditor uses event consolidation rules. Excluding .tmp files will remove the ability to consolidate these events and you will lose file modified events.