Change Auditor 7.1.1 - Web Client User Guide

Specify the EMC File Server (CIFS) to be audited.

Click Auditing.

Select EMC (under the NAS heading in the Auditing task list) to open the EMC Auditing page.

Click Add to launch the EMC Auditing wizard.

Table 42. EMC Auditing Wizard: File auditing

Select the EMC File Server (CIFS) from the drop-down list, or enter the NetBIOS name or IP address of the EMC file server (CIFS) to be audited.

Click Next.

File Path Selection (File)

Provide the name and path of a file(s) to be audited. Use the Events tab to select vital file events.

For the audit path, select File.

Enter the file name and path (i.e., <ShareName>\<Path>\<FileName>) to be audited.

Isilon file server auditing: When specifying a file path to be audited, you should use the file’s absolute path. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, and you want to audit the file MyDoc.docx inside that share, add the path ‘ifs\test\MyDoc.docx’ in the auditing template.

Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, please specify the new share name on this page to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right corner of the page.

Click Add to add it to the selection list.

On the Events tab, select individual file events to be audited or select the File Events check box to select all listed file events.

Click Next.

Select the Change Auditor agents to be used to monitor the EMC file server.

If the Change Auditor agents are not already specified in the cepp.conf file (pool namesakes servers entry), use Set Credentials to provide the credentials and create the cepp.conf file.

Click Add to open the Eligible Change Auditor Agents dialog.

Select one or more agents from the list.

Click OK and continue to Step 8. If the list appears empty, click Cancel to return to the Agent Selection page.

If there are no Change Auditor agents available on the Eligible Change Auditor Agents dialog, click Set Credentials and enter the following information:

•

Control Station - IP address of the EMC Control Station.

•

User - user name of an account with Administrative rights on the EMC Control Station.

•

Password - password associated with the user name.

•

Data Mover - use the drop-down to select the Data mover that hosts the CIFS file server specified on the first wizard page.

Click Test to validate the credentials. Once the credentials have been validated, click OK.

Click Add to open the Eligible Change Auditor Agents dialog.

Select one or more agents from the list. Click OK.

Click Next.

Configuration

(Optional) From this page you can also deploy the proposed configuration file, check the status of the cepp service and audit the cepp.conf file.

To audit a folder or volume:

(Optional) Click Update File to deploy the proposed configuration file on the EMC Control Station.

(Optional) Click Check Status to check the status of the cepp service.

(Optional) Click Audit File to enable/disable the auditing of the cepp.conf file for changes made to this configuration file by third-party applications.

Click Finish to save the template and close the wizard.

Specify the EMC File Server (CIFS) to be audited.

Click Auditing.

Select EMC (under the NAS heading in the Auditing task list) to open the EMC Auditing page.

Click Add to open the EMC Auditing wizard.

Table 43. EMC Auditing Wizard: Folder/Volume auditing

Select the EMC File Server (CIFS) from the drop-down list, or enter the NetBIOS name or IP address of the EMC file server (CIFS) to be audited.

Click Next.

File Path Selection (Folder/Volume/All Volumes)

Provide the name and path of a folders/volumes to be audited. Use the available tabs to select specific events and file masks to audit. You can also exclude certain subfolders and files from auditing.

NOTE: Volume names are case sensitive.

IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, it will NOT be excluded from auditing.

For the audit path, select Folder, Volume or All Volumes.

If Folder is selected, enter the folder name and path (<ShareName>\<FolderName>) to audit, and click Add.

If Volume is selected, enter a volume name (<VolumeName>), and click Add.

If All Volumes is selected, click Add to add all volumes.

Click in the Scope cell to change the scope of coverage.

On the Events tab, select individual file and folder events to audit, or select the File Events and Folder Events check boxes to select all listed events.

On the Inclusions tab, enter a file mask to specify what is to be included in the audit using the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters.

•

Question mark (?) wildcard character to substitute a single character.

•

A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

Note: The slash (\) and double asterisk (**) characters can only be used with volumes.

Click Add to add it to the inclusion list.

(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files to exclude. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).

•

Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

Use Add | Folder to exclude activity against any matching files/subfolders or Add | File to exclude activity against matching files.

Click Next.

Select the agents to be used to monitor the EMC file server.

If the Change Auditor agents are not already specified in the cepp.conf file (pool name=quest servers entry), you will need to provide credentials.

Click Add to open the Eligible Change Auditor Agents dialog.

Select one or more agents from the list.

Click OK and continue to Step 8. If the list appears empty, click Cancel to return to the Agent Selection page.

If there are no agents available on the Eligible Change Auditor Agents dialog, click Set Credentials and enter the following information:

•

Control Station - IP address of the EMC Control Station.

•

User - user name of an account with Administrative rights on the EMC Control Station.

•

Password - password associated with the user name.

•

Data Mover - use the drop-down to select the Data mover that hosts the CIFS file server specified on the first wizard page.

Click Test to validate the credentials. Once the credentials have been validated, click OK.

Click Add to open the Eligible Change Auditor Agents dialog.

Select one or more agents from the list. Click OK.

Click Next.

Configuration

(Optional) From this page you can also deploy the proposed configuration file, check the status of the cepp service and audit the cepp.conf file.

To enable NetApp filer auditing, you must first create a NetApp auditing template for each NetApp filer to be audited. Each auditing template defines the NetApp filer to be audited, the auditing scope, and the agents that are to receive the events.

(Optional) Click Update File to deploy the proposed configuration file on the EMC Control Station.

(Optional) Click Check Status to check the status of the cepp service.

(Optional) Click Audit File to enable/disable the auditing of the cepp.conf file for changes made to this configuration file by third-party applications.

Click Finish to save the template and close the wizard.

NetApp auditing


	NOTE: There can be only one NetApp Auditing template per NetApp filer. Therefore, if you want to audit multiple audit paths, use the same template to specify the audit paths to be audited on the selected NetApp filer.


	NOTE: For NetApp 7-mode, you must enable TLS communication on the filer to allow secure communication with the Change Auditor client using the following command: options tls.enable on


	NOTE: NetApp events initiated through the NFS protocol are not supported.

NetApp Auditing page

The NetApp Auditing page is displayed when NetApp is selected from the Auditing task list in the navigation pane of the Administration Tasks page. From this page you can open the NetApp Auditing wizard to specify the NetApp filer to audit, the auditing scope, and the agents that are to receive the NetApp events. You can also edit existing templates, disable/enable templates, and remove templates that are no longer being used.


	NOTE: For more information, including a full description of the page, refer to the Quest Change Auditor for NetApp User Guide.

To audit a file:

Specify the NetApp filer to be audited.

Click Auditing.

Select NetApp (under the NAS heading in the Auditing task list) to open the NetApp Auditing page.

Click Add to open NetApp Auditing wizard.

Table 44. NetApp Auditing Wizard: File auditing

Select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.

File and folder auditing is supported in both 7-mode (non-cluster mode) and cluster mode. Select Detect filer mode to determine which mode you have deployed.

If you are operating in cluster mode, credentials must be set for all agents. The credentials set must be for users with ONTAPI access on the filer. Enter the credentials and click OK.

Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.

Click Next.

File Path Selection (File)

Provide the name and path of a files to be audited. Use the Events tab to select vital file events.

For the audit path, select File.

Enter the file name and path
(<ShareName>\<Path>\<FileName>) to audit and click Add to add it to the selection list.

On the Events tab, select individual file events to be audited or select the File Events check box to select all listed file events.

Click Next.

Select the Change Auditor agents to be used to monitor the NetApp filer test.

(Optional) Supply NetApp filer credentials.

Click Add to open the Eligible Change Auditor Agents dialog. Select the agents to be used. (Use the Shift or Ctrl keys to select multiple agents.)

Click OK to close the dialog and add the agents to the selection list.

(Optional) If you did NOT add the agent accounts to the local Administrators group on the NetApp filer, select the agent from the list and click Set Credentials to enter the NetApp filer credentials.

Click Clear Credentials to clear any previously entered NetApp filer credentials for the selected agent.

Click Finish to save the template and close the wizard.

To audit a folder/volume:

Specify the NetApp filer to be audited.

Click Auditing.

Select NetApp (under the NAS heading in the Auditing task list) to open the NetApp Auditing page.

Click Add to open the NetApp Auditing wizard.

Table 45. NetApp Auditing Wizard: Folder/Volume auditing

Select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.

Click Next.

File Path Selection (Folder/
Volume/
All Volumes)

NOTE: Volume names are case sensitive.

IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, it will NOT be excluded from auditing.

NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.

For the audit path, select Folder, Volume or All Volumes.

If Folder is selected, enter the folder name and path (<ShareName>\<FolderName>) to audit and click Add.

If Volume is selected, enter a volume (<VolumeName>) and click Add.

If All Volumes is selected, click Add.

Click in the Scope cell to change the scope of coverage.

On the Events tab, select individual file and folder events to be audited, or select the File Events and Folder Events check boxes to select all listed events.

On the Inclusions tab, enter a file mask to specify what is to be included in the audit using the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters.

•

Question mark (?) wildcard character to substitute a single character.

•

A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

Click Add to add it to the inclusion list.

(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files to exclude. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

Use Add | Folder to exclude activity against any matching files/subfolders or Add | File to exclude activity against matching files.

Click Next.

Select the agents to be used to monitor the NetApp filer test.

(Optional) Supply NetApp filer credentials.

Click Add to open the Eligible Change Auditor Agents dialog. Select the agents to be used. (Use the Shift or Ctrl keys to select multiple agents.)

Click OK to close the dialog and add the agent(s) to the selection list.

(Optional) If you did NOT add the agent accounts to the local Administrators group on the NetApp filer, select the agent from the list and click Set Credentials to enter the NetApp filer credentials.

Click Clear Credentials to clear any previously entered NetApp filer credentials for the selected agent.

Click Finish to save the template and close the wizard.

Fluid File System (FluidFS) auditing

To enable FluidFS auditing, you must first create an auditing template for each cluster to audit. Each auditing template defines the location of the cluster to be audited, the auditing scope, and the agents that are to receive the events.


	NOTE: There can be only one FluidFS auditing template per cluster. If you want to audit multiple audit paths, use the same template to specify all the audit paths to be audited on the selected cluster.


	NOTE: Auditing is supported only for the CIFS/SMB protocol. Events initiated through the NFS or FTP protocols are not supported.

Before you begin:

•

Verify that Dell Enterprise Manager (and Data Collector service) is properly installed and configured.

•

Verify that the FluidFS cluster you plan to audit is registered with Enterprise Manager.

•

Ensure you have Administrator rights to Enterprise Manager.

•

Ensure that the Change Auditor Configuration Service for Dell FluidFS is installed.

For installation and configuration details, see the Change Auditor for Fluid File System User Guide.

FluidFS Auditing page

The FluidFS Auditing page displays when you select FluidFS from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can open the FluidFS Auditing wizard to specify the FluidFS cluster to be audited, the auditing scope and the agents that are to receive the events. You can also edit existing templates, disable/enable templates, and remove templates that are no longer being used.


	NOTE: For more information, including a full description of the page, refer to the Quest Change Auditor for Fluid File System User Guide.

To audit a file:

Specify the FluidFS cluster to be audited, and the credentials required to configure auditing.

Click Auditing.

Select FluidFS (under the NAS heading in the Auditing task list) to open the FluidFS Auditing page.

Click Add to open the Auditing wizard.

Table 46. FluidFS Auditing Wizard

Enter or select the FluidFS cluster name from the drop-down list to be audited.

NOTE: The drop-down list contains the clusters published in Active Directory.

NOTE: IP Addresses are not supported at this time.

To select a volume to be audited, you will need to enter the Change Auditor Configuration Service for Dell FluidFS location and an account that has administrative privileges to access Enterprise Manager. This allows the Coordinator to connect with the service and populate the list of available volumes to audit.

Click the Provide FluidFS Credentials button to be prompted for the credentials. The credentials are case sensitive.

Click Next.

File Path Selection

Provide the name and path of a volume to be audited. Use the available tabs to select specific events and file masks to audit. You can also exclude certain subfolders and files from auditing.

Use the Events tab to select vital events.

Enter the volume to audit and click Add to add it to the selection list.

On the Events tab, select individual file and folder events to be audited, or select the File Events and Folder Events check boxes to select all listed events.

On the Inclusions tab, enter a file mask to specify what is to be included in the audit using the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters.

•

Question mark (?) wildcard character to substitute a single character.

•

A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

Click the Add button to add it to the Included Names list.

On the Exclusions tab, specify the names and paths of any subfolders or files to exclude. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

Click Add and select File or Folder to add it to the exclusions list.

Click Next.