-
Title
EMC Isilon file contents written events are not getting audited by Change Auditor. -
Description
EMC Isilon file contents written events are not getting audited by Change Auditor.. All other Isilon events are being recorded in Change Auditor (ex. file delete, file move, etc) except for file contents written. -
Cause
Auditing "Close" operations on Isilon are not enabled. -
Resolution
To check and enable the auditing of "Close" operations:
1. Run the following command in the command line interface (CLI) to view the Global Audit settings:
isi audit settings global view
2. Based on the output, record the value for "Audited Zones"
3. View settings for the "Audited Zones" by running the following command:
isi audit settings view --zone='value_from_step_2'
4. From the output confirm if "close" is listed in "Audit failure", "Audit Success", or both.
5. If "close" is missing from either "Audit failure", "Audit Success", or both, It can be added by running the following command(s):
-Add to "Audit Success"
isi audit settings modify --add-audit-success close --zone='value_from_step_2'
- Add to Audit Failure
isi audit settings modify --add-audit-failure close --zone='value_from_step_2'
6. Confirm the "close" events were added to auditing by running the following command:
isi audit settings view --zone='value_from_step_2'
For example the output should resemble this:
Audit Success: close, delete, rename, set_security, write