Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

NetApp Auditing page

Previous Next

NetApp Auditing page

The NetApp Auditing page displays when you select NetApp from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can launch the NetApp Auditing wizard to specify the NetApp filer to audit, the auditing scope, and the agents to receive the events. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The NetApp Auditing page contains an expandable view of all the NetApp Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.
Filer

Displays the name of the NetApp filer specified in the wizard.

Status

Indicates whether the auditing template is enabled or disabled.

Paths

This field is used for filtering data.

Click the expansion box to the left of the Filer name to expand this view and display the following details:

Path
* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

Displays the name of the audit paths included in the NetApp Auditing template.

Status

Indicates whether auditing for the selected audit path is enabled or disabled.

Include Mask

Displays the names of the subfolders or files to be audited (or a file mask) as specified on the Inclusions tab of the wizard.

Scope

Indicates the scope of coverage specified for each audit path in the selected template:
This object only
This object and child objects only
This object and all child objects
Exclude

Displays the names and paths of subfolders and files to be excluded from auditing as specified on the Exclusions tab of the wizard.

Operations

Displays the events selected for auditing on the Events tab of the wizard. Hover your mouse over this cell to view all of the events included in the template.

Agent

Lists the Change Auditor agents assigned to monitor the selected NetApp filer.

User

Displays the name of the user account that has access to the NetApp filer. This information is only displayed when Set Credentials is used on the second page of the wizard to specify the NetApp filer credentials to be used by a Change Auditor agent.

NetApp Auditing templates

Previous Next

NetApp Auditing templates

To enable NetApp filer auditing, create a NetApp Auditing template for each NetApp filer to audit. Each auditing template defines the NetApp filer to be audited, the auditing scope, and the agents that are to receive the NetApp events.

* 
NOTE: There can be only one NetApp Auditing template per NetApp filer. Therefore, if you want to audit multiple audit paths, use the same template to specify all the audit paths to be audited on the selected NetApp filer.
To audit a file:
1
Open the NetApp Auditing wizard (Click Add or Edit on NetApp Auditing page).
2
On the first page of the wizard, enter the following information:
NetApp Filer - Select the NetApp filer from the drop-down or enter the NetBIOS name or IP address of the NetApp filer to be audited.

The following application access must be assigned to all accounts that are assigned to agents for the auditing template:
NetApp version 9.9 and before require ONTAPI and HTTP.
NetApp versions later than version 9.9 require HTTP only.

See the system requirements in the Release Notes for additional information.

Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.
Audit Path - Select File and enter a file name and path (<ShareName>\<Path>\<FileName>) to be audited or click the browse button to locate and select a file. Click Add to move the specified audit path to the selection list (middle of the page).
Events tab - Select the file events to be audited for the file selected in the selection list.

Repeat this step to add additional files to this auditing template.

* 
NOTE: Selecting the File Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing this check box will clear all of the selected events.

Click Next to proceed to the next page.

3
On the second page of the wizard, select the agents to use to connect to the NetApp filer to capture the NetApp events.To add an agent to the NetApp Auditing template, click Add, select one or more agents from the list and click OK.
4
Click Finish to close the wizard and create the template.
5
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
6
Select the agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.
To audit a folder:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
Open the NetApp Auditing wizard. (Click Add or Edit on the NetApp Auditing page.)
2
On the first page of the wizard, enter the following information:
NetApp Filer - Select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.

The following application access must be assigned to all accounts that are assigned to agents for the auditing template:
NetApp version 9.9 and before require ONTAPI and HTTP.
NetApp versions later than version 9.9 require HTTP only.

See the system requirements in the Release Notes for additional information.

Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.
Audit Path - Select Folder and enter a folder name and path (<ShareName>\<FolderName>) to be audited or click the browse button to locate and select a folder.
* 
NOTE: In order to audit changes to a share under a QTree share, you must add both the QTree share AND the share to be audited as audit paths in the NetApp Auditing template.

For example, if you want to audit file changes when users access a share called ‘folder1’, which resides under a QTree share named ‘c$’, you need to specify the following two paths:
c$\folder1
folder1

Click Add to add the specified folder to the selection list.

3
By default, the scope of coverage for the selected folder will be This object and all child objects. However, you can change the scope, by selecting a different option from the drop-down box in the scope cell of the selection list:
This object only - select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders.

In addition, when the folder entry is selected in the Selection list, the tabs across the bottom of the page are activated. The settings specified on these tabs apply to the entry selected.

4
On the Events tab, select the file and folder events to be audited.
5
On the Inclusions tab, enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:
* 
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).
* 
NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all subfolders and files in the selected audit path.

You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will not receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders/files for inclusion, click Add to add it to the Inclusion list at the bottom of the page.

Repeat this step to add additional subfolders and files to the Inclusion list.

6
(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path that are to be excluded from auditing.

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

You can also enter the name and path of an individual subfolder or file to be excluded.

Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:

* 
IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will not exclude it from auditing.
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.

Repeat this step to add additional subfolders and files to the Exclusion list.

7
Click Next.
8
On the second page of the wizard, select the agents to be used to monitor the NetApp filer and click Add. On the Eligible Change Auditor Agents dialog, select one or more agents from the list and click OK.
9
Click Finish to close the wizard and create the template.
10
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
11
Select the agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.
To audit a volume:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
Open the NetApp Auditing Wizard. (Click Add or Edit on NetApp Auditing page.)
2
On the first page of the wizard, enter the following information:
NetApp Filer - Select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.

The following application access must be assigned to all accounts that are assigned to agents for the auditing template:
NetApp version 9.9 and before require ONTAPI and HTTP.
NetApp versions later than version 9.9 require HTTP only.

See the system requirements in the Release Notes for additional information.

Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.
Audit Path - Select Volume. Enter a volume name (<VolumeName>) to be audited. Volume names can be determined by logging into the NetApp server and using the command: vol status.

Click Add to add the specified volume to the selection list (middle of the page).

* 
NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field.
3
By default, the scope of coverage for the selected volume will be This object and all child objects, which cannot be changed.

Select the volume entry in the Selection list to activate the tabs across the bottom of the page. The settings specified on these tabs apply to the entry selected.

4
On the Events tab, select the file and folder events to be audited.
5
On the Inclusions tab, specify the file masks to audit.
* 
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.

Enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).
* 
NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all subfolders and files in the selected audit path.

You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders/files for inclusion, click Add to add it to the Inclusion list at the bottom of the page.

Repeat this step to add additional subfolders and files to the Inclusion list.

6
(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path that are to be excluded from auditing.

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

You can also enter the name of an individual subfolder or file to be excluded.

Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:

* 
IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will NOT exclude it from auditing.
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.

Repeat this step to add additional subfolders and files to the Exclusion list.

7
Click Next.
8
On the second page of the wizard, click Add to select the agents to monitor the NetApp filer. On the Eligible Change Auditor Agents dialog, select one or more agents from the list and click OK.
9
Click Finish to close the wizard and create the template.
10
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
11
Select the Change Auditor agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.
To disable an auditing template:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

Disabling a template allows you to temporarily stop auditing the specified audit path without having to remove the auditing template or individual audit path from a template.

1
On the NetApp Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to ‘Disabled’.

2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
To disable the auditing of an audit path in a template:
1
On the NetApp Auditing page, use one of the following methods to disable an audit path in an auditing template:
Place your cursor in the Status cell for the audit path to be disabled, click the arrow control and select Disabled.
Right-click the audit path to be disabled and select Disable.

The entry in the Status column for the selected file path will change to ‘Disabled’.

2
To re-enable the auditing of an audit path, use the Enable option in either the Status cell or right-click menu.
To delete an auditing template:
1
On the NetApp page, select the template to be deleted and click Delete | Delete Template.
2
A dialog will be displayed confirming that you want to delete the selected template. Click Yes.
To delete an audit path from a template:
* 
NOTE: In auditing templates, you cannot delete the last audit path.
1
On the NetApp page, select the audit path to be deleted and click Delete | Delete File Path.
2
A dialog will be displayed confirming that you want to delete the selected file path from the template. Click Yes.
To delete a Change Auditor agent from a template:
* 
NOTE: In auditing templates, you cannot delete the last Change Auditor agent.
1
On the NetApp Auditing page, select the agent to be deleted and click Delete | Delete Agent.
2
A dialog will be displayed confirming that you want to delete the selected agent from the template. Click Yes.

NetApp Auditing wizard

Previous Next

NetApp Auditing wizard

The NetApp Auditing wizard is displayed when you click Add on the NetApp Auditing page. This wizard steps you through the process of creating a new NetApp auditing template, identifying the NetApp filer to audit, the auditing scope, and the agents to receive the events.

The following table provides a description of the fields and controls in the NetApp Auditing wizard:

 
* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates that the required information has been specified and you are ready to proceed.
 

Table 2. NetApp Auditing wizard

Create or modify a NetApp Auditing Template page

Use the first page of the wizard to specify the NetApp filer to be audited and the file, folder, volume or all volumes to be audited on that filer.

NetApp Filer

Use the drop-down control to the far right of this field to select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.

The following application access must be assigned to all accounts that are assigned to agents for the auditing template:
ONTAPI
HTTP
NOTE:  
NetApp version 9.9 and before require ONTAPI and HTTP.
NetApp versions later than version 9.9 require HTTP only.

Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.

NOTE: There can be only one NetApp Auditing template per NetApp filer. The wizard will not allow you to create a duplicate template using the same NetApp filer name.

Audit Path

Select one of the following options to define auditing for a file, folder or volume:
File - select this option to audit a single file. Then enter a file name and path (<ShareName>\<Path>\<FileName>) to be audited or click the browse button to locate and select a file.
Folder - select this option to audit a folder or a set of files. Then enter a folder name and path (<ShareName>\<FolderName>) to be audited.
Volume - select this option to audit a single volume. Then enter the volume name (<VolumeName>) to be audited or click the browse button to locate and select a volume.
NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field.
All Volumes - select this option to audit all volumes. The Audit Path text box will contain an asterisk (*) which cannot be changed.

Once you have entered the audit path to be audited, click Add to add it to the selection list.

Click the browse button to locate and select the file or folder to be audited.

NOTE: This button is not available when All Volumes is selected as the audit path.

Add

Use Add to move the entry in the Audit Path text box to the selection list.

NOTE: Even though you cannot edit the Audit Path when the All Volumes option is selected, you must still click Add to move it to the selection list.

Remove

Select an entry in the selection list and click Remove to remove it from the list.

Selection list

The list box, located across the middle of this page, displays the files, folders or volumes selected for auditing.

When a Folder is selected, you can use the drop-down menu in the Scope field to change the scope of coverage.
This object only- select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders. (Default)

Select an entry in this list to enable the corresponding Events, Inclusions and Exclusions tabs at the bottom of the page.

Events tab

Use the Events tab to select vital file and/or folder events.

File Events

Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list.

Folder Events

Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list.

Inclusions tab

When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Inclusions tab will be displayed allowing you to specify what in the selected audit path is to be audited.

Add the names of subfolders and files to audit

Enter a file mask to specify what in the selected audit path is to be audited. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

Note: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all folders and files in the selected audit path. See File and Folder Inclusion and Exclusion Examples for more file mask examples.

You can also enter the name of an individual subfolder or file that is to be included. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders and files to be included, select Add to add it to the Inclusions list.

Inclusions list

The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries.
Add - Click Add to move the entry in the text box to the Inclusions list.
Remove - Select an entry in the Inclusions list and click Remove to remove it.

Exclusions tab (Optional)

When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Exclusions tab will be displayed allowing you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names and paths of any subfolders and files in the selected audit path that are to be excluded from auditing.

NOTE: To reduce the number of events generated by document File | Save operations in Microsoft Word, Excel, Visio, and PowerPoint (Microsoft Office version 2010, 2013, and 2016), Change Auditor uses event consolidation rules. Excluding temporary files will remove the ability to consolidate these events and you will lose file modified events. Consolidation rules are not supported in multiple agent auditing scenarios.

Add the names and paths of subfolders and files to exclude from auditing

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

See File and Folder Inclusion and Exclusion Examples for more examples.

You can also enter the name of an individual subfolder or file that is to be excluded from auditing.

If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will NOT exclude it from auditing.

Once you have specified a subfolder or file to be excluded, select the appropriate Add button to add the file or folder to the Exclusions list.

Exclusions list

The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries.
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
Remove - Select an entry in the Exclusions list and click Remove to remove it.

Select Change Auditor Agents page

Use this page to select the agents to receive the audit events captured on the selected NetApp filer.

NOTE: You can improve performance by assigning a template to more than one agent. When multiple agents are assigned to the same template, events will be load balanced between these agents. However the downside is that the ‘where’ field for NetApp events may contain any one of these agents. In addition, if NetApp event logging is enabled, events will be written on multiple agent servers.

Add

Use Add to assign one or more agents to the NetApp Auditing template.

Clicking this button displays the Change Auditor Agents dialog. From this dialog, select one or more agents and then click OK.

Remove

Use Remove to remove the selected agent from the list.

Set Credentials

If you did not add the agent accounts to the local Administrators group on the NetApp filer, select the agent from the list and click Set Credentials. Enter the NetApp filer credentials to be used.

See the Release Notes for required rights and permission.

The following application access must be assigned to all accounts that are assigned to agents for the auditing template:
ONTAPI
HTTP
NOTE:  
NetApp version 9.9 and before require ONTAPI and HTTP.
NetApp versions later than version 9.9 require HTTP only.

 

Clear Credentials

Use Clear Credentials to clear the NetApp filer credentials that were previously entered for the selected agent.

NOTE: Credentials are required when monitoring a filer in cluster mode.

Change Auditor Agent list

The list box on this page lists the agents selected to capture audit events from the selected NetApp filer.

File System events settings

Previous Next

File System events settings

From the Agent Configuration page on the Administration Tasks tab you can view and/or modify the File System settings for handling duplicate events.

Use the File System tab at the top of the Configuration Setup dialog to define how to process duplicate file system events.

Discard duplicates that occur within nn seconds

This option is selected by default and will discard file system events that occur within 10 seconds of each other. You can enter a value between 1 and 600 (or use the arrow controls) to increase or decrease this interval.

Audit all configured, including duplicates (Not Recommended)

Select this option to audit all configured file system events including duplicate events. This is NOT recommended and therefore is disabled by default.

 
To set the File System Events settings:
1
Open the Administration Tasks tab.
2
Click Configuration.
3
Select Agent in the Configuration task list to display the Agent Configuration page.
4
Click Configurations.
5
On the Configuration Setup dialog, select an agent configuration from the left-hand pane (for example, the configuration that is being used by the agents assigned to receive NetApp events).
6
Open the File System tab and set the File System Events settings as defined above.
7
Once you have set these settings, click OK to save your selections, close the dialog and return to the Agent Configuration page.
8
On the Agent Configuration page, select the Change Auditor agents assigned to the NetApp Auditing template (Auditing appears in the NetApp column) and click Refresh Configuration.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating