Change Auditor for EMC 7.1.1

EMC Auditing

•

Introduction

•

EMC Auditing page

•

EMC auditing templates

•

EMC Auditing wizard

•

File System events settings

•

EMC event logging

Introduction

You must define a separate EMC Auditing template for each EMC file server (CIFS) to audit. The EMC Auditing page on the Administration Tasks tab displays details about each EMC Auditing template created and allows you to add new auditing templates.

EMC Auditing page

The EMC Auditing page displays when you select EMC from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can open the EMC Auditing wizard to specify the EMC file server (CIFS) to be audited, the auditing scope and the agents to receive the EMC events. You can also edit existing templates, disable/enable templates, and remove templates that are no longer being used.The EMC Auditing page contains an expandable view of all the EMC Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:


	NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.

File Server (CIFS)

Displays the name of the EMC file server (CIFS) specified in the wizard.

Status

Indicates whether the auditing template is enabled or disabled.

Paths

This field is used for filtering data.

Audit cepp.conf

Indicates whether you have selected to audit the cepp.conf file for changes made by other third-party applications.


	NOTE: This field does not apply to Isilon file server auditing.

Auditing Agent

Displays the name of the agent assigned to audit the cepp.conf file.


	NOTE: This field will be blank if the Audit cepp.conf field is set to No.

Polling Interval Minutes

Displays the polling interval specified when auditing of the cepp.conf file is enabled.


	NOTE: This field will be blank if the Audit cepp.conf field is set to No.


	NOTE: This field does not apply to Isilon file server auditing.

Click the expansion box to the left of the EMC file server (CIFS) name to expand this view and display the following details:

Path

Displays the name of the audit paths included in the EMC Auditing template.

Status

Indicates whether auditing for the selected audit path is enabled or disabled.

Include Mask

Displays the names of the subfolders or files to be audited (or a file mask) as specified on the Inclusions tab of the wizard.

Scope

Indicates the scope of coverage specified for each audit path in the selected template:

•

This object only

•

This object and child objects only

•

This object and all child objects

Exclude

Displays the names and paths of subfolders and files to be excluded from auditing as specified on the Exclusions tab of the wizard.

Operations

Displays the events selected for auditing on the Events tab of the wizard. Hover your mouse over this cell to view all of the events included in the template.

Agent

Lists the agents assigned to receive the EMC events from the selected EMC file server (CIFS).

EMC auditing templates


	NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

To enable EMC auditing, create a template for each EMC file server (CIFS) to audit. Each template defines the location of the EMC file server to be audited, the auditing scope, and the agents to receive the events.


	NOTE: There can be only one EMC Auditing template per EMC file server (CIFS). To audit multiple audit paths, use the same template to specify all the audit paths to be audited on the selected EMC file server.


	NOTE: Auditing file contents written event on EMC Isilon: To audit the "File contents written" operations, you must audit "Close" operations on Isilon. To audit close operations, use isi zone zones modify command in the command line interface (CLI). For example: To audit a successful close operation for the 'System' zone run the following command: isi zone zones modify system --add-audit-success close. To review all currently audited operations for the System zone, use the following command: isi zone zones view system

To audit a file:

Select View | Administration.

Select Auditing.

Select EMC in the Auditing | NAS task list to open the EMC Auditing page.

Click Add.

This opens the EMC Auditing wizard, which steps you through the process of defining the EMC file server (CIFS) to be audited, the auditing scope, and the agents that are to receive the EMC events.

Enter the following information:

•

EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list. Or enter the Netbios name or IP address of the EMC file server (CIFS) to be audited.


	NOTE: When creating a template for Isilon, you must use the FQDN. If you select the NetBios name or IP address, the template will not function.

•

Audit Path - Select File. Enter a file name and path (i.e., <ShareName>\<Path>\<FileName>) to audit or click the browse button to locate and select a file. Click Add to move the specified audit path to the selection list.


	NOTE: Isilon file server auditing When specifying a file path to audit, use the file’s absolute path. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, and you want to audit the file MyDoc.docx inside that share, add the path ‘ifs\test\MyDoc.docx’ in the auditing template. Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, specify the new share name to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right corner of the page. Volume auditing is not supported and should not be used. Select File or Folder as the Audit Path.

•

Events tab - Select the file events to audit for the file selected in the selection list.

Repeat this step to add additional files to this auditing template.


	NOTE: Selecting the File Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing this check box will clear all of the selected events.

Click Next.

On the second page of the wizard, select the agents used to connect to the EMC file server to capture the EMC events.


	TIP: Specifying multiple agents may provide better performance because the EMC server will load balance audit events and send each assigned agent events round-robin style. However, the downside is that the ‘where’ field for EMC events may contain any one of these agents. Also, if EMC event logging is enabled, events will be written on multiple agent servers.

To add an agent to the EMC Auditing template:

•

Click Add.

•

Select one or more agents from the list and click OK.

If the agents that are to capture EMC events are not already specified in the cepp.conf file (pool namesakes servers entry), you will need to enter the credentials required to access the EMC Control Station.


	NOTE: Isilon file server auditing: There is no need to enter the EMC Control Station credentials when configuring auditing on an Isilon server. Skip to Step 9.

Click Set Credentials and enter the following information:

•

Control Station - enter the IP address of the EMC Control Station.

•

User - enter the user name of an account with Administrative rights (required to create or modify the cepp.conf file) on the selected EMC Control Station.

•

Password - enter the password associated with the user name entered above.

•

Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.

Click Test to validate the credentials. Once the credentials are validated, click OK to set the credentials as entered and close the dialog.

The cepp.conf file will be created based on the information specified in the EMC Auditing wizard. Click Next to view the current and proposed settings for the cepp.conf file.

On the last page of the wizard, review the proposed cepp.conf file, which is displayed in the bottom pane.

Use the buttons above the Current cepp.conf File text box, as described below:

•

To deploy the proposed configuration file, click Update File.

•

To check the current status of the cepp service, click Check Status.

•

To audit the cepp.conf file checking for modifications made by another application, click Audit File. Select the Enable Auditing check box, review (and if necessary change) the polling interval, and select the Change Auditor agent to be used to poll this configuration file. Click OK to save your selections and close the dialog.

Click Finish to close the wizard and create the template.

On the Administration Tasks tab, click the Configuration task button. Select Agent to open the Agent Configuration page.

To ensure the agents are using the latest configuration, select the Change Auditor agents assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration.

To audit a folder:


	NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

Select View | Administration.

Select Auditing.

Select EMC in the Auditing | NAS task list to open the EMC Auditing page.

Click Add.

Enter the following information:

•

EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list. Or enter the Netbios name or IP address of the EMC file server (CIFS) to be audited.

•

Audit Path - Select Folder. Enter a folder name and path (i.e., <ShareName>\<FolderName>) to audit or click the browse button to locate and select a folder.


	NOTE: Isilon file server auditing: When specifying file and folder paths to be audited, the file or folder’s absolute path should be used. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, add the path ‘ifs\test’ in the auditing template to audit changes through the share. Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, please specify the new share name on this page to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right hand corner of the page.

Click Add to add the specified folder to the Selection list.

By default, the scope of coverage for the selected folder will be This object and all child objects. However, you can change the scope, by selecting a different option from the drop-down box in the scope cell of the selection list:

•

This object only- select this option to audit only the selected folder, not its files or subfolders.

•

This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.

•

This object and all child objects - select this option to audit this folder and all of its files and subfolders.

In addition, when the folder entry is selected in the Selection list, the tabs across the bottom of the page are activated. The settings specified on these tabs apply to the entry selected.

On the Events tab, select the file and folder events to be audited.

On the Inclusions tab, specify file masks to audit.


	NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.

Enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters.

•

Question mark (?) wildcard character to substitute a single character.

•

A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).


	NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all subfolders and files in the selected audit path.

You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will not receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders/files to be included, click the Add button to add it to the Inclusion list at the bottom of the page.

Repeat this step to add additional subfolders and files to the Inclusion list.

(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path that are to be excluded from auditing.

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).

•

Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

You can also enter the name of an individual subfolder or file to be excluded.


	IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will NOT exclude it from auditing.

Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:

•

Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.

•

Add | File - use this option to exclude activity against any files that match the exclusion string.

Repeat this step to add additional subfolders and files to the Exclusion list.

Click Next.

On the second page of the wizard, select the Change Auditor agents to be used to monitor the EMC file server.

•

Click Add.

•

On the Eligible Change Auditor Agents dialog, select one or more agents from the list and select OK.

If the Change Auditor agents that are to capture EMC events are not already specified in the cepp.conf file (pool name=quest servers entry), you will need to enter the credentials to be used to access the EMC Control Station.


	NOTE: Isilon file server auditing: There is no need to enter the EMC Control Station credentials when configuring auditing on an Isilon server. Skip to Step 12.

Click the Set Credentials button and enter the following information:

•

Control Station - enter the IP address of the EMC Control Station.

•

User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station.

•

Password - enter the password associated with the user name entered above.

•

Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.

Click Test to validate the credentials entered. Once the credentials are validated, select OK to set the credentials as entered and close the dialog.

The required cepp.conf file will be created based on the information specified in the EMC Auditing wizard. Click Next to view the current and proposed settings for the cepp.conf file.

On the last page of the wizard, review the proposed cepp.conf file, which is displayed in the bottom pane.

Use the buttons above the Current cepp.conf File text box, as described below:

•

To deploy the proposed configuration file, click Update File.

•

To check the current status of the cepp service, click Check Status.

•

Click Finish to close the wizard and create the EMC Auditing template.

On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.

Select the agents assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration to ensure the agents are using the latest configuration.

To audit a volume:


	NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.


	NOTE: Isilon file server auditing: Volume auditing is not support and should not be used.

Open the EMC Auditing Wizard. (Click Add or Edit on the EMC Auditing page.)

Enter the following information:

•

EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list. Or enter the Netbios name or IP address of the EMC file server (CIFS) to be audited.

•

Audit Path - Select Volume. Enter a volume name (i.e., <VolumeName>) to be audited or click the browse button to locate and select a volume.

Click Add to add the specified volume to the Selection list.


	NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field.

By default, the scope of coverage for the selected volume will be This object and all child objects, which cannot be changed.

Select the volume entry in the Selection list to activate the tabs across the bottom of the page. The settings specified on these tabs apply to the entry selected.

On the Events tab, select the file and folder events to be audited.

On the Inclusions tab, specify the file masks to audit.


	NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.

Enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters.

•

Question mark (?) wildcard character to substitute a single character.

•

A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).


	NOTE: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all subfolders and files in the selected audit path.

You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders/files to be included, click Add to add it to the Inclusion list at the bottom of the page.

Repeat this step to add additional subfolders and files to the Inclusion list.

(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path to be excluded from auditing.

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

You can also enter the name of an individual subfolder or file to be excluded.

Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:


	IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will not exclude it from auditing.

•

Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.

•

Add | File - use this option to exclude activity against any files that match the exclusion string.

Repeat this step to add additional subfolders and files to the Exclusion list.

Click Next.

On the second page of the wizard, select the Change Auditor agents to monitor the EMC file server.

•

Click Add.

•

On the Eligible Change Auditor Agents dialog, select one or more agents from the list and click OK.

If the Change Auditor agents that are to capture EMC events are not already specified in the cepp.conf file (pool name=quest servers entry), you’ll need to enter the credentials to be used to access the EMC Control Station.

Click Set Credentials and enter the following information:

•

Control Station - enter the IP address of the EMC Control Station.

•

User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station.

•

Password - enter the password associated with the user name entered above.

•

Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.

Click Test to validate the credentials. Once the credentials are validated, click OK to set the credentials as entered and close the dialog.

The required cepp.conf file will be created based on the information specified in the EMC Auditing wizard. Click Next to view the current and proposed settings for the cepp.conf file.

On the last page of the wizard, review the proposed cepp.conf file, which is displayed in the bottom pane.

Use the buttons above the Current cepp.conf File text box, as described below:

•

To deploy the proposed configuration file, click Update File.

•

To check the current status of the cepp service, click Check Status.

•

Click Finish to close the wizard and create the template.

On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page. This will ensure the agents are using the latest configuration.

Select the Change Auditor agents assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration.

To disable an auditing template:


	NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

The disable feature allows you to temporarily stop auditing the specified audit path without having to remove the auditing template or individual audit path from a template.

On the Auditing page, use one of the following methods to disable an auditing template:

•

Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.

•

Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to ‘Disabled’.

To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

To disable the auditing of an audit path in a template:

On the Auditing page, use one of the following methods to disable an audit path in an auditing template:

•

Place your cursor in the Status cell for the audit path to be disabled, click the arrow control and select Disabled.

•

Right-click the audit path to be disabled and select Disable.

The entry in the Status column for the selected file path will change to ‘Disabled’.

To re-enable the auditing of an audit path, use the Enable option in either the Status cell or right-click menu.

To delete an auditing template:

On the Auditing page, select the template to be deleted and click Delete | Delete Template.

A dialog displays confirming that you want to delete the selected template. Click Yes.

To delete an audit path from a template:


	NOTE: In Auditing templates, you cannot delete the last audit path.

On the Auditing page, select the audit path to be deleted and click Delete | Delete File Path.

A dialog displays confirming that you want to delete the selected file path from the template. Click Yes.

To delete a Change Auditor agent from a template:


	NOTE: In Auditing templates, you cannot delete the last agent.

On the Auditing page, select the agent to be deleted and click Delete | Delete Agent.

•

Right-click the agent to be deleted and select Delete.

A dialog will be displayed confirming that you want to delete the selected agent from the template. Click Yes.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Change Auditor for EMC 7.1.1 - User Guide

EMC Auditing

Introduction

EMC Auditing page

EMC auditing templates