Change Auditor for EMC 7.1.1

EMC Auditing wizard

The EMC Auditing wizard displays when you click Add on the EMC Auditing page. This wizard steps you through the process of creating a new EMC auditing template, specifying the EMC file server (CIFS) to be audited, the auditing scope and the agents to receive events.

The following table provides a description of the fields and controls in the EMC Auditing wizard:


	NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates that the required information has been specified and you are ready to proceed.

Table 1. EMC Auditing wizard

Create or modify an EMC Auditing Template page: On the first page of the wizard, specify the EMC file server (CIFS) to auditand define the auditing scope.

EMC File Server (CIFS)

Select the EMC file server (CIFS) from the list or enter the name of the EMC file server to audit.

NOTE: The drop-down list contains the CIFS servers published in Active Directory.

NOTE: Isilon servers are not listed in the drop-down list but can be entered manually.

Audit Path

Select one of the following options to define auditing for a file, folder or volume:

•

File - select this option to audit a single file. Then enter a file name and path (<ShareName>\<Path>\<FileName>) or click the browse button to locate and select the file to be audited.

•

Folder - select this option to audit a folder or a set of files. Then enter a folder name and path (<ShareName>\<FolderName>) or click the browse button to locate and select the folder to be audited.

NOTE: Isilon file server auditing: When specifying a file path to be audited, you should use the file’s absolute path. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, and you want to audit the file MyDoc.docx inside that share, add the path ‘ifs\test\MyDoc.docx’ in the auditing template.

NOTE: Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, please specify the new share name on this page to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right corner of the page.

•

Volume - select this option to audit a single volume. Then enter the volume name (<VolumeName>) or click the browse button to locate and select the volume to be audited.

NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field.

•

All Volumes - select this option to audit all volumes. The Audit Path text box will contain an asterisk which cannot be changed.

NOTE: Isilon file server auditing: Volume auditing is not supported and should not be used.

Once you have entered the audit path to be audited, use the Add button to add it to the selection list.

Click the browse button to locate and select the file, folder or volume to be audited. If you select an invalid file, folder or volume a red flashing icon appears explaining that your selection is invalid.

NOTE: This button is not available when All Volumes is selected as the audit path.

Add

Use the Add button to move the entry in the Audit Path text box to the selection list.

NOTE: Even though you cannot edit the Audit Path when the All Volumes option is selected, you must still click Add to move it to the selection list.

Remove

Select an entry in the selection list and click Remove to remove it from the list.

Selection list

The list box, located across the middle of this page, displays the files, folders or volumes selected for auditing.

When a Folder is selected, you can use the drop-down menu in the Scope field to change the scope of coverage for the folder.

•

This object only - select this option to audit only the selected folder, not its files or subfolders.

•

This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.

•

This object and all child objects - select this option to audit this folder and all of its files and subfolders. (Default)

Select an entry in this list to enable the corresponding Events, Inclusions and Exclusions tabs at the bottom of the page.

Events tab: Use the Events tab to select vital file and/or folder events.

NOTE: The process for capturing ACL events is extremely slow. See Performance Considerations for more details on the process used to capture ACL events.

File Events

Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list.

Folder Events

Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list.

Inclusions tab: When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Inclusions tab will be displayed allowing you to specify what in the selected audit path is to be audited.

Add the names of subfolders and files to audit

Enter a file mask to specify what in the audit path is to be audited. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters.

•

Question mark (?) wildcard character to substitute a single character.

•

A double asterisk (**) to specify a recursive match. (find match in the folder and all subfolders in audit path).

Note: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all folders and files in the selected audit path. See File/Folder Inclusion and Exclusion Examples for more file mask examples.

You can also enter the name of an individual subfolder or file that is to be included. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders or files to be included, click Add to add it to the Inclusions list.

Inclusions list

The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries.

Add

Use Add to move the entry in the text box to the Inclusions list.

Remove

Select an entry in the Inclusions list and click Remove to remove it.

Exclusions Tab (Optional): When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Exclusions tab will be displayed allowing you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names and paths of any subfolders and files in the selected audit path that are to be excluded from auditing.

NOTE: To reduce the number of events generated by document File | Save operations in Microsoft Word, Excel, Visio, and PowerPoint (Microsoft Office version 2010, 2013, and 2016), Change Auditor uses event consolidation rules. Excluding temporary files will remove the ability to consolidate these events and you will lose file modified events. Consolidation rules are not supported in multiple agent auditing scenarios.

Add the names and paths of subfolders and files to exclude from auditing

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:

•

Fixed characters such as letters, numbers and other characters that are allowed in file names.

•

Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).

•

Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

See File/Folder Inclusion and Exclusion Examples for more examples.

You can also enter the name of an individual subfolder or file that is to be excluded from auditing.

IMPORTANT: If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will not exclude it from auditing.

Once you have selected a subfolder or file to be excluded, select the appropriate Add button to add it to the Exclusions list.

Exclusions list

The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries.

Add

Use one of the following Add commands to move the entry in the text box to the Exclusions list:

•

Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.

•

Add | File - use this option to exclude activity against any files that match the exclusion string.

Remove

Select an entry in the Exclusions list and click the Remove button to remove it.

Select Change Auditor agents page: Use this page to select the agents that are to receive the events captured on the selected EMC file server (CIFS).

NOTE: You may improve performance by assigning an EMC Auditing template to more than one Change Auditor Agent. When multiple agents are assigned to the same EMC Auditing template, events will be load balanced between these agents. However, the downside is that the ‘where’ field for EMC events may contain any one of the agents being monitored by this single auditing template. In addition, if EMC event logging is enabled in Change Auditor, events will be written on multiple agent servers.

Add

Click Add to assign one or more agents to the EMC Auditing template.

Selecting this button displays the Eligible Change Auditor Agents dialog. From this dialog, select one or more agents and then click OK.

Remove

Click Remove to remove the selected agent from the list.

Set Credentials

Click the Set Credentials button to enter the credentials to be used to access the selected EMC Control Station:

•

Control Station - enter the IP address of the EMC Control Station.

•

User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station.

•

Password - enter the password associated with the user name entered above.

•

Data Mover - select the data mover that hosts the EMC file server (CIFS) specified on the first page of the wizard.

Click the Test button to validate the credentials entered. Once the credentials are validated, click OK to set the credentials as entered and close the dialog.

NOTE: There is no need to enter the EMC Control Station credentials when configuring auditing on an Isilon server.

Change Auditor Agent list

The list across the bottom of the page lists the Change Auditor agents selected to capture events from the selected EMC file server (CIFS).

CEPP.CONF file page: If you have changed or added agents to your template, use this page to review the changes you are proposing to make to the cepp.conf file. This page displays the current and proposed cepp.conf files. In addition to viewing the current and proposed cepp.conf files, you can optionally make changes to the proposed cepp.conf file or deploy the proposed cepp.conf file on the selected EMC Control Station.

NOTE: Isilon file server auditing: This information is not required; click Finish to create the EMC Auditing template.

Update File

Click Update File to deploy the proposed configuration file on the EMC Control Station.

Check Status

Click Check Status to run the following command to check the status of the cepp service:

server_cepp <Data Mover Name> -pool -info

NOTE: The information provided in the status check window can be used for troubleshooting. For example, a red Connection Disconnected entry could indicate one of the following scenarios:

•

CAVA service is not connected

•

Change Auditor agent is offline

•

Shared EMC Connector service is not running

Audit File

Click the Audit File button to enable or disable the auditing of the cepp.conf file for changes made by other third-party applications.

NOTE: When this configuration file is being audited, an event is generated whenever another application modifies the configuration file. Modifications made to this configuration file by another application may prevent Change Auditor from capturing EMC events.

Clicking this button displays the Configure cepp.conf Auditing dialog. To enable the auditing of this file, select the Enable Auditing check box and select a Change Auditor agent that is to poll for changes. Click OK to save your selections and close the dialog.

Current cepp.conf File

Displays the contents of the current cepp.conf file on the selected EMC Control Station.

Proposed cepp.conf File

Displays the proposed content of the cepp.conf file based on the selections made in the EMC Auditing wizard.

NOTE: You can manually edit the contents of the proposed cepp.conf file from this page.

File System events settings

From the Agent Configuration page on the Administration Tasks tab you can view and/or modify the File System settings for handling duplicate events.

Use the File System tab at the top of the Configuration Setup dialog to define how to process duplicate file system events.

Discard duplicates that occur within nn seconds

This option is selected by default and will discard file system events that occur within 10 seconds of each other. You can enter a value between 1 and 600 (or use the arrow controls) to increase or decrease this interval.

Audit all configured, including duplicates (Not Recommended)

Select this option to audit all configured file system events including duplicate events. This is NOT recommended and therefore is disabled by default.

To set the File System events settings:

Open the Administration Tasks tab.

Click Configuration.

Select Agent to display the Agent Configuration page.

Click Configurations.

On the Configuration Setup dialog, select an agent configuration from the left pane (i.e., the configuration that is being used by the Change Auditor agents assigned to receive EMC® events).

Open the File System tab and modify the settings to define how to process duplicate file system events as defined above.

Once you have set these settings, click OK to save your selections, close the dialog and return to the Agent Configuration page.

On the Agent Configuration page, select the Change Auditor agent(s) assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration.

EMC event logging


	NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

In addition to real-time event auditing, you can enable event logging to capture EMC events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

Event logging is disabled by default. When enabled, only configured activities are sent to the EMC event log. See the Change Auditor for EMC Event Reference Guide for a list of the events that can be sent to the event log.

To enable event logging:

Open the Administration Tasks tab.

Click Configuration.

Select Agent in the Configuration task list to display the Agent Configuration page.

Click Event Logging.

On the Event Logging dialog, select EMC Events.

Click OK to save your selection and close the dialog.

The EMC events configured in the EMC Auditing template will then be sent to the ChangeAuditor for EMC event log.