Change Auditor for EMC 7.2 - Event Reference Guide

Log Events

When event logging for EMC is enabled on the Agent Configuration page of the Administration Tasks tab in Change Auditor, EMC audited events will also be written to a Windows event log, named ChangeAuditor for EMC event log. These log events can then be gathered by InTrust and Quest Knowledge Portal for further processing and reporting.

NOTE: To enable event logging, select Event Logging on the Agent Configuration page (Administration Tasks tab), and the type of event logging to enable.

The following table lists the log events captured when EMC event logging is enabled. They are listed in numeric order by event ID.

Event ID   Event
500        EMC Folder Created
501        EMC Folder Deleted
502        EMC Folder Moved
503        EMC Folder Renamed
504        EMC Folder Ownership Changed
           EMC Folder Ownership Changed (no from-value)
505        EMC Folder Access Rights Changed
           EMC Folder Access Rights Changed (no from-value)
506        EMC File Created
507        EMC File Deleted
508        EMC File Moved
509        EMC File Renamed
510        EMC File Ownership Changed
           EMC File Ownership Changed (no from-value)
511        EMC File Access Rights Changed
           EMC File Access Rights Changed (no from-value)
512        EMC File Opened
513        EMC File Contents Written

Notes and Performance Considerations

This section contains a numerical list of notes for Change Auditor for EMC events.

Only EMC events initiated via the Common Internet File System (CIFS) protocol are captured. EMC events initiated via FTP, NFS or other protocols are not captured.

Events are generated as described below when actions are taken on folders that have subordinate files and folders:

Moving a parent folder: For a ‘Move’ operation, only one event will be generated for the parent folder because the action is only on the parent folder’s path; none of the child folders or files are physically moved.
Deleting a parent folder: For a ‘Delete’ operation, an event will be generated for each folder or file because each object will be removed separately.
Copying a parent folder: For a ‘Copy’ operation, an event will be generated for each folder and file because a new object will be created within the target folder.

If a parent folder is copied to a target folder that is not being monitored, no event will be generated. The target folder must be monitored in order for an event to be generated.
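For triage, the per-object delete events described above can be collapsed back into one record per top-level folder. The Python example below is an addition to this page, not part of the Quest documentation; the record fields (id, who, path, ts), the sample values and the 60-second window are assumptions, and only the event IDs come from the table on this page.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Event IDs from the table on this page.
FOLDER_DELETED, FILE_DELETED = 501, 507

# Constructed sample records. The field names (id, who, path, ts) are
# assumptions for illustration, not the product's event schema.
SAMPLE = [
    {"id": 502, "who": "CORP\\alice", "path": r"\\nas01\share\archive", "ts": 100},
    {"id": 507, "who": "CORP\\bob", "path": r"\\nas01\share\hr\2023\a.xlsx", "ts": 200},
    {"id": 507, "who": "CORP\\bob", "path": r"\\nas01\share\hr\2023\b.xlsx", "ts": 200},
    {"id": 501, "who": "CORP\\bob", "path": r"\\nas01\share\hr\2023", "ts": 201},
    {"id": 501, "who": "CORP\\bob", "path": r"\\nas01\share\hr", "ts": 201},
    {"id": 507, "who": "CORP\\carol", "path": r"\\nas01\share\tmp\x.log", "ts": 300},
]


def rollup_deletes(events, window=60):
    """Collapse per-object delete events into one record per top-level folder."""
    deletes = [e for e in events if e["id"] in (FOLDER_DELETED, FILE_DELETED)]
    folders = [e for e in deletes if e["id"] == FOLDER_DELETED]

    def covers(folder, ev):
        # Same actor, close in time, and ev's path lies at or below the folder.
        fp, ep = PureWindowsPath(folder["path"]), PureWindowsPath(ev["path"])
        return (folder["who"] == ev["who"]
                and abs(folder["ts"] - ev["ts"]) <= window
                and (ep == fp or fp in ep.parents))

    # Top-level folders: deleted folders not covered by another deleted folder.
    roots = [f for f in folders
             if not any(g is not f and covers(g, f) for g in folders)]
    grouped, standalone = defaultdict(int), []
    for ev in deletes:
        root = next((r for r in roots if covers(r, ev)), None)
        if root is None:
            standalone.append(ev["path"])
        else:
            grouped[(root["who"], root["path"])] += 1
    return dict(grouped), standalone


if __name__ == "__main__":
    print(rollup_deletes(SAMPLE))
```

The single 502 record in the sample needs no rollup, since a parent-folder move produces only one event.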

Security events do not return a ‘From’ value. The security events that return a ‘From’ value require synchronous event exchange and can have a negative impact on performance, whereas the ‘no from-value’ events allow Change Auditor to connect and use asynchronous interfaces.

You may improve performance by assigning an EMC Auditing template to more than one Change Auditor Agent. When multiple agents are assigned to the same EMC Auditing template, events will be load balanced between these agents. However, the downside is that the ‘where’ field for EMC events may contain any one of the agents being monitored by this single auditing template. In addition, if EMC event logging is enabled in Change Auditor, events will be written on multiple agent servers.

Change Auditor access control list (ACL) events (that is, discretionary access control list (DACL) and system access control list (SACL) changes) will not report inherited access control entry (ACE) changes.

For performance reasons and because of limitations in EMC APIs, the ‘from’ value is not available for the following events when auditing EMC file servers:
