Change Auditor for EMC 7.3 - User Guide

EMC Auditing

Introduction

You must define a separate EMC Auditing template for each EMC file server (CIFS) to audit. The EMC Auditing page on the Administration Tasks tab displays details about each EMC Auditing template created and allows you to add new auditing templates.

 

EMC Auditing page

The EMC Auditing page displays when you select EMC from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can open the EMC Auditing wizard to specify the EMC file server (CIFS) to be audited, the auditing scope and the agents to receive the EMC events. You can also edit existing templates, disable/enable templates, and remove templates that are no longer being used.

The EMC Auditing page contains an expandable view of all the EMC Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:

NOTE: This field will be blank if the Audit cepp.conf field is set to No.

Click the expansion box to the left of the EMC file server (CIFS) name to expand this view and display the following details:

EMC auditing templates

To enable EMC auditing, create a template for each EMC file server (CIFS) to audit. Each template defines the location of the EMC file server to be audited, the auditing scope, and the agents to receive the events.

 

To audit the "File contents written" operations, you must audit "Close" operations on Isilon. To audit close operations, use the isi zone zones modify command in the command line interface (CLI).

For example:
To audit a successful close operation for the 'System' zone, run the following command:
isi zone zones modify system --add-audit-success close

To review all currently audited operations for the System zone, use the following command:
isi zone zones view system

1. Select View | Administration.
2. Select Auditing.
3. Select EMC in the Auditing | NAS task list to open the EMC Auditing page.
4. Click Add.
EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list, or enter the NetBIOS name or IP address of the EMC file server (CIFS) to be audited.
Audit Path - Select File. Enter a file name and path (i.e., <ShareName>\<Path>\<FileName>) to audit or click the browse button to locate and select a file. Click Add to move the specified audit path to the selection list.

When specifying a file path to audit, use the file’s absolute path. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, and you want to audit the file MyDoc.docx inside that share, add the path ‘ifs\test\MyDoc.docx’ in the auditing template.

Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, specify the new share name to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right corner of the page.

Volume auditing is not supported and should not be used. Select File or Folder as the Audit Path.

Events tab - Select the file events to audit for the file selected in the selection list.
NOTE: Selecting the File Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing this check box will clear all of the selected events.
6. Click Next.
Click Add.
NOTE: Isilon file server auditing: There is no need to enter the EMC Control Station credentials when configuring auditing on an Isilon server. Skip to Step 9.
Click Set Credentials and enter the following information:
Control Station - enter the IP address of the EMC Control Station.
User - enter the user name of an account with Administrative rights (required to create or modify the cepp.conf file) on the selected EMC Control Station.
Password - enter the password associated with the user name entered above.
Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.
Click Test to validate the credentials. Once the credentials are validated, click OK to set the credentials as entered and close the dialog.
The cepp.conf file will be created based on the information specified in the EMC Auditing wizard. Click Next to view the current and proposed settings for the cepp.conf file.
Use the buttons above the Current cepp.conf File text box, as described below:
To audit the cepp.conf file checking for modifications made by another application, click Audit File. Select the Enable Auditing check box, review (and if necessary change) the polling interval, and select the Change Auditor agent to be used to poll this configuration file. Click OK to save your selections and close the dialog.
9. Click Finish to close the wizard and create the template.
10. On the Administration Tasks tab, click the Configuration task button. Select Agent to open the Agent Configuration page.
1. Select View | Administration.
2. Select Auditing.
3. Select EMC in the Auditing | NAS task list to open the EMC Auditing page.
4. Click Add.
EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list, or enter the NetBIOS name or IP address of the EMC file server (CIFS) to be audited.
Audit Path - Select Folder. Enter a folder name and path (i.e., <ShareName>\<FolderName>) to audit or click the browse button to locate and select a folder.
NOTE: Isilon file server auditing:

When specifying file and folder paths to be audited, the file or folder’s absolute path should be used. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, add the path ‘ifs\test’ in the auditing template to audit changes through the share.

Change Auditor uses the default ‘ifs’ share for Isilon file/folder permission change events. If you have renamed this share, please specify the new share name on this page to continue support for these events. To change the default ifs share name, click the "Isilion admin share name" link on the top right hand corner of the page.
Click Add to add the specified folder to the Selection list.
6. By default, the scope of coverage for the selected folder will be This object and all child objects. However, you can change the scope by selecting a different option from the drop-down box in the scope cell of the selection list:
This object only - select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders.
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.
For example, entering * will include all subfolders and files in the selected audit path.
Once you have specified the subfolders/files to be included, click the Add button to add it to the Inclusion list at the bottom of the page.
For example, entering *.log will exclude all files in the audit folder with the .log file extension, whereas entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.
Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
Click Next.
Click Add.
NOTE: Isilon file server auditing: There is no need to enter the EMC Control Station credentials when configuring auditing on an Isilon server. Skip to Step 12.
Click the Set Credentials button and enter the following information:
Control Station - enter the IP address of the EMC Control Station.
User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station.
Password - enter the password associated with the user name entered above.
Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.
Click Test to validate the credentials entered. Once the credentials are validated, select OK to set the credentials as entered and close the dialog.
Use the buttons above the Current cepp.conf File text box, as described below:
To audit the cepp.conf file checking for modifications made by another application, click Audit File. Select the Enable Auditing check box, review (and if necessary change) the polling interval, and select the Change Auditor agent to be used to poll this configuration file. Click OK to save your selections and close the dialog.
12. Click Finish to close the wizard and create the EMC Auditing template.
13. On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
14. Select the agents assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration to ensure the agents are using the latest configuration.
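The Isilon path rule, the three scope options and the *.log / **.log exclusion examples above can be modeled offline to see which files a template would leave unaudited before you rely on it. This is an added example, not Quest's code: the function names and matching rules are assumptions drawn from this page's wording, every path is treated as a file, and only Add | File exclusions are modeled.

```python
from fnmatch import fnmatchcase

# Scope labels as they appear in the wizard's scope drop-down.
ONLY = "This object only"
CHILDREN = "This object and child objects only"
ALL = "This object and all child objects"

def isilon_audit_path(shared_path, relative=""):
    # Convert the path a share exposes (e.g. \\isilon\ifs\test) into the
    # absolute 'ifs\...' form the template expects: drop the host name.
    parts = [p for p in shared_path.split("\\") if p][1:]
    parts += [p for p in relative.split("\\") if p]
    return "\\".join(parts)

def depth_below(audit_root, path):
    # Components of `path` below `audit_root`; None if it lies outside.
    root = audit_root.lower().split("\\")
    comps = path.lower().split("\\")
    if comps[:len(root)] != root:
        return None
    return len(comps) - len(root)

def is_audited(audit_root, scope, file_exclusions, path):
    # Assumed, simplified model of scope plus Add | File exclusions.
    depth = depth_below(audit_root, path)
    if depth is None:
        return False
    if scope == ONLY and depth > 0:
        return False            # files and subfolders are not covered
    if scope == CHILDREN and depth > 1:
        return False            # direct children only, not recursive
    name = path.lower().split("\\")[-1]
    for pattern in file_exclusions:
        pat = pattern.lower()
        if pat.startswith("**"):
            # '**.log': matches in the audit folder or any subfolder
            if depth >= 1 and fnmatchcase(name, pat[1:]):
                return False
        elif depth == 1 and fnmatchcase(name, pat):
            # '*.log': matches files directly in the audit folder only
            return False
    return True
```

Running a list of sensitive file paths through is_audited with the planned scope and exclusions shows coverage gaps, such as a **.log exclusion silencing every subfolder, before the template is saved.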
NOTE: Isilon file server auditing: Volume auditing is not supported and should not be used.
1. Open the EMC Auditing Wizard. (Click Add or Edit on the EMC Auditing page.)
EMC File Server (CIFS) - Select the EMC file server (CIFS) from the drop-down list, or enter the NetBIOS name or IP address of the EMC file server (CIFS) to be audited.
Audit Path - Select Volume. Enter a volume name (i.e., <VolumeName>) to be audited or click the browse button to locate and select a volume.
Click Add to add the specified volume to the Selection list.
3. By default, the scope of coverage for the selected volume will be This object and all child objects, which cannot be changed.
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.
For example, entering * will include all subfolders and files in the selected audit path.
Once you have specified the subfolders/files to be included, click Add to add it to the Inclusion list at the bottom of the page.
For example, entering *.log will exclude all files in the audit folder with the .log file extension, whereas entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.
Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
Click Next.
Click Add.
Click Set Credentials and enter the following information:
Control Station - enter the IP address of the EMC Control Station.
User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station.
Password - enter the password associated with the user name entered above.
Data Mover - select the data mover that hosts the CIFS file server specified on the first page of the wizard.
Click Test to validate the credentials. Once the credentials are validated, click OK to set the credentials as entered and close the dialog.
Use the buttons above the Current cepp.conf File text box, as described below:
To audit the cepp.conf file checking for modifications made by another application, click Audit File. Select the Enable Auditing check box, review (and if necessary change) the polling interval, and select the Change Auditor agent to be used to poll this configuration file. Click OK to save your selections and close the dialog.
9. Click Finish to close the wizard and create the template.
10. On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page. This will ensure the agents are using the latest configuration.
11. Select the Change Auditor agents assigned to the EMC Auditing template (Auditing appears in the EMC column) and click Refresh Configuration.

The disable feature allows you to temporarily stop auditing the specified audit path without having to remove the auditing template or individual audit path from a template.

Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the template will change to ‘Disabled’.
2. To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
Place your cursor in the Status cell for the audit path to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the selected file path will change to ‘Disabled’.
2. To re-enable the auditing of an audit path, use the Enable option in either the Status cell or right-click menu.