Chat now with support
Chat with Support

Change Auditor for EMC 7.3 - User Guide

EMC Auditing wizard

The EMC Auditing wizard displays when you click Add on the EMC Auditing page. This wizard steps you through the process of creating a new EMC auditing template, specifying the EMC file server (CIFS) to be audited, the auditing scope and the agents to receive events.

The following table provides a description of the fields and controls in the EMC Auditing wizard:

Create or modify an EMC Auditing Template page: On the first page of the wizard, specify the EMC file server (CIFS) to auditand define the auditing scope.

EMC File Server (CIFS)

Select the EMC file server (CIFS) from the list or enter the name of the EMC file server to audit.

Audit Path

Select one of the following options to define auditing for a file, folder or volume:

File - select this option to audit a single file. Then enter a file name and path (<ShareName>\<Path>\<FileName>) or click the browse button to locate and select the file to be audited.
Folder - select this option to audit a folder or a set of files. Then enter a folder name and path (<ShareName>\<FolderName>) or click the browse button to locate and select the folder to be audited.
NOTE: Isilon file server auditing: When specifying a file path to be audited, you should use the file’s absolute path. Path values in Isilon events captured by Change Auditor are also represented in absolute paths. For example, if a share called ‘MyTestShare’ is sharing the path ‘\\isilon\ifs\test’, and you want to audit the file MyDoc.docx inside that share, add the path ‘ifs\test\MyDoc.docx’ in the auditing template.
Volume - select this option to audit a single volume. Then enter the volume name (<VolumeName>) or click the browse button to locate and select the volume to be audited.
All Volumes - select this option to audit all volumes. The Audit Path text box will contain an asterisk which cannot be changed.
NOTE: Isilon file server auditing: Volume auditing is not supported and should not be used.

Once you have entered the audit path to be audited, use the Add button to add it to the selection list.

Click the browse button to locate and select the file, folder or volume to be audited. If you select an invalid file, folder or volume a red flashing icon appears explaining that your selection is invalid.

NOTE: This button is not available when All Volumes is selected as the audit path.

Add

Use the Add button to move the entry in the Audit Path text box to the selection list.

NOTE: Even though you cannot edit the Audit Path when the All Volumes option is selected, you must still click Add to move it to the selection list.

Remove

Select an entry in the selection list and click Remove to remove it from the list.

Selection list

The list box, located across the middle of this page, displays the files, folders or volumes selected for auditing.

When a Folder is selected, you can use the drop-down menu in the Scope field to change the scope of coverage for the folder.

This object only - select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders. (Default)

Select an entry in this list to enable the corresponding Events, Inclusions and Exclusions tabs at the bottom of the page.

Events tab: Use the Events tab to select vital file and/or folder events.

NOTE: The process for capturing ACL events is extremely slow. See Performance Considerations for more details on the process used to capture ACL events.

File Events

Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list.

Folder Events

Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list.

Inclusions tab: When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Inclusions tab will be displayed allowing you to specify what in the selected audit path is to be audited.

Add the names of subfolders and files to audit

Enter a file mask to specify what in the audit path is to be audited. The file mask can contain any combination of the following:

Note: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all folders and files in the selected audit path. See File/Folder Inclusion and Exclusion Examples for more file mask examples.

You can also enter the name of an individual subfolder or file that is to be included. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders or files to be included, click Add to add it to the Inclusions list.

Inclusions list

The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries.

Add

Use Add to move the entry in the text box to the Inclusions list.

Remove

Select an entry in the Inclusions list and click Remove to remove it.

Exclusions Tab (Optional): When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Exclusions tab will be displayed allowing you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names and paths of any subfolders and files in the selected audit path that are to be excluded from auditing.

Add the names and paths of subfolders and files to exclude from auditing

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

See File/Folder Inclusion and Exclusion Examples for more examples.

You can also enter the name of an individual subfolder or file that is to be excluded from auditing.

Once you have selected a subfolder or file to be excluded, select the appropriate Add button to add it to the Exclusions list.

Exclusions list

The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries.

Add

Use one of the following Add commands to move the entry in the text box to the Exclusions list:

Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.

Remove

Select an entry in the Exclusions list and click the Remove button to remove it.

Select Change Auditor agents page: Use this page to select the agents that are to receive the events captured on the selected EMC file server (CIFS).

Add

Click Add to assign one or more agents to the EMC Auditing template.

Selecting this button displays the Eligible Change Auditor Agents dialog. From this dialog, select one or more agents and then click OK.

Remove

Click Remove to remove the selected agent from the list.

Set Credentials

Click the Set Credentials button to enter the credentials to be used to access the selected EMC Control Station:

Control Station - enter the IP address of the EMC Control Station.
User - enter the user name of an account with Administrative rights (rights to create or modify the cepp.conf file) on the selected EMC Control Station.
Password - enter the password associated with the user name entered above.
Data Mover - select the data mover that hosts the EMC file server (CIFS) specified on the first page of the wizard.

Click the Test button to validate the credentials entered. Once the credentials are validated, click OK to set the credentials as entered and close the dialog.

Change Auditor Agent list

The list across the bottom of the page lists the Change Auditor agents selected to capture events from the selected EMC file server (CIFS).

CEPP.CONF file page: If you have changed or added agents to your template, use this page to review the changes you are proposing to make to the cepp.conf file. This page displays the current and proposed cepp.conf files. In addition to viewing the current and proposed cepp.conf files, you can optionally make changes to the proposed cepp.conf file or deploy the proposed cepp.conf file on the selected EMC Control Station.
NOTE: Isilon file server auditing: This information is not required; click Finish to create the EMC Auditing template.

Update File

Click Update File to deploy the proposed configuration file on the EMC Control Station.

Check Status

Click Check Status to run the following command to check the status of the cepp service:

server_cepp <Data Mover Name> -pool -info

Audit File

Click the Audit File button to enable or disable the auditing of the cepp.conf file for changes made by other third-party applications.

Clicking this button displays the Configure cepp.conf Auditing dialog. To enable the auditing of this file, select the Enable Auditing check box and select a Change Auditor agent that is to poll for changes. Click OK to save your selections and close the dialog.

Current cepp.conf File

Displays the contents of the current cepp.conf file on the selected EMC Control Station.

Proposed cepp.conf File

Displays the proposed content of the cepp.conf file based on the selections made in the EMC Auditing wizard.

File System events settings

From the Agent Configuration page on the Administration Tasks tab you can view and/or modify the File System settings for handling duplicate events.

Use the File System tab at the top of the Configuration Setup dialog to define how to process duplicate file system events.

2
Click Configuration.
3
Select Agent to display the Agent Configuration page.
4
Click Configurations.
7
Once you have set these settings, click OK to save your selections, close the dialog and return to the Agent Configuration page.

EMC event logging

In addition to real-time event auditing, you can enable event logging to capture EMC events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

Event logging is disabled by default. When enabled, only configured activities are sent to the EMC event log. See the Change Auditor for EMC Event Reference Guide for a list of the events that can be sent to the event log.

2
Click Configuration.
3
Select Agent in the Configuration task list to display the Agent Configuration page.
4
Click Event Logging.
6
Click OK to save your selection and close the dialog.

EMC Searches/Reports

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating