Change Auditor for NetApp 7.0.2 - Event Reference Guide

Introduction

Change Auditor for NetApp tracks, audits and alerts on file and folder changes in real time, translating events into simple text and eliminating the time and complexity required by native auditing. The auditing scope can be set on an individual file or folder or an entire file system recursive or non-recursive. You can also include or exclude certain files or folders from the audit scope in order to ensure a faster and more efficient audit process.

In addition to real-time event auditing, you can also enable event logging to capture NetApp filer events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

This guide lists the events that can be captured by Change Auditor for NetApp. Separate event reference guides are provided that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

Change Auditor for NetApp Events

Change Auditor for NetApp queries NetApp filers for modifications made to files and folders. This auditing functionality is based on NetApp’s Data ONTAP file screening policy (FPolicy), which allows third-party screening software to interact with the NetApp filer. This section lists the audited events captured by Change Auditor when Change Auditor for NetApp is licensed and a NetApp auditing template is created for each NetApp filer to be audited. These events are listed in alphabetical order by facility.

See Notes and Performance Considerations for strategies to help minimize performance issues.

Table 1. NetApp events

NetApp File Access Rights Changed (no from-value)

Created when file access rights have changed on a NetApp filer.

Medium

NetApp File Contents Written

Created when the contents of a file was written on a NetApp filer.

Medium

NetApp File Created

Created when a file is created on a NetApp filer.

Medium

NetApp File Deleted

Created when a file is deleted on a NetApp filer.

Medium

NetApp File Moved

Created when a file is moved on a NetApp filer.

Medium

NetApp File Opened

Created when a file is opened on a NetApp filer.

Medium

NetApp File Ownership Changed (no from-value)

Created when the ownership of a file is changed on a NetApp filer.

Medium

NetApp File Renamed

Created when a file is renamed on a NetApp filer.

Medium

NetApp Folder Access Rights Changed (no from-value)

Created when the access rights of a folder have changed on a NetApp filer.

Medium

NetApp Folder Created

Created when a folder is created on a NetApp filer.

Medium

NetApp Folder Deleted

Created when a folder is removed from a NetApp filer.

Medium

NetApp Folder Moved

Created when a folder is moved on a NetApp filer.

Medium

NetApp Folder Ownership Changed (no from-value)

Created when the ownership of a folder has changed on a NetApp filer.

Medium

NetApp Folder Renamed

Created when a folder is renamed on a NetApp filer.

Medium

 

Log Events

When event logging for NetApp is enabled in Change Auditor, NetApp filer events will also be written to a Windows® event log, named ChangeAuditor for NetApp. This event log can then be gathered by InTrust and Quest Knowledge Portal for further processing and reporting.

NOTE: To enable event logging, select Event Logging on on the Agent Configuration page (Administration Tasks tab), and select the type of event logging to enable.

The following table lists the log events captured when NetApp event logging is enabled. They are listed in numeric order by event ID.

500

NetApp Folder Created

501

NetApp Folder Deleted

502

NetApp Folder Moved

503

NetApp Folder Renamed

504

NetApp Folder Ownership Changed (no from-value)

505

NetApp Folder Access Rights Changed (no from-value)

506

NetApp File Created

507

NetApp File Deleted

508

NetApp File Moved

509

NetApp File Renamed

510

NetApp File Ownership Changed (no from-value)

511

NetApp File Access Rights Changed (no from-value)

512

NetApp File Opened

513

NetApp File Contents Write

Notes and Performance Considerations

This section contains a numerical list of notes for Short Product Name events.

File changes to a NetApp filer initiated from the server hosting the Change Auditor agent responsible for capturing NetApp events will NOT be reported by the filer. This is a limitation of the NetApp filer’s FPolicy and not a limitation of Change Auditor.

 

ONTAP 7.3 (or later) is required to monitor permission change events.

Events are generated as described below when actions are taken on folders that have subordinate files and folders:

Moving a parent folder: For a ‘Move’ operation, only one event will be generated for the parent folder because action is only on the parent folder’s path, none of the child folders or files are physically moved.
Deleting a parent folder: For a ‘Delete’ operation, an event will be generated for each folder or file because each object will be removed separately.
Copying a parent folder: For a ‘Copy’ operation, an event will be generated for each folder and file because a new object will be created within the target folder.

If a parent folder is copied to a target folder that is not being monitored, no event will be generated. The target folder must be monitored in order for an event to be generated.

For better performance:

Security events do not return a ‘From’ value. The security events that return a ‘From’ value require synchronous event exchange and can have a negative impact on performance. Whereas, the ‘no from-value’ events allow Change Auditor to connect and use asynchronous interfaces.

You may improve performance by assigning a NetApp Auditing template to more than one agent. When multiple agents are assigned to the same template, events are load-balanced between these agents. However, the downside is that the ‘where’ field for NetApp events may contain any one of the agents being monitored by this single auditing template. In addition, if NetApp event logging is enabled in Change Auditor, events will be written on multiple agent servers.

 

If a NetApp filer is not available, the agent will retry the connection every 10 minutes.

 

自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
联系我们
获得许可 帮助
技术支持
查看全部
相关文档