Change Auditor for NetApp 7.0.2 - User Guide

Introduction

You must define a separate NetApp auditing template for each NetApp filer to be audited by Change Auditor. The NetApp Auditing page on the Administration Tasks tab displays details about each NetApp Auditing template created and allows you to add new auditing templates.

 

NetApp Auditing page

The NetApp Auditing page displays when you select NetApp from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can launch the NetApp Auditing wizard to specify the NetApp filer to audit, the auditing scope, and the agents to receive the events. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The NetApp Auditing page contains an expandable view of all the NetApp Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:

Click the expansion box to the left of the Filer name to expand this view and display the following details:

Displays the name of the user account that has access to the NetApp filer. This information is only displayed when Set Credentials is used on the second page of the wizard to specify the NetApp filer credentials to be used by a Change Auditor agent.

NetApp Auditing templates

To enable NetApp filer auditing, create a NetApp Auditing template for each NetApp filer to audit. Each auditing template defines the NetApp filer to be audited, the auditing scope, and the agents that are to receive the NetApp events.

1
Open the NetApp Auditing wizard (Click Add or Edit on NetApp Auditing page).
NetApp Filer - Select the NetApp filer from the drop-down or enter the NetBIOS name or IP address of the NetApp filer to be audited.
Audit Path - Select File and enter a file name and path (<ShareName>\<Path>\<FileName>) to be audited or click the browse button to locate and select a file. Click Add to move the specified audit path to the selection list (middle of the page).
Events tab - Select the file events to be audited for the file selected in the selection list.
NOTE: Selecting the File Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing this check box will clear all of the selected events.
Click Next to proceed to the next page.
4
Click Finish to close the wizard and create the template.
5
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
6
Select the agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.
1
Open the NetApp Auditing wizard. (Click Add or Edit on the NetApp Auditing page.)
NetApp Filer - Select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.
Audit Path - Select Folder and enter a folder name and path (<ShareName>\<FolderName>) to be audited or click the browse button to locate and select a folder.

For example, if you want to audit file changes when users access a share called ‘folder1’, which resides under a QTree share named ‘c$’, you need to specify the following two paths:

Click Add to add the specified folder to the selection list.
3
By default, the scope of coverage for the selected folder will be This object and all child objects. However, you can change the scope, by selecting a different option from the drop-down box in the scope cell of the selection list:
This object only - select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders.
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.
Once you have specified the subfolders/files for inclusion, click Add to add it to the Inclusion list at the bottom of the page.
For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.
Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
7
Click Next.
8
On the second page of the wizard, select the agents to be used to monitor the NetApp filer and click Add. On the Eligible Change Auditor Agents dialog, select one or more agents from the list and click OK.
9
Click Finish to close the wizard and create the template.
10
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
11
Select the agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.
1
Open the NetApp Auditing Wizard. (Click Add or Edit on NetApp Auditing page.)
NetApp Filer - Select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.
Audit Path - Select Volume. Enter a volume name (<VolumeName>) to be audited. Volume names can be determined by logging into the NetApp server and using the command: vol status.
Click Add to add the specified volume to the selection list (middle of the page).
3
By default, the scope of coverage for the selected volume will be This object and all child objects, which cannot be changed.
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.
For example, entering * will include all subfolders and files in the selected audit path.
Once you have specified the subfolders/files for inclusion, click Add to add it to the Inclusion list at the bottom of the page.
For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.
Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
7
Click Next.
8
On the second page of the wizard, click Add to select the agents to monitor the NetApp filer. On the Eligible Change Auditor Agents dialog, select one or more agents from the list and click OK.
9
Click Finish to close the wizard and create the template.
10
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
11
Select the Change Auditor agents assigned to the template (Auditing appears in the NetApp column) and click Refresh Configuration.

Disabling a template allows you to temporarily stop auditing the specified audit path without having to remove the auditing template or individual audit path from a template.

Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the template will change to ‘Disabled’.
2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
Place your cursor in the Status cell for the audit path to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the selected file path will change to ‘Disabled’.
2
To re-enable the auditing of an audit path, use the Enable option in either the Status cell or right-click menu.

NetApp Auditing wizard

The NetApp Auditing wizard is displayed when you click Add on the NetApp Auditing page. This wizard steps you through the process of creating a new NetApp auditing template, identifying the NetApp filer to audit, the auditing scope, and the agents to receive the events.

The following table provides a description of the fields and controls in the NetApp Auditing wizard:

Use the first page of the wizard to specify the NetApp filer to be audited and the file, folder, volume or all volumes to be audited on that filer.

NetApp Filer

Use the drop-down control to the far right of this field to select the NetApp CIFS server from the drop-down menu. If the NetApp CIFS server not appear in the list, enter the server’s NetBIOS name.

File and folder auditing is supported in both 7-mode (non-cluster mode) and cluster mode. Select Detect filer mode...to determine which mode you have deployed.

If you are operating in cluster mode, credentials must be set for all agents. The credentials set must be for users with ONTAPI access on the filer.

Once entered, Change Auditor verifies that the specified account can access the filer. If there is an issue, re-enter valid credentials and the verification will run again.

Audit Path

Select one of the following options to define auditing for a file, folder or volume:

File - select this option to audit a single file. Then enter a file name and path (<ShareName>\<Path>\<FileName>) to be audited or click the browse button to locate and select a file.
Folder - select this option to audit a folder or a set of files. Then enter a folder name and path (<ShareName>\<FolderName>) to be audited.
Volume - select this option to audit a single volume. Then enter the volume name (<VolumeName>) to be audited or click the browse button to locate and select a volume.
All Volumes - select this option to audit all volumes. The Audit Path text box will contain an asterisk (*) which cannot be changed.

Once you have entered the audit path to be audited, click Add to add it to the selection list.

Click the browse button to locate and select the file or folder to be audited.

NOTE: This button is not available when All Volumes is selected as the audit path.

Add

Use Add to move the entry in the Audit Path text box to the selection list.

NOTE: Even though you cannot edit the Audit Path when the All Volumes option is selected, you must still click Add to move it to the selection list.

Remove

Select an entry in the selection list and click Remove to remove it from the list.

Selection list

The list box, located across the middle of this page, displays the files, folders or volumes selected for auditing.

When a Folder is selected, you can use the drop-down menu in the Scope field to change the scope of coverage.

This object only- select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders. (Default)

Select an entry in this list to enable the corresponding Events, Inclusions and Exclusions tabs at the bottom of the page.

Events tab

Use the Events tab to select vital file and/or folder events.

File Events

Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list.

Folder Events

Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list.

Inclusions tab

When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Inclusions tab will be displayed allowing you to specify what in the selected audit path is to be audited.

Add the names of subfolders and files to audit

Enter a file mask to specify what in the selected audit path is to be audited. The file mask can contain any combination of the following:

Note: The slash (\) and double asterisk (**) characters can only be used with volumes.

For example, entering * will include all folders and files in the selected audit path. See File and Folder Inclusion and Exclusion Examples for more file mask examples.

You can also enter the name of an individual subfolder or file that is to be included. However, if you enter the name of a subfolder, you will only receive events for operations performed against the specified subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders and files to be included, select Add to add it to the Inclusions list.

Inclusions list

The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries.

Add - Click Add to move the entry in the text box to the Inclusions list.
Remove - Select an entry in the Inclusions list and click Remove to remove it.

Exclusions tab (Optional)

When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Exclusions tab will be displayed allowing you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names and paths of any subfolders and files in the selected audit path that are to be excluded from auditing.

Add the names and paths of subfolders and files to exclude from auditing

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

See File and Folder Inclusion and Exclusion Examples for more examples.

You can also enter the name of an individual subfolder or file that is to be excluded from auditing.

If you enter the name of a subfolder or file that is outside of the audited path, Change Auditor will NOT exclude it from auditing.

Once you have specified a subfolder or file to be excluded, select the appropriate Add button to add the file or folder to the Exclusions list.

Exclusions list

The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries.

Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.
Remove - Select an entry in the Exclusions list and click Remove to remove it.

Use this page to select the agents to receive the audit events captured on the selected NetApp filer.

Add

Use Add to assign one or more agents to the NetApp Auditing template.

Clicking this button displays the Change Auditor Agents dialog. From this dialog, select one or more agents and then click OK.

Remove

Use Remove to remove the selected agent from the list.

Set Credentials

If you did not add the agent accounts to the local Administrators group on the NetApp filer, select the agent from the list and click Set Credentials. Enter the NetApp filer credentials to be used.

See the Release Notes for required rights and permission.

Clear Credentials

Use Clear Credentials to clear the NetApp filer credentials that were previously entered for the selected agent.

Change Auditor Agent list

The list box on this page lists the agents selected to capture audit events from the selected NetApp filer.

相关文档