File Auditing in isilon
Hello Folks,
I got a request from the business asking about one user's "read / write" activity on an Isilon SMB share.
We have a 9-node cluster in our environment with auditing capability. Can someone take me through the step-by-step procedure to check if the user did any reads or writes on a folder in a specific time frame (April 1st - till date)?
dynamox
April 12th, 2016 07:00
explore isi_audit_viewer command
Sathish Dodda
April 12th, 2016 09:00
Thanks dynamox,
When I try to explore the above-said command I am not getting any output or help for syntax. I am getting the output "done".
Any idea what this means?
Sathish Dodda
April 12th, 2016 09:00
Thanks,
Can you get me the guide where I can get the commands to explore auditing commands with examples? Since I am new to this array I need the doc. Thank you very much for your support!!
Stdekart
April 12th, 2016 09:00
Sathish_Chanti,
"isi_" commands are considered internal (Support commands) and have no documentation beyond the --help page supplied from the CLI:
The only two exceptions I can find are isi_for_array and isi_gather_info; these two commands have outlines in the CLI Admin guide for the respective OneFS version.
milpool-2# isi_audit_viewer --help
isi_audit_viewer: illegal option -- -
Usage: isi_audit_viewer [ -n | -t | -s |
-e | -v ]
-n : Specify node id to browse (default: local node)
-t : Choose topic to browse.
Topics are "config" and "protocol" (default: "config")
-s : Browse audit logs starting at
-e : Browse audit logs ending at
-v verbose : Prints out start / end time range before printing
records
Start and End times are expressable as a
date format "YYYY-MM-DD HH:MM:SS", where
fields represent year/month/day/hours/minutes/seconds.
Time can also be expressed as HH:MM:SS;
in this case the date is set to the current day.
Time prefixes can also be used, in which case missing values are
assumed to be 0.
E.g. "05:15" represents "05:15:00".
If not specified, end time defaults to now and
start time to 24 hours before end time.
Keep in mind these audit logs are held per node, so running the isi_audit_viewer command on node 1 for someone connected to node 3 will not yield any results.
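Added example, not part of any post in this thread and not EMC code: a Python filter that answers the original question (one user's reads and writes in a time window) over protocol audit records gathered from every node, since the logs are held per node. The record layout (a `[n: date]` header followed by JSON with a microsecond `timestamp` and a `payload` holding `eventType`, `userSID` and `fileName`) and the `node: ` line prefix are assumptions not shown here; the SIDs, paths and sample lines are constructed.

```python
import json
import re
from datetime import datetime, timezone

# ASSUMED record layout (not shown in the thread): an optional "node: " prefix,
# a "[n: date]" header, then one JSON object whose "timestamp" is microseconds
# since the epoch and whose "payload" carries eventType, userSID and fileName.
RECORD = re.compile(r"\[\d+: [^\]]*\]\s*(\{.*\})\s*$")
UTC = timezone.utc

def user_activity(lines, user_sid, start, end, events=("read", "write")):
    """Return sorted (time, event, path) tuples for one user within [start, end]."""
    hits = []
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue  # skips "done", blank lines and anything that is not a record
        try:
            rec = json.loads(m.group(1))
            when = datetime.fromtimestamp(rec["timestamp"] // 1_000_000, tz=UTC)
            p = rec["payload"]
            sid, event = p.get("userSID"), p.get("eventType")
        except (ValueError, KeyError, TypeError, AttributeError, OverflowError, OSError):
            continue  # truncated or malformed record
        if sid == user_sid and event in events and start <= when <= end:
            hits.append((when, event, p.get("fileName", "")))
    return sorted(hits)

def _sample(node, when, event, sid, path):
    # Builds one CONSTRUCTED line in the assumed layout.
    body = {"timestamp": int(when.timestamp()) * 1_000_000,
            "payload": {"protocol": "SMB2", "eventType": event, "userSID": sid, "fileName": path}}
    return f"{node}: [0: {when:%a %b %d %H:%M:%S %Y}] {json.dumps(body)}"

ALICE, BOB = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002"  # constructed SIDs
SAMPLE = [
    _sample("node-1", datetime(2016, 3, 30, 8, 0, tzinfo=UTC), "read", ALICE, "\\ifs\\share\\old.txt"),
    _sample("node-3", datetime(2016, 4, 6, 12, 30, tzinfo=UTC), "write", ALICE, "\\ifs\\share\\plan.docx"),
    _sample("node-1", datetime(2016, 4, 5, 10, 0, tzinfo=UTC), "read", ALICE, "\\ifs\\share\\plan.docx"),
    _sample("node-3", datetime(2016, 4, 7, 9, 0, tzinfo=UTC), "read", BOB, "\\ifs\\share\\plan.docx"),
    _sample("node-1", datetime(2016, 4, 8, 9, 0, tzinfo=UTC), "delete", ALICE, "\\ifs\\share\\tmp.txt"),
    "done",
]

if __name__ == "__main__":
    start, end = datetime(2016, 4, 1, tzinfo=UTC), datetime(2016, 4, 12, 23, 59, 59, tzinfo=UTC)
    for when, event, path in user_activity(SAMPLE, ALICE, start, end):
        print(when.isoformat(), event, path)
```

Audit records identify the user by SID, so the account name has to be resolved to its SID before filtering.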
dynamox
April 12th, 2016 09:00
this assumes that you have auditing enabled
Sathish Dodda
April 27th, 2016 12:00
Hi Shane,
Thanks for your response.
Do you have any idea of Isilon audit logging integration with SUMOLOGIC?
scott_owens
May 3rd, 2016 11:00
In reviewing the Sumologic web pages, it appears to have the ability to accept messages via syslog. In that case, you can set up the Isilon to forward audit events via syslog.
Page 12 of the following document provides an example of setting up syslog forwarding for audit events:
http://www.emc.com/collateral/white-papers/h12428-wp-best-practice-guide-isilon-file-system-auditing.pdf
Anonymous
February 14th, 2017 11:00
This guide may prove useful to you: https://support.emc.com/docu50353_White-Paper:-File-System-Auditing-with-EMC-Isilon,-EMC-CEE,-and-Varonis-DatAdvantage.p…