Isilon SMB auditing
I'm trying to configure auditing for file deletion. As per emc14002345, I enabled
#isi smb settings global view
...
Audit Fileshare: success
Audit Global SACL Failure:
Audit Global SACL Success: generic_all
Audit Logon: all
....
It seems to work for logins:
tail -5 /var/log/audit/smb.log
2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|home
2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|test1
2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGOFF|STATUS_SUCCESS
2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGON|STATUS_LOGON_FAILURE|10.250.16.224|10.246.12.191|UNKNOWN
2013-02-07T10:23:38-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|LOGOFF|STATUS_SUCCESS
but not for file access, file delete, etc.
I'm running 7.0.1.2
bhalilov1
April 23rd, 2013 15:00
7.0.1.5 fixes the auditing for delete
MRWA
February 8th, 2013 14:00
Hello,
This appears to be a documented issue. It was identified internally and has been resolved.
Reference SMB Auditing: audit-global-success and audit-global-sacl logging issue when you engage support.
I do not have insight to see if it will make it into the next maintenance release.
bhalilov1
February 8th, 2013 18:00
I have a case but it's not getting anywhere. Are you saying that the SACL auditing is not implemented in 7?
MRWA
February 11th, 2013 11:00
Hello,
It is implemented, but there was an issue where it was only logging auditing events associated with FILESHARE or LOGON/LOGOFF events, and not showing the file open, file close, etc. events. Send me a PM with your case number and I will make sure the technician working your case has the information I was looking at.
Thanks!
bhalilov1
February 22nd, 2013 06:00
7.0.1.3 was released yesterday and bug #100899 (SMB file operations were not logged as expected when audit logging was enabled) was supposed to fix this. It is still not working for file delete; it logs OPEN, ACCESS, CLOSE but not DELETE.
2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|OPEN|STATUS_SUCCESS|0x5B46120|0x110080|DIR|FILE_OPEN|test1|/ifs/test1/test3/New folder (3)/New folder (2)
2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|ACCESS|STATUS_SUCCESS|0x5B46120|0x10000
2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|CLOSE|STATUS_SUCCESS|0x5B4612
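One way to check which event types an audit log is actually recording, run here over records quoted in this thread (an added example, not part of any post and not Isilon code). The field layout, the `EXPECTED` list and the function names are assumptions inferred from the quoted lines.

```python
import re
from collections import Counter

# Layout inferred from the smb.log lines quoted in this thread (an assumption,
# not a documented format): syslog prefix, then '|'-separated fields
# SID|session|EVENT|STATUS|event-specific fields...
LINE_RE = re.compile(r"^(?P<ts>\S+) <[\d.]+> (?P<node>\S+)\(id\d+\) lwiod\[\d+\]: (?P<body>.+)$")

# Event names that appear in the thread; DELETE is the one reported missing.
EXPECTED = ("LOGON", "LOGOFF", "FILESHARE", "OPEN", "ACCESS", "CLOSE", "DELETE")

# Records copied from the posts above (the last one is truncated on the page).
SAMPLE = """\
2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|test1
2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGON|STATUS_LOGON_FAILURE|10.250.16.224|10.246.12.191|UNKNOWN
2013-02-07T10:23:38-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|LOGOFF|STATUS_SUCCESS
2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|OPEN|STATUS_SUCCESS|0x5B46120|0x110080|DIR|FILE_OPEN|test1|/ifs/test1/test3/New folder (3)/New folder (2)
2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|ACCESS|STATUS_SUCCESS|0x5B46120|0x10000
2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|CLOSE|STATUS_SUCCESS|0x5B4612
""".splitlines()

def parse_line(line):
    """Return a dict for one audit record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("body").split("|")
    if len(fields) < 4:
        return None
    rec = {"ts": m.group("ts"), "node": m.group("node"), "sid": fields[0],
           "session": fields[1], "event": fields[2], "status": fields[3],
           "extra": fields[4:]}
    # In the quoted OPEN record the last field is the /ifs path.
    if rec["event"] == "OPEN" and rec["extra"]:
        rec["path"] = rec["extra"][-1]
    return rec

def audit_coverage(lines, expected=EXPECTED):
    """Count records per event type and list expected types never seen."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["event"]] += 1
    missing = [e for e in expected if counts[e] == 0]
    return counts, missing

if __name__ == "__main__":
    counts, missing = audit_coverage(SAMPLE)
    print(dict(counts), "never logged:", missing)
```

Running it against a log captured while deleting a test file shows at a glance whether a given release emits the delete record at all.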
bhalilov1
January 22nd, 2014 07:00
There is a bug that affects all SMB if the auditing is enabled as per above on versions up to 7.0 and the cluster is later upgraded to 7.1.
See my post at:
ISILON Users Audit