February 7th, 2013 08:00

Isilon SMB auditing

I'm trying to configure auditing for file deletion. As per emc14002345, I enabled

#isi smb settings global view

...

  Audit Fileshare: success

  Audit Global SACL Failure:

  Audit Global SACL Success: generic_all

  Audit Logon: all

....

It seems to work for logins:

tail -5 /var/log/audit/smb.log

2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|home

2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|test1

2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGOFF|STATUS_SUCCESS

2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGON|STATUS_LOGON_FAILURE|10.250.16.224|10.246.12.191|UNKNOWN

2013-02-07T10:23:38-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|LOGOFF|STATUS_SUCCESS

but not for file access, file delete, etc.

I'm running 7.0.1.2

114 Posts

April 23rd, 2013 15:00

7.0.1.5 fixes the auditing for delete

83 Posts

February 8th, 2013 14:00

Hello,

This appears to be a documented issue. It was identified internally and has been resolved.

Reference SMB Auditing: audit-global-success and audit-global-sacl logging issue when you engage support.

I do not have insight to see if it will make it into the next maintenance release.

114 Posts

February 8th, 2013 18:00

I have a case but it's not getting anywhere. Are you saying that the SACL auditing is not implemented in 7?

83 Posts

February 11th, 2013 11:00

Hello,

It is implemented, but there was an issue where it was only logging auditing events associated with FILESHARE or LOGON/LOGOFF events, and not showing the file open, file close, etc. events. Send me a PM with your case number and I will make sure the technician working your case has the information I was looking at.

Thanks!

114 Posts

February 22nd, 2013 06:00

7.0.1.3 was released yesterday and bug #100899 (SMB file operations were not logged as expected when audit logging was enabled) was supposed to fix this. It is still not working for file delete; it logs OPEN, ACCESS, CLOSE but not DELETE.

2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|OPEN|STATUS_SUCCESS|0x5B46120|0x110080|DIR|FILE_OPEN|test1|/ifs/test1/test3/New folder (3)/New folder (2)

2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|ACCESS|STATUS_SUCCESS|0x5B46120|0x10000

2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|CLOSE|STATUS_SUCCESS|0x5B4612

114 Posts

January 22nd, 2014 07:00

There is a bug that affects all SMB if the auditing is enabled as per above on versions up to 7.0 and the cluster is later upgraded to 7.1.

See my post at:

ISILON Users Audit
