bhalilov1
2 Iron

Isilon SMB auditing

I'm trying to configure auditing for file deletion. As per emc14002345, I enabled

#isi smb settings global view

...

  Audit Fileshare: success

  Audit Global SACL Failure:

  Audit Global SACL Success: generic_all

  Audit Logon: all

....

It seems to work for logins:

tail -5 /var/log/audit/smb.log

2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|home

2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|test1

2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGOFF|STATUS_SUCCESS

2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGON|STATUS_LOGON_FAILURE|10.250.16.224|10.246.12.191|UNKNOWN

2013-02-07T10:23:38-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|LOGOFF|STATUS_SUCCESS

but not for file access, file delete, etc.

I'm running 7.0.1.2

0 Kudos
1 Solution

Accepted Solutions
bhalilov1
2 Iron

Re: Isilon auditing

7.0.1.5 fixes the auditing for delete

0 Kudos
6 Replies
MRWA
2 Iron

Re: Isilon auditing

Hello,

This appears to be a documented issue. It was identified internally and has been resolved.

Reference SMB Auditing: audit-global-success and audit-global-sacl logging issue when you engage support.

I do not have insight to see if it will make it into the next maintenance release.

0 Kudos
bhalilov1
2 Iron

Re: Isilon auditing

I have a case but it's not getting anywhere. Are you saying that the SACL auditing is not implemented in 7?

0 Kudos
MRWA
2 Iron

Re: Isilon auditing

Hello,

It is implemented, but there was an issue where it was only logging auditing events associated with FILESHARE or LOGON/LOGOFF events, and not showing the file open, file close, etc. events. Send me a PM with your case number and I will make sure the technician working your case has the information I was looking at.

Thanks!

bhalilov1
2 Iron

Re: Isilon auditing

7.0.1.3 was released yesterday and bug #100899 (SMB file operations were not logged as expected when audit logging was enabled) was supposed to fix this. It is still not working for file delete; it logs OPEN, ACCESS, CLOSE but not DELETE.

2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|OPEN|STATUS_SUCCESS|0x5B46120|0x110080|DIR|FILE_OPEN|test1|/ifs/test1/test3/New folder (3)/New folder (2)

2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|ACCESS|STATUS_SUCCESS|0x5B46120|0x10000

2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: S-1-5-21-1266704185-1068072124-262303683-80728|0x5B0FC00|CLOSE|STATUS_SUCCESS|0x5B4612

0 Kudos
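Added example (not from any post in this thread and not Isilon/EMC code): a Python check that parses records in the smb.log format quoted above and reports which expected event types never appear, which is how the missing DELETE records show up. The field positions and the event name DELETE are assumptions taken from the samples and wording in the posts; the sample records are copied from the posts.

```python
import re
from collections import Counter

# Syslog prefix as shown in the thread: timestamp <fac.sev> node(idN) lwiod[pid]: payload
LINE_RE = re.compile(
    r"^(?P<ts>\S+) <[\d.]+> (?P<node>\S+)\(id\d+\) lwiod\[\d+\]: (?P<payload>.+)$")

def parse_line(line):
    """Return a dict for one audit record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumption from the samples: principal|id|EVENT|STATUS[|event-specific fields]
    parts = m["payload"].split("|", 4)
    if len(parts) < 4:
        return None
    rec = {"ts": m["ts"], "node": m["node"], "principal": parts[0],
           "event": parts[2], "status": parts[3], "path": None}
    if rec["event"] == "OPEN" and len(parts) == 5:
        # Path is the last of six trailing fields in the OPEN sample; maxsplit
        # keeps a '|' inside the path from being split.
        tail = parts[4].split("|", 5)
        if len(tail) == 6:
            rec["path"] = tail[5]
    return rec

def coverage(lines, expected=("OPEN", "ACCESS", "CLOSE", "DELETE")):
    """Count records per event type and list expected types that never appear."""
    seen = Counter(r["event"] for r in map(parse_line, lines) if r)
    return seen, [e for e in expected if seen[e] == 0]

P = "2013-02-22T09:31:33-05:00 <33.6> nyst0087-2(id2) lwiod[8006]: "
SID = "S-1-5-21-1266704185-1068072124-262303683-80728"
# Sample records copied from the posts above.
SAMPLE = [
    "2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: "
    "S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|home",
    "2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: "
    "UNKNOWN|0x5B14400|LOGON|STATUS_LOGON_FAILURE|10.250.16.224|10.246.12.191|UNKNOWN",
    P + SID + "|0x5B0FC00|OPEN|STATUS_SUCCESS|0x5B46120|0x110080|DIR|FILE_OPEN|test1|"
    "/ifs/test1/test3/New folder (3)/New folder (2)",
    P + SID + "|0x5B0FC00|ACCESS|STATUS_SUCCESS|0x5B46120|0x10000",
    P + SID + "|0x5B0FC00|CLOSE|STATUS_SUCCESS|0x5B4612",
]

if __name__ == "__main__":
    seen, missing = coverage(SAMPLE)
    print(dict(seen), "missing:", missing)
```

To check a node's own log after a test delete, pass an open file handle for /var/log/audit/smb.log to coverage().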
bhalilov1
2 Iron

Re: Isilon SMB auditing

There is a bug that affects all SMB if the auditing is enabled as per above on versions up to 7.0 and the cluster is later upgraded to 7.1.

See my post at:

ISILON Users Audit

0 Kudos