Unsolved
Issue with audit protocol logging to syslog
Hi all,
I have another issue with my test environment on OneFS 8.1.0.0 (on virtual machines).
I'm trying to set up auditing for the test zone to a remote syslog.
I have (I think) followed the configuration from almost every EMC doc around, but can't get the protocol audit sent out.
My config is currently:
IsilonTest-1# isi audit settings global view
Protocol Auditing Enabled: Yes
Audited Zones: TestAccessZone
CEE Server URIs: -
Hostname: -
Config Auditing Enabled: Yes
Config Syslog Enabled: Yes
IsilonTest-1# isi audit settings view --zone TestAccessZone
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security, close
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: Yes
In /etc/mcp/override/syslog.conf I have added:
IsilonTest-1# cat /etc/mcp/override/syslog.conf
!audit_config
*.* @10.100.20.5
!audit_protocol
*.* @10.100.20.5
and if I look (after some seconds) in /etc/syslog.conf I see:
IsilonTest-1# cat /etc/syslog.conf | grep -A2 audit_
!audit_config
*.* @10.100.20.5
!audit_protocol
*.* @10.100.20.5
--
!audit_config
*.* /var/log/audit_config.log
!audit_protocol
*.* /var/log/audit_protocol.log
when looking at files in /var/log I see:
IsilonTest-1# isi_for_array -s "ls -l /var/log/audit_*"
IsilonTest-1: -rw-rw-r-- 1 root wheel 3102 Apr 11 10:21 /var/log/audit_config.log
IsilonTest-1: -rw-rw-r-- 1 root wheel 55 Dec 14 13:31 /var/log/audit_protocol.log
IsilonTest-2: -rw-rw-r-- 1 root wheel 1689 Apr 11 10:21 /var/log/audit_config.log
IsilonTest-2: -rw-rw-r-- 1 root wheel 55 Dec 14 12:46 /var/log/audit_protocol.log
IsilonTest-3: -rw-rw-r-- 1 root wheel 55 Dec 14 12:46 /var/log/audit_config.log
IsilonTest-3: -rw-rw-r-- 1 root wheel 55 Dec 14 12:46 /var/log/audit_protocol.log
That shows that audit_protocol is not even logging to files, while audit_config is.
The node that actually hosts the SmartConnect IP for the zone is LNN 2, and if I do
IsilonTest-1# isi_audit_viewer -t protocol -n 2 | tail -5
[643: Wed Apr 11 11:41:16 2018] {"id":"7b19e800-3d6c-11e8-b4ae-005056a10781","timestamp":1523439676585795,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":2,"zoneName":"TestAccessZone","eventType":"create","createResult":"OPENED","isDirectory":false,"desiredAccess":128,"clientIPAddr":"10.100.8.120","createDispo":1,"userSID":"S-1-5-21-4173488626-1412151292-1632754385-500","userID":1000001,"fileName":"\\ifs\\TestAccessZone\\AllShares\\OkShare1\\Shares\\sharedup.exe","ntStatus":0,"fsId":1,"partialPath":"OkShare1\\Shares\\sharedup.exe","rootInode":4296572238,"inode":4298186570}}
[644: Wed Apr 11 11:41:16 2018] {"id":"7b1a1205-3d6c-11e8-b4ae-005056a10781","timestamp":1523439676586862,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":2,"zoneName":"TestAccessZone","eventType":"close","isDirectory":false,"clientIPAddr":"10.100.8.120","fileName":"\\ifs\\TestAccessZone\\AllShares\\OkShare1\\Shares\\sharedup.exe","userSID":"S-1-5-21-4173488626-1412151292-1632754385-500","userID":1000001,"bytesRead":0,"bytesWritten":0,"numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"fsId":1,"partialPath":"OkShare1\\Shares\\sharedup.exe","rootInode":4296572238,"inode":4298186570}}
[645: Wed Apr 11 11:41:16 2018] {"id":"7b1a5472-3d6c-11e8-b4ae-005056a10781","timestamp":1523439676588563,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":2,"zoneName":"TestAccessZone","eventType":"create","createResult":"OPENED","isDirectory":false,"desiredAccess":1179785,"clientIPAddr":"10.100.8.120","createDispo":1,"userSID":"S-1-5-21-4173488626-1412151292-1632754385-500","userID":1000001,"fileName":"\\ifs\\TestAccessZone\\AllShares\\OkShare1\\Shares\\sharedup.exe","ntStatus":0,"fsId":1,"partialPath":"OkShare1\\Shares\\sharedup.exe","rootInode":4296572238,"inode":4298186570}}
[646: Wed Apr 11 11:41:27 2018] {"id":"8180e212-3d6c-11e8-b4ae-005056a10781","timestamp":1523439687326988,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":2,"zoneName":"TestAccessZone","eventType":"close","isDirectory":false,"clientIPAddr":"10.100.8.120","fileName":"\\ifs\\TestAccessZone\\AllShares\\OkShare1\\Shares\\sharedup.exe","userSID":"S-1-5-21-4173488626-1412151292-1632754385-500","userID":1000001,"bytesRead":22528,"bytesWritten":0,"numberOfReads":8,"numberOfWrites":0,"ntStatus":0,"fsId":1,"partialPath":"OkShare1\\Shares\\sharedup.exe","rootInode":4296572238,"inode":4298186570}}
done
so audit_protocol is (at least) logging to the internal viewer.
When looking at the syslog server (10.100.20.5) I can see messages from the cluster regarding audit_config but not audit_protocol, so at least a minimal part of my configuration seems to be fine.
What am I doing wrong?
Thanks in advance
Pierluigi
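Added example, not from the thread or from OneFS itself: a small Python parser for the isi_audit_viewer -t protocol lines quoted above, run over constructed sample lines modelled on that output (including the trailing "done"), so the events the viewer shows can be tallied per access zone and compared against what reaches /var/log/audit_protocol.log or the remote syslog server. Function names are the example's own.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Viewer line shape: "[<seq>: <local display time>] {<json record>}"; the final "done" line has no JSON.
LINE_RE = re.compile(r"^\[(\d+): [^\]]+\] (\{.*\})$")

# Constructed sample modelled on the isi_audit_viewer -t protocol output quoted in the post.
SAMPLE_LINES = [
    '[643: Wed Apr 11 11:41:16 2018] {"id":"7b19e800-3d6c-11e8-b4ae-005056a10781","timestamp":1523439676585795,'
    '"payload":{"protocol":"SMB2","zoneID":2,"zoneName":"TestAccessZone","eventType":"create","createResult":"OPENED",'
    '"clientIPAddr":"10.100.8.120","userSID":"S-1-5-21-4173488626-1412151292-1632754385-500",'
    '"fileName":"\\\\ifs\\\\TestAccessZone\\\\AllShares\\\\OkShare1\\\\Shares\\\\sharedup.exe","ntStatus":0}}',
    '[644: Wed Apr 11 11:41:16 2018] {"id":"7b1a1205-3d6c-11e8-b4ae-005056a10781","timestamp":1523439676586862,'
    '"payload":{"protocol":"SMB2","zoneID":2,"zoneName":"TestAccessZone","eventType":"close",'
    '"clientIPAddr":"10.100.8.120","userSID":"S-1-5-21-4173488626-1412151292-1632754385-500","bytesRead":0,'
    '"fileName":"\\\\ifs\\\\TestAccessZone\\\\AllShares\\\\OkShare1\\\\Shares\\\\sharedup.exe","ntStatus":0}}',
    '[646: Wed Apr 11 11:41:27 2018] {"id":"8180e212-3d6c-11e8-b4ae-005056a10781","timestamp":1523439687326988,'
    '"payload":{"protocol":"SMB2","zoneID":2,"zoneName":"TestAccessZone","eventType":"close",'
    '"clientIPAddr":"10.100.8.120","userSID":"S-1-5-21-4173488626-1412151292-1632754385-500","bytesRead":22528,'
    '"fileName":"\\\\ifs\\\\TestAccessZone\\\\AllShares\\\\OkShare1\\\\Shares\\\\sharedup.exe","ntStatus":0}}',
    "done",
]

def parse_audit_line(line):
    """Flatten one viewer line into a record, or return None for non-event lines such as 'done'.
    The payload 'timestamp' is microseconds since the Unix epoch (UTC); the bracketed time is local."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq, body = m.groups()
    rec = json.loads(body)
    p = rec["payload"]
    return {"seq": int(seq), "zone": p.get("zoneName"), "event": p.get("eventType"),
            "utc": datetime.fromtimestamp(rec["timestamp"] / 1e6, tz=timezone.utc),
            "client": p.get("clientIPAddr"), "sid": p.get("userSID"), "path": p.get("fileName"),
            "status": p.get("ntStatus"), "bytes_read": p.get("bytesRead", 0)}

def summarize(lines, zone):
    """Tally events for one access zone so the viewer's view can be compared with the syslog side."""
    events = [e for e in map(parse_audit_line, lines) if e and e["zone"] == zone]
    return {"count": len(events), "by_type": dict(Counter(e["event"] for e in events)),
            "clients": sorted({e["client"] for e in events}),
            "bytes_read": sum(e["bytes_read"] for e in events)}
```

On a cluster, the same functions can be fed the output of isi_for_array -s 'isi_audit_viewer -t protocol' to see per node which zones and clients actually produced events.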
Vieira1
April 12th, 2018 17:00
Hi!
Try to restart the syslogd!
isi_for_array 'pkill -SIGUSR1 syslogd'
Regards,
Vieira1
April 12th, 2018 17:00
Or you can use isi_for_array -s "killall -HUP syslogd"
Regards,
P_frullani
April 13th, 2018 08:00
I have already tried, but nothing changed.
Has no one else had this behavior?
Pierluigi
akashS1
April 16th, 2018 02:00
The /var/log/audit_protocol.log file should be getting updated once you enable syslog forwarding.
Syslog forwarding should also be enabled per access zone. Hope you did that. If not, the command to do that is:
isi audit settings modify --syslog-forwarding-enabled=yes --syslog-audit-events=close,create,delete --zone=zone3
Once enabled, protocol syslog will start getting written to /var/log/audit_protocol.log
Also, you can check for audit logs using
isi_for_array -s 'isi_audit_viewer -t protocol'
The syslog forwarding settings look fine. Hope it works after this.
P_frullani
April 16th, 2018 05:00
Thanks akashS for your answer.
I think there must be something strange in 8.1.0.0, as my settings seem to be fine:
IsilonTest-1# isi audit settings view
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security, close
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: Yes
IsilonTest-1# isi audit settings view --zone TestAccessZone
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security, close
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: Yes
and the isi_audit_viewer reports everything I do on my shares, but neither /var/log/audit_protocol.log nor the syslog gets any lines.
I will try to get an 8.0.0.x virtual machine to see if it is some sort of regression or similar.
Thanks.
Pierluigi
dkeith55
September 26th, 2018 11:00
We thought that we had the same issue, and what we determined was that the audit_protocol.log on the auditing node (node 1 in our case) was the only place that the audit_protocol.log(s) were updated. The master node did have them in there as long as we had an entry in the /etc/mcp/override/syslog.conf file for logging to the file (we had two entries, one for a logging host and one for the file locally). We then got rid of the local files, as we didn't need them on the box and they turned over pretty quickly.
The other command I issued was:
isi audit settings modify --syslog-forwarding-enabled=yes --syslog-audit-events=close,create,delete,rename,set_security --zone={zone name}
and this "kicked off" the logging.