nekavs
1 Nickel

SMB File Auditing on Isilon OneFS

How can I audit files and directories on the Isilon cluster?

0 Kudos
1 Reply
nekavs
1 Nickel

Re: SMB File Auditing on Isilon OneFS

Currently auditing in OneFS 6.5.x and 7.0.x is limited to CIFS / SMB file audits per node for user actions such as open, access, close and delete. The audit function leverages SIDs and not usernames, so currently searching through audit trails is challenging. Clients can leverage the isi smb settings global modify --audit-global-sacl-success=std_delete to monitor file delete actions. The log file is stored on each node in the /var/log/audit directory and rotates every 50GBs. The audit log can fill up rapidly on busy clusters, so in order to facilitate auditing, the client may have to dig through multiple audit logs on each individual Isilon node. Some EMC personnel have recommended the use of EMC RSA Envision to scour through the audit logs, while other EMC personnel have suggested waiting until Q4 2013, when file auditing will become a feature available in the OneFS 7.x release. In this new release OneFS will leverage the same API set that EMC leverages, called CEE, better known as the Common Event Enabler. The Common Event Enabler will allow third-party software vendors to create solutions for Isilon customers that enable extensive file auditing capabilities without the hassle of un-intuitive log scouring. The current vendor of choice is an EMC Select partner named VARONIS.

0 Kudos
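The reply above notes two practical obstacles: audit entries are spread across per-node logs, and they identify users by SID rather than username. The following is an added example, not part of the original post and not EMC or Isilon code, showing one way to merge per-node logs into a single timeline and resolve SIDs. The log line layout, node names, SIDs and account names are constructed assumptions; the real OneFS audit log format is not shown on this page.

```python
import re

# String form of a Windows SID, e.g. S-1-5-21-<domain sub-authorities>-<RID>
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")

# Constructed sample data. The layout (ISO timestamp, operation, SID, path)
# is an assumption for illustration, not the real OneFS audit log format.
NODE_LOGS = {
    "node-1": [
        "2013-05-02T10:15:07 open S-1-5-21-1111-2222-3333-1105 /ifs/data/hr/pay.xls",
        "2013-05-02T10:17:42 delete S-1-5-21-1111-2222-3333-1105 /ifs/data/hr/pay.xls",
    ],
    "node-2": [
        "2013-05-02T10:16:30 delete S-1-5-21-1111-2222-3333-1188 /ifs/data/eng/spec.doc",
        "2013-05-02T10:18:01 close S-1-5-21-1111-2222-3333-9999 /ifs/data/eng/notes.txt",
    ],
}

# Constructed SID-to-account table; in practice exported from the directory service.
SID_TO_USER = {
    "S-1-5-21-1111-2222-3333-1105": "CORP\\alice",
    "S-1-5-21-1111-2222-3333-1188": "CORP\\bob",
}

def merge_node_logs(node_logs):
    """Flatten per-node logs into one timeline of (timestamp, node, line)."""
    events = []
    for node, lines in node_logs.items():
        for line in lines:
            line = line.strip()
            if line:  # skip blank lines
                events.append((line.split(None, 1)[0], node, line))
    return sorted(events)  # ISO timestamps sort correctly as plain strings

def resolve_sids(line, sid_map):
    """Rewrite each SID as 'name (SID)'; unknown SIDs are kept and flagged."""
    return SID_RE.sub(
        lambda m: f"{sid_map.get(m.group(0), 'UNRESOLVED')} ({m.group(0)})", line)

def audit_trail(node_logs, sid_map, operation=None):
    """Return merged, SID-resolved lines, optionally filtered by operation."""
    out = []
    for _ts, node, line in merge_node_logs(node_logs):
        fields = line.split()
        if operation and (len(fields) < 2 or fields[1] != operation):
            continue
        out.append(f"[{node}] {resolve_sids(line, sid_map)}")
    return out
```

Calling `audit_trail(NODE_LOGS, SID_TO_USER, operation="delete")` returns the delete events from both nodes in time order; SIDs missing from the table stay visible as `UNRESOLVED` rather than being dropped.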