Issue with audit protocol loggind to syslog

Question

Hi all, I have another issue with my test environment on OneFS 8.1.0.0 ( on virtual machines ). I'm trying to setup auditing for the test zone to a remote syslog. I ( think ) have followed the configuration from almost every EMC doc around, but can't get the protocol audit sent out. My config is, actually: IsilonTest-1# isi audit settings global view               Protocol Auditing Enabled: Yes             Audited Zones: TestAccessZone           CEE Server URIs: -                  Hostname: -   Config Auditing Enabled: Yes     Config Syslog Enabled: Yes IsilonTest-1# isi audit settings view --zone TestAccessZone             Audit Failure: create, delete, rename, set_security, close             Audit Success: create, delete, rename, set_security, close       Syslog Audit Events: create, delete, rename, set_security Syslog Forwarding Enabled: Yes In /etc/mcp/override/syslog.conf I have added: IsilonTest-1# cat /etc/mcp/override/syslog.conf !audit_config *.*                                             @10.100.20.5 !audit_protocol *.*                                             @10.100.20.5 and if I look ( after some seconds ) in /etc/syslog.conf I see: IsilonTest-1# cat /etc/syslog.conf | grep -A2 audit_ !audit_config *.*                                             @10.100.20.5 !audit_protocol *.*                                             @10.100.20.5 -- !audit_config *.*                                             /var/log/audit_config.log !audit_protocol *.*                                             /var/log/audit_protocol.log when looking at files in /var/log I see: IsilonTest-1# isi_for_array -s 'ls -l /var/log/audit_*' IsilonTest-1: -rw-rw-r-- 1 root  wheel  3102 Apr 11 10:21 /var/log/audit_config.log IsilonTest-1: -rw-rw-r-- 1 root  wheel    55 Dec 14 13:31 /var/log/audit_protocol.log IsilonTest-2: -rw-rw-r-- 1 root  wheel  1689 Apr 11 10:21 /var/log/audit_config.log IsilonTest-2: -rw-rw-r-- 1 root  wheel    55 Dec 14 12:46 /var/log/audit_protocol.log IsilonTest-3: -rw-rw-r-- 1 root  wheel  55 Dec 14 12:46 /var/log/audit_config.log IsilonTest-3: -rw-rw-r-- 1 root  wheel  55 Dec 14 12:46 /var/log/audit_protocol.log that shows that audit_protocol is not even logging on files, while audit_config is. The node where actually host the smartconnect IP for the zone is LNN 2 and if I do IsilonTest-1# isi_audit_viewer -t protocol -n 2 | tail -5 [643: Wed Apr 11 11:41:16 2018] {'id':'7b19e800-3d6c-11e8-b4ae-005056a10781','timestamp':1523439676585795,'payloadType':'c411a642-c139-4c7a-be58-93680bc20b41','payload':{'protocol':'SMB2','zoneID':2,'zoneName':'TestAccessZone','eventType':'create','createResult':'OPENED','isDirectory':false,'desiredAccess':128,'clientIPAddr':'10.100.8.120','createDispo':1,'userSID':'S-1-5-21-4173488626-1412151292-1632754385-500','userID':1000001,'fileName':'\ifs\TestAccessZone\AllShares\OkShare1\Shares\sharedup.exe','ntStatus':0,'fsId':1,'partialPath':'OkShare1\Shares\sharedup.exe','rootInode':4296572238,'inode':4298186570}} [644: Wed Apr 11 11:41:16 2018] {'id':'7b1a1205-3d6c-11e8-b4ae-005056a10781','timestamp':1523439676586862,'payloadType':'c411a642-c139-4c7a-be58-93680bc20b41','payload':{'protocol':'SMB2','zoneID':2,'zoneName':'TestAccessZone','eventType':'close','isDirectory':false,'clientIPAddr':'10.100.8.120','fileName':'\ifs\TestAccessZone\AllShares\OkShare1\Shares\sharedup.exe','userSID':'S-1-5-21-4173488626-1412151292-1632754385-500','userID':1000001,'bytesRead':0,'bytesWritten':0,'numberOfReads':0,'numberOfWrites':0,'ntStatus':0,'fsId':1,'partialPath':'OkShare1\Shares\sharedup.exe','rootInode':4296572238,'inode':4298186570}} [645: Wed Apr 11 11:41:16 2018] {'id':'7b1a5472-3d6c-11e8-b4ae-005056a10781','timestamp':1523439676588563,'payloadType':'c411a642-c139-4c7a-be58-93680bc20b41','payload':{'protocol':'SMB2','zoneID':2,'zoneName':'TestAccessZone','eventType':'create','createResult':'OPENED','isDirectory':false,'desiredAccess':1179785,'clientIPAddr':'10.100.8.120','createDispo':1,'userSID':'S-1-5-21-4173488626-1412151292-1632754385-500','userID':1000001,'fileName':'\ifs\TestAccessZone\AllShares\OkShare1\Shares\sharedup.exe','ntStatus':0,'fsId':1,'partialPath':'OkShare1\Shares\sharedup.exe','rootInode':4296572238,'inode':4298186570}} [646: Wed Apr 11 11:41:27 2018] {'id':'8180e212-3d6c-11e8-b4ae-005056a10781','timestamp':1523439687326988,'payloadType':'c411a642-c139-4c7a-be58-93680bc20b41','payload':{'protocol':'SMB2','zoneID':2,'zoneName':'TestAccessZone','eventType':'close','isDirectory':false,'clientIPAddr':'10.100.8.120','fileName':'\ifs\TestAccessZone\AllShares\OkShare1\Shares\sharedup.exe','userSID':'S-1-5-21-4173488626-1412151292-1632754385-500','userID':1000001,'bytesRead':22528,'bytesWritten':0,'numberOfReads':8,'numberOfWrites':0,'ntStatus':0,'fsId':1,'partialPath':'OkShare1\Shares\sharedup.exe','rootInode':4296572238,'inode':4298186570}} done so the audit_protocol is ( at least ) loggin to the internal viewer. When looking at the syslog server ( 10.100.20.5 ) I can see messages from the cluster reguarding the audit_config but not the audit_protocol, so at least a minial part of my configuration seems to be fine. What I'm doing wrong ? Thanks in advance Pierluigi

Vieira1 · Answer

Hi!            Try to restart the syslogd!            isi_for_array 'pkill -SIGUSR1 syslogd' Regards,

Vieira1 · Answer

Or you can use 'isi_for_array -s 'killall -HUP syslogd' Regards,

P_frullani · Answer

I have already tried, but nothing changed. No one had this behavior ? Pierluigi

akashS1 · Answer

The /var/log/audit_protocol.log file should be getting updated once you enable syslog forwarding.

Syslog forwarding should be enabled per access zone also. Hope you did that. If not, command to do that is,

isi audit settings modify --syslog-forwarding-enabled=yes --syslog-audit-events=close,create,delete --zone=zone3

Once enabled, protocol syslog will start getting written to /var/log/audit_protocol.log

Also, you can check for audit logs using

isi_for_array -s 'isi_audit_viewer -t protocol'

The syslog forwarding settings look fine. Hope it works after this.

P_frullani · Answer

Thanks akashS for your answer.

I think there should be something strange in 8.1.0.0 as my settings seems to be fine:

IsilonTest-1# isi audit settings view

Audit Failure: create, delete, rename, set_security, close

Audit Success: create, delete, rename, set_security, close

Syslog Audit Events: create, delete, rename, set_security

Syslog Forwarding Enabled: Yes

IsilonTest-1# isi audit settings view --zone TestAccessZone

Audit Failure: create, delete, rename, set_security, close

Audit Success: create, delete, rename, set_security, close

Syslog Audit Events: create, delete, rename, set_security

Syslog Forwarding Enabled: Yes

and the isi_audit_viewer reports everything I do on my shares but either the /var/log/audit_protocol.log than the syslog don't get any lines.

I will try to get an 8.0.0.x virtual machine to see if is some sort of regression or similar.

Thanks.

Pierluigi

dkeith55 · Answer

We thought that we had the same issue and what we determined was that the audit_protocol.log on the auditing node (node 1 in our case) was the only place that the audit_protocol.log(s) were updated. The Master node did have them in there as long as we had an entry in the //etc/mcp/override/syslog.conf file for logging to the file (we had two entries one for a logging host and one for the file locally). We then got rid of the local files as we didn't need them on the box and they turned over pretty quickly.

The other command I issued was :

isi audit settings modify --syslog-forwarding-enabled=yes --syslog-audit-events=close,create,delete,rename,set_security --zone={zone name] and this "kicked off" the logging.

Isilon

Was this post helpful?