bhalilov1
2 Iron

Isilon SMB auditing

I'm trying to configure auditing for file deletion. As per emc14002345, I enabled

#isi smb settings global view

...

  Audit Fileshare: success

  Audit Global SACL Failure:

  Audit Global SACL Success: generic_all

  Audit Logon: all

....

it seems to work for logins :

tail -5 /var/log/audit/smb.log

2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|home

2013-02-07T10:23:14-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|FILESHARE|STATUS_SUCCESS|0x0|test1

2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGOFF|STATUS_SUCCESS

2013-02-07T10:23:27-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: UNKNOWN|0x5B14400|LOGON|STATUS_LOGON_FAILURE|10.250.16.224|10.246.12.191|UNKNOWN

2013-02-07T10:23:38-05:00 <33.6> nyst0087-3(id3) lwiod[8242]: S-1-22-1-0|0x5B14C00|LOGOFF|STATUS_SUCCESS

but not for file acces, file delete etc.

I'm running 7.0.1.2

Tags (1)
0 Kudos