Isilon SMB Auditing Events Selection

Question

Hello, OneFS: v9.3.0.4CEE: 8.9.8.2Aggregator: Splunk I was able to configure CEE correctly and it's now forwarding Isilon audit logs to Splunk. However, the amount of data is exceedingly large. I would like to limit the log events, either during the capture or when forwarding. For example, we don't need to log file open/close, etc. The Dell whitepaper titled 'File System Auditing With Dell EMC PowerScale and Dell EMC Common Event Enabler' section 2.4.3 shows that it is possible to forward only those events. However, it doesn't explain how to, or where (i.e. OneFS, CEE, or Splunk before it sends to indexers) to make this configuration. I've not been able to locate a document where this is explained. Any help or suggestions greatly appreciated.

jpalmero · Accepted Answer

Hello,

Finally located a document titled "PowerScale OneFS 9.3.0.0 CLI Command Reference", Starting on page 59 it shows the various commands for changing what will be audited.

In my case, for each zone, I selected only:

Audit Failure: delete_directory, delete_file, rename_directory, rename_file
Audit Success: delete_directory, delete_file, rename_directory, rename_file

Hope this helps someone.

Isilon

Was this post helpful?