Protocol Auditing was  revamped in OneFS 7.1. With the release of 7.1.0, protocol auditing can be enabled cluster wide and it is access zone aware.  In 7.1.0,  SMB protocol audit logs can be forwarded using the Common Event Enabler Framework. NFS Protocol support is added with OneFS 7.2.

 

The CEE Framework provides third-party audit software solutions a way to consume the Isilon Auditing Events.

 

The up-to-date list of compatibile Auditing Software solutions is maintained in the

Isilon Third-Party Software and HardwareCompatibility Guide
https://support.emc.com/docu45932_Isilon-Third-Party-Software-and-Hardware-Compatibility-Guide.pdf

 

At this time, Isilon works with the following Audit Software

Dell Change Auditor for EMC
STEALTHbits StealthAUDIT
Symantec Data Insight
Varonis DatAdvantage

 

 

Since OneFS 7.1, Auditing Feature has been enhanced

 

OneFS 7.1.1

  • Support added to forward audit events to a syslog server

                    The functionality is enabled on a per access zone basis.

                    Example: Enable Protocol Audit to Syslog

                   'isi zone zones modify <zonename> --syslog-audit-events <action>

                    Valid Actions
                    {close | create | delete | get_security | logoff | logon | read | rename | set_security | tree_connect | write | all}]

 

                    'isi zone zones modify <zonename> --syslog-forwarding-enabled  yes

 

 

               Afterward, the audit events will be visible in plaintext in the /var/log/audit_protocol.log

  • Audit logs are automatically compressed
    Audit logs are compressed on file roll over. The active audit log file rolls over when it reaches
    1GB in size. As part of the audit log roll over, a new audit log file is actively written to, while the previous
    log file is compressed. The estimated space savings for the audit logs is 90%

 

OneFS 7.2.0

  • NFS Audit Support
    The transition of NFS to User Space in OneFS 7.2 allows for protocol auditing of NFS

 

  • New Audit Configurable Items
    --cee-log-time
    --syslog-log-time

                         The above options allow for manual setting to time to begin forwarding log events. The options
                          are useful for the scenario where auditing was configured on the cluster prior to a third-party
                          auditing solution. By setting the --cee-log-time or --syslog-log-time, you can advance the
                          point of time from where to start to forward events.

 

           Example: The following will update the pointer to forward events newer than Nov 19, 2014 at 2pm

         isi audit settings modify --cee-log-time "Protocol@2014-11-19 14:00:00"

          isi audit settings modify --syslog-log-time "Protocol@2014-11-19 14:00:00"

 

OneFS 7.2.0.1

  • Support HTTP 1.1 Persistent Connections
    • Use a persistent TCP connection to CEE instead of a new connection per event

 

OneFS 8.0.0.0

  • Supported Protocols
    • SMB
    • NFS
    • HDFS
      • Events logged locally. Will be sent to CEE in future.
  • CLI
    • All configuration moved from "isi zone" to "isi audit"
  • Event Protocol
    • NFS event stream now sends inodes.
  • Syslog Protocol
    • Send inodes and partial file paths.

 

OneFS 8.0.0.0

  • Support concurrent delivery to multiple CEE servers.

 

How to Enable Audit:

 

OneFS Webui:

audit_enable.png

 

To enable protocol auditing in the OneFS WebUI

1. Select “Cluster Management”

2. Select “Auditing”

3. Click “Enable Protocol Access Auditing”

4. Add Access Zone(s) that need to be audited

5. In the Event Forwarding Section, enter the uniform resource identifier for the server where the Common Event Enabler is installed.

               The format for the entry will be:

                http://fullyqualifieddomain:port/cee

                For example: http://cee.example.com:12228/chttp://cee.example.com:12228/cee

                Port 12228 is the default CEE HTTP listen port.

 

 

OneFS CLI


Enable Protocol Auditing

isi audit settings modify --protocol-auditing-enabled on

 

Add CEE URI

isi audit settings modify --cee-server-uris http://cee.example.com:12228/cee

 

Add a Zone for Auditing

isi audit settings global modify --add-audited-zones System 

Configuring a Zone for All Audit Events

isi audit settings modify --audit-success all --audit-failure all --zone System 

Configuring a Zone for Specific Audit Events (successful: rename, delete) (failed: delete)

isi audit settings modify --audit-success rename,delete --audit-failure delete --zone System