About this task
Because each audited event consumes system resources, we recommend that you configure zones only for events that are needed by your auditing application. In addition, we recommend that you install and configure third-party auditing applications before you enable the OneFS auditing feature. Otherwise, the large backlog of events that this feature accumulates may prevent results from being updated for a considerable amount of time.
Procedure
- Click .
- In the Settings area, select the Enable Protocol Access Auditing check box.
- In the Audited Zones area, click Add Zones.
- In the Select Access Zones dialog box, select the check box for one or more access zones, and then click Add Zones.
- Optional: In the Event Forwarding area, specify one or more CEE servers to forward logged events to.
  - In the CEE Server URIs field, type the URI of each CEE server in the CEE server pool.
    The OneFS CEE export service uses round-robin load balancing when exporting events to multiple CEE servers. Valid URIs start with http:// and include the port number and path to the CEE server if necessary; for example, http://example.com:12228/cee.
  - In the Storage Cluster Name field, specify the name of the storage cluster to use when forwarding protocol events.
    This name value is typically the SmartConnect zone name, but in cases where SmartConnect is not implemented, the value must match the hostname of the cluster as the third-party application recognizes it. If the field is left blank, events from each node are filled with the node name (clustername + lnn). This setting is required only if needed by your third-party audit application.
  Although this step is optional, be aware that a backlog of events will accumulate regardless of whether CEE servers have been configured. When configured, CEE forwarding begins with the oldest events in the backlog and moves toward newest events in a first-in-first-out sequence.
- Click Save Changes.
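A pre-flight check for the CEE Server URIs field, added here as an example and not part of the OneFS documentation: it applies the URI rule stated in the procedure (the URI must start with http://, with port and path where needed) to a server list before it is entered. The function name check_cee_uris, the sample host names, and the warnings for a missing port or a duplicate entry are assumptions made for this example.

```python
from urllib.parse import urlsplit


def check_cee_uris(uris):
    """Return (errors, warnings) for a list of CEE server URI strings."""
    errors, warnings, seen = [], [], set()
    for raw in uris:
        uri = raw.strip()
        # Rule from the procedure: valid URIs start with http://
        if not uri.lower().startswith("http://"):
            errors.append(f"{uri!r}: must start with http://")
            continue
        try:
            parts = urlsplit(uri)
            port = parts.port  # ValueError if non-numeric or out of range
        except ValueError as exc:
            errors.append(f"{uri!r}: {exc}")
            continue
        if not parts.hostname:
            errors.append(f"{uri!r}: no host name")
            continue
        # Assumption of this example: a missing port is worth a second look.
        if port is None:
            warnings.append(f"{uri!r}: no explicit port, confirm that is intended")
        # Assumption of this example: the same server listed twice is a typo.
        key = (parts.hostname, port, parts.path.rstrip("/"))
        if key in seen:
            warnings.append(f"{uri!r}: duplicate entry in the pool")
        seen.add(key)
    return errors, warnings


# Constructed sample pool; the host names are placeholders, not real servers.
SAMPLE_POOL = [
    "http://cee1.example.com:12228/cee",
    "https://cee2.example.com:12228/cee",  # wrong scheme
    "http://cee3.example.com/cee",         # no port
    "http://cee4.example.com:1222x/cee",   # malformed port
    "http://CEE1.example.com:12228/cee",   # same server as the first entry
]

if __name__ == "__main__":
    errs, warns = check_cee_uris(SAMPLE_POOL)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```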
Results
The following protocol events are collected for audited access zones by default: create, close, delete, rename, and set_security. You can modify the set of events that are audited in an access zone by running the isi audit settings modify command in the command-line interface. Because each audited event consumes system resources, it is recommended that you only configure zones for events that are needed by your auditing application.
What to do next
You can modify the types of protocol access events to be audited by running the isi audit settings modify command. You can also enable forwarding of protocol access events to syslog by running the isi audit settings modify command with the --syslog-forwarding-enabled option. These procedures are available only through the command-line interface.