Configuring EMC Isilon auditing

This section outlines the steps to configure audit settings in EMC Isilon nodes, and to forward event data to ADAudit Plus. The commands to configure the required settings vary based on the OneFS version, but they all involve three steps:

Step 1: Enable protocol auditing and configure audit settings

These commands enable protocol auditing in the target zones, and also configure the auditing of required access events.

Step 2: Enable syslog forwarding

ADAudit Plus requires syslog data to report on file activities in your EMC Isilon storage environment. These commands enable syslog forwarding from your Isilon nodes.

Step 3: Configure the IP address of the ADAudit Plus server

Add the IP address of the ADAudit Plus server to the list of entities to which syslog data should be forwarded to.

Follow the steps listed under your OneFS version to configure EMC Isilon auditing.

For OneFS Version 7.x:

1. Execute these commands to enable protocol auditing and configure audit settings:
   • isi audit settings modify --protocol-auditing-enabled yes --audited-zones <zone_names>
   • isi zone zones modify <zone_name> --audit-success create,delete,read,rename,set_security,write
   • isi zone zones modify <zone_name> --audit-failure create,delete,read,rename,set_security,write
   • isi zone zones modify <zone_name> --syslog-audit-events create,delete,read,rename,set_security,write
2. To enable syslog forwarding, execute this command:
   • isi zone zones modify <zone_name> --syslog-forwarding-enabled=yes
3. To configure the IP address of the ADAudit Plus server, follow these steps:
   • Connect to any one of your Isilon nodes using an SSH client.
   • Open the syslog.conf file, which can be found at the /etc/mcp/templates directory.
   • Locate the !audit_protocol line and add the below entry, providing the correct value in place of hostname or IP address:
     *.* @<hostname/IP Address of the ADAuditPlus server>
   • Save the syslog.conf file.

For OneFS Versions 8.0 and 8.1:

1. Execute these commands to enable protocol auditing and configure audit settings:
   • isi audit settings global modify --protocol-auditing-enabled yes --audited-zones <zone_names>
   • isi audit settings modify --zone <zone_name> --audit-success create,delete,read,rename,set_security,write
   • isi audit settings modify --zone <zone_name> --audit-failure create,delete,read,rename,set_security,write
   • isi audit settings modify --zone <zone_name> --syslog-audit-events create,delete,read,rename,set_security,write
2. To enable syslog forwarding, execute this command:
   • isi audit settings modify --syslog-forwarding-enabled=yes --zone=<zone_name>
3. To configure the IP address of the ADAudit Plus server, follow these steps:
   • Connect to any one of your Isilon nodes using an SSH client.
   • Open the syslog.conf file, which can be found at the /etc/mcp/templates directory.
   • Locate the !audit_protocol line and add the below entry, providing the correct value in place of hostname or IP address:
     *.* @<hostname/IP Address of the ADAuditPlus server>
   • Save the syslog.conf file.

For OneFS Versions 8.2 and 9.1:

1. To enable protocol auditing, configure audit settings, and configure the IP address of the ADAudit Plus server, execute this command:
   • isi audit settings global modify --protocol-auditing-enabled yes --audited-zones <zone_name> --protocol-syslog-servers <IP_of_ADAuditPlus_server>
   • isi audit settings modify --zone <zone_name> --audit-success create,delete,read,rename,set_security,write
   • isi audit settings modify --zone <zone_name> --audit-failure create,delete,read,rename,set_security,write
   • isi audit settings modify --zone <zone_name> --syslog-audit-events create,delete,read,rename,set_security,write
2. To enable syslog forwarding, execute this command:
   • isi audit settings modify --syslog-forwarding-enabled yes --zone <zone_name>