Eyeglass Easy Auditor Admin Guide



Administration Guide



Abstract:

This guide covers configuration, setup and monitoring of Easy Auditor.

Release: 2.5.1

December, 2017



Contents

  1. 1 Administration Guide
    1. 1.1 Abstract:
  2. 2 What's New
  3. 3 Chapter 1 - Introduction to this Guide
    1. 3.1 Overview
  4. 4 Key Features
    1. 4.1 Active Auditing - Real time audit features
    2. 4.2 Report Query Builder
    3. 4.3 Report
    4. 4.4 Role based Login
    5. 4.5 Scalability
    6. 4.6 Availability
    7. 4.7 Where to go for Support
    8. 4.8 Where to get Professional Services
  5. 5 Abbreviations
  6. 6 Installation Guide
  7. 7 Feature Limits
  8. 8 How to get started with Auditing
  9. 9 Who Audits the Auditor?
  10. 10 Planning and Design
    1. 10.1 Overview
    2. 10.2 Planning
      1. 10.2.1 Deployment Topology Recommendation:
      2. 10.2.2 Query Performance Configuration
    3. 10.3 Expanding ECA cluster Size for performance
      1. 10.3.1 Audit Use cases
    4. 10.4 How to Configure and Operate Easy Auditor
      1. 10.4.1 Report Query  Builder
        1. 10.4.1.1 How Queries are Executed
        2. 10.4.1.2 How to search
        3. 10.4.1.3 Analysis of File Access by Active Directory User - Built In Reports
          1. 10.4.1.3.1 Data Access Report
          2. 10.4.1.3.2 Top User Create files Report
          3. 10.4.1.3.3 Top User Deleted files Report
          4. 10.4.1.3.4 Stale User Access Report
          5. 10.4.1.3.5 Access User Report
          6. 10.4.1.3.6 Count
        4. 10.4.1.4 How to load a saved search
        5. 10.4.1.5 How to delete a saved search
      2. 10.4.2 Saved Queries Tab
        1. 10.4.2.1 How to Load a Query and Search
        2. 10.4.2.2 How to Load and Schedule  a Query
        3. 10.4.2.3 How to delete a saved Query
        4. 10.4.2.4 How to run a Query as a report
      3. 10.4.3 Running Reports Tab
        1. 10.4.3.1 Operations   
      4. 10.4.4 Finished Reports
        1. 10.4.4.1 Filter Reports tab
      5. 10.4.5 Report Schedule Tab
        1. 10.4.5.1 How to delete a saved Scheduled Query
        2. 10.4.5.2 How to load  a Query and set a  Schedule
        3. 10.4.5.3 How to edit a saved Scheduled Query
      6. 10.4.6 Active Auditor Tab
        1. 10.4.6.1 Active Auditing Tab Overview
        2. 10.4.6.2 How to configure Mass Delete protection
        3. 10.4.6.3 How to configure Data Loss Prevention
      7. 10.4.7 WireTap
        1. 10.4.7.1 How to configure Wiretaps for users or paths
        2. 10.4.7.2 How to delete a saved Wiretap
        3. 10.4.7.3 How to Monitor a saved Wiretap
        4. 10.4.7.4 How to run  a Wiretap Report
      8. 10.4.8 Where Did My Folder go? Tab
        1. 10.4.8.1 How to Use Where did my folder go Search
      9. 10.4.9 Auditor Role Based Access
  11. 11 How to Use Excel for advanced filtering of CSV Reports
  12. 12 How to Coexist with another CEE application
  13. 13 How to Backup and Restore an Audit Database
    1. 13.1 Backup the Audit Database with SnapshotIQ
    2. 13.2 Restore the Audit Database with SnapshotIQ
  14. 14 Backup and DR for  Audit Database with SyncIQ to a Remote Cluster
    1. 14.1 SyncIQ to replicate Audit Database to a remote Isilon Cluster
    2. 14.2 Restore the Audit Database with SyncIQ  to a remote Data Center
  15. 15 How to check Analytics  database size
  16. 16 How to Implement Typical Audit Use Cases
    1. 16.1 User Reports of missing files in a share path
    2. 16.2 Application Performance Issue for NAS share or export
    3. 16.3 Excessive Permissions Analysis
    4. 16.4 User Behavior Audit  
  17. 17 Audit Message Workflows
    1. 17.1 Audit Message Workflows - SMB
    2. 17.2 Create a File
    3. 17.3 Open a File (Command Line)
    4. 17.4 Open a File (Windows Explorer)
    5. 17.5 Close a File
    6. 17.6 Rename a File (Command Line)
    7. 17.7 Rename a File (Windows Explorer)
    8. 17.8 Write to a File
    9. 17.9 Save a File (After modified)
    10. 17.10 Delete a File (Command Line)
    11. 17.11 Delete a File (Windows Explorer)
    12. 17.12 Create a Directory (Command Line)
    13. 17.13 Create a Directory (Windows Explorer)
    14. 17.14 Rename a Directory
    15. 17.15 Rename a Directory (Windows Explorer)
    16. 17.16 Delete a Directory (Command Line)
    17. 17.17 Delete a Directory (Windows Explorer)
    18. 17.18 Delete a non-empty Directory
    19. 17.19 Drag and Drop a non-empty folder  to other folder
    20. 17.20 Copy a group of files into a new folder same share
    21. 17.21 Move  a group of files into a new folder same share
    22. 17.22 Copy a group of files into a new folder different  share
    23. 17.23 Move  a group of files into a new folder different  share
    24. 17.24 Set ACL of a file
    25. 17.25 Set ACL of a Directory
    26. 17.26 Set ACL of a Directory and its files
    27. 17.27 Remove Inherited ACL from a File
    28. 17.28 Modify ACL setting of a Directory to not propagate the ACL to files / subfolders
    29. 17.29 Open a lock file (already open by another client)  (in read-only mode)
    30. 17.30 Audit Message Workflows with Turbo Audit - SMB
    31. 17.31 SMB (Turbo Audit): Create a File
    32. 17.32 SMB (Turbo Audit): Rename a File
    33. 17.33 SMB (Turbo Audit): Write to  a File
    34. 17.34 SMB (Turbo Audit): Delete a File
    35. 17.35 SMB (Turbo Audit): Create a Folder
    36. 17.36 SMB (Turbo Audit): Delete a Folder
    37. 17.37 SMB (Turbo Audit): Rename a Folder
    38. 17.38 SMB (Turbo Audit): Set ACL of a file
    39. 17.39 SMB (Turbo Audit): Set ACL of a Directory
    40. 17.40 Audit Message Workflows - NFS
    41. 17.41 NFS: Create a File
    42. 17.42 NFS: Open a File (with editor and swp temp file is created)
    43. 17.43 NFS: Close a File
    44. 17.44 NFS: Rename a File
    45. 17.45 NFS: Write to  a File
    46. 17.46 NFS: Save a File after modified
    47. 17.47 NFS: Delete a File
    48. 17.48 NFS: Create a Directory
    49. 17.49 NFS: Rename a Directory
    50. 17.50 NFS: Delete  a Directory
    51. 17.51 NFS: Delete  a non-empty  Directory
    52. 17.52 NFS: Copy a group of files into a new directory same export
    53. 17.53 NFS: Move a group of files into a new directory same export
    54. 17.54 NFS: Copy a group of files into a new directory different export
    55. 17.55 NFS: Move a group of files into a new directory different export
    56. 17.56 NFS: Change Ownership of a file
    57. 17.57 NFS: Change Ownership of a Directory
    58. 17.58 Audit Message Workflows with Turbo Audit - NFS
    59. 17.59 NFS (Turbo Audit): Create a File
    60. 17.60 NFS (Turbo Audit): Rename a File
    61. 17.61 NFS (Turbo Audit): Write to  a File
    62. 17.62 NFS (Turbo Audit): Delete a File
    63. 17.63 NFS (Turbo Audit): Create a Folder
    64. 17.64 NFS (Turbo Audit): Delete a Folder
    65. 17.65 NFS (Turbo Audit): Rename a Folder
    66. 17.66 NFS (Turbo Audit): Change Ownership of a file
    67. 17.67 NFS (Turbo Audit): Change Ownership of a Directory
  18. 18 Advanced Configuration
    1. 18.1 Filter-Out Event Messages - Turbo Audit



What's New


  1. Quick searching for audit events with filtering and date range

  2. Running reports with csv and summary html reporting with download and email

  3. Scheduled reporting of searches to find specific audit events

  4. Wiretap real-time event monitoring by user or path

  5. Where did my folder go search interface for directory renames

  6. Scalable storage with HDFS and HBase: billions of audit records stored in a compressed, searchable format

  7. Native Isilon storage for the Analytics database, protected by SnapshotIQ and SyncIQ, lowers the cost of storing and protecting audit data

  8. Real-time event processing with automatic triggered responses

  9. Integrated with Eyeglass DR and Ransomware Defender into unified single pane of glass

  10. Role based management and login with centralized AD or Isilon user account database

Chapter 1 - Introduction to this Guide

Overview


This guide covers configuration, setup and monitoring of an Easy Auditor install.  The solution is deployed as a three-VM cluster that processes Isilon CEE audit files with an active-active design for maximum availability, so that it survives hardware or software failures.  The primary storage of audit data is on Isilon, leveraging HDFS and inline compression to reduce storage costs.  Embedded, load-balanced CEE servers with HA simplify deployment and provide highly available monitoring rather than a single point of failure.


The active solution monitors user behaviour with both real-time and report-based auditing.  The product assists with securing data, identifying performance issues, preventing data loss, auditing data for compliance and identifying excessive permissions.

Key Features

Active Auditing - Real time audit features

  1. Mass delete - many files deleted by a user within a timed period

  2. Data loss prevention - detect a user reading data from a path, as a percent of the data on the path.

  3. Configurable actions:

    1. Alerts (email, syslog, SNMP)

    2. Filesystem snapshot of affected path

    3. User SMB share lockout

  4. WireTap - real time file system audit data decoded

    1. Wiretap a path or a user

    2. Raw audit events decoded into file opens and file actions by user.

    3. Use cases:

      1. Performance of file activity by user or application

      2. Application IO profiling

      3. File locking

      4. Group share activity monitoring

    4. Real time or historical playback of audit data

  5. Where did my folder go? - quickly find renamed folders by users in group shares

    1. Search by user, path and date range

    2. Identify directory renames by user with old path and new path shown to make reverting data a simple process

Report Query Builder

  1. GUI search of audit data by cluster, user, path, date range, file action and file type

  2. Save queries for later use or scheduling to run on an interval

  3. Schedule queries to run on an interval and email when the query is satisfied.

Report

  1. Pre-built reports for stale user access and excessive permissions

  2. Top users (create and delete file actions) by file count

  3. Top users by quantity of data written  

  4. Scheduled or on demand reports and queries

Role based Login

  1. Use the built in Auditor role

  2. User is auditor

  3. Default password is 3y3gl4ss

  4. Or create a new role to separate security, auditing and DR roles with AD group based roles customized to your needs with the user roles icon.  See RBAC guide for details.

Scalability

  1. Stores audit data on Isilon

    1. Leverage SnapshotIQ and SyncIQ to protect audit data

    2. Tier audit data with pools

  2. Compresses Audit data approximately 10:1

  3. Leverage scale-out NAS with HDFS on Isilon and IP pools to expand disk IO performance

  4. Leverage Eyeglass architecture to scale out compute with 3, 6 and 9 node query clusters for scaling to the largest customer sites.


Availability

  1. Embedded CEE servers load balance and provide clustered availability of audit data processing.  This reduces audit infrastructure costs because no extra CEE servers (OS, patching, maintenance) are required.

  2. HDFS + Isilon and Easy Auditor allows billions of rows of audit data to be stored.  No aging, pruning is necessary to reduce size of the audit database, providing lossless audit data storage.

Where to go for Support

https://support.superna.net

Where to get Professional Services

  1. To get assistance with auditing configuration and design, professional services can be quoted by emailing sales@superna.net

  2. Review Audit Service description

Abbreviations

  • CEE: Common Event Enabler - EMC-specific event protocol (XML based)

  • ECA: Eyeglass Clustered Agent



Installation Guide

The install guide covers ECA cluster installation and requirements.   See the guide here.

Feature Limits


Function                                       Tested Limit   Comments
Concurrent quick searches                      10
Concurrent reports                             1              Any other report jobs are queued until a report slot is available on the ECA cluster
Concurrent active wiretap monitoring sessions  2              Rate limits are applied to the event rate displayed in the UI
Defined Wiretap configurations (user or path)  2              Rate limits are applied to the event rate displayed in the UI



How to get started with Auditing

Users with auditing permissions are described below.  It should be determined who should have access to the Easy Auditor icon.  Best practice is separation of duties with a dedicated auditor administrator.

  1. Admin user does not have audit permissions by default but the administrator role in Users Roles icon can be used to add the auditor permissions to the admin user.


  2. Auditor user is a new user id that allows separation of duties from DR and non-security audit functions in Eyeglass.

    1. Separation of duties is required for compliance with most industry regulations, for example HIPAA and PCI

    2. Login as the auditor user with default password 3y3gl4ss

    3. Change the auditor password (steps to change the password)


  3. Configure email reporting for Audit administrators

    1. Login to Eyeglass as admin user

    2. Open notification center

    3. Select recipients tab

    4. Add a new email recipient and select auditor-only reports from the list.



Who Audits the Auditor?

(Note: 2.5.1 release) Eyeglass will log all login activity and major actions taken within the Easy Auditor UI.  The Eyeglass audit log is stored in the file system and is included in eyeglass appliance backup zip files.

  1. To maintain a copy of the audit data off the appliance

    1. Use the Warm Standby configuration to mount an external export on the Eyeglass VM and place a daily copy of the audit log outside Eyeglass in a secure location

    2. Configure the syslog forwarding feature; the audit log is written to syslog and can be forwarded to an external syslog server.

    3. The advanced filtering feature allows a separate syslog server to receive the audit log, apart from DR or Isilon audit data.  Simply include “Audit” in the filter criteria to select only audit data to forward.

      1. See examples of the filter configuration here.

Planning and Design

Overview

The Easy Auditor solution for Isilon requires existing Eyeglass DR cluster licenses for each Isilon cluster plus an Eyeglass clustered agent license.

The Eyeglass Easy Auditor solution allows customers to set policies for both real-time policies and scheduled searches to alert on file actions.  Static reports can also be scheduled for more complex longer running analytics.






Planning


Several decisions are required to configure auditing for one or more clusters:


  1. Number of clusters to assign to a single ECA cluster

  2. Number of audit events per second (the number of active SMB or NFS connections is used to size the event rate)

  3. WAN link speed to send CEE audit events over the wan to a centralized ECA cluster

  4. Query performance


Deployment Topology Recommendation:

  1. Centralize the ECA cluster when possible and use the WAN link to send audit events.  Audit data is XML over NFS and tolerates latency well.  See the installation guide for bandwidth guidelines.



Query Performance Configuration

Two key factors of the Auditor Analytics database are write performance to Isilon over HDFS for storing audit event streams and read performance for queries.

The table below gives sizing guidance by event rate.  To expand a cluster from 3 to 6 or 9 nodes, see the Expanding ECA cluster Size for performance section.


Event Rate Total per ECA Cluster   Number of ECA VMs       Comments
6000 or greater EVTS               6 to 9 ECA VM cluster   Nodes 4 and on only run containers for reading and writing data and analysis.  These VMs can have memory lowered to 8G
< 6000 EVTS                        3 node ECA cluster



Expanding ECA cluster Size for performance


See the Install guide section on expanding cluster size to increase to 6 or 9 nodes.  Increasing cluster size increases event rate processing and analysis job report speed.


Audit Use cases

The following use cases can be addressed by Easy Auditor

  1. Find file deletes in the file system using searches

  2. Configure a scheduled query to find deletes or other file actions and get alerts real time

  3. Quickly find renamed directories using “Where did my folder go?” and revert the files to the previous location

  4. Monitor secure shares for users copying data from the share

  5. Report on user activity for compliance with HIPAA and PCI

  6. Identify the top users for creates and deletes

  7. Monitor the performance of paths in the file system to profile application workflows or users

  8. Track user activity for security audits

  9. Find insider threats with advanced search

  10. Store long term audit data for compliance reporting

  11. Identify excessive permissions to data to assist with removing access from users that do not require it



How to Configure and Operate Easy Auditor


This section describes how to configure and use Easy Auditor to search audit data.

Report Query Builder

Use this tab to search by user(s), path(s), file extension, file action and date range.

How Queries are Executed

[Diagram: query execution flow]

How to search

  1. Search by entering data into a field; a blank field is a wildcard that matches anything.  Enter a single entry for a user (user@domain or domain\user), a path, and an event type filter (blank means all event types).

  2. NOTE: The Extension field matches a string against the end of the file name (right to left).  Example: entering docx matches a file named financial.docx; entering cial.docx matches any file name ending in that string (*cial.docx).  NOTE: the * is not required and is shown only to illustrate the match.

  3. NOTE: Use the directory selector to pick the cluster and the path.  Path must begin with \ifs\ and continue with this path format.

  4. NOTE: Email option if enabled will send an email even if the query returns no data.  Disable this check box to skip sending an email if no data is returned.  This option is best used for scheduled queries.

  5. Use the save option to save the query to saved query tab to reload at a later date.

  6. Use the Run Report as Query option to run the query as a full report rather than a preview

  7. Execute a search with the search  button

    1. Group/Sort

      1. Use Group and sort to return the results in the preview screen according to these settings

  8. NOTE:  Search returns only the first 50000 records.   Saved queries can be run as a report to return more data as CSV download files


Analysis of File Access by Active Directory User - Built In Reports

Use this tab to create an analysis job that offers long-running analysis of audit data and compares it against Active Directory users and groups.  These reports require parameters to be set and a cluster selected.  All data is analyzed within the time period.


  1. Highest or lowest x %

  2. Cluster

  3. Time period to analyze  


Data Access Report

This report will be used to determine which users write the most data in GB to the cluster.  Use the parameters to determine the report output.   

Recommendation: Use this report to determine the highest load users and help determine node count and SmartConnect design.  This report can also assist with tiering policies for paths and users that are consuming the most or the least of the cluster's resources.


Report Parameters

  1. Highest or lowest x %

  2. Cluster

  3. Time period to analyze  

Top User Create files Report

This report will be used to determine the users that create the most files regardless of the size of the files.  Use the parameters to determine the report output.   

Recommendation: Use this report to determine highest file creation users and help determine node count and smartconnect design.  This report can also assist with tiering policies for paths and users that are consuming the most or the least of cluster resources.


Report Parameters

  1. Highest or lowest x %

  2. Cluster

  3. Time period to analyze  

Top User Deleted files Report

This report will be used to determine the users that delete the most files regardless of the size of the files.  Use the parameters to determine the report output.   

Recommendation: Use this report to determine the highest file deletion by users.  This list of users can be used to track who is deleting content on the file system. This can be used to help determine node count and SmartConnect design.  This report can also assist with tiering policies for paths and users that are deleting content that could be tiered.

Report Parameters

  1. Highest or lowest x %

  2. Cluster

  3. Time period to analyze  

Stale User Access Report

This report will be used to build a list of users that have accessed data using SMB shares and calculate the last read or write of each share they have access to mount based on AD group membership.  This report will list all users that can mount shares and whether they have accessed data during the reporting time period.  


Recommendation: Use this report to determine which users may not require access to SMB shares based on access patterns. This is a security report that can be shared with departments that manage SMB share access.  

NOTE: This is a long running report that can take hours to complete on a large database.  Large user count Active Directory domains can also cause the report to run longer to analyse data access.  


Report Parameters

  1. Cluster

  2. Time period to analyze  

Access User Report

This report will be used to build a list of users and SMB shares and map out user-to-share access to determine excessive permissions or validate existing share access that may not be in line with the desired security policies.  The report generates a list of shares and a list of Active Directory users and groups that have access to each SMB share.  The AD groups can be expanded to a list of users for NAS administrators that do not have access to Active Directory.


Recommendation: Use this report to determine which users may not require access to SMB shares based on AD group membership. This is a security report that can be shared with departments that manage SMB share access.

NOTE:  Large user count Active Directory domains can also cause the report to run longer to analyse data access.  


Report Parameters

  1. Cluster
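As an added illustration (not Superna's code or the product's report engine), the following Python models the two reports above: it expands the AD groups granted on each share into users (the Access User Report) and computes each user's last read or write under the shares they can mount (the Stale User Access Report). The share definitions, group membership and audit events are constructed sample data.

```python
# Small model of the Stale User Access and Access User reports described above.
# Added example, not Superna's code; shares, AD groups and events are constructed.

# Constructed share definitions: share name -> (share path, AD groups granted)
SHARES = {
    "finance": ("/ifs/data/finance", {"corp\\fin-users", "corp\\nas-admins"}),
    "hr": ("/ifs/data/hr", {"corp\\hr-users"}),
}
# Constructed AD group membership: group -> members (the expansion the report
# performs for NAS administrators who cannot query Active Directory)
GROUPS = {
    "corp\\fin-users": {"corp\\alice", "corp\\bob"},
    "corp\\hr-users": {"corp\\carol"},
    "corp\\nas-admins": {"corp\\dave"},
}
# Constructed SMB audit events within the reporting period:
# (day of period, user, action, path)
EVENTS = [
    (1, "corp\\alice", "read", "/ifs/data/finance/q3.xlsx"),
    (12, "corp\\alice", "write", "/ifs/data/finance/q4.xlsx"),
    (3, "corp\\carol", "read", "/ifs/data/hr/roster.csv"),
    (15, "corp\\carol", "open", "/ifs/data/hr/roster.csv"),  # not a read/write
]


def access_user_report(shares=SHARES, groups=GROUPS):
    """Access User Report: each share mapped to the users able to mount it,
    with every granted AD group expanded to its members."""
    return {share: set().union(*(groups.get(g, set()) for g in grant_groups))
            for share, (_, grant_groups) in shares.items()}


def stale_user_access_report(events, shares=SHARES, groups=GROUPS):
    """Stale User Access Report: for every user that can mount a share, the
    day of their last read or write under it, or None if never accessed."""
    last_access = {}
    for day, user, action, path in events:
        if action not in ("read", "write"):
            continue
        for share, (share_path, _) in shares.items():
            if path.startswith(share_path.rstrip("/") + "/"):
                key = (user, share)
                last_access[key] = max(day, last_access.get(key, day))
    return [{"share": share, "user": user,
             "last_access_day": last_access.get((user, share))}
            for share, users in access_user_report(shares, groups).items()
            for user in sorted(users)]


def stale_users(rows):
    """Users granted a share they never read or wrote in the period: the
    candidates the report suggests reviewing with the share owners."""
    return sorted((r["user"], r["share"]) for r in rows
                  if r["last_access_day"] is None)
```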

Count

Support may recommend running this report; it counts the rows in each system table in the analytics database.

NOTE:  This report can run for hours on a large database and generate IO to the cluster.  Run it in off-peak hours, for example overnight or at weekends.

Report Parameters

  1. None


How to load a saved search

  1. Use the saved query tab and select a query and click load query

  2. Execute the search with search button

How to delete a saved search

  1. Select one or more saved queries with a check box

  2. Click delete


Saved Queries Tab




How to Load a Query and Search

  1. Select checkbox of the query

  2. Click Load Query

  3. Then click search from the search UI

How to Load and Schedule  a Query

  1. Select the checkbox of the query

  2. Click Load Scheduled Query

  3. On Schedule tab set the interval the query should run and other schedule settings


How to delete a saved Query

  1. Select the checkbox of the query

  2. Click Delete Query

How to run a Query as a report

Use this option to return all rows and generate a CSV of the results rather than a preview

  1. Select the checkbox of the query

  2. Click Run Report

  3. Then go to the running reports tab to monitor completion

  4. Results are available on the Report history tab


Running Reports Tab

Shows all active running report jobs with details of each, along with duration and status.  Use this tab to monitor a running job and its duration.  Click the link to see the finished report.

Operations   

  1. Click the cancel link to cancel a running job

  2. Once a job has finished, a clickable link is displayed to take you to the results on the Finished Reports tab.




Best Practice:

  1. Large reports with a lot of data will take longer to complete, use this screen to determine if changing the query should be done to speed up the report for long running reports.

  2. Cancel or view reports that are completed or running from this screen.


Finished Reports

This tab stores all reports and results for download.

The saved reports list shows completion time, duration, date range covered, job ID, number of rows of results and a download link to the report.


Filter Reports tab

Use the Search button and dialog box to filter the list of displayed reports.

  1. Select all to search and filter on any Report ID, Run type (Manual or scheduled) and Status (success or failed)

  2. Example: to find all reports whose name begins with User, enter User in the search box.

  3. Example: to find all the scheduled reports, enter scheduled

  4. NOTE: default filtering will NOT show scheduled reports and only shows manually executed reports



Report Schedule Tab


Use this tab to view, load and delete scheduled queries.


NOTE:  See tested feature limits for scheduled search limits



How to delete a saved Scheduled Query

  1. Select the Schedule checkbox

  2. Click Delete Schedule

How to load  a Query and set a  Schedule

  1. Click the load saved Query

  2. Select a query from the list

  3. Set the schedule

  4. Click Schedule to save


How to edit a saved Scheduled Query

  1. Select the schedule from the list with  the checkbox

  2. Change the schedule

  3. Click the schedule button




Active Auditor Tab

(Requires Release 2.5.1) This tab is for configuring real-time audit features, to secure and protect data from delete and data loss on secure shares.  Any active triggers are displayed on this page with relevant information for the active audit trigger.



Active Auditing Tab Overview


Overview

The policies on this tab are executed by the ECA cluster in real time as events are processed.

The feature allows per-user monitoring of file deletes or data copies up to a threshold over a period of time.

The main tab indicates if the audit feature is enabled or disabled.


How to configure Mass Delete protection

Overview:

Monitors users deleting files on any share or export, up to an administrator-defined threshold over an administrator-defined time period.  The feature counts deletes by user using the ECA cluster real-time detectors and raises an alert when the policy is violated.

  • Provides visibility into delete actions on the file system before user cases are opened regarding deleted files.

  • Simplifies recovery of accidental deletes from automatically applied snapshots

  • Provides security monitoring of deleted files in real time





  1. Click Configure

  2. Enable the audit feature

  3. Click New Response to create policy to set one or more responses to crossing a file delete threshold per user.

  4. Set the policy parameters and responses:

    1. Threshold for number of files to be deleted

      1. Best Practice:  100 files to start and adjust higher if too many notifications are sent.

    2. Time period of which the deletes should occur within.

      1. Best Practice:  The rate at which deletes occur does not change the severity of the delete.  The goal is to set at a rate that detects many deletes in a short period of time.  Recommended default is 5 minutes.  This value can be adjusted up or down depending on the number of notifications that are sent.

    3. Possible Response Actions:

      1. Email alert - Sends an alert of the user, path and crossing of the policy criteria

      2. Snapshot the path(s) being deleted to provide a restore point.  The snapshot has a time to live of 48 hours by default.

      3. User Lockout - If selected, the user that trips this trigger will have SMB access denied on the first share above the path being monitored.

      4. Best Practice:  Enable both email alert and snapshot response for mass delete.

    4. Click Save




How to configure Data Loss Prevention

Overview:

Monitors users copying files on any secure share or path.  This assists with real-time monitoring of secured data for bulk copy operations that are not authorized or that indicate a potential data loss scenario.  The feature monitors the capacity of the file system path using an automatically applied accounting quota and allows the administrator to set the percentage of the data that any user can read from the path before the audit trigger is detected.

  • Automatically monitors secure data access by users

  • Alerts administrators of access by user with date, time, ip address of the access

  • Protects against bulk copy of secure data

  • Provides visibility into user data access

  • Proactive security measure to simplify auditing of secure data.

  • Secures sensitive data from insider threats


  1. Click Configure

  2. Enable the audit feature

  3. Click New Response to Create policy to set per user response actions when crossing data copy % threshold of the total data on the file system path.

  4. Set the policy parameters and responses:

    1. Path

      1. Enter the path in the file system to monitor. Best Practice:  Enter a path equal to a share path being monitored.

    2. Threshold % - use the slider bar to select

      1. Best Practice:  5 % is a good starting point to catch copy actions by users.

    3. Time period over which the copy will cross the threshold.

      1. Best Practice:  The rate at which copying occurs can affect the trigger detection.  The goal is to set at a time period low enough to ensure the threshold is crossed.  Recommended default is 5 minutes.  This value can be adjusted up or down depending on results of trigger testing.

    4. Possible Response Actions:

      1. Email alert - Sends an alert of the user, path and crossing of the policy criteria

      2. User Lockout - If selected, the user that trips this trigger will have SMB access denied on the first share above the path being monitored.

      3. Best Practice:  Enable email alert.  Determine if lockout is desirable for the sensitive data before adding a lockout action.

    5. Click save

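The two real-time policies above, Mass Delete and Data Loss Prevention, are both sliding-window detectors keyed by user. The following Python is an added example (not Superna's ECA code) that implements both with the guide's default thresholds (100 files in 5 minutes; 5 % of the path in 5 minutes) over a constructed event stream; the users, paths and the 10 GiB path capacity are assumptions made for the demo.

```python
# Sliding-window detectors modelled on the Mass Delete and DLP policies above.
# Added example, not Superna's code; events, users, paths and sizes are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    ts: float        # event time in seconds
    user: str        # domain\user as shown in the audit data
    action: str      # "delete" or "read" in this example
    path: str        # POSIX form of the \ifs\ path
    nbytes: int = 0  # bytes transferred (reads only)


class MassDeleteDetector:
    """Count deletes per user inside a sliding window and alert on the
    threshold. Defaults follow the guide's best practice: 100 files in 5 min."""

    def __init__(self, threshold=100, window_seconds=300):
        self.threshold = threshold
        self.window = window_seconds
        self._deletes = defaultdict(deque)  # user -> deque of (ts, path)

    def process(self, ev):
        """Return an alert dict when the user crosses the threshold, else None."""
        if ev.action != "delete":
            return None
        q = self._deletes[ev.user]
        q.append((ev.ts, ev.path))
        # Expire deletes older than the window so a slow trickle never alerts
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"policy": "mass_delete", "user": ev.user,
                     "count": len(q), "paths": sorted({p for _, p in q})}
            q.clear()  # one alert per burst, then start counting again
            return alert
        return None


class DlpDetector:
    """Sum bytes read per user under a monitored path and alert when the
    total inside the window exceeds threshold_pct of the path's capacity
    (the guide's accounting quota). Defaults: 5 % within 5 minutes."""

    def __init__(self, path, path_bytes, threshold_pct=5, window_seconds=300):
        self.path = path.rstrip("/") + "/"
        self.limit = path_bytes * threshold_pct / 100
        self.window = window_seconds
        self._reads = defaultdict(deque)  # user -> deque of (ts, nbytes)
        self._totals = defaultdict(int)   # user -> bytes inside the window

    def process(self, ev):
        if ev.action != "read" or not ev.path.startswith(self.path):
            return None
        q = self._reads[ev.user]
        q.append((ev.ts, ev.nbytes))
        self._totals[ev.user] += ev.nbytes
        while q and ev.ts - q[0][0] > self.window:
            self._totals[ev.user] -= q.popleft()[1]
        if self._totals[ev.user] > self.limit:
            alert = {"policy": "dlp", "user": ev.user, "path": self.path,
                     "bytes": self._totals[ev.user], "limit": self.limit}
            q.clear()
            self._totals[ev.user] = 0
            return alert
        return None


def sample_events():
    """Constructed stream: a delete burst, a slow delete trickle, a bulk read."""
    evs = []
    # alice deletes 120 files in 60 seconds: crosses 100 files / 5 minutes
    evs += [AuditEvent(1000 + i * 0.5, "corp\\alice", "delete",
                       f"/ifs/data/proj/f{i}.docx") for i in range(120)]
    # carol deletes 60 files, then 60 more 40 minutes later: never 100 in window
    evs += [AuditEvent(1000 + i, "corp\\carol", "delete",
                       f"/ifs/data/old/f{i}.txt") for i in range(60)]
    evs += [AuditEvent(3400 + i, "corp\\carol", "delete",
                       f"/ifs/data/old/g{i}.txt") for i in range(60)]
    # bob reads six 100 MiB files from a 10 GiB secure path: 5.9 % > 5 %
    evs += [AuditEvent(2000 + i * 10, "corp\\bob", "read",
                       f"/ifs/secure/hr/pay{i}.xlsx", 100 * 2**20) for i in range(6)]
    return sorted(evs, key=lambda e: e.ts)


def run_detectors(events):
    """Feed the stream through both policies and collect the alerts raised."""
    detectors = [MassDeleteDetector(),
                 DlpDetector("/ifs/secure/hr", path_bytes=10 * 2**30)]
    alerts = []
    for ev in events:
        alerts += [a for a in (d.process(ev) for d in detectors) if a]
    return alerts
```

In a real deployment the alert dict would feed the email, snapshot or lockout response configured on the policy; here it is simply returned so the thresholds can be checked.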




WireTap

This feature is a tool to allow security admins and auditors to easily look at a sequence of events by one or more user actions in the file system to build a complete picture of what happened.

NOTE: Due to event rates and system load only 2 Wiretap filters can be created at a time.  If a 3rd wiretap is required one of the existing Wiretaps must be deleted first.

NOTE: Wiretap will only output 25 events per second even if the path or user event rate is higher.  The sampled events should provide enough to view the file actions without overloading the UI at a rate that cannot be viewed in real time. This also means that some events will be dropped to meet the event rate; this is expected behaviour to allow visualisation of events as they happen.

The feature relies on the real-time processing of audit events managed by the ECA cluster to decode and stream audit data to Eyeglass wiretap UI.  

  • The feature allows wiretapping a path in the file system to monitor multiple users accessing data in a specific path in the file system or monitor a user anywhere on the file system.

  • Multiple wiretap sessions can be created at the same time for different administrators

  • Wiretap sessions can be created, deleted,  monitored or run a report

  • The main UI lists all saved wiretap sessions that can be monitored with the actions menu

  • NOTE: by defining a wiretap session the ECA cluster is monitoring for events that match the wiretap.  The events are only forwarded to Eyeglass while the wiretap watch window is open.


How to configure Wiretaps for users or paths


  1. Click the New Wiretap button

  2. Choose:

    1. A user: enter a user id in the syntax domain\userid or userid@<domain-name> (optional).

    2. Use the directory selector to pick the cluster and the path (mandatory).  Path must begin with \ifs\ and continue with this path format.


  3. Click Submit to save

How to delete a saved Wiretap

  1. Select checkbox on a saved wiretap session

  2. Select Action menu and delete to remove from the saved list

  3. NOTE: Saved wiretap sessions do not consume any extra storage and have only a minor CPU impact on ECA clusters that are monitoring wiretap sessions. Events are only sent to the Eyeglass UI if a monitor session is open.

How to Monitor a saved Wiretap

  1. Select checkbox on a saved wiretap session

  2. Select Action menu and monitor to open real-time session window

  3. Real-time wiretap session window will open


  5. NOTE: it may take a few seconds for events to appear in the wiretap session window

How to run a Wiretap Report

  1. Select checkbox on a saved wiretap session

  2. Select the Action menu and select Report

  3. This will run a report job that can be monitored from the Running Reports tab; once completed, the Report History tab will have an entry to download the report




Where Did My Folder go? Tab


Overview

This feature assists with a common issue: folders moved by user drag and drop actions on NAS shares, often leaving the user and/or other users unable to locate the files.  This turns into a help desk case to locate “missing data”, consuming support staff time and effort to locate the missing files.

This solution accelerates and simplifies addressing missing data requests.   The Role based access feature in Eyeglass has a read only role that can be assigned to the help desk to look up user folder names to assist with locating data.


Use Case

  1. A user drags and drops a folder on a share

  2. NOTE: Does not capture drag and drop between SMB shares, since this is a copy event

  3. NOTE: Does not capture cut and paste of a directory on an SMB share or between SMB shares, since this operation triggers a create and a delete operation.  This type of action can be found using queries and reports to look for file create and delete events.
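The distinction above (drag and drop within a share is a rename; copy or cut/paste between shares is a create, with or without a matching delete) can be applied to the event names listed in the Audit Message Workflows section. The following is an added example, not Easy Auditor code: the event record fields (time, user, event, path, new_path) and the sample stream are constructed, and the real database schema is not documented on this page.

```python
"""Classify folder and file relocation from SMB audit events.

Added example, not part of Easy Auditor. A drag-and-drop within a share
appears as a single DIR_RENAME (what the Where Did My Folder Go tab uses),
a cut/paste between shares as FILE_CREATE on the target followed by
FILE_DELETE of the same-named file on the source, and a copy as FILE_CREATE
with no matching delete. The record layout below is an assumption.
"""
from collections import namedtuple
from datetime import datetime, timedelta
import posixpath

Event = namedtuple("Event", "time user event path new_path")


def ev(ts, user, event, path, new_path=None):
    """Build a constructed event record from a timestamp string."""
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event, path, new_path)


# Constructed sample stream (not real audit data).
SAMPLE_EVENTS = [
    # Drag and drop of a folder inside one share: the DIR_RENAME the tab relies on.
    ev("2017-11-10 09:01:00", "DOMAIN\\alice", "DIR_OPEN", "/ifs/data/eng/specs"),
    ev("2017-11-10 09:01:00", "DOMAIN\\alice", "DIR_RENAME",
       "/ifs/data/eng/specs", "/ifs/data/eng/archive/specs"),
    ev("2017-11-10 09:01:01", "DOMAIN\\alice", "DIR_CLOSE", "/ifs/data/eng/archive/specs"),
    # Cut/paste between shares: create on target, then delete on source.
    ev("2017-11-10 10:15:02", "DOMAIN\\bob", "FILE_OPEN_WRITE", "/ifs/data/eng/spec.docx"),
    ev("2017-11-10 10:15:02", "DOMAIN\\bob", "FILE_CREATE", "/ifs/data/legal/spec.docx"),
    ev("2017-11-10 10:15:03", "DOMAIN\\bob", "FILE_DELETE", "/ifs/data/eng/spec.docx"),
    # Copy between shares: read the source, create the target, nothing deleted.
    ev("2017-11-10 11:30:00", "DOMAIN\\carol", "FILE_OPEN_READ", "/ifs/data/eng/readme.txt"),
    ev("2017-11-10 11:30:00", "DOMAIN\\carol", "FILE_CREATE", "/ifs/data/legal/readme.txt"),
    # Unrelated delete hours later: must not pair with the create above.
    ev("2017-11-10 15:00:00", "DOMAIN\\carol", "FILE_DELETE", "/ifs/data/eng/readme.txt"),
]


def find_folder_moves(events):
    """Folder moves are DIR_RENAME events; returns (time, user, old_path, new_path),
    the same four columns the Where Did My Folder Go search displays."""
    return [(e.time, e.user, e.path, e.new_path) for e in events if e.event == "DIR_RENAME"]


def classify_file_creates(events, window=timedelta(seconds=30)):
    """Label each FILE_CREATE as 'move' (the same user deletes a same-named file
    on another path within `window` after the create) or 'copy' (no such delete).
    Returns (time, user, source_path_or_None, target_path, kind)."""
    deletes = [e for e in events if e.event == "FILE_DELETE"]
    results = []
    for c in (e for e in events if e.event == "FILE_CREATE"):
        name = posixpath.basename(c.path)
        paired = next((d for d in deletes
                       if d.user == c.user
                       and posixpath.basename(d.path) == name
                       and d.path != c.path
                       and timedelta(0) <= d.time - c.time <= window), None)
        kind = "move" if paired else "copy"
        results.append((c.time, c.user, paired.path if paired else None, c.path, kind))
    return results


if __name__ == "__main__":
    for move in find_folder_moves(SAMPLE_EVENTS):
        print("folder moved:", move)
    for rec in classify_file_creates(SAMPLE_EVENTS):
        print("file create:", rec)
```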




How to Use Where did my folder go Search

  1. Use the directory selector to pick the cluster and the path (mandatory).  Path must begin with \ifs\ and continue with this path format.

  2. Select a day for the search (mandatory).

  3. The results display

    1. The time of when the directory was moved

    2. The user id that executed the move operation

    3. The original folder path before the move

    4. The new location of the folder path after the move

  4. Using the search results identify the path and user that executed the folder move operation to move the data back to the previous location

  5. Done



Auditor Role Based Access


Easy Auditor has 2 permissions in the User Roles icon that are automatically assigned to the auditor user.  See below.

To create additional access to read only or read/write permissions consult the RBAC guide and use the permissions below.

RBAC guide



How to Use Excel for advanced filtering of CSV Reports


This section covers advanced filtering options with Easy Auditor CSV exports using Microsoft Excel.  Typical date and time filtering and combinations of columns are easily managed with Excel column heading filters.  The following sections walk through how to apply date and time filters to filter event data more precisely.

Filtering on date and time uses the custom date format described in step 2.

  1. Enable the column heading row 1 data filter

  2. Time filtering: apply a custom date and time format to the time column, as per below, to allow advanced time based filtering. Example: yyyy-mm-dd h:mm:ss AM/PM

    1. Advanced filters can then be entered with seconds granularity using before, after or between filters.  See example below.

  3. File Extension filtering

    1. After enabling filtering on the column heading

    2. The file extension column can be used to quickly find all files with an extension

  4. Path or partial path search

    1. Using the Contains option in the path filter allows matching any partial path

  5. Combined filters - All column headings can be filtered together, allowing complex filters that combine a time range, an extension, a partial path match and an access zone.
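The same stacked filters (time range with seconds granularity, extension, partial path, access zone) applied to a CSV export outside Excel, as an added example that is not part of Easy Auditor. The column headings (time, user, event, path, extension, zone) and the sample rows are constructed for illustration; map them to the headings of your own export.

```python
"""Apply the Excel-style filters described above to an Easy Auditor CSV export.

Added example, not part of the Easy Auditor product. Column headings and
sample rows are constructed; adjust the names to your own export.
"""
import csv
import io
from datetime import datetime

# The custom Excel column format recommended above, yyyy-mm-dd h:mm:ss AM/PM,
# expressed as a strptime directive (12-hour clock, no leading zero required).
TIME_FORMAT = "%Y-%m-%d %I:%M:%S %p"

# Constructed sample export (not real audit data).
SAMPLE_CSV = """\
time,user,event,path,extension,zone
2017-11-10 8:59:52 AM,DOMAIN\\alice,FILE_DELETE,/ifs/data/finance/q3/report.xlsx,xlsx,System
2017-11-10 9:02:10 AM,DOMAIN\\bob,FILE_CREATE,/ifs/data/finance/q3/notes.txt,txt,System
2017-11-10 1:15:00 PM,DOMAIN\\alice,FILE_DELETE,/ifs/data/hr/payroll.xlsx,xlsx,HR
2017-11-10 1:16:30 PM,DOMAIN\\carol,FILE_DELETE,/ifs/data/finance/q3/budget.xlsx,xlsx,System
2017-11-11 7:28:13 PM,DOMAIN\\bob,FILE_DELETE,/ifs/data/finance/q3/draft.xlsx,xlsx,System
"""


def parse_time(value):
    """Parse a cell in the yyyy-mm-dd h:mm:ss AM/PM format to a datetime."""
    return datetime.strptime(value.strip(), TIME_FORMAT)


def load_rows(text):
    """Read the export into dict rows keyed by column heading."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_rows(rows, start=None, end=None, event=None, extension=None,
                path_contains=None, zone=None):
    """Return rows matching every supplied filter, like stacked column filters in Excel.

    start/end are inclusive datetimes (the 'between' filter with seconds granularity);
    event, extension and zone are exact matches; path_contains is a case-insensitive
    partial path match (the 'contains' filter)."""
    out = []
    for row in rows:
        ts = parse_time(row["time"])
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        if event is not None and row["event"] != event:
            continue
        if extension is not None and row["extension"].lower() != extension.lower():
            continue
        if path_contains is not None and path_contains.lower() not in row["path"].lower():
            continue
        if zone is not None and row["zone"] != zone:
            continue
        out.append(row)
    return out


def deletes_in_window(text, start, end, path_fragment, extension="xlsx", zone="System"):
    """Combined filter: deletes of one extension under a partial path in one access
    zone within a time window. Returns the matching (user, path) pairs in file order."""
    rows = filter_rows(load_rows(text), start=parse_time(start), end=parse_time(end),
                       event="FILE_DELETE", extension=extension,
                       path_contains=path_fragment, zone=zone)
    return [(r["user"], r["path"]) for r in rows]


if __name__ == "__main__":
    for hit in deletes_in_window(SAMPLE_CSV, "2017-11-10 12:00:00 AM",
                                 "2017-11-10 11:59:59 PM", "finance/q3"):
        print(hit)
```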



How to Coexist with another CEE application

Use the Turbo Audit configuration to coexist with other CEE applications.  This mounts the Isilon audit logs over NFS, allowing existing CEE application URLs to remain in place.


How to Backup and Restore an Audit Database

A key advantage of the Easy Auditor architecture is using Isilon native features to protect the audit data.   The following sections explain how to back up and restore the Analytics database.

Backup the Audit Database with SnapshotIQ

  1. Create a  scheduled snapshot  of the HDFS root directory that contains the Audit Database directory with Isilon SnapshotIQ . Example:

  2. Recommended schedule: daily snapshot at noon, 7 days a week, with 30 day retention

Access zone basepath for audit database is  /ifs/data/igls/analyticsdb

HDFS root directory: /ifs/data/igls/analyticsdb/eca

Audit Database directory: /ifs/data/igls/analyticsdb/eca

  1. If creating a manual snapshot by using the Isilon GUI, do not leave the snapshot name blank.

    1. A default snapshot name will be applied automatically (e.g. “Snapshot: 2017Nov09, 10:59 PM"). That name format is not supported for the ECA cluster because HDFS does not support the special characters it contains.

    2. That name format will prevent the ECA cluster from being brought up.  Provide a normal name for the snapshot and avoid names containing the “:” character.

  2. If creating a scheduled snapshot, also avoid a name pattern containing the “:” character (e.g. ScheduleName_Duration_%Y-%m-%d_%H:%M).  That name format is not supported for the ECA cluster and will prevent it from being brought up.  Provide a name pattern without the “:” character for the snapshot.

Note: Please refer to the Isilon documentation for creating a snapshot, including how to create a SnapRevert domain

Restore the Audit Database with SnapshotIQ

  1. Bring down the ECA Cluster.

    1. ssh to ECA master node (node 1). Login as ecaadmin

    2. Run command: ecactl cluster down.

  2. Wait until nodes are down, then shut down the ECA Cluster. On each ECA node:

    1. ssh to each node

    2. Type sudo -s (enter admin password)

    3. Type shutdown

  3. After the ECA cluster VMs are down, restore from snapshot. Isilon command:  isi job jobs start snaprevert --snapid xxxx (verify the correct snapid of the snapshot to revert to)

  4. To verify the snapshot revert job status, Isilon command to list running jobs: isi job jobs list

  5. Once the snapshot revert job has completed, power on ECA Cluster vApp.

  6. After ECA Cluster VMs are up, then bring up ECA Cluster

    1. ssh to ECA master node (node 1)

    2. Login as ecaadmin

    3. Run command: ecactl cluster up.

    4. NOTE: During cluster up, uncommitted transactions are replayed to the database. This can be seen in the HBASE Region server GUI logs at http://x.x.x.x:16030 and can make the cluster take longer to start up.

    5. Sample below

  7. Verify that the ECA Cluster is up and the audit database status returns no error. Command: ecactl db shell

2017-11-10 08:59:52,729 WARN  [main] util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable

HBase Shell; enter 'help<RETURN>' for list of supported commands.

Type "exit<RETURN>" to leave the HBase Shell

Version 1.2.6, rUnknown, Mon May 29 02:25:32 CDT 2017


hbase(main):001:0> status

1 active master, 2 backup masters, 3 servers, 0 dead, 2.6667 average load

  1. Until the status appears like above, HBASE is not fully operational.

  2. Done


Backup and DR for  Audit Database with SyncIQ to a Remote Cluster


This solution backs up the Audit Database to a remote cluster, providing a remote backup and a DR copy at the same time.

SyncIQ to replicate Audit Database to a remote Isilon Cluster

  1. Create a SyncIQ Policy to replicate audit database to a directory under  the HDFS root directory with replication schedule . Example:

Access zone basepath for audit database is on source and target cluster  /ifs/data/igls/analyticsdb/.

HDFS root directory: /ifs/data/igls/analyticsdb/eca

SyncIQ Policy Source Path: /ifs/data/igls/analyticsdb/eca/ecahbase

SyncIQ Policy Target Path on remote cluster: /ifs/data/igls/analyticsdb/eca/ecahbase

Recommended policy Schedule:  once a day at noon, 7 days a week


  1. When creating  a  local Hadoop user (eyeglasshdfs)  in the System access zone of the remote Isilon cluster as per Preparation of Analytics Database Cluster documentation, specify the same UID as the local Isilon cluster’s hadoop user. Example:

isi auth users create --name=eyeglasshdfs --provider=local --enabled=yes --password-expires=no --zone=system --uid=eyeglasshdfs_uid_on_local_isilon


  1. The SyncIQ Policy Target path on remote Isilon cluster must have the same  ownership and permission as the source database.

chown -R eyeglasshdfs:'Isilon Users' /ifs/data/igls/analyticsdb/eca/ecahbase

chmod -R 755 /ifs/data/igls/analyticsdb/eca/ecahbase



Restore the Audit Database with SyncIQ  to a remote Data Center


This procedure assumes an ECA cluster will be deployed at the remote location to use the database copy.

The ECA cluster at the remote location must meet the following requirements:

  1. The number of ECA Cluster nodes deployed in the remote location must be the same as the number of local ECA Cluster nodes. Example: if the local ECA Cluster was configured with 3 nodes, the remote ECA cluster also needs to be configured with 3 nodes.

  2. The remote ECA Cluster ID must be the same as the local ECA cluster ID.  We can verify that the ECA_CLUSTER_ID setting in /opt/superna/eca/eca-env-common.conf file of this remote ECA cluster has the same ID as the source ECA Cluster. Example:

export ECA_CLUSTER_ID=eca_local_cluster_id


  1. The ISILON_HDFS_ROOT of this remote ECA Cluster must be configured to point to a directory under the HDFS root directory. This must be the same directory under the HDFS root into which the SyncIQ policy replicates the HBase DB, as described in the previous section. Example: configure /opt/superna/eca/eca-env-common.conf

export ISILON_HDFS_ROOT='hdfs://hdfs_smartconnect_zone_name:8020/ecahbase'
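A scripted pre-flight check of the three requirements above (node count, matching ECA_CLUSTER_ID, ISILON_HDFS_ROOT resolving to the SyncIQ target) plus the ownership and 755 permission check the SyncIQ section calls for, as an added example that is not part of the ECA tooling. It parses the export lines of eca-env-common.conf; the two configuration contents below are constructed samples, and the file name hbase.version used in the ownership demo is constructed.

```python
"""Pre-flight checks before bringing up a remote ECA cluster on a SyncIQ copy.

Added example, not part of the ECA tooling. Parses 'export KEY=value' lines
from two eca-env-common.conf files (local and remote), checks node count,
ECA_CLUSTER_ID and ISILON_HDFS_ROOT against the SyncIQ target, and verifies
owner/group/mode of the replicated tree. Config contents are constructed.
"""
import os
import re
import shutil
import stat
import tempfile
from urllib.parse import urlparse

EXPORT_RE = re.compile(r"^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# Constructed sample contents of /opt/superna/eca/eca-env-common.conf.
LOCAL_CONF = """
export ECA_CLUSTER_ID=eca_local_cluster_id
export ISILON_HDFS_ROOT='hdfs://hdfs_smartconnect_zone_name:8020/'
"""
REMOTE_CONF = """
export ECA_CLUSTER_ID=eca_local_cluster_id
export ISILON_HDFS_ROOT='hdfs://hdfs_smartconnect_zone_name:8020/ecahbase'
"""
HDFS_ROOT_DIR = "/ifs/data/igls/analyticsdb/eca"            # HDFS root directory
SYNCIQ_TARGET = "/ifs/data/igls/analyticsdb/eca/ecahbase"   # SyncIQ policy target path


def parse_env_conf(text):
    """Return {KEY: value} from 'export KEY=value' lines, with quotes stripped."""
    env = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip("'\"")
    return env


def check_remote_config(local_conf, remote_conf, hdfs_root_dir, synciq_target,
                        local_nodes, remote_nodes):
    """Return a list of problems; an empty list means the remote cluster qualifies."""
    local, remote = parse_env_conf(local_conf), parse_env_conf(remote_conf)
    problems = []
    if local_nodes != remote_nodes:
        problems.append(f"node count differs: local={local_nodes}, remote={remote_nodes}")
    if local.get("ECA_CLUSTER_ID") != remote.get("ECA_CLUSTER_ID"):
        problems.append("ECA_CLUSTER_ID differs between local and remote eca-env-common.conf")
    root = remote.get("ISILON_HDFS_ROOT", "")
    u = urlparse(root)
    if u.scheme != "hdfs" or not u.hostname or not u.port:
        problems.append(f"ISILON_HDFS_ROOT is not of the form hdfs://host:port/dir: {root!r}")
    elif u.path.rstrip("/") == "":
        problems.append("ISILON_HDFS_ROOT must name a directory under the HDFS root, not the root")
    else:
        # HDFS root + the URL path must be exactly where SyncIQ lands the HBase copy.
        resolved = os.path.normpath(hdfs_root_dir + u.path)
        if resolved != os.path.normpath(synciq_target):
            problems.append(f"ISILON_HDFS_ROOT resolves to {resolved}, SyncIQ target is {synciq_target}")
    return problems


def check_tree_ownership(path, uid, gid, mode=0o755):
    """Return entries under `path` whose owner, group or permission bits differ from
    the expected values (the chown -R / chmod -R 755 applied to the target path)."""
    bad = []
    for dirpath, _dirnames, filenames in os.walk(path):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.stat(entry)
            if st.st_uid != uid or st.st_gid != gid or stat.S_IMODE(st.st_mode) != mode:
                bad.append(entry)
    return bad


def demo_ownership_check():
    """Build a throwaway tree owned by the current user, check it clean, then break one file."""
    root = tempfile.mkdtemp()
    try:
        os.chmod(root, 0o755)
        st = os.stat(root)
        version_file = os.path.join(root, "hbase.version")   # constructed file name
        open(version_file, "w").close()
        os.chmod(version_file, 0o755)
        clean = check_tree_ownership(root, st.st_uid, st.st_gid)
        os.chmod(version_file, 0o644)        # simulate a file that lost its 755 bits
        dirty = check_tree_ownership(root, st.st_uid, st.st_gid)
        return len(clean), len(dirty)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(check_remote_config(LOCAL_CONF, REMOTE_CONF, HDFS_ROOT_DIR, SYNCIQ_TARGET, 3, 3))
    print(demo_ownership_check())
```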



Procedure:


  1. Use Eyeglass per-SyncIQ-policy failover with DR Assistant to fail over the Audit Database policy.  This will automate all steps for the SyncIQ policy

    1. (Manual method) Change SyncIQ Policy for audit database replication  schedule to manual.

    2. (Manual method) Make the SyncIQ path on the remote Isilon Cluster writeable using the allow write option on the local target policy on the remote cluster (see Isilon Documentation)

    3. Ensure that the replicated audit database folder has the correct ownership and permission setting (eyeglasshdfs user)

      1. Login to the cluster as root, change directory to the database directory and type ‘ls -la’.  This will list file ownership and should show the eyeglasshdfs user.

  2. Audit Re-Configuration Steps to get fully operational

    1. The cluster(s) that were monitored by the ECA will need the /ifs/.var export updated to include the new ip addresses of the new ECA nodes.

    2. This procedure assumes NFS automount is enabled, so no manual NFS mount changes are required.

  3. Bring up this remote ECA Cluster. Command: ecactl cluster up

    1. ssh to ECA master node (node 1)

    2. Login as ecaadmin

    3. Run command: ecactl cluster up.

    4. Verify the NFS mount is successful

      1. Login to node 1 to 3 and verify the mount is visible by typing ‘mount’

    5. NOTE: During cluster up, uncommitted transactions are replayed to the database. This can be seen in the HBASE Region server GUI logs at http://x.x.x.x:16030 and can make the cluster take longer to start up.

    6. Sample below


  1. Verify that the ECA Cluster is up and the audit database status returns no error. Command: ecactl db shell

2017-11-10 01:56:33,254 WARN  [main] util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable

HBase Shell; enter 'help<RETURN>' for list of supported commands.

Type "exit<RETURN>" to leave the HBase Shell

Version 1.2.6, rUnknown, Mon May 29 02:25:32 CDT 2017


hbase(main):001:0> status

1 active master, 2 backup masters, 3 servers, 0 dead, 2.6667 average load





How to check Analytics  database size

  1. Open Easy Auditor icon

  2. Click Builtin reports tab

  3. Select Count table report

  4. Click save and provide a name

  5. Click on Saved query tab

  6. Run the saved report


  7. View the row count for the user table from the completed report on the Finished report tab

  8. If the row count exceeds 1 Billion records, recommendation is to follow cluster expansion steps for increased search performance.

How to Implement Typical Audit Use Cases



This section walks through typical audit use cases and assists with suggested features to address the audit requirements.

User Reports of missing files in a share path


Options to audit this use case

  1. Scheduled Query: Create a search with advanced search tab and enter the cluster and path in the file system to monitor.  Save the query and then use the schedule tab to run every hour to alert you on any deletes in that path

    1. Same as above but enter a file extension as well to narrow the delete query and schedule every hour

  2. WireTap: Create a wiretap session to monitor the path in real-time if the delete is a recurring issue on a path.  The wiretap can monitor a path if it is unknown who deleted the file(s).   If it is a specific user's issue, wiretap the user to monitor user activity while they execute a sequence to reproduce the delete issue.


Application Performance Issue for NAS share or export


Users raise issue about performance of an application or data access.  This can be caused by file locking or temp file creation on the NAS share versus local disk or poor application workflow accessing network shares/exports.


Options to audit this use case

  1. Wiretap:  Create a wiretap session for the user or path with the performance issue.  Monitor while asking end users to re-attempt the application operations.   A path based wiretap is best when multiple users raise a performance issue on a share.  Create a user based wiretap when the application performance issue affects a single user.


Excessive Permissions Analysis


The excessive permissions report assists with identifying users with access to data that they no longer access.  This report can help with compliance and securing access to data.   The report analyzes users that have accessed shares, resolves their share access from AD group membership, and lists users with access to shares but no actual file activity within the report range.

These users are candidates to have group membership reduced to narrow access to data.


Options to audit this use case

  1. Builtin Excessive Permissions Report:  Open the Report History to open the report.  



User Behavior Audit  


Random user audits or suspicious file access auditing is a common requirement in security departments.    Easy Auditor provides several tools to perform proactive audits of file access.

Options to audit this use case

  1. Wiretap:  Create a wiretap session with the per user option. The session can be actively monitored, or saved and a report run to list all file access since the creation of the wiretap session.

  2. Search: Build a search based on user id and a date range; this will return all file access on all shares within the date range.   In the preview screen of the search select run report.






Audit Message Workflows


This section shows the expected audit messages for typical file action workflows to assist with auditing applications and user file access.


The Turbo audit workflows cover tested file actions with Turbo Audit enabled.  This is the default configuration. The non Turbo audit sections cover CEE audit workflows for lower event rate installations.

Audit Message Workflows - SMB


WorkFlow Description

File Audit messages Expected

Create a File

FILE_CREATE ..\file_name

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_WRITE ..\file_name

FILE_CLOSE_MODIFIED ..\file_name

Open a File (Command Line)

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_OPEN_READ ..\file_name

FILE_READ ..\file_name

FILE_OPEN_WRITE ..\file_name:Zone.Identifier

FILE_READ ..\file_name

FILE_CLOSE ..\file_name

FILE_READ ..\file_name


Open a File (Windows Explorer)

FILE_OPEN_WRITE ..\desktop.ini

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

FILE_OPEN_WRITE ..\file_name:Zone.Identifier

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

FILE_OPEN_READ ..\file_name

FILE_READ ..\file_name

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

FILE_OPEN_NOACCESS ..\file_name

DIR_CLOSE ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name



Close a File

FILE_CLOSE ..\file_name


Rename a File (Command Line)

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

DIR_OPEN ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_RENAME ..\file_name

FILE_CLOSE ..\file_name

DIR_CLOSE ..\dir_name



Rename a File (Windows Explorer)

DIR_CLOSE ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_RENAME ..\file_name

FILE_CLOSE ..\file_name

DIR_OPEN ..\dir_name

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name


Write to a File

FILE_OPEN_WRITE ..\file_name

FILE_READ ..\file_name

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_WRITE ..\file_name


Save a File (After modified)

FILE_WRITE ..\file_name

FILE_CLOSE_MODIFIED ..\file_name

Delete a File (Command Line)

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

DIR_OPEN ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_DELETE ..\file_name

FILE_CLOSE ..\file_name

DIR_CLOSE ..\dir_name


Delete a File (Windows Explorer)

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\desktop.ini

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_DELETE ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name




Create a Directory (Command Line)

DIR_CREATE ..\dir_name

DIR_CLOSE ..\dir_name

Create a Directory (Windows Explorer)

DIR_CREATE ..\parent_dir_name\NEW FOLDER

DIR_CLOSE ..\parent_dir_name\NEW FOLDER

FILE_OPEN_WRITE ..\parent_dir_name\NEW FOLDER/desktop.ini

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\NEW FOLDER

DIR_RENAME ..\parent_dir_name\NEW FOLDER

DIR_CLOSE ..\parent_dir_name\NEW FOLDER

DIR_OPEN ..\parent_dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name


Rename a Directory

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_RENAME ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name


Rename a Directory (Windows Explorer)

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_RENAME ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name


Delete a Directory (Command Line)

DIR_OPEN ..\dir_name

DIR_DELETE ..\dir_name

DIR_CLOSE ..\dir_name

Delete a Directory (Windows Explorer)

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_DELETE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

FILE_OPEN_WRITE ..\parent_dir_name\desktop.ini

Delete a non-empty Directory

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_DELETE ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_DELETE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

Drag and Drop a non-empty folder to another folder

DIR_OPEN  ..\parent_dir_name\source_dir_name

DIR_CLOSE  ..\parent_dir_name\source_dir_name

FILE_OPEN_WRITE ..\parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name

DIR_OPEN  ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\target_dir_name

DIR_OPEN  ..\parent_dir_name\source_dir_name

DIR_CLOSE  ..\parent_dir_name\source_dir_name

DIR_OPEN  ..\parent_dir_name\source_dir_name

DIR_RENAME  ..\parent_dir_name\source_dir_name

DIR_CLOSE  ..\parent_dir_name\source_dir_name

DIR_OPEN  ..\parent_dir_name

DIR_CLOSE  ..\parent_dir_name

DIR_OPEN  ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\target_dir_name

DIR_OPEN  ..\parent_dir_name

DIR_OPEN  ..\parent_dir_name

DIR_CLOSE  ..\parent_dir_name

Copy a group of files into a new folder (same share)

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_1

FILE_OPEN_READ ..\parent_dir_name\file_name_1

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_OPEN_READ ..\parent_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\file_name_3

FILE_OPEN_READ ..\parent_dir_name\file_name_3

FILE_OPEN_WRITE ..\parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name/desktop.ini

DIR_OPEN  ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name

FILE_OPEN_READ ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_1

FILE_CREATE ..\parent_dir_name\target_dir_name\file_name_1

FILE_OPEN_READ ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_CREATE ..\parent_dir_name\target_dir_name\file_name_2

FILE_OPEN_READ ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\file_name_3

FILE_CREATE ..\parent_dir_name\target_dir_name\file_name_3

DIR_OPEN  ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\

DIR_OPEN  ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\

FILE_CLOSE ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\target_dir_name/file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\target_dir_name/file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\target_dir_name/file_name_3


Move a group of files into a new folder (same share)

FILE_OPEN_WRITE ..\parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_folder_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\

DIR_OPEN  ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\target_dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_1

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_1

FILE_RENAME ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_1

DIR_OPEN ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\

DIR_OPEN  ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\target_dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_2

FILE_RENAME ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\file_name_3

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_3

FILE_RENAME ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\file_name_3

DIR_OPEN ..\parent_dir_name\

DIR_OPEN ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\


Copy a group of files into a new folder (different share)

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\desktop.ini

DIR_OPEN ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

FILE_OPEN_NOACCESS  ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE  ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_OPEN_NOACCESS  ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE  ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_NOACCESS  ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE  ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_3

DIR_OPEN ..\target_parent_dir_name

DIR_CLOSE ..\target_parent_dir_name

FILE_OPEN_WRITE ..\target_parent_dir_name\target_dir_name\desktop.ini

FILE_OPEN_WRITE ..\source_parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\target_parent_dir_name\target_dir_name

DIR_OPEN  ..\target_parent_dir_name

DIR_CLOSE  ..\target_parent_dir_name

DIR_OPEN  ..\source_parent_dir_name

DIR_CLOSE  ..\source_parent_dir_name

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_1

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_2

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_3



Move a group of files into a new folder (different share)

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\desktop.ini

DIR_OPEN ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

FILE_OPEN_WRITE ..\target_parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\target_parent_dir_name\target_dir_name\desktop.ini

FILE_OPEN_WRITE ..\target_parent_dir_name\target_dir_name

DIR_OPEN ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

DIR_OPEN ..\target_parent_dir_name

DIR_CLOSE ..\target_parent_dir_name

DIR_OPEN ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name\source_dir_name

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_DELETE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

DIR_OPEN ..\target_parent_dir_name\target_dir_name

DIR_CLOSE ..\target_parent_dir_name\target_dir_name

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_DELETE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_DELETE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

DIR_OPEN ..\source_parent_dir_name

DIR_OPEN ..\source_parent_dir_name\source_dir_name

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_1

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_2

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_3


Set ACL of a file

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

FILE_OPEN_NOACCESS   ..\parent_dir_name\dir_name\file_name

FILE_CLOSE   ..\parent_dir_name\dir_name\file_name

FILE_OPEN_NOACCESS   ..\parent_dir_name\dir_name\file_name

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS   ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name

FILE_OPEN_NOACCESS   ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name


Set ACL of a Directory

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_SET_ACL ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name



Set ACL of a Directory and its files

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_SET_ACL ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name1

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name1

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name1

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name1

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name1

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name2

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name2

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name2

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name2

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name2

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name


Remove Inherited ACL from a File

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name


Modify ACL setting of a Directory to not propagate the ACL to files / subfolders

DIR_OPEN ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name

DIR_SET_ACL ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

FILE_OPEN_WRITE  ..\parent_dir_name\dir_name

FILE_OPEN_WRITE  ..\parent_dir_name\desktop.ini

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name


Open a lock file (already open by another client) in read-only mode

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\desktop.ini

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\file_name:Zone.Identifier

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\file_name

FILE_OPEN_READ ..\parent_dir_name\dir_name\file_name

FILE_READ ..\parent_dir_name\dir_name\file_name

FILE_OPEN_READ ..\parent_dir_name\dir_name\.-lock.file_name#

FILE_READ ..\parent_dir_name\dir_name\.-lock.file_name#

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\file_name

FILE_OPEN_READ ..\parent_dir_name\dir_name\file_name

FILE_READ ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_CLOSE ..\parent_dir_name\dir_name\.-lock.file_name#

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name




Audit Message Workflows with Turbo Audit - SMB

Workflow description and the file audit messages expected:

SMB (Turbo Audit): Create a File

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name

FILE_WRITE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CREATE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir



SMB (Turbo Audit): Rename a File

DIR_CLOSE ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir


SMB (Turbo Audit): Write to a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_READ ..\parent_dir\dir_name\file_name

FILE_OPEN_READ ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name

FILE_WRITE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_READ ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir


SMB (Turbo Audit): Delete a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_DELETE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir


SMB (Turbo Audit): Create a Folder

DIR_CLOSE ..\parent_dir\dir_name\new_dir_name

DIR_CREATE ..\parent_dir\dir_name\new_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name


SMB (Turbo Audit): Delete a Folder

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_DELETE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name


SMB (Turbo Audit): Rename a Folder

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_RENAME ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir


SMB (Turbo Audit): Set ACL of a file

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name


SMB (Turbo Audit): Set ACL of a Directory

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_SET_ACL ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir



Audit Message Workflows - NFS

Workflow description and the file audit messages expected:

NFS: Create a File

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_CREATE ..\dir_name\file_name

FILE_CLOSE ..\dir_name\file_name

DIR_CLOSE ..\dir_name

NFS: Open a File (with an editor; a .swp temp file is created)

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CREATE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_CREATE ..\parent_dir\dir_name\.file_name.swx

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\.file_name.swx

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swx

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swx

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swx

FILE_DELETE ..\parent_dir\dir_name\.file_name.swx

FILE_DELETE ..\parent_dir\dir_name\.file_name.swp

FILE_CREATE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_READ ..\parent_dir\dir_name\file_name

FILE_READ ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp


NFS: Close a File

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_DELETE ..\parent_dir\dir_name\.file_name.swp

DIR_CLOSE ..\parent_dir\dir_name


NFS: Rename a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Write to a File

FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp


NFS: Save a File after modification

DIR_OPEN ..\parent_dir\dir_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CREATE ..\parent_dir\dir_name\temp_file

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\temp_file

FILE_CLOSE ..\parent_dir\dir_name\temp_file

FILE_SET_ACL ..\parent_dir\dir_name\temp_file

FILE_CLOSE ..\parent_dir\dir_name\temp_file

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\temp_file

FILE_SET_ACL ..\parent_dir\dir_name\temp_file

FILE_CLOSE ..\parent_dir\dir_name\temp_file

FILE_DELETE ..\parent_dir\dir_name\temp_file

DIR_OPEN ..\parent_dir\dir_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CREATE ..\parent_dir\dir_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_WRITE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\file_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir

FILE_DELETE ..\parent_dir\dir_name\file_name~

FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_DELETE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp

DIR_CLOSE ..\parent_dir\dir_name


NFS: Delete a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_DELETE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Create a Directory

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CREATE ..\parent_dir\dir_name\new_subdirectory_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name\new_subdirectory_name


NFS: Rename a Directory

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_RENAME ..\parent_dir\dir_name\old_sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Delete a Directory

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name

DIR_DELETE ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Delete a non-empty Directory

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

FILE_DELETE ..\parent_dir\dir_name\sub_directory_name\file_name

DIR_OPEN ..\parent_dir\dir_name

DIR_DELETE ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Copy a group of files into a new directory on the same export

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

FILE_CREATE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_WRITE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CREATE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_WRITE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\sub_directory_name\file_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\sub_directory_name\file_name


NFS: Move a group of files into a new directory on the same export

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name

FILE_RENAME ..\parent_dir\dir_name\file_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name


NFS: Copy a group of files into a new directory on a different export

DIR_OPEN ..\parent_dir1\dir_name1

DIR_CLOSE ..\parent_dir1\dir_name1

DIR_OPEN ..\parent_dir2\dir_name2

DIR_CLOSE ..\parent_dir2\dir_name2

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

FILE_CLOSE ..\parent_dir1\dir_name1\file_name

FILE_OPEN_NOACCESS ..\parent_dir1\dir_name1\file_name

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

FILE_CREATE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir1\dir_name1\file_name

FILE_CLOSE ..\parent_dir1\dir_name1\file_name

FILE_CREATE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

FILE_CLOSE_MODIFIED ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE_MODIFIED ..\parent_dir2\dir_name2\sub_dir_2\file_name


NFS: Move a group of files into a new directory on a different export

DIR_OPEN ..\parent_dir1\dir_name1

DIR_CLOSE ..\parent_dir1\dir_name1

DIR_OPEN ..\parent_dir2\dir_name2

DIR_CLOSE ..\parent_dir2\dir_name2

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

FILE_OPEN_NOACCESS ..\parent_dir1\dir_name1\file_name

FILE_CLOSE ..\parent_dir1\dir_name1\file_name

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

FILE_CREATE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE_MODIFIED ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

DIR_OPEN ..\parent_dir1\dir_name1

FILE_DELETE ..\parent_dir1\dir_name1\file_name

FILE_OPEN_NOACCESS ..\parent_dir1\dir_name1\file_name

FILE_CLOSE ..\parent_dir1\dir_name1\file_name

FILE_CREATE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE_MODIFIED ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_DELETE ..\parent_dir1\dir_name1\file_name

DIR_CLOSE ..\parent_dir1\dir_name1

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2


NFS: Change Ownership of a file

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Change Ownership of a Directory

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name

DIR_SET_ACL ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name



Audit Message Workflows with Turbo Audit - NFS

Workflow description and the file audit messages expected:

NFS (Turbo Audit): Create a File

FILE_WRITE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CREATE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name


NFS (Turbo Audit): Rename a File

DIR_CLOSE ..\parent_dir\dir_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name


NFS (Turbo Audit): Write to a File

FILE_CREATE ..\parent_dir\dir_name\.file_name.swp

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_READ ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_CREATE ..\parent_dir\dir_name\.file_name.swp

FILE_DELETE ..\parent_dir\dir_name\.file_name.swp

FILE_DELETE ..\parent_dir\dir_name\.file_name.swx

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swx

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swx

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swx

FILE_CREATE ..\parent_dir\dir_name\.file_name.swx

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp


NFS (Turbo Audit): Delete a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_DELETE ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name


NFS (Turbo Audit): Create a Folder

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CREATE ..\parent_dir\dir_name\new_dir_name

DIR_CLOSE ..\parent_dir\dir_name\new_dir_name

DIR_CLOSE ..\parent_dir\dir_name


NFS (Turbo Audit): Delete a Folder

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_DELETE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name


NFS (Turbo Audit): Rename a Folder

DIR_CLOSE ..\parent_dir\dir_name

DIR_RENAME ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name


NFS (Turbo Audit): Change Ownership of a file

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\file_name


NFS (Turbo Audit): Change Ownership of a Directory

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_SET_ACL ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name




Advanced Configuration

Filter-Out Event Messages - Turbo Audit

Event messages can be filtered out of audit event processing to reduce both storage usage and the rate at which events must be processed.

To configure the filter, add the following line to the /opt/superna/eca/eca-env-common.conf file:

export BYPASSED_EVENT_TYPES=<comma-separated list of events to filter out>


Default events filtered:

To filter out DIR_SET_ACL, DIR_OPEN, DIR_CLOSE and DIR_SET_SEC events, add this line to the /opt/superna/eca/eca-env-common.conf file:

export BYPASSED_EVENT_TYPES=DIR_SET_ACL,DIR_OPEN,DIR_CLOSE,DIR_SET_SEC


Verify that Turbo Audit mode is also enabled:

export USE_TURBOAUDIT=true


The supported list of events that can be specified in the filter:

  • FILE_OPEN_NOACCESS

  • FILE_OPEN_READ

  • FILE_OPEN_WRITE

  • FILE_CREATE

  • FILE_RENAME

  • FILE_DELETE

  • FILE_CLOSE

  • FILE_CLOSE_MODIFIED

  • FILE_SET_ACL

  • FILE_READ

  • FILE_WRITE

  • DIR_CREATE

  • DIR_RENAME

  • DIR_DELETE

  • DIR_SET_ACL

  • DIR_OPEN

  • DIR_CLOSE
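An added example, not from this guide or Superna's code, that reads the BYPASSED_EVENT_TYPES and USE_TURBOAUDIT settings from a constructed eca-env-common.conf fragment, checks them against the supported event list above, and replays the SMB "Set ACL of a Directory and its files" workflow from the tables earlier through the filter to show which permission-change messages an audit report would still see. The guide's default filter line drops DIR_SET_ACL, which in the workflow tables is the only record of a directory ACL change, and DIR_SET_SEC is not in the supported list, so the check reports both; the conf fragments and audit lines are constructed here, not captured from a cluster.

```python
import re
from typing import Dict, List, Tuple

# Filter values the guide lists as supported for BYPASSED_EVENT_TYPES.
SUPPORTED_EVENTS = {
    "FILE_OPEN_NOACCESS", "FILE_OPEN_READ", "FILE_OPEN_WRITE", "FILE_CREATE",
    "FILE_RENAME", "FILE_DELETE", "FILE_CLOSE", "FILE_CLOSE_MODIFIED",
    "FILE_SET_ACL", "FILE_READ", "FILE_WRITE", "DIR_CREATE", "DIR_RENAME",
    "DIR_DELETE", "DIR_SET_ACL", "DIR_OPEN", "DIR_CLOSE",
}
# In the workflow tables these are the only messages that record a permission
# change ("Set ACL of a Directory" is just DIR_OPEN, DIR_SET_ACL, DIR_CLOSE).
ACL_EVENTS = {"FILE_SET_ACL", "DIR_SET_ACL"}
_EXPORT_RE = re.compile(r"^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")

# Constructed conf fragments: the guide's default filter line, and a variant
# that keeps directory ACL changes in the audit stream.
DEFAULT_CONF = """\
export USE_TURBOAUDIT=true
export BYPASSED_EVENT_TYPES=DIR_SET_ACL,DIR_OPEN,DIR_CLOSE,DIR_SET_SEC
"""
KEEP_ACL_CONF = """\
export USE_TURBOAUDIT=true
export BYPASSED_EVENT_TYPES=DIR_OPEN,DIR_CLOSE
"""
# Constructed audit stream following the SMB "Set ACL of a Directory and its
# files" workflow (placeholder paths as printed in the guide, one file shown).
SAMPLE_AUDIT = [
    r"DIR_OPEN ..\parent_dir_name\dir_name",
    r"DIR_SET_ACL ..\parent_dir_name\dir_name",
    r"DIR_CLOSE ..\parent_dir_name\dir_name",
    r"DIR_OPEN ..\parent_dir_name\dir_name",
    r"FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name1",
    r"FILE_SET_ACL ..\parent_dir_name\dir_name\file_name1",
    r"FILE_CLOSE ..\parent_dir_name\dir_name\file_name1",
    r"DIR_CLOSE ..\parent_dir_name\dir_name",
]

def parse_eca_env(text: str) -> Dict[str, str]:
    """Collect `export NAME=value` settings from a conf fragment."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = _EXPORT_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip("\"'")
    return env

def bypassed_events(env: Dict[str, str]) -> List[str]:
    """Split the comma-separated BYPASSED_EVENT_TYPES value (empty if unset)."""
    raw = env.get("BYPASSED_EVENT_TYPES", "")
    return [e.strip() for e in raw.split(",") if e.strip()]

def check_filter(env: Dict[str, str]) -> Dict[str, object]:
    """Flag unknown event names, dropped ACL events, and Turbo Audit being off."""
    events = bypassed_events(env)
    return {
        "unknown": sorted(e for e in events if e not in SUPPORTED_EVENTS),
        "acl_dropped": sorted(e for e in events if e in ACL_EVENTS),
        "turbo_enabled": env.get("USE_TURBOAUDIT", "").lower() == "true",
    }

def parse_audit_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Split 'EVENT path' lines as printed in the workflow tables into pairs."""
    pairs = [line.split(None, 1) for line in lines]
    return [(p[0], p[1]) for p in pairs if len(p) == 2]

def apply_filter(events: List[Tuple[str, str]], bypassed: List[str]) -> List[Tuple[str, str]]:
    """Drop every event whose type is in the bypass list, keeping order."""
    drop = set(bypassed)
    return [ev for ev in events if ev[0] not in drop]

def acl_changes(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Permission-change records that remain visible to an audit report."""
    return [ev for ev in events if ev[0] in ACL_EVENTS]

if __name__ == "__main__":
    stream = parse_audit_lines(SAMPLE_AUDIT)
    for name, conf in (("default filter", DEFAULT_CONF), ("keep ACL events", KEEP_ACL_CONF)):
        env = parse_eca_env(conf)
        kept = apply_filter(stream, bypassed_events(env))
        print(name, check_filter(env), "kept", len(kept), "of", len(stream))
        for ev_type, path in acl_changes(kept):
            print("  ", ev_type, path)
```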