Eyeglass Easy Auditor Admin Guide

Administration Guide

Abstract:

This guide covers configuration, setup and monitoring of Easy Auditor.

December, 2017


Contents

  1 Administration Guide
    1.1 Abstract:
  2 What's New
  3 Chapter 1 - Introduction to this Guide
    3.1 Overview
  4 Key Features
    4.1 Active Auditing - Real time audit features
    4.2 Query
    4.3 Report
    4.4 Role based Login
    4.5 Scalability
    4.6 Availability
    4.7 Where to go for Support
    4.8 Where to get Professional Services
  5 Abbreviations
  6 Installation Guide
  7 Feature Limits
  8 How to get started with Auditing
  9 Who Audits the Auditor?
  10 Planning and Design
    10.1 Overview
    10.2 Planning
      10.2.1 Recommendation:
      10.2.2 Audit Use cases
    10.3 How to Configure and Operate Easy Auditor
      10.3.1 Query
        10.3.1.1 How Queries are Executed
        10.3.1.2 How to search
        10.3.1.3 How to load a saved search
        10.3.1.4 How to delete a saved search
      10.3.2 Saved Queries Tab
        10.3.2.1 How to Load a Query and Search
        10.3.2.2 How to Load and Schedule a Query
        10.3.2.3 How to delete a saved Query
        10.3.2.4 How to run a Query as a report
      10.3.3 Running Reports Tab
      10.3.4 Reports
      10.3.5 Schedule Tab
        10.3.5.1 How to delete a saved Scheduled Query
        10.3.5.2 How to load a Query and set a Schedule
        10.3.5.3 How to edit a saved Scheduled Query
      10.3.6 Active Auditor Tab
        10.3.6.1 Active Auditing Tab Overview
        10.3.6.2 How to configure Mass Delete protection
        10.3.6.3 How to configure Data Loss Prevention
      10.3.7 WireTap
        10.3.7.1 How to configure Wiretaps for users or paths
        10.3.7.2 How to delete a saved Wiretap
        10.3.7.3 How to Monitor a saved Wiretap
        10.3.7.4 How to run a Wiretap Report
      10.3.8 Where Did My Folder go? Tab
        10.3.8.1 How to Use Where did my folder go Search
      10.3.9 Auditor Role Based Access
  11 How to Coexist with another CEE application
  12 How to Backup and Restore an Audit Database
    12.1 Backup the Audit Database with SnapshotIQ
    12.2 Restore the Audit Database with SnapshotIQ
    12.3 Backup the Audit Database with SyncIQ
    12.4 Restore the Audit Database with SyncIQ
  13 How to Implement Typical Audit Use Cases
    13.1 User Reports of missing files in a share path
    13.2 Application Performance Issue for NAS share or export
    13.3 Excessive Permissions Analysis
    13.4 User Behavior Audit
  14 Audit Message Workflows
    14.1 Audit Message Workflows - SMB
    14.2 Create a File
    14.3 Open a File (Command Line)
    14.4 Open a File (Windows Explorer)
    14.5 Close a File
    14.6 Rename a File (Command Line)
    14.7 Rename a File (Windows Explorer)
    14.8 Write to a File
    14.9 Save a File (After modified)
    14.10 Delete a File (Command Line)
    14.11 Delete a File (Windows Explorer)
    14.12 Create a Directory (Command Line)
    14.13 Create a Directory (Windows Explorer)
    14.14 Rename a Directory
    14.15 Rename a Directory (Windows Explorer)
    14.16 Delete a Directory (Command Line)
    14.17 Delete a Directory (Windows Explorer)
    14.18 Delete a non-empty Directory
    14.19 Drag and Drop a non-empty folder to other folder
    14.20 Copy a group of files into a new folder same share
    14.21 Move a group of files into a new folder same share
    14.22 Copy a group of files into a new folder different share
    14.23 Move a group of files into a new folder different share
    14.24 Set ACL of a file
    14.25 Set ACL of a Directory
    14.26 Set ACL of a Directory and its files
    14.27 Remove Inherited ACL from a File
    14.28 Modify ACL setting of a Directory to not propagate the ACL to files / subfolders
    14.29 Open a locked file (already open by another client) (in read-only mode)
    14.30 Audit Message Workflows with Turbo Audit - SMB
    14.31 SMB (Turbo Audit): Create a File
    14.32 SMB (Turbo Audit): Rename a File
    14.33 SMB (Turbo Audit): Write to a File
    14.34 SMB (Turbo Audit): Delete a File
    14.35 SMB (Turbo Audit): Create a Folder
    14.36 SMB (Turbo Audit): Delete a Folder
    14.37 SMB (Turbo Audit): Rename a Folder
    14.38 SMB (Turbo Audit): Set ACL of a file
    14.39 SMB (Turbo Audit): Set ACL of a Directory
    14.40 Audit Message Workflows - NFS
    14.41 NFS: Create a File
    14.42 NFS: Open a File (with editor and swp temp file is created)
    14.43 NFS: Close a File
    14.44 NFS: Rename a File
    14.45 NFS: Write to a File
    14.46 NFS: Save a File after modified
    14.47 NFS: Delete a File
    14.48 NFS: Create a Directory
    14.49 NFS: Rename a Directory
    14.50 NFS: Delete a Directory
    14.51 NFS: Delete a non-empty Directory
    14.52 NFS: Copy a group of files into a new directory same export
    14.53 NFS: Move a group of files into a new directory same export
    14.54 NFS: Copy a group of files into a new directory different export
    14.55 NFS: Move a group of files into a new directory different export
    14.56 NFS: Change Ownership of a file
    14.57 NFS: Change Ownership of a Directory
  15 Advanced Configuration
    15.1 Filter-Out Event Messages - Turbo Audit


What's New


  1. Quick searching for audit events with filtering and date range

  2. Running reports with csv and summary html reporting with download and email

  3. Scheduled reporting of searches to find specific audit events

  4. Wiretap real-time event monitoring by user or path

  5. Where did my folder go search interface for directory renames

  6. Scalable storage with HDFS and HBase: billions of audit records stored in a compressed, searchable format

  7. Native Isilon storage for the Analytics database, protected by SnapshotIQ and SyncIQ, lowers the cost of storing and protecting audit data

  8. Real-time event processing with automatic triggered responses

  9. Integrated with Eyeglass DR and Ransomware Defender into unified single pane of glass

  10. Role based management and login with centralized AD or Isilon user account database

Chapter 1 - Introduction to this Guide

Overview


This guide covers configuration, setup and monitoring of an Easy Auditor install.  The solution is deployed as a 3 VM cluster that processes Isilon CEE audit files with an active-active design for maximum availability, surviving hardware or software failures.  The primary storage of audit data is on Isilon, leveraging HDFS and inline compression to reduce storage costs.  Embedded, load-balanced CEE servers with HA simplify deployment and provide highly available audit monitoring rather than a single point of failure.


The active solution monitors user behaviour with both real-time and report-based auditing.  The product assists with securing data, identifying performance issues, preventing data loss, auditing data for compliance and identifying excessive permissions.


Key Features

Active Auditing - Real time audit features

  1. Mass delete - many files deleted by a user within a timed period

  2. Data loss prevention - detect a user reading data from a path, as a percent of the data on the path.

  3. Configurable actions:

    1. Alerts (email, syslog, SNMP)

    2. Filesystem snapshot of affected path

    3. User SMB share lockout

  4. WireTap - real time file system audit data decoded

    1. Wiretap a path or a user

    2. Raw audit events decoded into open files and file actions by user.

    3. Use cases:

      1. Performance of file activity by user or application

      2. Application IO profiling

      3. File locking

      4. Group share activity monitoring

    4. Real time or historical playback of audit data

  5. Where did my folder go? - quickly find renamed folders by users in group shares

    1. Search by user, path and date range

    2. Identify directory renames by user with old path and new path shown to make reverting data a simple process

Query

  1. GUI search of audit data by cluster, user, path, date range, file action and file type

  2. Save queries for later use or schedule them to run on an interval

  3. Schedule queries to run on an interval and email when the query is satisfied.

Report

  1. Pre-built reports for stale user access and excessive permissions

  2. Top users (create and delete file actions)

  3. Scheduled or on demand reports and queries

Role based Login

  1. Use the built in Auditor role

  2. User is auditor

  3. Default password is 3y3gl4ss

  4. Or create a new role to separate security, auditing and DR roles with AD group based roles customized to your needs with the user roles icon.  See RBAC guide for details.

Scalability

  1. Stores audit data on Isilon

    1. Leverage SnapshotIQ and SyncIQ to protect audit data

    2. Tier audit data with pools

  2. Compresses audit data approximately 10:1

  3. Leverages scale-out NAS with HDFS on Isilon and IO pools


Availability

  1. Embedded CEE servers load balance and provide clustered availability of audit data processing.  This reduces audit infrastructure costs, since no extra CEE servers are required (OS, patching, maintenance).

  2. HDFS + Isilon and Easy Auditor allow billions of rows of audit data to be stored.  No aging or pruning is necessary to reduce the size of the audit database, providing lossless audit data storage.

Where to go for Support

https://support.superna.net

Where to get Professional Services

  1. To get assistance with auditing configuration and design professional services can be quoted by emailing sales@superna.net

  2. Review Audit Service description

Abbreviations

  • CEE: Common Event Enabler - EMC Specific event protocol (xml based)

  • ECA: Eyeglass Clustered Agent



Installation Guide

The install guide covers ECA cluster installation and requirements.   See the guide here.

Feature Limits


Function                                      | Tested Limit | Comments
Concurrent quick searches                     | 10           |
Concurrent reports                            | 4            | Any other report jobs will be queued until a report slot is available to run on the ECA cluster
Concurrent active wiretap monitoring sessions |              |
Defined Wiretap configurations (user or path) |              |


How to get started with Auditing

Login users with auditing permissions are described below.  Determine who should be able to access the Easy Auditor icon.  Best practice is separation of duties with a dedicated auditor administrator.

  1. The admin user does not have audit permissions by default, but the administrator role in the Users Roles icon can be used to add the auditor permissions to the admin user.

  2. The auditor user is a new user id that allows separation of duties from DR and non-security audit functions in Eyeglass.

    1. Separation of duties is required for compliance with most industry regulations, for example HIPAA and PCI

    2. Login as the auditor user with the default password 3y3gl4ss

    3. Change the auditor password (steps to change the password)

  3. Configure email reporting for audit administrators

    1. Login to Eyeglass as the admin user

    2. Open the Notification Center

    3. Select the Recipients tab

    4. Add a new email recipient and select auditor-only reports from the list.


Who Audits the Auditor?

Eyeglass will log all login activity and major actions taken within the Easy Auditor UI.  The Eyeglass audit log is stored in the file system and is included in eyeglass appliance backup zip files.

  1. To maintain a copy of the audit data off the appliance

    1. Use the Warm Standby configuration to mount an external export to the Eyeglass VM and put a daily copy of the audit log external to Eyeglass in a secure location

    2. Configure the syslog forwarding feature; the audit log is written to syslog and can be forwarded to an external syslog server.

    3. The advanced filtering feature allows a separate syslog server to receive the Eyeglass audit log, separate from DR or Isilon audit data.  Simply include “Audit” in the filter criteria to select only audit data to forward.

      1. See examples of the filter configuration here.




Planning and Design

Overview

The Easy Auditor solution for Isilon requires existing Eyeglass DR cluster licenses for each Isilon cluster plus an Eyeglass clustered agent license.

The Eyeglass Easy Auditor solution allows customers to set both real-time policies and scheduled searches to alert on file actions.  Static reports can also be scheduled for more complex, longer-running analytics.






Planning


Several decisions are required to configure auditing for 1 or more clusters


  1. Number of clusters to assign to a single ECA cluster

  2. Number of audit events per second (the number of active SMB or NFS connections is used to size the event rate)

  3. WAN link speed to send CEE audit events over the WAN to a centralized ECA cluster


Recommendation:

  1. Centralize the ECA cluster when possible and use the WAN link to send audit events.  CEE is XML over HTTP and tolerates latency well; the bandwidth required is < 10Mbps for peak or bursts of CEE data.


Audit Use cases

The following use cases can be addressed by Easy Auditor

  1. Find file deletes in the file system using searches

  2. Configure a scheduled query to find deletes or other file actions and get alerts in real time

  3. Quickly find renamed directories using “Where did my folder go?” and revert the files to the previous location

  4. Monitor secure shares for users copying data from the share

  5. Report on user activity for compliance with HIPAA and PCI

  6. Identify the top users for creates and deletes

  7. Monitor performance of paths in the file system to profile application workflows or users

  8. Track user activity for security audits

  9. Find insider threats with advanced search

  10. Store long-term audit data for compliance reporting

  11. Identify excessive permissions to data to assist with removing access from users that do not require it



How to Configure and Operate Easy Auditor


Use this section to learn how to configure and use Easy Auditor

Query

Use this tab to search by user(s), path(s), file extension, file action and date range.

How Queries are Executed


How to search

  1. Search by entering data into a field; a blank field is a wildcard and matches anything.  Enter a single entry for a user (user@domain or domain\user), a path and an event type filter (blank means all event types).

  2. NOTE: The Extension field matches a string against any part of the file name.  For example, docx will match an extension, and the string financial will match a file named *financial*.  It is a wildcard file matching option.

  3. NOTE: The Email option, if enabled, will send an email even if the query returns no data.  Clear this check box to skip sending an email if no data is returned.  This option is best used for scheduled queries.

  4. Use the Save option to save the query to the Saved Queries tab to reload at a later date.

  5. Use Run Report to run the query as a report.

  6. Execute a search with the Search button

    1. Group/Sort

      1. Use Group and Sort to return the results in the preview screen according to these settings

  7. NOTE: UI Search returns the first 5000 records.  Saved queries can be run as a report to return more data as CSV download files
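As an added illustration (not code from Easy Auditor or Superna), the following Python models the matching rules stated in the steps above: a blank field is a wildcard, a user can be given as user@domain or domain\user, the Extension field is a substring match on the file name, and the UI preview stops at 5000 records. Treating the path field as a prefix match and comparing the first DNS label of user@domain with the domain\user form are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

PREVIEW_LIMIT = 5000   # stated in the guide: UI search returns the first 5000 records


@dataclass(frozen=True)
class AuditRecord:
    cluster: str
    user: str        # as logged, e.g. "CORP\\alice" or "alice@corp.local"
    path: str
    action: str      # e.g. "create", "delete", "rename", "read"
    when: datetime


def normalize_user(user: str) -> str:
    """Map both syntaxes to 'domain\\user' in lower case.

    Assumption: for user@domain.tld the NetBIOS domain is the first DNS label,
    so alice@corp.local and CORP\\alice compare equal."""
    user = user.strip().lower()
    if "@" in user:
        name, domain = user.split("@", 1)
        return f"{domain.split('.')[0]}\\{name}"
    return user


def path_matches(record_path: str, search_path: str) -> bool:
    """Assumption: the path field is a prefix match on whole path components."""
    prefix = search_path.rstrip("/")
    return record_path == prefix or record_path.startswith(prefix + "/")


@dataclass(frozen=True)
class Query:
    cluster: str = ""
    user: str = ""
    path: str = ""
    extension: str = ""      # matches any part of the file name (guide's rule)
    action: str = ""
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def matches(self, rec: AuditRecord) -> bool:
        if self.cluster and rec.cluster != self.cluster:
            return False
        if self.user and normalize_user(rec.user) != normalize_user(self.user):
            return False
        if self.path and not path_matches(rec.path, self.path):
            return False
        file_name = rec.path.rsplit("/", 1)[-1]
        if self.extension and self.extension.lower() not in file_name.lower():
            return False
        if self.action and rec.action.lower() != self.action.lower():
            return False
        if self.start and rec.when < self.start:
            return False
        if self.end and rec.when > self.end:
            return False
        return True


def run_query(query: Query, records: List[AuditRecord],
              limit: int = PREVIEW_LIMIT) -> Tuple[List[AuditRecord], bool]:
    """Return the preview rows and whether more rows exist (run as a report for all rows)."""
    hits = [r for r in records if query.matches(r)]
    return hits[:limit], len(hits) > limit


# Constructed sample records for a stand-alone run.
SAMPLE = [
    AuditRecord("cluster1", "CORP\\alice", "/ifs/data/share/Q3_financial_report.docx",
                "delete", datetime(2017, 11, 9, 10, 0)),
    AuditRecord("cluster1", "bob@corp.local", "/ifs/data/share/notes.txt",
                "create", datetime(2017, 11, 9, 11, 0)),
    AuditRecord("cluster2", "CORP\\alice", "/ifs/data/other/financial.xlsx",
                "read", datetime(2017, 11, 10, 9, 0)),
]

if __name__ == "__main__":
    rows, more = run_query(Query(user="alice@corp.local", extension="financial"), SAMPLE)
    for r in rows:
        print(r.when, r.user, r.action, r.path)
    print("more rows than the preview shows:", more)
```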

How to load a saved search

  1. Use the saved query tab and select a query and click load query

  2. Execute the search with search button

How to delete a saved search

  1. Select one or more saved queries with a check box

  2. Click delete


Saved Queries Tab




How to Load a Query and Search

  1. Select checkbox of the query

  2. Click Load Query

  3. Then click search from the search UI

How to Load and Schedule a Query

  1. Select the checkbox of the query

  2. Click Load Scheduled Query

  3. On the Schedule tab set the interval the query should run and other schedule settings


How to delete a saved Query

  1. Select the checkbox of the query

  2. Click Delete Query

How to run a Query as a report

Use this option to return all rows and generate a CSV of the results instead of a preview

  1. Select the checkbox of the query

  2. Click Run Report

  3. Then go to the running reports tab to monitor completion

  4. Results are available on the Report history tab


Running Reports Tab

Shows all active running report jobs and details of the running report along with duration and status.  Use this tab to monitor a running job and the number of results captured in the report.




Best Practice:

  1. Large reports with a lot of data will take longer to complete.  Use this screen to decide whether the query should be narrowed to speed up a long-running report.


Reports

This tab stores all reports and results for download.

The saved reports list shows completion time, duration, date range covered, number of result rows and a download link to the report.




Schedule Tab

Use this tab to view, load and delete schedules



How to delete a saved Scheduled Query

  1. Select the Schedule checkbox

  2. Click Delete Schedule

How to load a Query and set a Schedule

  1. Click Load Saved Query

  2. Select a query from the list

  3. Set the schedule

  4. Click Schedule to save


How to edit a saved Scheduled Query

  1. Select the schedule from the list with the checkbox

  2. Change the schedule

  3. Click the schedule button




Active Auditor Tab

This tab is for configuring real-time audit features to secure and protect data from deletion and data loss on secure shares.  Any active triggers are displayed on this page with relevant information for the active audit trigger.

Active Auditing Tab Overview


Overview

Each policy on this tab is executed by the ECA cluster in real time as events are processed.

The feature allows per-user monitoring of file deletes or data copies up to a threshold over a period of time.

The main tab indicates whether the audit feature is enabled or disabled.


How to configure Mass Delete protection

Overview:

Monitors users deleting files on any share or export up to an administrator-defined threshold over an administrator-defined time period.  The feature counts deletes by user using the ECA cluster real-time detectors and raises an alert when the policy is violated.

  • Provides visibility into delete actions on the file system before user cases are opened regarding deleted files.

  • Simplifies recovery of accidental deletes from automatically applied snapshots

  • Provides security monitoring of deleted files in real time





  1. Click Configure

  2. Enable the audit feature

  3. Click New Response to create a policy that sets one or more responses to a user crossing the file delete threshold.

    1. Threshold for number of files to be deleted

      1. Best Practice:  100 files to start; adjust higher if too many notifications are sent.

    2. Time period within which the deletes must occur.

      1. Best Practice:  The rate at which deletes occur does not change the severity of the delete.  The goal is to set a rate that detects many deletes in a short period of time.  Recommended default is 5 minutes.  This value can be adjusted up or down depending on the number of notifications that are sent.

    3. Possible Response Actions:

      1. Email alert - Sends an alert with the user, path and the policy criteria that were crossed

      2. Snapshot the path(s) being deleted to provide a restore point.  The snapshot has a time to live of 48 hours by default.

      3. User Lockout - If selected, the user that trips this trigger will have SMB access denied on the first share above the path being monitored.

      4. Best Practice:  Enable both email alert and snapshot response for mass delete.

  4. Click Save




How to configure Data Loss Prevention

Overview:

Monitors users copying files on any secure share or path.  This assists with real-time monitoring of secured data for bulk copy operations that are not authorized or that indicate a potential data loss scenario.  The feature monitors the capacity of the file system path using an automatically applied accounting quota, and allows the administrator to set the percentage of the data any user can read from the path before the audit trigger fires.

  • Automatically monitors secure data access by users

  • Alerts administrators of access by a user with the date, time and IP address of the access

  • Protects against bulk copy of secure data

  • Provides visibility into user data access

  • Proactive security measure to simplify auditing of secure data

  • Secures sensitive data from insider threats


  1. Click Configure

  2. Enable the audit feature

  3. Click New Response to create a policy that sets per-user response actions when a user crosses the data copy % threshold of the total data on the file system path.

    1. Path

      1. Enter the path in the file system to monitor.  Best Practice:  Enter a path equal to a share path being monitored.

    2. Threshold % - use the slider bar to select

      1. Best Practice:  5% is a good starting point to catch copy actions by users.

    3. Time period over which the copy will cross the threshold.

      1. Best Practice:  The rate at which copying occurs can affect trigger detection.  The goal is to set a time period low enough to ensure the threshold is crossed.  Recommended default is 5 minutes.  This value can be adjusted up or down depending on the results of trigger testing.

    4. Possible Response Actions:

      1. Email alert - Sends an alert with the user, path and the policy criteria that were crossed

      2. User Lockout - If selected, the user that trips this trigger will have SMB access denied on the first share above the path being monitored.

      3. Best Practice:  Enable email alert.  Determine if lockout is desirable for the sensitive data before adding a lockout action.

  4. Click Save
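The two policies above, Mass Delete and Data Loss Prevention, both reduce to a per-user sliding-window sum with the guide's defaults (100 deletes within 5 minutes; 5% of a path's data read within 5 minutes). The Python below is an added example, not the ECA cluster's implementation: events are assumed to arrive already decoded as (timestamp, user, action, path, bytes), the accounting quota usage is passed in as a plain byte count, and responses are only named, never executed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str       # "delete", "read", "create", ... (constructed shape, not CEE XML)
    path: str
    nbytes: int = 0   # bytes transferred; only meaningful for reads


@dataclass(frozen=True)
class Alert:
    policy: str
    user: str
    path: str
    when: datetime
    value: float                 # deletes counted, or percent of the path read
    responses: Tuple[str, ...]   # only named here, never executed by this example


class SlidingWindow:
    """Per-key running sum over the trailing `period`."""
    def __init__(self, period: timedelta) -> None:
        self.period = period
        self._entries: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
        self._totals: Dict[str, int] = defaultdict(int)

    def add(self, key: str, when: datetime, amount: int) -> int:
        q = self._entries[key]
        q.append((when, amount))
        self._totals[key] += amount
        cutoff = when - self.period
        while q and q[0][0] <= cutoff:      # expire entries older than the period
            self._totals[key] -= q.popleft()[1]
        return self._totals[key]


class _Policy:
    """One window per policy; at most one alert per user per period."""
    def __init__(self, period: timedelta, responses: Tuple[str, ...]) -> None:
        self.period, self.responses = period, responses
        self.window = SlidingWindow(period)
        self._last_alert: Dict[str, datetime] = {}

    def _arm(self, user: str, when: datetime) -> bool:
        last = self._last_alert.get(user)
        if last is not None and when - last < self.period:
            return False                  # already alerted within this period
        self._last_alert[user] = when
        return True


class MassDeleteDetector(_Policy):
    """Guide defaults: 100 files deleted by one user within 5 minutes."""
    def __init__(self, threshold: int = 100, period: timedelta = timedelta(minutes=5),
                 responses: Tuple[str, ...] = ("email", "snapshot")) -> None:
        super().__init__(period, responses)
        self.threshold = threshold

    def feed(self, ev: Event) -> Optional[Alert]:
        if ev.action != "delete":
            return None
        count = self.window.add(ev.user, ev.when, 1)
        if count >= self.threshold and self._arm(ev.user, ev.when):
            return Alert("mass-delete", ev.user, ev.path, ev.when, count, self.responses)
        return None


class DataLossDetector(_Policy):
    """Guide defaults: one user reads 5% of the data under `path` within 5 minutes.
    `capacity_bytes` stands in for the auto-applied accounting quota (assumption)."""
    def __init__(self, path: str, capacity_bytes: int, threshold_pct: float = 5.0,
                 period: timedelta = timedelta(minutes=5),
                 responses: Tuple[str, ...] = ("email",)) -> None:
        super().__init__(period, responses)
        self.path, self.capacity, self.threshold_pct = path.rstrip("/"), capacity_bytes, threshold_pct

    def feed(self, ev: Event) -> Optional[Alert]:
        if ev.action != "read" or not ev.path.startswith(self.path + "/"):
            return None                   # reads outside the monitored path do not count
        pct = 100.0 * self.window.add(ev.user, ev.when, ev.nbytes) / self.capacity
        if pct >= self.threshold_pct and self._arm(ev.user, ev.when):
            return Alert("data-loss", ev.user, self.path, ev.when, round(pct, 2), self.responses)
        return None


def run_detectors(events: Iterable[Event], detectors: List[_Policy]) -> List[Alert]:
    """Replay events in timestamp order through every detector and collect alerts."""
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.when):
        alerts.extend(a for a in (d.feed(ev) for d in detectors) if a is not None)
    return alerts
```

Because a window only expires entries as new events arrive, a burst that stops just under the threshold never alerts, which is the trade-off the "too many notifications" tuning advice above is about.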




WireTap

This feature is a tool that allows security admins and auditors to easily look at a sequence of events from one or more user actions in the file system to build a complete picture of what happened.

The feature relies on the real-time processing of audit events managed by the ECA cluster to decode and stream audit data to the Eyeglass wiretap UI.

  • The feature allows wiretapping a path in the file system to monitor multiple users accessing data in that path, or monitoring a user anywhere on the file system.

  • Multiple wiretap sessions can be created at the same time for different administrators

  • Wiretap sessions can be created, deleted, monitored or run as a report

  • The main UI lists all saved wiretap sessions, which can be monitored with the Actions menu

  • NOTE: Once a wiretap session is defined, the ECA cluster monitors for events that match the wiretap.  The events are only forwarded to Eyeglass while the wiretap watch window is open.



How to configure Wiretaps for users or paths



  1. Click the New Wiretap button

  2. Choose:

    1. A user - enter a user id with the syntax domain\userid or userid@<domain-name>

    2. A file path - Select the cluster and enter a path in the file system to monitor

  3. Click Submit to save

How to delete a saved Wiretap

  1. Select checkbox on a saved wiretap session

  2. Select Action menu and delete to remove from the saved list

  3. NOTE: Saved wiretap sessions do not consume any extra storage and have only a minor CPU impact on ECA clusters that are monitoring wiretap sessions.  Events are only sent to the Eyeglass UI if a monitor session is open.

How to Monitor a saved Wiretap

  1. Select the checkbox on a saved wiretap session

  2. Select the Action menu and Monitor to open the real-time session window

  3. The real-time wiretap session window will open

  4. NOTE: it may take a few seconds for events to appear in the wiretap session window

How to run  a Wiretap Report

  1. Select checkbox on a saved wiretap session

  2. Select the Action menu and select Report

  3. This will run a report job that can be monitored from the Running Reports tab; once completed, the Report History tab will have an entry to download the report




Where Did My Folder go? Tab


Overview

This feature assists with a common issue: folders moved by user drag and drop actions on NAS shares, often leaving the user and/or other users unable to locate the files.  This turns into a help desk case to locate “missing data”, consuming support staff time and effort to locate the missing files.

This solution accelerates and simplifies addressing missing data requests.  The Role Based Access feature in Eyeglass has a read-only role that can be assigned to the help desk to look up user folder names to assist with locating data.


Use Case

  1. A user drags and drops a folder on a share

  2. NOTE: Does not capture drag and drop between SMB shares, since this is a copy event

  3. NOTE: Does not capture cut and paste of a directory on an SMB share or between SMB shares, since this operation triggers a create and a delete operation.  This type of action can be found using queries and reports to look for file create and delete events.




How to Use Where did my folder go Search


  1. Select the cluster to search; it is possible to select one or more clusters

  2. Enter one or more paths

  3. Enter a date range and time, or leave this blank to search all available dates.  NOTE: If you do not narrow the search it will take longer to return the results

  4. The results display

    1. The time when the directory was moved

    2. The user id that executed the move operation

    3. The original folder path before the move

    4. The new location of the folder path after the move

  5. Using the search results, identify the path and the user that executed the folder move operation, and move the data back to the previous location

  6. Done
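As an added example (not Superna's code) of the results this search returns, the Python below filters constructed directory-rename events by cluster, path and date range, and also follows a chain of renames, including a rename of a parent folder, to compute where a folder sits now; that chain-following goes beyond the single rename shown in the use case above. The event shape and the rule that a rename of an ancestor also matches a searched path are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class RenameEvent:
    """A decoded directory rename (constructed shape, not the CEE XML)."""
    when: datetime
    cluster: str
    user: str
    old_path: str
    new_path: str


def _under(path: str, prefix: str) -> bool:
    """True when `path` is `prefix` itself or lies inside it."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def where_did_my_folder_go(events: Iterable[RenameEvent], clusters: List[str], paths: List[str],
                           start: Optional[datetime] = None,
                           end: Optional[datetime] = None) -> List[RenameEvent]:
    """Return the rename events the tab lists as results (time, user, old path, new path).

    A rename matches when the renamed directory is inside a searched path, or when a
    searched path was inside the renamed directory (an ancestor folder was moved).
    Empty `clusters` or `paths` means no filter on that field."""
    hits = []
    for ev in events:
        if clusters and ev.cluster not in clusters:
            continue
        if (start and ev.when < start) or (end and ev.when > end):
            continue
        if paths and not any(_under(ev.old_path, p) or _under(p, ev.old_path) for p in paths):
            continue
        hits.append(ev)
    return sorted(hits, key=lambda e: e.when)


def current_location(folder: str, events: Iterable[RenameEvent], cluster: str) -> str:
    """Follow every rename of `folder` or of one of its ancestors, oldest first,
    to compute where the folder sits now (the reverse of the revert step)."""
    path = folder.rstrip("/")
    for ev in sorted((e for e in events if e.cluster == cluster), key=lambda e: e.when):
        old = ev.old_path.rstrip("/")
        if _under(path, old):
            path = ev.new_path.rstrip("/") + path[len(old):]
    return path


# Constructed sample: alpha was renamed, then its parent was dragged into archive.
SAMPLE = [
    RenameEvent(datetime(2017, 11, 9, 10, 0), "cluster1", "CORP\\alice",
                "/ifs/data/share/projects/alpha", "/ifs/data/share/projects/alpha_old"),
    RenameEvent(datetime(2017, 11, 9, 11, 0), "cluster1", "CORP\\bob",
                "/ifs/data/share/projects", "/ifs/data/share/archive/projects"),
    RenameEvent(datetime(2017, 11, 9, 12, 0), "cluster2", "CORP\\carol",
                "/ifs/data/share/projects/alpha", "/ifs/data/share/beta"),
]

if __name__ == "__main__":
    for ev in where_did_my_folder_go(SAMPLE, ["cluster1"], ["/ifs/data/share/projects/alpha"]):
        print(ev.when, ev.user, ev.old_path, "->", ev.new_path)
    print(current_location("/ifs/data/share/projects/alpha", SAMPLE, "cluster1"))
```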



Auditor Role Based Access


Easy Auditor has 2 permissions in the User Roles icon that are automatically assigned to the auditor user.

To grant additional users read-only or read/write access, consult the RBAC guide and use those same permissions.

RBAC guide



How to Coexist with another CEE application

This section covers how to configure the ECA cluster to interwork with other CEE-enabled applications.  The real-time features of Eyeglass require the ECA cluster to be the primary CEE processing system, as other applications are not real-time.  Each Isilon cluster can only send CEE data to a single CEE-enabled application or set of CEE servers at a time.

Since the ECA architecture embeds CEE servers and can forward CEE events using RabbitMQ to another application, the preferred solution is to set Eyeglass CEE as the primary CEE endpoint target on each managed Isilon cluster.

See the diagram below of this configuration.


How to Backup and Restore an Audit Database

A key advantage of the Easy Auditor architecture is using Isilon native features to protect the audit data.  The following sections explain how to backup and restore the Analytics database.

Backup the Audit Database with SnapshotIQ

  1. Create a scheduled snapshot of the HDFS root directory that contains the Audit Database directory with Isilon SnapshotIQ.  Example:

  2. Recommended schedule: a daily snapshot at noon, 7 days a week, with 30 day retention

Access zone basepath for audit database is /ifs/data/igls.

HDFS root directory: /ifs/data/igls/eca

Audit Database directory: /ifs/data/igls/eca

  1. If creating a manual snapshot using the Isilon GUI, do not leave the snapshot name blank.  A default snapshot name will be applied automatically (e.g. “Snapshot: 2017Nov09, 10:59 PM").  That name format is not supported for the ECA cluster and will prevent the ECA cluster from being brought up.  Provide a normal name for the snapshot and avoid names containing the “:” character.

  2. If creating a scheduled snapshot, also avoid a name pattern containing the “:” character (e.g. ScheduleName_Duration_%Y-%m-%d_%H:%M).  That name format is not supported for the ECA cluster and will prevent the ECA cluster from being brought up.  Provide a name pattern without the “:” character for the snapshot.

Note: Please refer to Isilon documentation for creating a snapshot, including creating a SnapRevert domain

Restore the Audit Database with SnapshotIQ

  1. Bring down the ECA Cluster.

    1. ssh to ECA master node (node 1). Login as ecaadmin

    2. Run command: ecactl cluster down.

  2. Wait until nodes are down, then shut down the ECA Cluster. On each ECA node:

    1. ssh to each node

    2. Type sudo -s (enter admin password)

    3. Type shutdown

  3. After the ECA cluster VMs are down, restore from snapshot. Isilon command:  isi job jobs start snaprevert --snapid xxxx (verify the correct snapid of the snapshot to revert to)

  4. To verify the snapshot revert job status, Isilon command to list running jobs: isi job jobs list

  5. Once the snapshot revert job has completed, power on ECA Cluster vApp.

  6. After ECA Cluster VMs are up, then bring up ECA Cluster

    1. ssh to ECA master node (node 1)

    2. Login as ecaadmin

    3. Run command: ecactl cluster up.

  7. Verify that the ECA Cluster is up and the audit database status returns no error.  Command: ecactl db shell

2017-11-10 08:59:52,729 WARN  [main] util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable

HBase Shell; enter 'help<RETURN>' for list of supported commands.

Type "exit<RETURN>" to leave the HBase Shell

Version 1.2.6, rUnknown, Mon May 29 02:25:32 CDT 2017


hbase(main):001:0> status

1 active master, 2 backup masters, 3 servers, 0 dead, 2.6667 average load


Backup the Audit Database with SyncIQ


  1. Create a local SyncIQ Policy to replicate the audit database to a directory above the access zone basepath with a replication schedule of every 5 minutes.  Example:

Access zone basepath for audit database is  /ifs/data/igls.

HDFS root directory: /ifs/data/igls/eca

SyncIQ Policy Source Path: /ifs/data/igls/eca

SyncIQ Policy Target Path: /ifs/data/backup-auditdb


Restore the Audit Database with SyncIQ

  1. Bring down ECA Cluster. Command: ecactl cluster down

  2. Disable SyncIQ Policy for audit database replication

  3. Delete the audit database (or move the current database to an alternate location).  Command: rm -rf /ifs/data/igls/eca/ecahbase/  or mv <current path> <new path outside the access zone>

  4. Copy the audit database replica from the SyncIQ target directory back to the original audit database directory. Command: cp -rp /ifs/data/backup-eca/ecahbase/ /ifs/data/igls/eca/ecahbase/

  5. Once completed, bring up ECA Cluster. Command: ecactl cluster up

  6. Verify that ECA Cluster is up and audit database status return no error. Command: ecactl db shell

2017-11-10 01:56:33,254 WARN  [main] util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable

HBase Shell; enter 'help<RETURN>' for list of supported commands.

Type "exit<RETURN>" to leave the HBase Shell

Version 1.2.6, rUnknown, Mon May 29 02:25:32 CDT 2017


hbase(main):001:0> status

1 active master, 2 backup masters, 3 servers, 0 dead, 2.6667 average load


  7. Re-enable the SyncIQ Policy for audit database replication.
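A check worth running between step 4 and step 5 above: confirm that the copied ecahbase directory matches the SyncIQ replica before the cluster is brought up, because an interrupted cp leaves a partial database that the cluster may still start on. The script below is an added example, not part of Easy Auditor, Isilon or SyncIQ. It walks both trees and compares relative paths, sizes and SHA-256 digests, reporting files that are missing, extra or different. The directory names follow the procedure above; the sample tree it builds in a temporary directory is constructed for the demonstration, and file names such as hbase.id are illustrative rather than a real HBase layout.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large store files never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot_tree(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets are regular files elsewhere in the walk
            rel = os.path.relpath(full, root)
            entries[rel] = (os.path.getsize(full), file_digest(full))
    return entries


def compare_restore(replica_dir, restored_dir):
    """Compare the SyncIQ replica with the directory the restore copied it to.

    Returns {"missing": [...], "extra": [...], "mismatch": [...]} of relative paths;
    all three empty means the restored copy is complete and byte-for-byte identical.
    """
    src = snapshot_tree(replica_dir)
    dst = snapshot_tree(restored_dir)
    return {
        "missing": sorted(set(src) - set(dst)),
        "extra": sorted(set(dst) - set(src)),
        "mismatch": sorted(p for p in set(src) & set(dst) if src[p] != dst[p]),
    }


def restore_ok(report):
    """True when compare_restore() found nothing wrong."""
    return not any(report.values())


def demo(corrupt=True):
    """Build a constructed replica/restore pair in a temp dir and compare them.

    With corrupt=True the 'restored' side has one truncated and one missing file,
    which is what an interrupted cp -rp would leave behind.
    """
    base = tempfile.mkdtemp(prefix="ecahbase-check-")
    replica = os.path.join(base, "backup-auditdb", "ecahbase")  # SyncIQ target side
    restored = os.path.join(base, "igls", "eca", "ecahbase")    # live HDFS root side
    os.makedirs(os.path.join(replica, "data", "default"))
    sample_files = {  # illustrative names only, not a real HBase directory layout
        "hbase.id": b"constructed-cluster-id\n",
        os.path.join("data", "default", "table1"): b"A" * 4096,
        os.path.join("data", "default", "table2"): b"B" * 4096,
    }
    for rel, content in sample_files.items():
        with open(os.path.join(replica, rel), "wb") as fh:
            fh.write(content)
    shutil.copytree(replica, restored)
    if corrupt:
        with open(os.path.join(restored, "data", "default", "table2"), "wb") as fh:
            fh.write(b"B" * 100)  # truncated copy: same name, different content
        os.remove(os.path.join(restored, "hbase.id"))  # file that was never copied
    try:
        return compare_restore(replica, restored)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("clean restore:", demo(corrupt=False))
    print("interrupted restore:", demo(corrupt=True))
```

On a real restore, call compare_restore() with the SyncIQ target path and /ifs/data/igls/eca/ecahbase and only proceed to ecactl cluster up when restore_ok() is true; a non-empty "extra" list usually means the old database was not fully moved aside in step 3.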



How to Implement Typical Audit Use Cases



This section walks through typical audit use cases and suggests which features address each audit requirement.

User Reports of missing files in a share path


Options to audit this use case

  1. Scheduled Query: Create a search on the Advanced Search tab and enter the cluster and the file system path to monitor. Save the query, then use the Schedule tab to run it every hour so that you are alerted to any deletes in that path.

    1. Same as above, but also enter a file extension to narrow the delete query, and schedule it every hour.

  2. WireTap: Create a wiretap session to monitor the path in real time if the delete is a recurring issue on a path. A path wiretap is the choice when it is unknown who deleted the file(s). If it is a specific user's issue, wiretap the user to monitor their activity while they execute a sequence of steps to reproduce the delete.


Application Performance Issue for NAS share or export


Users raise issues about the performance of an application or of data access. This can be caused by file locking, by temp file creation on the NAS share rather than on local disk, or by a poorly designed application workflow accessing network shares/exports.


Options to audit this use case

  1. Wiretap: Create a wiretap session for the user or path with the performance issue, and monitor it while asking the end users to re-attempt the application operations. A path-based wiretap is best when multiple users raise a performance issue on a share; create a user-based wiretap when a single user has an application performance issue.


Excessive Permissions Analysis


The excessive permissions report helps identify users who have access to data that they are no longer accessing. This report can help with compliance and with securing access to data. The report analyzes users that have accessed shares, resolves their share access from AD group membership, and lists users who have access to shares but no actual file activity within the report range.

These users are candidates to have their group membership reduced, narrowing access to the data.


Options to audit this use case

  1. Builtin Excessive Permissions Report: Open the Report History to view the report.



User Behavior Audit  


Random user audits and auditing of suspicious file access are common requirements in security departments. Easy Auditor provides several tools to perform proactive audits of file access.

Options to audit this use case

  1. Wiretap: Create a wiretap session with the per-user option. The session can be actively monitored, or saved so that a report can be run later covering all file access since the wiretap session was created.

  2. Search: Build a search on the user id and a date range; it returns all file access on all shares within the date range. In the preview screen of the search, select Run Report.
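To show what the scheduled delete query, the user-and-date-range search, and a delete-burst check look like as logic, here is an added example run over constructed audit records; it is not the product's query engine. The record layout (a timestamp and user in front of the event name and path) is assumed, and the event names follow the workflow tables later in this section. One point the example makes that the options above do not state: a file moved within a share is logged as FILE_RENAME, not FILE_DELETE (see the "Move a group of files" workflows), so a missing-file query should report renames alongside deletes. The burst threshold and window are assumed parameters for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records: "<ISO timestamp> <user> <EVENT> <path>".
# The finance2 path is there to show that prefix matching must respect "/" boundaries.
SAMPLE_AUDIT = """\
2017-11-10T09:00:01 DOMAIN\\alice FILE_OPEN_NOACCESS /ifs/data/finance/q3/report.xlsx
2017-11-10T09:00:01 DOMAIN\\alice FILE_CLOSE /ifs/data/finance/q3/report.xlsx
2017-11-10T09:00:02 DOMAIN\\alice FILE_RENAME /ifs/data/finance/q3/report.xlsx
2017-11-10T09:05:10 DOMAIN\\bob FILE_OPEN_NOACCESS /ifs/data/finance/q3/budget.xlsx
2017-11-10T09:05:10 DOMAIN\\bob FILE_DELETE /ifs/data/finance/q3/budget.xlsx
2017-11-10T09:05:11 DOMAIN\\bob FILE_DELETE /ifs/data/finance/q3/notes.txt
2017-11-10T09:05:12 DOMAIN\\bob FILE_DELETE /ifs/data/finance/q3/forecast.xlsx
2017-11-10T09:05:13 DOMAIN\\bob FILE_DELETE /ifs/data/finance/q3/old.xlsx
2017-11-10T09:30:00 DOMAIN\\carol FILE_DELETE /ifs/data/hr/policy.docx
2017-11-10T10:10:00 DOMAIN\\bob FILE_DELETE /ifs/data/finance/q2/archive.xlsx
2017-11-10T10:11:00 DOMAIN\\bob FILE_OPEN_READ /ifs/data/finance2/secret.xlsx
"""


def parse_events(text):
    """Parse one record per line; the path is the remainder so it may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, path = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "path": path})
    return sorted(events, key=lambda e: e["ts"])  # stable: same-second order is kept


def under(path, prefix):
    """True if path is the monitored directory itself or anything inside it."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def missing_file_candidates(events, monitored_path, extension=None):
    """The scheduled 'deletes in this path' query, optionally narrowed by extension.

    Renames are reported too: a move inside a share appears as FILE_RENAME.
    """
    wanted = {"FILE_DELETE": "deleted", "DIR_DELETE": "deleted",
              "FILE_RENAME": "renamed", "DIR_RENAME": "renamed"}
    result = {"deleted": [], "renamed": []}
    suffix = "." + extension.lower().lstrip(".") if extension else None
    for e in events:
        kind = wanted.get(e["event"])
        if kind is None or not under(e["path"], monitored_path):
            continue
        if suffix and not e["path"].lower().endswith(suffix):
            continue
        result[kind].append(e)
    return result


def user_activity(events, user, start_iso, end_iso):
    """The 'search by user id and date range' query: all events by one user in [start, end]."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [e for e in events if e["user"] == user and start <= e["ts"] <= end]


def delete_bursts(events, monitored_path, threshold, window_seconds):
    """Users who delete at least `threshold` objects under the path within any
    `window_seconds` span (sliding window per user; parameters are assumed)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = set()
    for e in events:
        if e["event"] not in ("FILE_DELETE", "DIR_DELETE"):
            continue
        if not under(e["path"], monitored_path):
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop deletes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["user"])
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT)
    hits = missing_file_candidates(evs, "/ifs/data/finance/q3")
    for kind, lst in hits.items():
        for e in lst:
            print(kind, e["ts"].isoformat(), e["user"], e["path"])
    print("burst users:", delete_bursts(evs, "/ifs/data/finance", 4, 60))
```

Run against the constructed records, the q3 query lists bob's four deletes and alice's rename of report.xlsx, which is the kind of "missing" file that was actually moved; the burst check flags bob at four deletes within a minute but not at five, because the later q2 delete falls outside the window.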






Audit Message Workflows


This section shows the audit messages expected for typical file-action workflows, to assist with auditing applications and user file access.

Audit Message Workflows - SMB


Workflow description, followed by the file audit messages expected:

Create a File

FILE_CREATE ..\file_name

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_WRITE ..\file_name

FILE_CLOSE_MODIFIED ..\file_name

Open a File (Command Line)

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_OPEN_READ ..\file_name

FILE_READ ..\file_name

FILE_OPEN_WRITE ..\file_name:Zone.Identifier

FILE_READ ..\file_name

FILE_CLOSE ..\file_name

FILE_READ ..\file_name


Open a File (Windows Explorer)

FILE_OPEN_WRITE ..\desktop.ini

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

FILE_OPEN_WRITE ..\file_name:Zone.Identifier

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

FILE_OPEN_READ ..\file_name

FILE_READ ..\file_name

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

FILE_OPEN_NOACCESS ..\file_name

DIR_CLOSE ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name



Close a File

FILE_CLOSE ..\file_name


Rename a File (Command Line)

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

DIR_OPEN ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_RENAME ..\file_name

FILE_CLOSE ..\file_name

DIR_CLOSE ..\dir_name



Rename a File (Windows Explorer)

DIR_CLOSE ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_RENAME ..\file_name

FILE_CLOSE ..\file_name

DIR_OPEN ..\dir_name

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name


Write to a File

FILE_OPEN_WRITE ..\file_name

FILE_READ ..\file_name

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_WRITE ..\file_name


Save a File (after modification)

FILE_WRITE ..\file_name

FILE_CLOSE_MODIFIED ..\file_name

Delete a File (Command Line)

FILE_OPEN_NOACCESS ..\file_name

FILE_CLOSE ..\file_name

DIR_OPEN ..\dir_name

FILE_OPEN_NOACCESS ..\file_name

FILE_DELETE ..\file_name

FILE_CLOSE ..\file_name

DIR_CLOSE ..\dir_name


Delete a File (Windows Explorer)

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\desktop.ini

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_DELETE ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name




Create a Directory (Command Line)

DIR_CREATE ..\dir_name

DIR_CLOSE ..\dir_name

Create a Directory (Windows Explorer)

DIR_CREATE ..\parent_dir_name\NEW FOLDER

DIR_CLOSE ..\parent_dir_name\NEW FOLDER

FILE_OPEN_WRITE ..\parent_dir_name\NEW FOLDER\desktop.ini

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\NEW FOLDER

DIR_RENAME ..\parent_dir_name\NEW FOLDER

DIR_CLOSE ..\parent_dir_name\NEW FOLDER

DIR_OPEN ..\parent_dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name


Rename a Directory

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_RENAME ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name


Rename a Directory (Windows Explorer)

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_RENAME ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name


Delete a Directory (Command Line)

DIR_OPEN ..\dir_name

DIR_DELETE ..\dir_name

DIR_CLOSE ..\dir_name

Delete a Directory (Windows Explorer)

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_DELETE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

FILE_OPEN_WRITE ..\parent_dir_name\desktop.ini

Delete a non-empty Directory

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_DELETE ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_DELETE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

Drag and drop a non-empty folder to another folder

DIR_OPEN  ..\parent_dir_name\source_dir_name

DIR_CLOSE  ..\parent_dir_name\source_dir_name

FILE_OPEN_WRITE ..\parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name

DIR_OPEN  ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\target_dir_name

DIR_OPEN  ..\parent_dir_name\source_dir_name

DIR_CLOSE  ..\parent_dir_name\source_dir_name

DIR_OPEN  ..\parent_dir_name\source_dir_name

DIR_RENAME  ..\parent_dir_name\source_dir_name

DIR_CLOSE  ..\parent_dir_name\source_dir_name

DIR_OPEN  ..\parent_dir_name

DIR_CLOSE  ..\parent_dir_name

DIR_OPEN  ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\target_dir_name

DIR_OPEN  ..\parent_dir_name

DIR_OPEN  ..\parent_dir_name

DIR_CLOSE  ..\parent_dir_name

Copy a group of files into a new folder (same share)

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_1

FILE_OPEN_READ ..\parent_dir_name\file_name_1

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_OPEN_READ ..\parent_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\file_name_3

FILE_OPEN_READ ..\parent_dir_name\file_name_3

FILE_OPEN_WRITE ..\parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name\desktop.ini

DIR_OPEN  ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name

FILE_OPEN_READ ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_1

FILE_CREATE ..\parent_dir_name\target_dir_name\file_name_1

FILE_OPEN_READ ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_CREATE ..\parent_dir_name\target_dir_name\file_name_2

FILE_OPEN_READ ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\file_name_3

FILE_CREATE ..\parent_dir_name\target_dir_name\file_name_3

DIR_OPEN  ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\

DIR_OPEN  ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\

FILE_CLOSE ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\target_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\target_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\target_dir_name\file_name_3


Move a group of files into a new folder (same share)

FILE_OPEN_WRITE ..\parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name\desktop.ini

FILE_OPEN_WRITE ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\

DIR_OPEN  ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\target_dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_1

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_1

FILE_RENAME ..\parent_dir_name\file_name_1

FILE_CLOSE ..\parent_dir_name\file_name_1

DIR_OPEN ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\

DIR_OPEN  ..\parent_dir_name\target_dir_name

DIR_CLOSE  ..\parent_dir_name\target_dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_2

FILE_RENAME ..\parent_dir_name\file_name_2

FILE_CLOSE ..\parent_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\file_name_3

FILE_OPEN_NOACCESS ..\parent_dir_name\file_name_3

FILE_RENAME ..\parent_dir_name\file_name_3

FILE_CLOSE ..\parent_dir_name\file_name_3

DIR_OPEN ..\parent_dir_name\

DIR_OPEN ..\parent_dir_name\

DIR_CLOSE  ..\parent_dir_name\


Copy a group of files into a new folder (different share)

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\desktop.ini

DIR_OPEN ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

FILE_OPEN_NOACCESS  ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE  ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_OPEN_NOACCESS  ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE  ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_NOACCESS  ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE  ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_3

DIR_OPEN ..\target_parent_dir_name

DIR_CLOSE ..\target_parent_dir_name

FILE_OPEN_WRITE ..\target_parent_dir_name\target_dir_name\desktop.ini

FILE_OPEN_WRITE ..\source_parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\target_parent_dir_name\target_dir_name

DIR_OPEN  ..\target_parent_dir_name

DIR_CLOSE  ..\target_parent_dir_name

DIR_OPEN  ..\source_parent_dir_name

DIR_CLOSE  ..\source_parent_dir_name

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_1

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_2

FILE_OPEN_READ ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_3



Move a group of files into a new folder (different share)

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\desktop.ini

DIR_OPEN ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

FILE_OPEN_WRITE ..\target_parent_dir_name\desktop.ini

FILE_OPEN_WRITE ..\target_parent_dir_name\target_dir_name\desktop.ini

FILE_OPEN_WRITE ..\target_parent_dir_name\target_dir_name

DIR_OPEN ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

DIR_OPEN ..\target_parent_dir_name

DIR_CLOSE ..\target_parent_dir_name

DIR_OPEN ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name

DIR_CLOSE ..\source_parent_dir_name\source_dir_name

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_DELETE ..\source_parent_dir_name\source_dir_name\file_name_1

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_1

DIR_OPEN ..\target_parent_dir_name\target_dir_name

DIR_CLOSE ..\target_parent_dir_name\target_dir_name

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_DELETE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_2

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_OPEN_WRITE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CREATE ..\target_parent_dir_name\target_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_OPEN_NOACCESS ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_DELETE ..\source_parent_dir_name\source_dir_name\file_name_3

FILE_CLOSE ..\source_parent_dir_name\source_dir_name\file_name_3

DIR_OPEN ..\source_parent_dir_name

DIR_OPEN ..\source_parent_dir_name\source_dir_name

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_1

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_2

FILE_CLOSE ..\target_parent_dir_name\target_dir_name\file_name_3


Set ACL of a file

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

FILE_OPEN_NOACCESS   ..\parent_dir_name\dir_name\file_name

FILE_CLOSE   ..\parent_dir_name\dir_name\file_name

FILE_OPEN_NOACCESS   ..\parent_dir_name\dir_name\file_name

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS   ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name

FILE_OPEN_NOACCESS   ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name


Set ACL of a Directory

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_SET_ACL ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name



Set ACL of a Directory and its files

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_SET_ACL ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name1

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name1

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name1

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name1

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name1

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name2

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name2

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name2

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name2

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name2

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name


Remove Inherited ACL from a File

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name


Modify ACL setting of a Directory to not propagate the ACL to files / subfolders

DIR_OPEN ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS  ..\parent_dir_name\dir_name\file_name

FILE_SET_ACL  ..\parent_dir_name\dir_name\file_name

FILE_CLOSE  ..\parent_dir_name\dir_name\file_name

DIR_SET_ACL ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

FILE_OPEN_WRITE  ..\parent_dir_name\dir_name

FILE_OPEN_WRITE  ..\parent_dir_name\desktop.ini

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name


Open a locked file (already open by another client) in read-only mode

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\desktop.ini

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\file_name:Zone.Identifier

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\file_name

FILE_OPEN_READ ..\parent_dir_name\dir_name\file_name

FILE_READ ..\parent_dir_name\dir_name\file_name

FILE_OPEN_READ ..\parent_dir_name\dir_name\.-lock.file_name#

FILE_READ ..\parent_dir_name\dir_name\.-lock.file_name#

FILE_OPEN_WRITE ..\parent_dir_name\dir_name\file_name

FILE_OPEN_READ ..\parent_dir_name\dir_name\file_name

FILE_READ ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_CLOSE ..\parent_dir_name\dir_name\.-lock.file_name#

DIR_OPEN ..\parent_dir_name

DIR_CLOSE ..\parent_dir_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name

FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name

FILE_CLOSE ..\parent_dir_name\dir_name\file_name

DIR_OPEN ..\parent_dir_name\dir_name

DIR_CLOSE ..\parent_dir_name\dir_name
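The SMB workflows above show that one user action produces a burst of DIR_OPEN, DIR_CLOSE, FILE_OPEN_NOACCESS and FILE_CLOSE messages, plus side effects on desktop.ini, the Zone.Identifier stream and editor temp files. When reading a wiretap or report it helps to reduce such a sequence to the operations that actually changed the share. The following is an added example, not part of Easy Auditor: the mapping from event type to operation and the noise-path patterns are my reading of the tables (the SMB ones above and the NFS ones later in this section), and the sample sequences are copied from them, the NFS one abridged.

```python
import re

# Event types that change what a user sees on the share. Everything else in the
# tables (DIR_OPEN/DIR_CLOSE, FILE_OPEN_*, FILE_CLOSE, FILE_READ) is the client
# enumerating, probing or reading and is treated as noise here.
SIGNIFICANT = {
    "FILE_CREATE": "created", "DIR_CREATE": "created",
    "FILE_WRITE": "modified", "FILE_CLOSE_MODIFIED": "modified",
    "FILE_RENAME": "renamed", "DIR_RENAME": "renamed",
    "FILE_DELETE": "deleted", "DIR_DELETE": "deleted",
    "FILE_SET_ACL": "acl_changed", "DIR_SET_ACL": "acl_changed",
}

# Paths that Explorer and editors touch on their own, as seen in the tables:
# desktop.ini, the Zone.Identifier stream, .name.swp/.swx, name~ and .-lock.name#.
NOISE_PATH = re.compile(
    r"(\\desktop\.ini$|:Zone\.Identifier$|\\\.[^\\]+\.sw[px]$|~$|\\\.-lock\.[^\\]+#$)"
)


def parse_messages(text):
    """Split '<EVENT> <path>' lines into (event, path) pairs; paths may contain spaces."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            event, _, path = line.partition(" ")
            pairs.append((event, path.strip()))
    return pairs


def summarize(text):
    """Map each non-noise path to the ordered list of distinct operations applied to it."""
    ops = {}
    for event, path in parse_messages(text):
        op = SIGNIFICANT.get(event)
        if op is None or NOISE_PATH.search(path):
            continue
        history = ops.setdefault(path, [])
        if op not in history:
            history.append(op)
    return ops


def durable_changes(text):
    """summarize() minus transient paths, i.e. created and finally deleted within the
    same workflow (an editor's temp file), which never existed from the user's view."""
    return {path: history for path, history in summarize(text).items()
            if not ("created" in history and history[-1] == "deleted")}


# "Delete a File (Windows Explorer)" from the SMB table above.
SMB_EXPLORER_DELETE = r"""
FILE_OPEN_WRITE ..\parent_dir_name\dir_name\desktop.ini
FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name
FILE_CLOSE ..\parent_dir_name\dir_name\file_name
DIR_OPEN ..\parent_dir_name
DIR_CLOSE ..\parent_dir_name
DIR_OPEN ..\parent_dir_name\dir_name
DIR_CLOSE ..\parent_dir_name\dir_name
FILE_OPEN_NOACCESS ..\parent_dir_name\dir_name\file_name
FILE_DELETE ..\parent_dir_name\dir_name\file_name
FILE_CLOSE ..\parent_dir_name\dir_name\file_name
"""

# "Open a File (Command Line)" from the SMB table above: nothing on the share changes.
SMB_OPEN_CMDLINE = r"""
FILE_OPEN_NOACCESS ..\file_name
FILE_CLOSE ..\file_name
DIR_OPEN ..\dir_name
DIR_CLOSE ..\dir_name
FILE_OPEN_READ ..\file_name
FILE_READ ..\file_name
FILE_OPEN_WRITE ..\file_name:Zone.Identifier
FILE_CLOSE ..\file_name
"""

# Abridged from "NFS: Save a File" later in this section: the editor writes through a
# temp file, renames the original away, re-creates it and deletes the name~ backup.
NFS_EDITOR_SAVE = r"""
FILE_CREATE ..\parent_dir\dir_name\temp_file
FILE_SET_ACL ..\parent_dir\dir_name\temp_file
FILE_DELETE ..\parent_dir\dir_name\temp_file
FILE_RENAME ..\parent_dir\dir_name\file_name
FILE_CREATE ..\parent_dir\dir_name\file_name
FILE_WRITE ..\parent_dir\dir_name\file_name
FILE_SET_ACL ..\parent_dir\dir_name\file_name
FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name
FILE_DELETE ..\parent_dir\dir_name\file_name~
FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp
FILE_WRITE ..\parent_dir\dir_name\.file_name.swp
FILE_DELETE ..\parent_dir\dir_name\.file_name.swp
"""
```

Fed the three samples, durable_changes() reduces the Explorer delete to a single "deleted" on file_name, the command-line open to nothing at all, and the NFS editor save to file_name being renamed, created, modified and ACL-changed while the temp file drops out. That last result is the one to remember when a user reports a file as missing: an editor save logs a FILE_RENAME of the original, and the only FILE_DELETE is of the name~ backup, so a query for FILE_DELETE on the exact path finds nothing.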




Audit Message Workflows with Turbo Audit - SMB

Workflow description, followed by the file audit messages expected:

SMB (Turbo Audit): Create a File

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name

FILE_WRITE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CREATE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir



SMB (Turbo Audit): Rename a File

DIR_CLOSE ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir


SMB (Turbo Audit): Write to a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_READ ..\parent_dir\dir_name\file_name

FILE_OPEN_READ ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name

FILE_WRITE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_READ ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir


SMB (Turbo Audit): Delete a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_DELETE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir


SMB (Turbo Audit): Create a Folder

DIR_CLOSE ..\parent_dir\dir_name\new_dir_name

DIR_CREATE ..\parent_dir\dir_name\new_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name


SMB (Turbo Audit): Delete a Folder

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_DELETE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name


SMB (Turbo Audit): Rename a Folder

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_RENAME ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir


SMB (Turbo Audit): Set ACL of a file

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_SET_ACL ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir


SMB (Turbo Audit): Set ACL of a Directory

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

FILE_SET_ACL ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name\current_dir_name

DIR_OPEN ..\parent_dir\dir_name\current_dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir



Audit Message Workflows - NFS

Workflow description, followed by the file audit messages expected:

NFS: Create a File

DIR_OPEN ..\dir_name

DIR_CLOSE ..\dir_name

FILE_CREATE ..\dir_name\file_name

FILE_CLOSE ..\dir_name\file_name

DIR_CLOSE ..\dir_name

NFS: Open a File (with an editor that creates a .swp temp file)

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CREATE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_CREATE ..\parent_dir\dir_name\.file_name.swx

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\.file_name.swx

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swx

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swx

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swx

FILE_DELETE ..\parent_dir\dir_name\.file_name.swx

FILE_DELETE ..\parent_dir\dir_name\.file_name.swp

FILE_CREATE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\.file_name.swp

FILE_SET_ACL ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE ..\parent_dir\dir_name\.file_name.swp

FILE_OPEN_READ ..\parent_dir\dir_name\file_name

FILE_READ ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp


NFS: Close a File

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_DELETE ..\parent_dir\dir_name\.file_name.swp

DIR_CLOSE ..\parent_dir\dir_name


NFS: Rename a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Write to a File

FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp


NFS: Save a File (after modification)

DIR_OPEN ..\parent_dir\dir_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CREATE ..\parent_dir\dir_name\temp_file

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\temp_file

FILE_CLOSE ..\parent_dir\dir_name\temp_file

FILE_SET_ACL ..\parent_dir\dir_name\temp_file

FILE_CLOSE ..\parent_dir\dir_name\temp_file

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\temp_file

FILE_SET_ACL ..\parent_dir\dir_name\temp_file

FILE_CLOSE ..\parent_dir\dir_name\temp_file

FILE_DELETE ..\parent_dir\dir_name\temp_file

DIR_OPEN ..\parent_dir\dir_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_CREATE ..\parent_dir\dir_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_WRITE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\file_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir

FILE_DELETE ..\parent_dir\dir_name\file_name~

FILE_OPEN_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_WRITE ..\parent_dir\dir_name\.file_name.swp

FILE_DELETE ..\parent_dir\dir_name\.file_name.swp

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\.file_name.swp

DIR_CLOSE ..\parent_dir\dir_name


NFS: Delete a File

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

FILE_DELETE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Create a Directory

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CREATE ..\parent_dir\dir_name\new_subdirectory_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name\new_subdirectory_name


NFS: Rename a Directory

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_RENAME ..\parent_dir\dir_name\old_sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Delete a Directory

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name

DIR_DELETE ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Delete a non-empty Directory

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

FILE_DELETE ..\parent_dir\dir_name\sub_directory_name\file_name

DIR_OPEN ..\parent_dir\dir_name

DIR_DELETE ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Copy a group of files into a new directory same export

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

FILE_CREATE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_WRITE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_CREATE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_OPEN_WRITE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_WRITE ..\parent_dir\dir_name\sub_directory_name\file_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\sub_directory_name\file_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\sub_directory_name\file_name


NFS: Move a group of files into a new directory same export

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name\sub_directory_name

DIR_OPEN ..\parent_dir\dir_name

FILE_RENAME ..\parent_dir\dir_name\file_name

FILE_RENAME ..\parent_dir\dir_name\file_name

DIR_CLOSE ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name


NFS: Copy a group of files into a new directory different export

DIR_OPEN ..\parent_dir1\dir_name1

DIR_CLOSE ..\parent_dir1\dir_name1

DIR_OPEN ..\parent_dir2\dir_name2

DIR_CLOSE ..\parent_dir2\dir_name2

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

FILE_CLOSE ..\parent_dir1\dir_name1\file_name

FILE_OPEN_NOACCESS ..\parent_dir1\dir_name1\file_name

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

FILE_CREATE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir1\dir_name1\file_name

FILE_CLOSE ..\parent_dir1\dir_name1\file_name

FILE_CREATE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

FILE_CLOSE_MODIFIED ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE_MODIFIED ..\parent_dir2\dir_name2\sub_dir_2\file_name


NFS: Move a group of files into a new directory different export

DIR_OPEN ..\parent_dir1\dir_name1

DIR_CLOSE ..\parent_dir1\dir_name1

DIR_OPEN ..\parent_dir2\dir_name2

DIR_CLOSE ..\parent_dir2\dir_name2

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

FILE_OPEN_NOACCESS ..\parent_dir1\dir_name1\file_name

FILE_CLOSE ..\parent_dir1\dir_name1\file_name

DIR_OPEN ..\parent_dir2\dir_name2\sub_dir_2

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2

FILE_CREATE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE_MODIFIED ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

DIR_OPEN ..\parent_dir1\dir_name1

FILE_DELETE ..\parent_dir1\dir_name1\file_name

FILE_OPEN_NOACCESS ..\parent_dir1\dir_name1\file_name

FILE_CLOSE ..\parent_dir1\dir_name1\file_name

FILE_CREATE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_WRITE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_OPEN_NOACCESS ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_SET_ACL ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_CLOSE_MODIFIED ..\parent_dir2\dir_name2\sub_dir_2\file_name

FILE_DELETE ..\parent_dir1\dir_name1\file_name

DIR_CLOSE ..\parent_dir1\dir_name1

DIR_CLOSE ..\parent_dir2\dir_name2\sub_dir_2


NFS: Change Ownership of a file

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name

FILE_SET_ACL ..\parent_dir\dir_name\file_name

FILE_CLOSE ..\parent_dir\dir_name\file_name

DIR_OPEN ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name


NFS: Change Ownership of a Directory

DIR_OPEN ..\parent_dir

DIR_CLOSE ..\parent_dir

DIR_OPEN ..\parent_dir\dir_name

DIR_SET_ACL ..\parent_dir\dir_name

DIR_CLOSE ..\parent_dir\dir_name

Advanced Configuration

Filter-Out Event Messages - Turbo Audit

Event messages can be filtered out of audit event processing to reduce both storage consumption and the rate at which events must be processed. Because a filtered-out event type is dropped before it is processed, it is never stored and is not available to later queries or reports; choose the list with your audit use cases in mind.

To configure the filter, add the following line to the /opt/superna/eca/eca-env-common.conf file:

export BYPASSED_EVENT_TYPES=<comma-separated list of event types to filter out>


Example:

To filter out DIR_SET_ACL, DIR_OPEN, DIR_CLOSE and DIR_SET_SEC events, add this line to the /opt/superna/eca/eca-env-common.conf file:

export BYPASSED_EVENT_TYPES=DIR_SET_ACL,DIR_OPEN,DIR_CLOSE,DIR_SET_SEC


Verify that Turbo Audit mode is also enabled:

export USE_TURBOAUDIT=true


Event types that can be specified in the filter:

  • FILE_OPEN_NOACCESS

  • FILE_OPEN_READ

  • FILE_OPEN_WRITE

  • FILE_CREATE

  • FILE_RENAME

  • FILE_DELETE

  • FILE_CLOSE

  • FILE_CLOSE_MODIFIED

  • FILE_SET_ACL

  • FILE_READ

  • FILE_WRITE

  • DIR_CREATE

  • DIR_RENAME

  • DIR_DELETE

  • DIR_SET_ACL

  • DIR_OPEN

  • DIR_CLOSE
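The following script is an added example written for this guide; it is not part of the Easy Auditor product or its configuration tooling. It reads the two export lines from a constructed copy of eca-env-common.conf, checks that USE_TURBOAUDIT is on, reports any BYPASSED_EVENT_TYPES entry that is not on the supported list above as unknown so it can be confirmed before rollout (the example line earlier in this section includes DIR_SET_SEC, which that list does not contain), flags filtered types that a caller says a detection use case must keep, and previews the filter against the "NFS: Delete a non-empty Directory" trace from the reference sequences above. The conf text and trace are embedded as constructed samples; the function names are this example's own.

```python
"""Validate a Turbo Audit event filter and preview its effect on an NFS event trace.

Added example, not Superna code. SAMPLE_CONF and SAMPLE_TRACE are constructed
inline from lines shown in this guide.
"""
import re
from collections import Counter

# Event types the guide lists as accepted in BYPASSED_EVENT_TYPES.
SUPPORTED_EVENT_TYPES = frozenset({
    "FILE_OPEN_NOACCESS", "FILE_OPEN_READ", "FILE_OPEN_WRITE", "FILE_CREATE",
    "FILE_RENAME", "FILE_DELETE", "FILE_CLOSE", "FILE_CLOSE_MODIFIED",
    "FILE_SET_ACL", "FILE_READ", "FILE_WRITE", "DIR_CREATE", "DIR_RENAME",
    "DIR_DELETE", "DIR_SET_ACL", "DIR_OPEN", "DIR_CLOSE",
})

# Constructed sample of /opt/superna/eca/eca-env-common.conf (the guide's two example lines).
SAMPLE_CONF = """\
# eca-env-common.conf (constructed sample)
export USE_TURBOAUDIT=true
export BYPASSED_EVENT_TYPES=DIR_SET_ACL,DIR_OPEN,DIR_CLOSE,DIR_SET_SEC
"""

# Constructed sample trace: the guide's "NFS: Delete a non-empty Directory" sequence.
SAMPLE_TRACE = r"""
DIR_OPEN ..\parent_dir\dir_name
DIR_CLOSE ..\parent_dir\dir_name
DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name
DIR_OPEN ..\parent_dir\dir_name\sub_directory_name
DIR_OPEN ..\parent_dir\dir_name\sub_directory_name
FILE_DELETE ..\parent_dir\dir_name\sub_directory_name\file_name
DIR_OPEN ..\parent_dir\dir_name
DIR_DELETE ..\parent_dir\dir_name\sub_directory_name
DIR_CLOSE ..\parent_dir\dir_name\sub_directory_name
DIR_CLOSE ..\parent_dir\dir_name
"""

_EXPORT_RE = re.compile(r"^\s*export\s+([A-Z_][A-Z0-9_]*)=(.*?)\s*$")


def parse_exports(conf_text):
    """Return {NAME: value} for every 'export NAME=value' line; a later line wins."""
    exports = {}
    for line in conf_text.splitlines():
        m = _EXPORT_RE.match(line)
        if m:
            exports[m.group(1)] = m.group(2).strip().strip("\"'")
    return exports


def bypassed_types(conf_text):
    """BYPASSED_EVENT_TYPES split on commas, blanks and surrounding spaces removed."""
    raw = parse_exports(conf_text).get("BYPASSED_EVENT_TYPES", "")
    return [t.strip() for t in raw.split(",") if t.strip()]


def turbo_enabled(conf_text):
    return parse_exports(conf_text).get("USE_TURBOAUDIT", "").lower() == "true"


def unknown_types(types):
    """Entries not on the supported list; confirm these before relying on them."""
    return sorted(set(types) - SUPPORTED_EVENT_TYPES)


def conflicts(bypassed, must_keep):
    """Types that are filtered out but that a detection use case needs to keep."""
    return sorted(set(bypassed) & set(must_keep))


def parse_trace(text):
    """Turn 'EVENT_TYPE path' lines into (event_type, path) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            event_type, _, path = line.partition(" ")
            events.append((event_type, path))
    return events


def apply_filter(events, bypassed):
    """Events that survive the filter, in their original order."""
    drop = set(bypassed)
    return [e for e in events if e[0] not in drop]


def filter_report(conf_text, trace_text, must_keep=()):
    bypassed = bypassed_types(conf_text)
    events = parse_trace(trace_text)
    kept = apply_filter(events, bypassed)
    return {
        "turbo_enabled": turbo_enabled(conf_text),
        "bypassed": bypassed,
        "unknown": unknown_types(bypassed),
        "conflicts": conflicts(bypassed, must_keep),
        "before": len(events),
        "after": len(kept),
        "kept_by_type": dict(Counter(e[0] for e in kept)),
    }


if __name__ == "__main__":
    # Keep delete evidence: a filter that drops FILE_DELETE or DIR_DELETE would be flagged.
    for key, value in filter_report(SAMPLE_CONF, SAMPLE_TRACE,
                                    must_keep={"FILE_DELETE", "DIR_DELETE"}).items():
        print(f"{key}: {value}")
```

With the guide's example filter, the ten-event directory deletion trace shrinks to the two events that carry the security signal (FILE_DELETE and DIR_DELETE); the DIR_OPEN and DIR_CLOSE churn around them is what the filter removes. Pass the event types your own queries, reports or Active Auditor rules depend on as must_keep so that a storage-saving change cannot silently blind a detection.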