Release Notes 2.5.2 Easy Auditor

Contents

  1. 1 What’s New in Superna Eyeglass Easy Auditor Edition
  2. 2 Release 2.5.2
  3. 3 Supported OneFS releases
  4. 4 Supported Eyeglass releases
  5. 5 Inter Release Functional Compatibility
  6. 6 End of Life Notifications
  7. 7 Known Issues
    1. 7.1 Reporting
      1. 7.1.1 T5907 No record for failed user query in Finished Reports
      2. 7.1.2 T6145 User with Eyeglass read-only position cannot run a custom query
      3. 7.1.3 T6149 Count Table and Access Report queries store unnecessary query parameters
      4. 7.1.4 T6227 Finished Report display issue for Date Time Range
      5. 7.1.5 T6293 Stale Access Report and Access Report display Cluster GUID instead of Cluster Name
      6. 7.1.6 T6313 Report Query Builder allows filter on Unlicensed Cluster
      7. 7.1.7 T6338 File Ext Input only in first line
      8. 7.1.8 T6339 Report Query Naming
      9. 7.1.9 T6349 Running Report Job State does not immediately reflect a cancelled Job
      10. 7.1.10 T6350 Easy Auditor Running Reports window inactive
      11. 7.1.11 T6404 Saved Custom User Queries show unrelated Built In Query
      12. 7.1.12 T6579 Timeout may prevent error on retrieving finished reports where large number of reports exist
      13. 7.1.13 T7049 Finished Report display issue for Duration
    2. 7.2 Active Auditing
      1. 7.2.1 T5955 Wiretap Watch window cannot scroll horizontal
      2. 7.2.2 T6074 Wiretap Open Files List not updated
      3. 7.2.3 T6305 Invalid username causes Wiretap error
      4. 7.2.4 T6466 Deleted Wiretap not removed from filter processing
      5. 7.2.5 T6467 Wiretap Event type blank for Directory Create / Delete, File Create, File Set ACL, Directory Rename
    3. 7.3 General
      1. 7.3.1 T5678 Manage Services CPU and RAM show n/a
      2. 7.3.2 T5858  ecactl commands do not switch to ecaadmin user
      3. 7.3.3 T5915  Event retrieval stopped by Disable/Enable of Protocol Monitoring on the Isilon
      4. 7.3.4 T6004  Isilon Directory Selector Usage
      5. 7.3.5 T6097  UI Desktop Unexpected Behaviour
      6. 7.3.6 T6450  some ecactl commands result in error
      7. 7.3.7 T6451  Extra ECA Node listed in Manage Services with IP 0.0.0.0
  8. 8 Known Limitations
    1. 8.1 Reporting
      1. 8.1.1 Conditions under which audit events are not processed
      2. 8.1.2 T6361 Reporting for shares with local user permissions unsupported
      3. 8.1.3 T6478 Stale Access and Share Access Report AD User Limitation
      4. 8.1.4 T6061, T6465 Wiretap event rate display maximum of 25 events / s


What’s New in Superna Eyeglass Easy Auditor Edition

Release 2.5.2

What’s New! In Superna Eyeglass Easy Auditor Edition Release 2.5.2 can be found here.




Supported OneFS releases

8.0.0.x

8.0.1.x

8.1.x.x


Supported Eyeglass releases

Superna Eyeglass Easy Auditor Version


Superna Eyeglass Version


2.5.2-18080

2.5.2-18080



Inter Release Functional Compatibility


OneFS 8.0 -

OneFS 8.0.1

OneFS 8.0.1 -

OneFS 8.1

OneFS 8.0 -

OneFS 8.1

Reporting

Untested

Untested

Untested

Active Auditing

Untested

Untested

Untested





End of Life Notifications


Description

End of Life Date

None at this time





Known Issues

Reporting


T5907 No record for failed user query in Finished Reports

If a user based query fails, there is no record of the failed report in the Finished Reports.  

Workaround: None Required - Email notification is provided for the failed query.

This does not affect path only queries.

—————————————————–

T6145 User with Eyeglass read-only position cannot run a custom query

In the Report Query Builder a user who only has read-only permissions can only Load a previously save query to review it’s setting. From this interface no load can be run.

Workaround: Administrator with full privileges must create and save a query after which a user with read-only permission can then run it from the list.

—————————————————–

T6149 Count Table and Access Report queries store unnecessary query parameters

If you save the Count Table or Access Report query, disabled report parameters may be saved with the report definition even though the do not apply.

Workaround: None required.  Extra parameters are ignored.

—————————————————–

T6227 Finished Report display issue for Date Time Range

Finished Report Date Time Range may not correctly reflect the query date time definition. The display may show an incorrect date range or may be empty for some reports.

Workaround: None required.  The data retrieved correctly reflects the query date time definition.

—————————————————–

T6293 Stale Access Report and Access Report display Cluster GUID instead of Cluster Name

In the Stale Access and Access Reports, the cluster is identified by its GUID instead of displaying the cluster name.  

Workaround: To verify which cluster the report is for, from the Eyeglass web open the Inventory View.  Right click on a cluster name and select “Show Properties” to view the cluster GUID.

—————————————————–

T6313 Report Query Builder allows filter on Unlicensed Cluster

The Report Query Builder does not block selection of an unlicensed cluster.  

Workaround: None required.  File activity / events are not stored for unlicensed clusters and as such any report would return with 0 records.

—————————————————–

T6338 File Ext Input only in first line

Report Query File Ext filter is only editable in first line.  Clicking anywhere else in the box will not let you enter any text

Workaround: None required.  Enter File Ext filter at the top of the box.

—————————————————–

T6339 Report Query Naming

Saved Report Query names can only contain 0 to 9, a to z (lowercase) and A to Z (uppercase) without any spaces, - or _ .

Workaround: None available.

—————————————————–

T6349 Running Report Job State does not immediately reflect a cancelled Job

When a Running Auditor Job is cancelled, the Running Jobs view continues to show the Running state until the cancel task has been completed in its entirety.

Workaround: None required.

—————————————————–

T6350 Easy Auditor Running Reports window inactive

The Easy Auditor Running Reports window may become inactive such that expired reports are not removed and you cannot click on a Report to see details of the execution.

Workaround: Refresh the browser session.

—————————————————–

T6404 Saved Custom User Queries show unrelated Built In Query

A saved Customer User Query details will incorrectly show

Report Picker: Data access report - users who are writing most/least amount of data

even though this custom report is not related to this built in query.

Workaround: None required - other query information is relevant and accurate.

—————————————————–

T6579 Timeout may prevent error on retrieving finished reports where large number of reports exist

When opening the Easy Auditor -> Finished Reports you may experience a comms failure error on population of the list.  This is usually a result of default timeout expiring before being able to retrieve all records.

Workaround: Increase the timeout following steps below.  Recommend to set to 60s and then try again. May require adjustment depending on latency in your environment and number of reports.

  1. SSH to the eyeglass appliance as admin user

  2. type password (default: 3y3gl4ss)

  3. sudo su - (default password: 3y3gl4ss)

  4. vi /srv/www/htdocs/eyeglass/js/eyeglass_globals.js

  5. please change the ajax_get_timeout_seconds value to 60.  Refer to screenshot below for example

  6. :wq! // save the changes //

  7. login to the eyeglass webpage and open Finished Reports and check whether error still present or resolves. You may need to clear browser cache to ensure new java script is loaded to the browser that includes the new timeout.

  8. Done.


—————————————————–

T7049 Finished Report display issue for Duration

Finished Report Duration column does not display the entire duration required to complete the query.

Workaround: None available.  The duration can be seen in the Running Jobs view while the query is still in running state.

—————————————————–



Active Auditing

T5955 Wiretap Watch window cannot scroll horizontal

In the Wiretap Watch window you are not able to scroll in the horizontal direction in either section of the window.

Workaround: None available in Watch window.  A report could be generated using same criteria and timeframe for review once event of interest are known.

—————————————————–

T6074 Wiretap Open Files List not updated

File which is added to the Wiretap Open Files list may not be removed when the file is closed.

Workaround: None required. The real time event display will indicate which files are actively open.

—————————————————–

T6305 Invalid username causes Wiretap error

If you enter an invalid username that cannot be resolved when setting up a Wiretap active auditing job it causes the job creation to fail with the following error:

Failed to create new wiretap:

Server error when processing request: java.lang.NullPointerException

Workaround: Enter a username that can be resolved in the documented supported format.

—————————————————–

T6466 Deleted Wiretap not removed from filter processing

When you delete a Wiretap from the Eyeglass GUI, it is no longer displayed and cannot be selected but in the backend it continues to be active and filter is applied to incoming events.  If the deleted filter has a broad scope, it may result in dropped events for a smaller scope query as per Known Limitations T6061/T6465.

Workaround: Contact support for assistance in resolving this issue.

—————————————————–

T6467 Wiretap Event type blank for Directory Create / Delete, File Create, File Set ACL, Directory Rename

The Wiretap Watch window Event type column is empty for following event types:

  • Directory Create

  • Directory Delete

  • File Create

  • File Set ACL

  • Directory Rename

Workaround: None Available in the Watch window.  You may run a report with the same filter and timeframe to review these events.

—————————————————–




General

T5678 Manage Services CPU and RAM show n/a

The CPU and RAM information for the ECA components is not populated.   

Workaround: ssh to each ECA node and execute the following command to see the CPU and RAM for each component:

ecactl stats

—————————————————–

T5858  ecactl commands do not switch to ecaadmin user

If you are logged into an ECA node as root user and execute an ecactl command, you are prompted to login as the ecaadmin user to continue but even though the console indicates that the login as ecaadmin is underway the login never completes and the command cannot be executed.   

Workaround: Login to ECA as ecaadmin user when using ecactl commands.

—————————————————–

T5915  Event retrieval stopped by Disable/Enable of Protocol Monitoring on the Isilon

If you disable / enable Protocol Auditing on the Isilon cluster the ECA does not recover and does not begin reading events once Protocol Auditing enabled again.

Workaround: If you need to disable/enable Protocol auditing down the ECA cluster first

    Ecactl cluster down

Then disable Protocol Auditing on the Isilon cluster

After you have enabled Protocol Auditing on Isilon cluster, the bring the ECA back up:

      ecactl cluster up.

—————————————————–

T6004  Isilon Directory Selector Usage

In order to populate a cluster in the Directory Selector a directory must be selected in the file tree.   

Workaround: None required. Once cluster is populated a path can be selected from the tree or typed in but must begin with /ifs .

—————————————————–

T6097  UI Desktop Unexpected Behaviour

If you move a window to the edge of the Eyeglass desktop it may become stuck in that position.   

Workaround: Refresh browser.

—————————————————–

T6450  some ecactl commands result in error

The following ecactl commands have an error:

ecactl cluster status   

Workaround:

To verify hbase tables:

ecactl db shell

HBase Shell; enter 'help<RETURN>' for list of supported commands.

Type "exit<RETURN>" to leave the HBase Shell

Version 1.2.6, rUnknown, Mon May 29 02:25:32 CDT 2017

hbase(main):001:0> list

TABLE

inv

report

signal

stats

user

5 row(s) in 0.2570 seconds


=> ["inv", "report", "signal", "stats", "user"]


To verify hdfs connectivity:

ecactl cluster hdfs-status

—————————————————–

T6451  Extra ECA Node listed in Manage Services with IP 0.0.0.0

The Manage Services window may show an additional ECA Node with IP address 0.0.0.0.  It is Inactive and therefore results in an ECA Node Inactive alarm. Otherwise has no negative impact on functionality.   

Workaround: Remove the extra ECA node with IP address of 0.0.0.0 from Manage Services by selecting the associated “x”.

—————————————————–


Known Limitations

Reporting


Conditions under which audit events are not processed

In the following situations audit events will not be processed and any audit events which occur while processing is down are dropped - they are not recovered by post processing:

  • ECA NFS mount is down: Each ECA node is responsible for reading audit events for a specific set of Isilon nodes.  While the ECA NFS mount is down, audit events for these Isilon nodes are dropped.

  • ECA down: Each ECA node is responsible for reading audit events for a specific set of Isilon nodes.  While the ECA NFS mount is down, audit events for these Isilon nodes are dropped.

—————————————————–

T6361 Reporting for shares with local user permissions unsupported

Reports generated against shares which have a local Isilon user permission configured may give unexpected results in the report and may cause email notification to fail.

—————————————————–

T6478 Stale Access and Share Access Report AD User Limitation

Reports have been successfully generated against AD environment with up to 4000 users.  Reports against larger AD environments may fail.

—————————————————–

Active Auditing


T6061, T6465 Wiretap event rate display maximum of 25 events / s

Wiretap Watch window is limited to displaying events at a maximum of 25 events/s.  If there are more than 25 event/s which match the Wiretap filter this will result in events being dropped and not displayed.

Workaround: Define filter with smaller scope by adding a user and defining more precisely the path in the filter.  A report may also be run using same filter to retrieve all related results.

—————————————————–