- From the left navigation menu, select Settings and then Auditing.
- Complete the General Settings:
  - Audit directory name: Specify a name for the audit directory. A directory of this name will be created directly under the root directory of the Element Store. Audit records will be written to this directory.
  - Read-access Users: Specify users in this field to grant them read access to all files in the audit directory. Specify each user by user name. Enter a comma to start entering a new user. Each user name appears with a removal button so that you can remove it if needed while you are editing the field.
  - Read-access Groups: Specify groups in this field to grant them read access to all files in the audit directory. Specify each group by group name. Enter a comma to start entering a new group. Each group name appears with a removal button so that you can remove it if needed while you are editing the field.
  - Max audit file size: The maximum size of each file of audit records. Audit records are written to subdirectories of the audit directory per CNode core. Records written to each directory roll over to a new file when the file reaches this size. This setting limits the size of each audit file, but it does not limit the total size of all audit files. Specify the value with units of MB, GB, TB and so on. Default: 1024 MB
- Under Global Baseline Audit Settings, optionally set auditing settings to apply globally to all views. Any settings that you do not enable here can be set per view policy. Settings that you do enable here will apply to all views, even if the view policy does not have these settings.
  - Slide the Enable setting to the ON position. Default global audit settings are now enabled.
  - From the Protocols dropdown, select one or more protocols to enable auditing for:
    - NFSv3. Enables auditing of NFSv3 operations.
    - NFSv4.1. Enables auditing of NFSv4.1 operations.
    - SMB. Enables auditing of SMB operations.
  - Select the categories of operations that you want to be audited:

| Category of Operations to audit | Description | NFSv3 Operations Included (provided NFSv3 protocol is enabled for auditing) | NFSv4.1 Operations Included (provided NFSv4.1 protocol is enabled for auditing) | SMB Operations Included (provided SMB protocol is enabled for auditing) |
|---|---|---|---|---|
| Create/Delete Files/Dirs/Objects | Operations that create or delete files and directories. | CREATE, when it creates a file; MKDIR; LINK; SYMLINK; MKNOD; REMOVE; RMDIR; RENAME | CREATE; OPEN, when it creates a file; LINK; REMOVE; RENAME | CREATE, when it creates a new file/directory or opens an existing file in delete-on-close mode; SET_INFO, when it is used for delete on close; SET_INFO, when it renames a file/directory |
| Modify data/MD | Operations that modify data (this includes operations that change the file size) and metadata. | CREATE, when it truncates a file; WRITE; SETATTR; SETACL | OPEN, if it truncates an existing file; WRITE; SETATTR | CREATE, if it truncates an existing file; SET_INFO, if it changes metadata |
| Read data | Operations that read data and metadata. | READ; READDIR; READDIRPLUS; GETACL; ACCESS, if the RPC failed or if the granted access is lower than the requested access | READ; GETATTR; READDIR; VERIFY | READ; QUERY_DIRECTORY |
| Session create/close | For sessions that use Kerberos 5 authentication (krb5, krb5i, or krb5p): Session creation and closing operations. | N/A | Kerberos user token creation; Kerberos user token deletion | SESSION_SETUP; LOGOFF |
  - Optionally change the Audit record options:
    - Log full path: Available and relevant for NFSv3 and NFSv4.1 audits. If enabled, audit records contain the full Element Store path to the requested resource. This may affect performance. When disabled, the view path is recorded.
    - Log username: Disabled by default. If enabled, audit records contain the username (if a username can be retrieved from the auth provider).
- Click Save.
- To view the currently enabled global auditing settings, use the cluster show command with the --audit parameter. In the following example, auditing has not been enabled on the cluster:

    vcli: admin> cluster show --audit
    +--------------------------+----------+
    | ID                       | 1        |
    | Name                     | Bonzo-02 |
    | Audit-dir-name           |          |
    | Read-access-users        | []       |
    | Read-access-users-groups | []       |
    | Max-file-size(GB)        | 1.024    |
    | Max-retention-period     | 1        |
    | Max-retention-timeunit   | h        |
    | Protocols                | []       |
    +--------------------------+----------+
    Auditing disabled for all protocols
- To configure global auditing settings, use the cluster modify command. For example, the following command sets the audit directory name to vast_audit_dir, grants read access for the audit files to the user janef and enables auditing of a few types of NFSv3 and SMB operations:

    vcli: admin> cluster modify --id 1 --audit-protocols NFSv3,SMB --read-access-users janef --audit-operations create_delete_files_dirs_objects,modify_data_md,read_data --audit-dir-name .vast_audit_dir --enable-audit-settings
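One way to check captured cluster show --audit output against an expected baseline (audit directory set, required protocols audited, audit readers limited to an allowlist). This is an added example, not part of the original documentation or the vendor's tooling. It assumes the table layout shown above; the rendering of non-empty lists, the user tmpuser and all function names are constructed for illustration.

```python
import re

# Output of `cluster show --audit` as shown on this page (auditing not enabled).
PAGE_SAMPLE = """\
+--------------------------+----------+
| ID                       | 1        |
| Name                     | Bonzo-02 |
| Audit-dir-name           |          |
| Read-access-users        | []       |
| Read-access-users-groups | []       |
| Max-file-size(GB)        | 1.024    |
| Max-retention-period     | 1        |
| Max-retention-timeunit   | h        |
| Protocols                | []       |
+--------------------------+----------+
Auditing disabled for all protocols
"""

# Constructed sample; the non-empty list rendering and "tmpuser" are assumptions.
CONSTRUCTED_ENABLED = """\
| Audit-dir-name    | .vast_audit_dir  |
| Read-access-users | [janef, tmpuser] |
| Protocols         | [NFSv3, SMB]     |
"""

ROW = re.compile(r"^\|\s*(.+?)\s*\|\s*(.*?)\s*\|$")  # one "| key | value |" row

def parse_audit_table(text):
    """Map each table row to a dict entry; borders and status lines are skipped."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def as_list(value):
    """Split a bracketed, comma-separated cell into items; an empty cell gives []."""
    items = value.strip("[] ").split(",")
    return [i.strip(" '\"") for i in items if i.strip(" '\"")]

def check_baseline(text, required_protocols, allowed_readers):
    """Return a list of findings; an empty list means the baseline is met."""
    cfg, findings = parse_audit_table(text), []
    if not cfg.get("Audit-dir-name"):
        findings.append("no audit directory configured")
    missing = set(required_protocols) - set(as_list(cfg.get("Protocols", "")))
    if missing:
        findings.append("protocols not audited: " + ", ".join(sorted(missing)))
    extra = set(as_list(cfg.get("Read-access-users", ""))) - set(allowed_readers)
    if extra:
        findings.append("unexpected audit readers: " + ", ".join(sorted(extra)))
    return findings
```

Calling check_baseline(PAGE_SAMPLE, ["NFSv3", "SMB"], ["janef"]) reports the missing audit directory and the unaudited protocols; the same call on the constructed sample flags only the reader that is not on the allowlist.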