
CIFS audit log integration with SIEM tools


We have third-party security tools such as LogRhythm to monitor the event logs from all the systems in the environment. According to the security guy, we need an agent installed on all hosts that need to be monitored. I wonder how an agent can be installed on the NetApp FAS 8080 system to enable the event logs to be monitored by LogRhythm. We wanted to integrate the auditing logs from CIFS and NFS shares to be monitored.


Did anyone have success integrating such tools? Thank you.

Re: CIFS audit log integration with SIEM tools

Hi


ONTAP is a very, very customized version of FreeBSD; you can't install an agent on it, and there is no product on the market that requires that.


The FAS8080 can run two modes of the Data ONTAP operating system, 7-Mode and Clustered. Clustered is the latest and what most new 8080s shipped with, therefore I link only to the cluster-mode docs. But it's important that in your further searching on that topic you know what exact NetApp product you are using, as some vendors might only support the legacy 7-Mode and have not yet adopted the recent one.


In Clustered Data ONTAP there are two methods that software can use to monitor access to files on the NetApp:


1. FPolicy. You can see the list of supported solutions using that method; your product is not there:

https://kb.netapp.com/support/s/article/ka21A0000000joxQAA/what-are-the-fpolicy-partner-solutions-for-clustered-data-ontap?language=en_US


2. EVTX and XML standard auditing files, which I suspect that product might know how to use, but I couldn't find good public evidence for:

https://www.netapp.com/us/media/tr-4189.pdf


It's also important to know that there is a product-level audit log that saves all the operations the storage admin does. This also might be good to monitor, and can be done most easily with syslog:

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-279ACA3C-00D2-490C-BEE9-C05625A550B1.html


Gidi
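As an added example (not code from the thread or from NetApp), here is a small parser for the XML-format audit file mentioned under method 2 that flattens each event and flags records carrying the Windows DELETE access bit, the kind of pre-processing a SIEM collector does before forwarding. The sample record is constructed in the Windows Event XML style those files follow, and its field names (SubjectUserName, ObjectName, AccessMask) are assumptions, not a capture from a real system.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the Windows Event XML style that ONTAP's XML audit
# files follow (TR-4189); field names are assumptions, not a real capture.
SAMPLE_AUDIT_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID>
  <TimeCreated SystemTime="2017-05-10T09:12:44Z"/></System>
 <EventData>
  <Data Name="SubjectUserName">CORP\\alice</Data>
  <Data Name="SubjectIP">10.1.2.3</Data>
  <Data Name="ObjectName">(/vol1);/finance/q1.xlsx</Data>
  <Data Name="AccessMask">0x10000</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID>
  <TimeCreated SystemTime="2017-05-10T09:13:01Z"/></System>
 <EventData>
  <Data Name="SubjectUserName">CORP\\bob</Data>
  <Data Name="SubjectIP">10.1.2.9</Data>
  <Data Name="ObjectName">(/vol1);/finance/notes.txt</Data>
  <Data Name="AccessMask">0x1</Data>
 </EventData></Event>
</Events>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE_BIT = 0x10000  # Windows ACCESS_MASK DELETE right


def parse_audit_events(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into one dict of System and EventData fields."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": ev.findtext("e:System/e:EventID", "", NS),
               "Time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime", "")}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name", "")] = (d.text or "").strip()
        events.append(rec)
    return events


def delete_events(events: List[Dict[str, str]]) -> List[str]:
    """Return 'user -> object' for 4663 records whose AccessMask has DELETE set."""
    hits = []
    for rec in events:
        mask = int(rec.get("AccessMask", "0"), 16)
        if rec.get("EventID") == "4663" and mask & DELETE_BIT:
            hits.append(f"{rec['SubjectUserName']} -> {rec['ObjectName']}")
    return hits
```

Feeding the flattened dicts to a syslog or CEF formatter is the remaining step before LogRhythm ingests them.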

Re: CIFS audit log integration with SIEM tools

Hello,


Have you configured the audit log with LogRhythm? What method was used? EVTX files?


Thank you