Network Storage Protocols Discussions

CIFS Audit Log

cjeff

Can we forward CIFS audit log to syslog server or any other tools to collect

the CIFS audit log on filer?

Thanks,

Jeff


Re: CIFS Audit Log

reena

Hi Jeff,

You could use our partner software like Loglogic, NTP, etc. for that purpose. The native logging doesn't allow moving the logs to a syslog server.

-Reena

Re: CIFS Audit Log

billrothjr

More info on the LogLogic Open Log Platform, can be found at http://loglogic.com/products/index.php.

br

Re: CIFS Audit Log

txskibum2000

Jeff,

What did you end up using to forward CIFS Audit Logs? Did you use the "LogLogic Open Log Platform" as recommended below?

Thanks!

Dale

Re: CIFS Audit Log

jackl51047

The best way to capture this audit log is by using a Log Management product like LogLogic. LogLogic appliances support collecting logs using file pulls (as well as receiving syslog and other "push" log data).

With LogLogic, you can define a CIFS share, and the LogLogic appliance can pull the log on a schedule. The LogLogic system can then analyze and parse the file for reporting. The configuration is done through a simple GUI and is well documented in the LogLogic Administrator Guide. You can find more information on this at the LogLogic web site, http://www.loglogic.com

Re: CIFS Audit Log

txskibum2000

Thank you so much for the information about LogLogic. I have reached out to them for more information and a possible call or web demo.

I have one more question... Are you or anyone familiar with "TriGeo"? Have you heard anything about TriGeo in comparison to LogLogic?

Here is their website:  http://www.trigeo.com/products/

Thanks again!

Dale

Re: CIFS Audit Log

Ronald_vanderPutte

Dale,

We are actually currently implementing TriGeo and we're trying to find the best way to get the CIFS audit logs from the NetApp to TriGeo. Still examining this. But judging from this thread it looks like "push" is out of the question.

Do you have any experience with TriGeo or is it something you're looking into?

Re: CIFS Audit Log

txskibum2000

I do not have any experience with TriGeo or LogLogic. I am asking for feedback from anyone that may have experience with either product getting CIFS logs from the filer.

Re: CIFS Audit Log

txskibum2000

Any more feedback on CIFS Auditing to a syslog appliance?  Has anyone been successful?

Re: CIFS Audit Log

Ronald_vanderPutte

We were able to get it set up using TriGeo, but the TriGeo tool for NetApp is still in beta, so TriGeo customers will need to request it.

We're currently only monitoring one folder on each filer and it has been tested by our TriGeo administrator and it works. We've only used it for about 6 weeks now though.

Re: CIFS Audit Log

snagesh

Hi,

We can configure syslog.conf to push syslog information to a remote host, but CIFS audit logging is a completely different framework and is used for an altogether different purpose. Currently there is no way to push CIFS native auditing logs to a remote host. Instead, the remote host can configure a cron job to periodically pull the logs from the ONTAP box, either through ftp/sftp or scp.

Hope it helps

Re: CIFS Audit Log

cjeff

I did the test with EventReporter; it seems it can forward the eventlog to the syslog server.

More information:

http://www.eventreporter.com/common/en/articles/netapp-eventlog-syslog.php
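A worked example of what the two posts above describe, added here and not code from NetApp, EventReporter, LogLogic or anyone in the thread: the pull side fetches the saved CIFS audit .evt file with scp/sftp (as snagesh says), and the forwarding side does what cjeff tested with EventReporter, turning each event into a syslog line. The .evt layout is the standard Windows EVENTLOGRECORD / ELF_LOGFILE_HEADER format that the filer writes and Event Viewer reads; the sample image, the event ID 560, the host name FILER1 and the audit strings are constructed for the demo and are not a captured filer log. Facility 13 ("log audit") and the SUCCESS/FAILURE mapping to syslog severity are this example's choices.

```python
"""Parse a NetApp 7-Mode CIFS audit .evt (Windows EVENTLOGRECORD format) and render
each event as an RFC 3164 syslog line. Added example; not NetApp or EventReporter code."""
import socket
import struct
import time

LFLE = b"LfLe"           # signature in ELF_LOGFILE_HEADER and in EVENTLOGRECORD.Reserved
FILE_HEADER_LEN = 48     # ELF_LOGFILE_HEADER size
RECORD_HEADER_LEN = 56   # fixed part of EVENTLOGRECORD
EVENTLOG_AUDIT_SUCCESS = 0x08
EVENTLOG_AUDIT_FAILURE = 0x10


def _wstr_at(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, offset past the NUL)."""
    end = off
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2


def _sid_to_str(raw):
    """Render a binary SID (revision, sub-authority count, 48-bit authority, sub-authorities)."""
    if len(raw) < 8:
        return ""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def parse_evt(data):
    """Walk the EVENTLOGRECORDs of an .evt image and return them as dicts.
    The walk stops at the first record without the 'LfLe' signature: the EOF record
    carries 0x11111111 there, and a truncated or corrupt record fails the same checks."""
    off = FILE_HEADER_LEN if data[:4] == struct.pack("<I", FILE_HEADER_LEN) and data[4:8] == LFLE else 0
    records = []
    while off + RECORD_HEADER_LEN <= len(data):
        length, = struct.unpack_from("<I", data, off)
        if data[off + 4:off + 8] != LFLE or length < RECORD_HEADER_LEN or off + length > len(data):
            break
        (rec_no, t_gen, _t_wr, event_id, ev_type, n_strings, _cat, _flags, _closing,
         str_off, sid_len, sid_off, _data_len, _data_off) = struct.unpack_from(
            "<IIIIHHHHIIIIII", data, off + 8)
        if struct.unpack_from("<I", data, off + length - 4)[0] != length:   # trailing length
            break
        source, p = _wstr_at(data, off + RECORD_HEADER_LEN)
        computer, _ = _wstr_at(data, p)
        strings, p = [], off + str_off
        for _ in range(n_strings):
            s, p = _wstr_at(data, p)
            strings.append(s)
        records.append({"record": rec_no, "time": t_gen, "event_id": event_id & 0xFFFF,
                        "type": ev_type, "source": source, "computer": computer,
                        "sid": _sid_to_str(data[off + sid_off:off + sid_off + sid_len]),
                        "strings": strings})
        off += length
    return records


def to_syslog(rec, facility=13):
    """Render one record as an RFC 3164 line; facility 13 is 'log audit' (example choice)."""
    failed = rec["type"] == EVENTLOG_AUDIT_FAILURE
    ts = time.strftime("%b %d %H:%M:%S", time.gmtime(rec["time"]))
    ts = ts[:4] + ts[4:6].lstrip("0").rjust(2) + ts[6:]          # RFC 3164 space-pads the day
    return "<%d>%s %s CIFSAudit: %s EventID=%d User=%s %s" % (
        facility * 8 + (4 if failed else 6), ts, rec["computer"],
        "FAILURE" if failed else "SUCCESS", rec["event_id"], rec["sid"], " | ".join(rec["strings"]))


def send_udp(lines, host, port=514):
    """Forward rendered lines to a syslog collector, one UDP datagram per line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (host, port))


def build_record(rec_no, t, event_id, ev_type, source, computer, sid, strings):
    """Constructed EVENTLOGRECORD for the demo (real records come from the filer's .evt)."""
    body = (source + "\x00").encode("utf-16-le") + (computer + "\x00").encode("utf-16-le")
    sid_off = RECORD_HEADER_LEN + len(body)
    body += sid
    str_off = RECORD_HEADER_LEN + len(body)
    body += "".join(s + "\x00" for s in strings).encode("utf-16-le")
    data_off = RECORD_HEADER_LEN + len(body)
    length = RECORD_HEADER_LEN + len(body) + 4
    pad = -length % 4
    length += pad
    hdr = struct.pack("<I", length) + LFLE + struct.pack(
        "<IIIIHHHHIIIIII", rec_no, t, t, event_id, ev_type, len(strings), 0, 0, 0,
        str_off, len(sid), sid_off, 0, data_off)
    return hdr + body + b"\x00" * pad + struct.pack("<I", length)


def build_sample_evt():
    """Constructed two-record .evt image: file header, records, EOF record. Not a real log."""
    sid = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1000, 2000, 3000, 1104)
    recs = build_record(1, 1307000000, 560, EVENTLOG_AUDIT_SUCCESS, "Security", "FILER1", sid,
                        ["Object Open", "File", "\\\\FILER1\\hr\\payroll.xls", "jdoe", "CORP"])
    recs += build_record(2, 1307000060, 560, EVENTLOG_AUDIT_FAILURE, "Security", "FILER1", sid,
                         ["Object Open", "File", "\\\\FILER1\\hr\\salaries.xls", "jdoe", "CORP"])
    end = FILE_HEADER_LEN + len(recs)
    header = struct.pack("<I", FILE_HEADER_LEN) + LFLE + struct.pack(
        "<IIIIIIIIII", 1, 1, FILE_HEADER_LEN, end, 3, 1, 0x10000, 0, 0, FILE_HEADER_LEN)
    eof = (struct.pack("<I", 0x28) + b"\x11" * 4 + b"\x22" * 4 + b"\x33" * 4 + b"\x44" * 4
           + struct.pack("<IIII", FILE_HEADER_LEN, end, 3, 1) + struct.pack("<I", 0x28))
    return header + recs + eof


if __name__ == "__main__":
    for rec in parse_evt(build_sample_evt()):
        print(to_syslog(rec))      # swap for send_udp([...], "collector") on a real pull
```

In use, the cron job snagesh mentions would scp the saved .evt to the collector host, read it with `open(path, "rb").read()`, and hand the bytes to parse_evt; the length checks and the trailing-length comparison make the parser stop cleanly on a file that was copied while the filer was still writing it, rather than emitting garbage events.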

CIFS Audit Log

ferdie

Are you looking to just collect the logs?  There is a tool that collects, analyzes, archives and reports on all sorts of access called Varonis.  I have been using Varonis DatAdvantage with Netapp for about 4 years now.  The best thing about it is that you can get alerts on access when an unauthorized but allowed user accesses a sensitive file/folder.  For instance, if a Domain Admin were to browse around HR/Payroll, I would get an email alert.  There is obviously a lot more you can do with the data collected, if so inclined.

Re: CIFS Audit Log

javierb

Hello people

I was asked by a customer here in Spain to double-check about OSSIM-AlienVault as the tool/SW to "decipher" and correlate information provided by the events generated by our CIFS audit logging.

I am not talking about the classical SYSLOG information but CIFS audit logging, as user snagesh mentioned in June 2011 in this community and thread.

Quite similar to what user ferdie wrote about Varonis and its capability to get alerts on unauthorized / allowed user accesses to sensitive files. Always within a Windows Domain.

Could you please tell anything about this OSSIM ?

Thanks

Re: CIFS Audit Log

nkollasch

Can we forward these logs to an RSA enVision appliance?

Re: CIFS Audit Log

snagesh

Hi Nicholas,

Kindly go through the "RSA enVision supported event source" document. They don't claim support for audit logs.
