Network and Storage Protocols

CIFS audit log integration with SIEM tools

Sushanth
11,637 Views

we have a third party security tools such as LOGRHYTHM to monitor the event logs from all the systems in the environment.According to the Security guy we need agent to be installed on all hosts which needs to be monitored,i wonder how can agent be installed on the Netapp FAS 8080 system to enable the event logs to be monitored by LOGRHYTHM.we wanted to integrate the Auditing logs from CIFS and NFS shares to be monitored.

 

Did anyone has success in integrating such tools.Thank you.

1 ACCEPTED SOLUTION

GidonMarcus
11,552 Views

Hi

 

Ontap is a very very customized version of FreeBSD, you can't install agent on it. and there no product in the market that requires that.

 

FAS8080 can run two Modes of Data ONTAP Operation System,, 7-Mode, and Clustered. while Clustered is latest and what most new 8080 shipped with therefor i link only to cluster mode doc. but it's important that in your forward searching about that topic you know what exact Netapp product you are using. as some vendors might only support the legacy 7-mode and not yet adopted to the recent.

 

 

 

in Clustered Data ontap there two methods that software can monitor the access to files on the NetApp:

 

1. Fpolicy. you can see list of supported solutions that using that method - your product is not there:

https://kb.netapp.com/support/s/article/ka21A0000000joxQAA/what-are-the-fpolicy-partner-solutions-for-clustered-data-ontap?language=en_US

 

2. EVTX And XML  standard auditing files: that i suspect that product might know how to use but coulden't find a good public evidence for,

https://www.netapp.com/us/media/tr-4189.pdf

 

Its also important to know that there an Product level audit log that saves all the operations that the storage admin do. this also might be good to monitor. and can be done most easily with syslog

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-279ACA3C-00D2-490C-BEE9-C05625A550B1.html

 

 

 

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

2 REPLIES 2

GidonMarcus
11,553 Views

Hi

 

Ontap is a very very customized version of FreeBSD, you can't install agent on it. and there no product in the market that requires that.

 

FAS8080 can run two Modes of Data ONTAP Operation System,, 7-Mode, and Clustered. while Clustered is latest and what most new 8080 shipped with therefor i link only to cluster mode doc. but it's important that in your forward searching about that topic you know what exact Netapp product you are using. as some vendors might only support the legacy 7-mode and not yet adopted to the recent.

 

 

 

in Clustered Data ontap there two methods that software can monitor the access to files on the NetApp:

 

1. Fpolicy. you can see list of supported solutions that using that method - your product is not there:

https://kb.netapp.com/support/s/article/ka21A0000000joxQAA/what-are-the-fpolicy-partner-solutions-for-clustered-data-ontap?language=en_US

 

2. EVTX And XML  standard auditing files: that i suspect that product might know how to use but coulden't find a good public evidence for,

https://www.netapp.com/us/media/tr-4189.pdf

 

Its also important to know that there an Product level audit log that saves all the operations that the storage admin do. this also might be good to monitor. and can be done most easily with syslog

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-279ACA3C-00D2-490C-BEE9-C05625A550B1.html

 

 

 

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

swannadjemian
11,282 Views

Hello,

 

Have you configured the audit log with LOGRHYTHM? What method was used? Evtx files?

 

Thank you

Public