Solved: CIFS audit log integration with SIEM tools

Sushanth · ‎2017-03-07

we have a third party security tools such as LOGRHYTHM to monitor the event logs from all the systems in the environment.According to the Security guy we need agent to be installed on all hosts which needs to be monitored,i wonder how can agent be installed on the Netapp FAS 8080 system to enable the event logs to be monitored by LOGRHYTHM.we wanted to integrate the Auditing logs from CIFS and NFS shares to be monitored.

Did anyone has success in integrating such tools.Thank you.

GidonMarcus · ‎2017-03-10

Hi

Ontap is a very very customized version of FreeBSD, you can't install agent on it. and there no product in the market that requires that.

FAS8080 can run two Modes of Data ONTAP Operation System,, 7-Mode, and Clustered. while Clustered is latest and what most new 8080 shipped with therefor i link only to cluster mode doc. but it's important that in your forward searching about that topic you know what exact Netapp product you are using. as some vendors might only support the legacy 7-mode and not yet adopted to the recent.

in Clustered Data ontap there two methods that software can monitor the access to files on the NetApp:

1. Fpolicy. you can see list of supported solutions that using that method - your product is not there:

https://kb.netapp.com/support/s/article/ka21A0000000joxQAA/what-are-the-fpolicy-partner-solutions-for-clustered-data-ontap?language=en_US

2. EVTX And XML standard auditing files: that i suspect that product might know how to use but coulden't find a good public evidence for,

https://www.netapp.com/us/media/tr-4189.pdf

Its also important to know that there an Product level audit log that saves all the operations that the storage admin do. this also might be good to monitor. and can be done most easily with syslog

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-279ACA3C-00D2-490C-BEE9-C05625A550B1.html

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

GidonMarcus · ‎2017-03-10

Hi

Ontap is a very very customized version of FreeBSD, you can't install agent on it. and there no product in the market that requires that.

FAS8080 can run two Modes of Data ONTAP Operation System,, 7-Mode, and Clustered. while Clustered is latest and what most new 8080 shipped with therefor i link only to cluster mode doc. but it's important that in your forward searching about that topic you know what exact Netapp product you are using. as some vendors might only support the legacy 7-mode and not yet adopted to the recent.

in Clustered Data ontap there two methods that software can monitor the access to files on the NetApp:

1. Fpolicy. you can see list of supported solutions that using that method - your product is not there:

https://kb.netapp.com/support/s/article/ka21A0000000joxQAA/what-are-the-fpolicy-partner-solutions-for-clustered-data-ontap?language=en_US

2. EVTX And XML standard auditing files: that i suspect that product might know how to use but coulden't find a good public evidence for,

https://www.netapp.com/us/media/tr-4189.pdf

Its also important to know that there an Product level audit log that saves all the operations that the storage admin do. this also might be good to monitor. and can be done most easily with syslog

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-279ACA3C-00D2-490C-BEE9-C05625A550B1.html

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

swannadjemian · ‎2017-05-04

Hello,

Have you configured the audit log with LOGRHYTHM? What method was used? Evtx files?

Thank you

CIFS audit log integration with SIEM tools

Audit log

Forwarding CIFS Audit logs to splunk server

CIFS Audit log forwarding to Splunk Server

NFS AUDIT LOG ENABLING

CIFS share auditing