Network and Storage Protocols

NetApp, event logs and SIEM - ArcSight


I am writing to inquire if anyone has experience with sending audit-file information to a Security Incident and Event Manager (SIEM) like ArcSight.

I am particularly interested in MS file access logs.



If ArcSight cannot do this natively, then you need Adiscon EventReporter.


The NetApp administrator and I got this to work - mostly configuration requirements on the NetApp end.

Can you describe what the NetApp admin had to do?


We finally went with LogRhythm for event log and CIFS log reporting.  Does this nicely without an agent, etc.

However, nothing I can find can do Real Time File Integrity Monitoring (FIM) without doing away with NetApp CIFS and migrating the file shares from the NetApp to a Windows front-end Server.

Here is some info on File Integrity Monitoring (FIM):

1. Alerts on any file or folder additions, deletions, modifications, or reads.

2. Can alert on a variety of malicious behaviors, from improper user access of confidential files to botnet related breaches and transmittal of sensitive data.

3. Meets PCI DSS compliance for sections 11.5* and 12.9 – specifically addresses 35 specific mandates of PCI DSS 1.2.

4. Provides a complete set of forensic data for rapidly identifying the root cause of security breaches.

*11.5 mandates that we deploy file integrity monitoring to alert personnel to unauthorized modifications of critical system or content files, and perform file comparisons at least weekly or more frequently.

My two cents.
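The thread stops at describing what FIM does. As an added example (not code from the thread, from NetApp, or from any of the products named above), here is the periodic file-comparison half of PCI DSS 11.5 in Python: hash every file under a monitored tree, store that as a baseline, and on the next run report additions, deletions and modifications. The directory layout, file names and the "FIM ADDED/DELETED/MODIFIED" alert format are constructed for the demo and are assumptions, not anything the posters used. Note what a digest comparison cannot see: the read of `server.key` in the demo leaves its hash untouched, which is exactly the gap the poster hit when looking for real-time alerting on reads of a CIFS share.

```python
"""Baseline-and-compare file integrity check (added example, not the
thread's or any vendor's code). Covers the weekly comparison PCI DSS
11.5 asks for; reads are invisible to it by design of the technique."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read files in 64 KiB pieces so large files do not load whole


def file_digest(path):
    """SHA-256 of a file's contents, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(digests, path):
    """Persist a snapshot; keep it outside the monitored tree and write-protected."""
    with open(path, "w") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return the three change classes a FIM tool alerts on."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "deleted": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def alerts(diff):
    """One line per change, in an assumed shape a SIEM could ingest."""
    return [f"FIM {kind.upper()} {rel}"
            for kind in ("added", "deleted", "modified")
            for rel in diff[kind]]


def demo():
    """Constructed scenario: take a baseline, then add, modify, delete and read."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root = Path(tree)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "server.key").write_text("-----BEGIN PRIVATE KEY-----\n")
        (root / "readme.txt").write_text("hello\n")
        baseline_path = Path(store) / "baseline.json"   # stored outside the tree
        save_baseline(snapshot(root), baseline_path)

        (root / "etc" / "server.key").read_text()        # a read: digest unchanged, never reported
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "readme.txt").unlink()
        (root / "etc" / "new.key").write_text("new\n")

        diff = compare(load_baseline(baseline_path), snapshot(root))
        return diff, alerts(diff)


if __name__ == "__main__":
    diff, lines = demo()
    print("\n".join(lines))
```

Run on a schedule at least weekly (11.5's floor), keep `baseline.json` somewhere the monitored hosts cannot write, and re-baseline only after an approved change; for "who read this file" you still need the audit trail from the file server or a front-end that can emit access events, as the thread concludes.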