Network and Storage Protocols

CIFS audit log integration with SIEM tools

Sushanth
10,591 Views

We have a third-party security tool, LogRhythm, to monitor the event logs from all the systems in the environment. According to the security guy, we need an agent to be installed on all hosts that need to be monitored. I wonder how an agent can be installed on the NetApp FAS 8080 system to enable the event logs to be monitored by LogRhythm. We want to integrate the auditing logs from CIFS and NFS shares so they can be monitored.

Did anyone have success integrating such tools? Thank you.

1 ACCEPTED SOLUTION

GidonMarcus
10,506 Views

Hi

ONTAP is a very, very customized version of FreeBSD; you can't install an agent on it, and there is no product on the market that requires that.

The FAS8080 can run two modes of the Data ONTAP operating system, 7-Mode and Clustered. Clustered is the latest and what most new 8080s shipped with, therefore I link only to the cluster-mode docs. But it's important that in your further searching on this topic you know which exact NetApp product you are using, as some vendors might only support the legacy 7-Mode and have not yet adapted to the recent one.

In clustered Data ONTAP there are two methods by which software can monitor access to files on the NetApp:

1. FPolicy. You can see the list of supported solutions that use that method; your product is not there:

https://kb.netapp.com/support/s/article/ka21A0000000joxQAA/what-are-the-fpolicy-partner-solutions-for-clustered-data-ontap?language=en_US

2. EVTX and XML standard auditing files, which I suspect that product might know how to use, but I couldn't find good public evidence for it:

https://www.netapp.com/us/media/tr-4189.pdf

It's also important to know that there is a product-level audit log that saves all the operations the storage admin does. This might also be good to monitor, and it can be done most easily with syslog:

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-279ACA3C-00D2-490C-BEE9-C05625A550B1.html

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
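
The second method in the answer above (EVTX/XML audit files) and the syslog suggestion meet at one practical point: something has to read the file-based audit records and turn them into messages a SIEM collector will accept. The script below is an added example for this thread, not NetApp's code, not LogRhythm's, and not taken from TR-4189. It assumes the XML audit log follows the Windows Event XML schema; the element layout and the Data Name values it reads (SubjectUserName, SubjectDomainName, SubjectIP, ObjectName, AccessMask) are assumptions, the records in SAMPLE_XML are constructed, and binary EVTX files are out of scope. It emits RFC 5424 syslog lines and shows the part that is easy to get wrong when forwarding file-access audits: a file name is attacker-controlled input, so structured-data values are escaped and control characters stripped before the line is built, otherwise a name containing `]` or a newline could truncate the record or forge a second one at the collector.

```python
"""ONTAP XML audit events -> RFC 5424 syslog lines.

Added example for this thread, not NetApp or LogRhythm code. Assumes the XML
audit log uses the Windows Event XML schema; the Data Name values below
(SubjectIP, ObjectName, ...) are assumptions and SAMPLE_XML is constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

WIN_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
AUDIT_FAILURE = 0x8010000000000000  # Windows "Audit Failure" keyword bit
LOG_AUDIT_FACILITY = 13             # RFC 5424 facility 13 = log audit
SD_ID = "ontapAudit@32473"          # 32473 is the enterprise number reserved for examples

# Constructed sample: a successful read (4663) and a denied open (4656) whose
# file name carries ']' and an embedded newline (&#10;) to exercise escaping.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="NetApp-Security-Auditing"/><EventID>4663</EventID>
  <Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2019-03-04T10:15:30.123456789Z"/>
  <Computer>svm1/fileserver</Computer></System>
 <EventData><Data Name="SubjectUserName">jdoe</Data>
  <Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectIP">10.0.0.25</Data>
  <Data Name="ObjectName">(vol1);/finance/payroll.xlsx</Data>
  <Data Name="AccessMask">0x1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="NetApp-Security-Auditing"/><EventID>4656</EventID>
  <Keywords>0x8010000000000000</Keywords>
  <TimeCreated SystemTime="2019-03-04T10:16:02.000000000Z"/>
  <Computer>svm1/fileserver</Computer></System>
 <EventData><Data Name="SubjectUserName">guest</Data>
  <Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectIP">10.0.0.99</Data>
  <Data Name="ObjectName">(vol1);/finance/q4 [final]&#10;injected.xlsx</Data>
  <Data Name="AccessMask">0x2</Data></EventData>
</Event>
</Events>"""


def parse_audit_xml(xml_text):
    """Return one flat dict per <Event>, keeping only the fields we forward."""
    events = []
    for ev in ET.fromstring(xml_text).iter(WIN_NS + "Event"):
        system = ev.find(WIN_NS + "System")
        data = {d.get("Name"): (d.text or "") for d in ev.iter(WIN_NS + "Data")}
        keywords = int(system.findtext(WIN_NS + "Keywords"), 16)
        events.append({
            "event_id": int(system.findtext(WIN_NS + "EventID")),
            "time": system.find(WIN_NS + "TimeCreated").get("SystemTime"),
            "computer": system.findtext(WIN_NS + "Computer"),
            # Success/failure is carried in the Keywords bitmask, not the EventID.
            "outcome": "failure" if (keywords & AUDIT_FAILURE) == AUDIT_FAILURE else "success",
            "user": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            "client_ip": data.get("SubjectIP", ""),
            "object": data.get("ObjectName", ""),
            "access_mask": data.get("AccessMask", ""),
        })
    return events


def _strip_ctl(value):
    """Replace control characters so a value cannot inject CR/LF or NUL into the record."""
    return re.sub(r"[\x00-\x1f\x7f]", " ", value)


def _sd_escape(value):
    """RFC 5424 6.3.3: escape the three characters that can end or corrupt an SD element."""
    return (_strip_ctl(value).replace("\\", "\\\\")
            .replace('"', '\\"').replace("]", "\\]"))


def _rfc5424_time(system_time):
    """Trim fractional seconds to the 6 digits RFC 5424 allows (ONTAP writes 9)."""
    return re.sub(r"(\.\d{1,6})\d*", r"\1", system_time)


def to_syslog(event):
    """Render one parsed event as an RFC 5424 message (transport framing is separate)."""
    severity = 4 if event["outcome"] == "failure" else 6  # warning vs informational
    pri = LOG_AUDIT_FACILITY * 8 + severity
    sd = " ".join(f'{k}="{_sd_escape(str(event[k]))}"'
                  for k in ("event_id", "outcome", "user", "client_ip", "object", "access_mask"))
    msg = f"file access {event['outcome']}: {event['user']} -> {event['object']}"
    return (f"<{pri}>1 {_rfc5424_time(event['time'])} {event['computer'].replace(' ', '_')} "
            f"ontap-audit - EVT{event['event_id']} [{SD_ID} {sd}] {_strip_ctl(msg)}")


def to_syslog_lines(xml_text):
    """Parse a whole XML audit file and return its syslog lines in order."""
    return [to_syslog(e) for e in parse_audit_xml(xml_text)]


if __name__ == "__main__":
    # Pass the path of an XML audit file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(to_syslog_lines(text)))
```

Run it against a file copied from the audit destination volume and pipe the output into whatever forwarder already speaks to the SIEM; the denied-open record in the sample shows the `]` turned into `\]` and the newline removed, which is the difference between one record and two.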

2 REPLIES 2

swannadjemian
10,236 Views

Hello,

Have you configured the audit log with LogRhythm? What method was used? EVTX files?

Thank you