File System Auditing with Dell EMC PowerScale and Dell EMC Common Event Enabler: Audit architecture
Starting with OneFS 7.1, a Likewise input/output (LWIO) filter manager was introduced. The filter manager provides a plug-in framework for hooking an input/output request packet (IRP) both before and after it is processed. The IRP is the mechanism that encodes a protocol request handled by LWIO and the corresponding request handled by the file system drivers.
Audit events are processed after the kernel has serviced the IRP. If the IRP involves a configured audit event for an Access Zone where auditing is enabled, an audit payload is created.
The audit events are logged on the individual nodes where the SMB/NFS client initiated the activity. The events are then stored in a binary file under /ifs/.ifsvar/audit/logs. The logs automatically roll over to a new file once the size reaches 1 GB. The default protection for the audit log files is +3. Given various regulatory requirements, such as HIPAA, which require two years of audit logs, the audit log files are not deleted from the cluster.
Starting in OneFS 7.1.1, audit logs are automatically compressed at file rollover: a new audit log file becomes the active file while the previous log file is compressed. The estimated space savings for the audit logs is 90%.
Once the auditing event has been logged, a CEE forwarder service forwards the event to CEE via an HTTP PUT operation.
At this point, CEE forwards the audit event to a defined endpoint, such as Varonis DatAdvantage. The audit events are coalesced by the third-party audit application.
OneFS 7.1.1 added the ability to forward configuration and protocol auditing events to a syslog server. By default, syslog forwarding writes protocol auditing events to /var/log/audit_protocol.log and configuration auditing events to /var/log/audit_config.
OneFS 8.0.1 adds support for concurrent delivery to multiple CEE servers. Each node initiates 20 HTTP 1.1 connections across a subset of up to 5 CEE servers, and the connections are balanced evenly across those servers. This change increases audit performance.
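As an added example (not Dell's code), the following Python models the per-node fan-out just described: a node picks at most five CEE servers, spreads its 20 connections evenly across them, and delivers each audit payload with an HTTP PUT. The JSON payload shape, the /cee path and the localhost stub servers are assumptions standing in for real CEE endpoints.

```python
import json
import threading
from collections import Counter
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CONNECTIONS_PER_NODE = 20  # HTTP 1.1 connections each node opens (OneFS 8.0.1+)
MAX_CEE_PER_NODE = 5       # a node delivers to at most 5 CEE servers

def choose_servers(cee_servers):
    # A node uses a subset of at most 5 of the configured CEE servers.
    return list(cee_servers)[:MAX_CEE_PER_NODE]

def balance_connections(servers):
    # Spread the node's 20 connections evenly over its chosen servers.
    return [servers[i % len(servers)] for i in range(CONNECTIONS_PER_NODE)]

class CEEStub(BaseHTTPRequestHandler):
    """Constructed stand-in for a CEE server: records every PUT it receives."""
    received = []  # (listening port, decoded payload)
    def do_PUT(self):
        body = self.rfile.read(int(self.headers["Content-Length"]))
        CEEStub.received.append((self.server.server_address[1], json.loads(body)))
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):  # keep the stub quiet
        pass

def start_stubs(count):
    # Start `count` stub CEE servers on ephemeral localhost ports.
    stubs = []
    for _ in range(count):
        httpd = ThreadingHTTPServer(("127.0.0.1", 0), CEEStub)
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        stubs.append(httpd)
    return stubs

def forward(events, servers, path="/cee"):  # "/cee" is a placeholder path
    """PUT each payload over a balanced connection; count HTTP 200s per server port."""
    conns = balance_connections(choose_servers(servers))
    delivered = Counter()
    for i, event in enumerate(events):
        host, port = conns[i % len(conns)]
        conn = HTTPConnection(host, port)
        conn.request("PUT", path, json.dumps(event), {"Content-Type": "application/json"})
        resp = conn.getresponse()
        conn.close()
        if resp.status == 200:
            delivered[port] += 1
    return delivered
```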
Starting with OneFS 8.2.0, protocol auditing offers more granular control over which protocol activity is audited: administrators can select the protocol audit events to collect, so OneFS no longer records events that the third-party auditing application does not register for. Dropping these unneeded events increases performance and efficiency.