To enable protocol auditing in the OneFS WebUI, refer to the steps below:
1. Select Cluster Management
2. Select Auditing
3. Click Enable Protocol Access Auditing
4. Add Access Zone(s) that need to be audited
5. In the Event Forwarding section, enter the uniform resource identifier (URI) of the server where CEE runs. The format for the entry is http://FQDN:port/cee, and 12228 is the default CEE HTTP listen port. For example: http://cee.example.com:12228/cee
6. Hostname – Storage cluster name
Note: Hostname is required only if needed by 3rd party audit application and it should match the name used to define the file server in the auditing application.
To enable protocol auditing, use the following CLI command:
isi audit settings global modify --protocol-auditing-enabled on
To disable protocol auditing, use the following CLI command:
isi audit settings global modify --protocol-auditing-enabled off
To add an access zone to auditing, use the following CLI command:
isi audit settings global modify --audited-zones <ZONE>
To view the audit settings:
# isi audit settings global view
Protocol Auditing Enabled: No
Audited Zones: System
CEE Server URIs: http://cee.example.com:12228/cee
Hostname: cluster.example.com
Config Auditing Enabled: Yes
Config Syslog Enabled: Yes
Config Syslog Servers: -
Protocol Syslog Servers: -
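The settings view above can be checked mechanically after a change. The following is an added example, not part of the Dell EMC documentation: it parses the output shown on this page and reports why protocol events would not reach the CEE server. The function names are hypothetical, and the comma-separated form of multi-valued fields is an assumption.

```python
from urllib.parse import urlsplit
# Output of "isi audit settings global view", copied from this page.
SAMPLE_VIEW = """\
Protocol Auditing Enabled: No
Audited Zones: System
CEE Server URIs: http://cee.example.com:12228/cee
Hostname: cluster.example.com
Config Auditing Enabled: Yes
Config Syslog Enabled: Yes
Config Syslog Servers: -
Protocol Syslog Servers: -
"""

def parse_view(text):
    """Turn 'Key: value' lines into a dict; '-' means the field is unset."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            settings[key.strip()] = "" if value == "-" else value
    return settings

def split_list(value):
    # Assumption: multi-valued fields are comma-separated in the view output.
    return [v.strip() for v in value.split(",") if v.strip()]

def check_cee_uri(uri):
    """Return a problem string if uri is not http://FQDN:port/cee, else None."""
    try:
        parts = urlsplit(uri)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return f"{uri}: malformed URI"
    if parts.scheme != "http" or not parts.hostname or port is None or parts.path != "/cee":
        return f"{uri}: expected http://FQDN:port/cee"

def audit_findings(text):
    """List the reasons protocol audit events would not reach the CEE server."""
    s = parse_view(text)
    findings = []
    if s.get("Protocol Auditing Enabled") != "Yes":
        findings.append("protocol auditing is disabled")
    if not split_list(s.get("Audited Zones", "")):
        findings.append("no access zone is audited")
    uris = split_list(s.get("CEE Server URIs", ""))
    if not uris:
        findings.append("no CEE server URI is set")
    return findings + [p for p in map(check_cee_uri, uris) if p]
```

For the sample output on this page, the only finding is that protocol auditing is disabled even though a CEE server URI is configured.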
Before OneFS 8.2.0, auditing could be configured to collect only a subset of events, but not to match exactly the events the auditing application needed. This resulted in collecting unneeded audit events.
The new audit events in OneFS 8.2.0 allow for collecting just the events needed. The customer must still correctly enable the events their auditing application needs; if the customer enables everything, the same number of events will be collected and sent off the cluster. Collecting only the needed events brings the following benefits:
1. Lower storage footprint
2. Better performance
The events that audit collects are redesigned and implemented at a more granular level in OneFS 8.2. The new events in OneFS 8.2.0 and their mapping to the events in the previous OneFS version are listed in Table 5.
Audit events prior to OneFS 8.2.0 | Audit events in OneFS 8.2.0 |
open | open_directory, open_file, open_file_noaccess, open_file_read, open_file_write, create_directory, create_file |
close | close_directory, close_file, close_file_modified, close_file_unmodified |
delete | delete_directory, delete_file |
read | read_file |
write | write_file |
rename | rename_directory, rename_file |
get_security | get_security_directory, get_security_file |
set_security | set_security_directory, set_security_file |
logon | logon |
logoff | logoff |
tree_connect | tree_connect |
Protocol audit events are configurable at CEE granularity with each OneFS event mapping to a CEE event. This 1:1 mapping relationship is shown in Table 6.
Audit events in OneFS 8.2.0 | CEE events | Description |
create_file | CEPP_CREATE_FILE | Send a notification when a file is created. |
create_directory | CEPP_CREATE_DIRECTORY | Send a notification when a directory is created. |
open_file_write | CEPP_OPEN_FILE_WRITE | Send a notification when a file is opened for write access. |
open_file_read | CEPP_OPEN_FILE_READ | Send a notification when a file is opened for read access. |
open_file_noaccess | CEPP_OPEN_FILE_NOACCESS | Send a notification when a file is opened for a change other than read or write access (for example, read or write attributes on the file). |
open_directory | CEPP_OPEN_DIRECTORY | Send a notification when a directory is opened. |
close_file_modified | CEPP_CLOSE_MODIFIED | Send a notification when a file is changed before closing. |
close_file_unmodified | CEPP_CLOSE_UNMODIFIED | Send a notification when a file is not changed before closing. |
close_directory | CEPP_CLOSE_DIRECTORY | Send a notification when a directory is closed. |
delete_file | CEPP_DELETE_FILE | Send a notification when a file is deleted. |
delete_directory | CEPP_DELETE_DIRECTORY | Send a notification when a directory is deleted. |
rename_file | CEPP_RENAME_FILE | Send a notification when a file is renamed. |
rename_directory | CEPP_RENAME_DIRECTORY | Send a notification when a directory is renamed. |
write_file | CEPP_WRITE_FILE | Send a notification when a file write is received. |
read_file | CEPP_FILE_READ | Send a notification when a file read is received. |
set_security_file | CEPP_SETACL_FILE | Send a notification when a file security change is received. |
set_security_directory | CEPP_SETACL_DIRECTORY | Send a notification when a directory security change is received. |
logon | N/A | Send a notification when an SMB session is established. |
logoff | N/A | Send a notification when there is an SMB session logoff. |
tree_connect | N/A | Send a notification when there is a first attempt to access an SMB share. |
For the OneFS version prior to OneFS 8.2.0, refer to OneFS to Dell EMC CEE event map in Appendix B.
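Tables 5 and 6 can be combined to work out which OneFS 8.2.0 events to enable for a given auditing application. The following is an added example, not Dell EMC code: it inverts Table 6 to get the granular events, then uses Table 5 to show which extra events the coarse pre-8.2.0 selection would have covered. The function name and the requirement list are hypothetical.

```python
# Table 5: pre-8.2.0 audit event -> OneFS 8.2.0 audit events.
LEGACY_TO_NEW = {
    "open": ["open_directory", "open_file", "open_file_noaccess", "open_file_read",
             "open_file_write", "create_directory", "create_file"],
    "close": ["close_directory", "close_file", "close_file_modified",
              "close_file_unmodified"],
    "delete": ["delete_directory", "delete_file"],
    "read": ["read_file"],
    "write": ["write_file"],
    "rename": ["rename_directory", "rename_file"],
    "get_security": ["get_security_directory", "get_security_file"],
    "set_security": ["set_security_directory", "set_security_file"],
    "logon": ["logon"], "logoff": ["logoff"], "tree_connect": ["tree_connect"],
}
# Table 6: OneFS 8.2.0 audit event -> CEE event (1:1; N/A rows omitted).
NEW_TO_CEE = {
    "create_file": "CEPP_CREATE_FILE", "create_directory": "CEPP_CREATE_DIRECTORY",
    "open_file_write": "CEPP_OPEN_FILE_WRITE", "open_file_read": "CEPP_OPEN_FILE_READ",
    "open_file_noaccess": "CEPP_OPEN_FILE_NOACCESS", "open_directory": "CEPP_OPEN_DIRECTORY",
    "close_file_modified": "CEPP_CLOSE_MODIFIED",
    "close_file_unmodified": "CEPP_CLOSE_UNMODIFIED",
    "close_directory": "CEPP_CLOSE_DIRECTORY", "delete_file": "CEPP_DELETE_FILE",
    "delete_directory": "CEPP_DELETE_DIRECTORY", "rename_file": "CEPP_RENAME_FILE",
    "rename_directory": "CEPP_RENAME_DIRECTORY", "write_file": "CEPP_WRITE_FILE",
    "read_file": "CEPP_FILE_READ", "set_security_file": "CEPP_SETACL_FILE",
    "set_security_directory": "CEPP_SETACL_DIRECTORY",
}

def plan_events(required_cee):
    """Return (enable, legacy, surplus) for the CEE events an application consumes."""
    cee_to_new = {cee: new for new, cee in NEW_TO_CEE.items()}
    unknown = sorted(set(required_cee) - set(cee_to_new))
    if unknown:
        raise ValueError(f"not a CEE event in Table 6: {unknown}")
    # Granular OneFS 8.2.0 events to enable: exactly what the application needs.
    enable = sorted({cee_to_new[c] for c in required_cee})
    # Coarse pre-8.2.0 events that would have been needed to cover the same set.
    new_to_legacy = {n: old for old, news in LEGACY_TO_NEW.items() for n in news}
    legacy = sorted({new_to_legacy[n] for n in enable})
    # Granular events the coarse selection also covers but nobody asked for.
    surplus = sorted({n for old in legacy for n in LEGACY_TO_NEW[old]} - set(enable))
    return enable, legacy, surplus

# Constructed requirement list for a hypothetical auditing application.
REQUIRED = ["CEPP_CREATE_FILE", "CEPP_DELETE_FILE", "CEPP_SETACL_FILE"]
if __name__ == "__main__":
    print(plan_events(REQUIRED))
```

For the constructed list, three granular events are enough, whereas the coarse open, delete and set_security events cover eight additional event types.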
The new audit events in OneFS 8.2.0 are referred to as detailType within the event payload. The following example compares the payload for the same audit event in different OneFS versions. The payload for the OneFS 8.2.0 audit feature contains everything the previous version has, which means auditing is backward compatible with previous audit events.
Figure 1. Audit payload
The audit CLI fully supports these granular event types as parameters.