Configuration Settings for EMC Isilon Auditing

Configure the following audit settings on EMC Isilon nodes.

  1. Connect to any one of the Isilon nodes using an SSH client.
    1. Open the syslog.conf file in the /etc/mcp/templates directory.
    2. Add the following entry after the "!audit_protocol" line:
      1. *.* @<hostname/IP Address of the ADAudit Plus server>
    3. Enable syslog forwarding for the zone to be audited by executing the following command:
      1. On OneFS version 7.x: isi zone zones modify <zonename> --syslog-forwarding-enabled=yes --syslog-audit-events=all
      2. On OneFS version 8.x: isi audit settings modify --syslog-forwarding-enabled=yes --syslog-audit-events=all --zone=<zonename>
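
As an added example (not from the original page or from ManageEngine), the shell function below checks that the forwarding entry from step 2 sits in the "!audit_protocol" block of the template rather than under another block. It assumes the BSD syslog.conf convention that a "!name" line starts a block applying to the lines below it; the function name, the sample file contents and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the forwarding entry sits in the !audit_protocol
# block of a syslog.conf template. HOST is the ADAudit Plus server address.

# check_audit_forward FILE HOST
# returns 0: "*.* @HOST" found under !audit_protocol
#         1: entry missing, or present only under another block
#         2: bad arguments or unreadable file
check_audit_forward() {
    [ -r "$1" ] && [ -n "$2" ] || return 2
    awk -v host="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        /^[ \t]*!/ {                          # "!name" opens a program block
            sub(/^[ \t]*![ \t]*/, ""); block = $1; next
        }
        $1 == "*.*" && $2 == ("@" host) {     # single "@" forwards over UDP
            if (block == "audit_protocol") found = 1
            else printf "line %d: entry is under \"!%s\", not \"!audit_protocol\"\n", NR, block > "/dev/stderr"
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample template (assumed layout); 192.0.2.10 is a documentation address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
!audit_config
*.* /var/log/audit_config.log
!audit_protocol
*.* /var/log/audit_protocol.log
*.* @192.0.2.10
!*
EOF

if check_audit_forward "$sample" 192.0.2.10; then
    echo "forwarding entry is in the audit_protocol block"
else
    echo "forwarding entry missing or misplaced"
fi
rm -f "$sample"
```

On a node, pass the path of the edited template and the ADAudit Plus server address exactly as written in the entry.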

Steps to configure in ADAudit Plus:

  1. Log in to ADAudit Plus.
  2. Go to File Audit tab -> Configured Server -> EMC Isilon.
  3. Configure the Isilon cluster with the wizard available (Note: Provide an administrative credential for audit).
  4. Go to Admin -> General Settings -> Connection.
  5. Check that "Current Syslog Status" is "On".

Note: Ensure that the account used in Domain configuration has permission to read shares. Additionally, the account used in Isilon configuration must have permission to read the Isilon configuration.

Troubleshooting

Problem/Message

Solution

The Selected Domain must be an Authentication Provider for the Cluster.

Make sure the cluster is added to the domain selected. If the issue persists even after this, update the computer objects by doing the following:

  1. Click the Domain Settings link from the client to open the Domain Settings page. (This is present at the top right corner of ADAudit Plus.)
  2. Click on the drop-down menu and choose "Update Domain Objects".
  3. Choose "Computers" from the list and then click on Save.
  4. Wait for a few minutes, then try adding the server.

Isilon Zone(s) not Found

Make sure the user provided in the first step has permission to read the Isilon configuration.

Error in getting Shares, Access is denied

The user configured in the Domain settings must have the permission to read the shares for the configured zone.

The Timestamp is not updated/No data is received

  1. To check whether the syslog data is received by the ADAudit server, install the ManageEngine Free Syslog Forwarder tool from https://www.manageengine.com/free-syslog-forwarder-tool/free-syslog-forwarder-index.html

  2. Turn off syslog listening from Admin -> General Settings -> Connection (or) stop the ADAudit service.

  3. In the syslog forwarder tool, click Start to receive syslog data.

  4. If no data is shown, re-check the syslog configurations. Otherwise, contact our support.

Copyright © 2017, ZOHO Corp. All Rights Reserved.