ChangeAuditor 5.6. For NetApp User Guide

Transcription

1 ChangeAuditor 5.6 For NetApp User Guide

2 2011 Quest Software, Inc. ALL RIGHTS RESERVED This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA USA legal@quest.com Refer to our Web site for regional and international office information. Patents This product is protected by U.S. Patent #7,979,494. Additional Patents Pending. Trademarks Quest, Quest Software, the Quest Software logo, ChangeAuditor, Defender, Intrust and Quest Authentication Services are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software s tradmarks, please see Other trademarks and registered trademarks are property of their respective owners. Third Party Contributions ChangeAuditor contains some third party components. For a complete list, see the Third Party Components page in the ChangeAuditor online help. ChangeAuditor for NetApp User Guide September 2011 Version 5.6

3 TABLE OF CONTENTS ABOUT THIS GUIDE OVERVIEW CONVENTIONS ABOUT QUEST SOFTWARE CONTACTING QUEST SOFTWARE CONTACTING QUEST SUPPORT CHAPTER 1 CHANGEAUDITOR FOR NETAPP INTRODUCTION SYSTEM OVERVIEW DEPLOYMENT REQUIREMENTS REQUIRED CHANGEAUDITOR COMPONENTS SYSTEM REQUIREMENTS REQUIRED RIGHTS AND PERMISSIONS FPOLICY LIMITATION CLIENT COMPONENTS/FEATURES CHAPTER 2 INSTALLATION AND CONFIGURATION BEFORE YOU BEGIN STEP 1: ENSURE NETAPP IS PROPERLY INSTALLED STEP 2A: INSTALL CHANGEAUDITOR FOR NETAPP STEP 2B: UPGRADE CHANGEAUDITOR AND LICENSE CHANGEAUDITOR FOR NETAPP STEP 3: CREATE NETAPP AUDITING TEMPLATE CHAPTER 3 GETTING STARTED INTRODUCTION VERIFY LICENSE AND TEMPLATE MAKE CHANGES AND RUN A REPORT TROUBLESHOOTING STEPS

4 ChangeAuditor for NetApp CHAPTER 4 NETAPP FILER AUDITING INTRODUCTION NETAPP AUDITING PAGE NETAPP AUDITING TEMPLATES NETAPP AUDITING WIZARD FILE SYSTEM EVENTS SETTINGS NETAPP EVENT LOGGING CHAPTER 5 NETAPP SEARCHES/REPORTS INTRODUCTION CREATE CUSTOM NETAPP SEARCHES APPENDIX A PERFORMANCE CONSIDERATIONS CHANGEAUDITOR AGENT PERFORMANCE HARDWARE CONSIDERATIONS LOAD BALANCING CONFIGURING AUDIT SCOPE APPENDIX B NETAPP FILER EVENTS INDEX

5 About This Guide Overview Conventions About Quest Software Contacting Quest Software Contacting Quest Support

6 ChangeAuditor for NetApp Overview This document has been prepared to assist you in becoming familiar with ChangeAuditor for NetApp. This User Guide contains information about the additional features that are available when a valid ChangeAuditor for NetApp license has been applied. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product. Separate user guides are available that describe the functionality provided when a valid ChangeAuditor for Active Directory, ChangeAuditor for Exchange, ChangeAuditor for Windows File Servers, ChangeAuditor for EMC, ChangeAuditor for NetApp, ChangeAuditor for SQL Server, or ChangeAuditor for LDAP license is applied. In addition, there is a ChangeAuditor User Guide that explains the core functionality available regardless of the product license that has been applied. Conventions In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references. ELEMENT Select Bolded text Italic text Bold Italic text CONVENTION This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons. Interface elements that appear in Quest products, such as menus and commands. Used for comments. Used for emphasis. Blue text Indicates a cross-reference. When viewed in Adobe Reader, this format can be used as a hyperlink. Used to highlight additional information pertinent to the process being described. Used to provide Best Practice information. A best practice details the recommended course of action for the best result. 6

7 About This Guide ELEMENT CONVENTION Used to highlight processes that should be performed with care. Used to highlight a troubleshooting tip pertaining to the topic being described. Used to highlight permissions required to perform the action being described. + A plus sign between two keystrokes means that you must press them at the same time. A pipe sign between elements means that you must select the elements in that particular sequence. About Quest Software Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to Contacting Quest Software Phone Mail Web site (United States and Canada) info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA USA Please refer to our Web site for regional and international office information. 7

8 ChangeAuditor for NetApp Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at From SupportLink, you can do the following: Review thousands of solutions from our online Knowledgebase Download the latest releases and service packs Create, update and review Support cases View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: 8

9 1 ChangeAuditor for NetApp Introduction System Overview Deployment Requirements FPolicy Limitation Client Components/Features

10 ChangeAuditor for NetApp Introduction ChangeAuditor for NetApp tracks, audits, reports, and alerts on file and folder changes in real time, translating events into simple text and eliminating the time and complexity required by native auditing. The auditing scope can be set on an individual file or folder or an entire file system recursive or non-recursive. ChangeAuditor for NetApp also allows you to include or exclude certain files or folders from the audit scope in order to ensure a faster and more efficient audit process. ChangeAuditor for NetApp captures audited events and provides detailed information about the following filer activity: File and folder access File and folder creation, deletion and renames File and folder permission changes Content changes, such as file reads and writes ChangeAuditor for NetApp functionality is based on NetApp s Data OnTap file screening policy (FPolicy). This policy allows third-party file screening software to interact with the NetApp filer. 10

11 ChangeAuditor for NetApp System Overview The following diagram illustrates how NetApp integrates with ChangeAuditor to provide this auditing capability. 1. Using the ChangeAuditor Client, users create a NetApp Auditing template to specify the NetApp filer location and select the ChangeAuditor Agent that is to receive the NetApp events. The ChangeAuditor Coordinator is responsible for fulfilling client and agent requests. 2. The specified ChangeAuditor Agent registers with the FPolicy screening policy to capture the NetApp filer events based on the auditing scope defined in the NetApp Auditing template. 3. The NetApp filer forwards detailed information about the changes and activities back to the ChangeAuditor Agent. 4. The ChangeAuditor Agent then processes the NetApp events and forwards them on to the ChangeAuditor database. 11

12 ChangeAuditor for NetApp Deployment Requirements In order to ensure a successful deployment, ensure that you have the following components and your environment meets the minimum system requirements. Required ChangeAuditor Components ChangeAuditor for NetApp 5.5 (or higher) System Requirements ChangeAuditor Agent Requirements Locate the ChangeAuditor Agent NEAR the NetApp filer (use fastest connection type available) It is recommended to have 1 Gbps network connectivity (or faster connection type) between the monitored NetApp filer and the computer where the ChangeAuditor for NetApp Agent Service is running. Use a direct or one-switch connection. Use a multiple CPU host for ChangeAuditor Agent Service (at least 2 CPUs or 2 CPU core). In order for the NetApp filer to properly send events to the ChangeAuditor Agent, reverse DNS zone must be configured for the ChangeAuditor Agent server s IP address. This can be configured in the Reverse Lookup Zone of the DNS server used by the NetApp filer. To verify you can look up a ChangeAuditor Agent using its IP address, use the nslookup command as illustrated below: If Windows Firewall is enabled on the server hosting the ChangeAuditor Agent responsible for capturing the NetApp filer events, it must be configured to allow File Sharing. 12

13 ChangeAuditor for NetApp Software Requirements NetApp filer with Data OnTap 7.2, 7.3, (or higher) OnTap 7.3 (or higher) is required to monitor permission change events Recommended: OnTap (or higher) ChangeAuditor for NetApp 5.5 (or higher) For information on ChangeAuditor system requirements, see the ChangeAuditor Installation Guide. Required Rights and Permissions Valid credentials are needed in order for a ChangeAuditor Agent to collect NetApp filer events. The provided credentials must have local Administrator rights on the monitored NetApp filer. You can specify these credentials in one of two ways for the ChangeAuditor Agents that will be assigned to the NetApp Auditing template which defines what is to be audited on the selected NetApp filer: You can add the ChangeAuditor Agent Service account to the local Administrators group on the NetApp filer. 13

14 ChangeAuditor for NetApp You can use the Credentials button on the NetApp Auditing template to specify the NetApp filer credentials to be used by the selected ChangeAuditor Agent. If you use this method, the specified account must be an Active Directory user that is a member of the local Administrators group of the NetApp filer. To add a new account to a NetApp filer s local Administrators group: 1. Open Active Directory Users and Computers MMC snap-in. 2. Select the domain where the NetApp filer is located. 3. Select Computers from the tree and then select the filer from the list in the right pane. By default, the computer name is the same as the filer name. The actual container and the computer names are configured during CIFS setup on the filer. 4. Right-click the filer and click Manage. The Computer Management console opens. 5. Select System Tools Local Users and Groups Groups. 6. Double-click the Administrators group on the right. 7. Click Add to add an account to the Administrators group. FPolicy Limitation File changes to the NetApp filer initiated from the server hosting the ChangeAuditor Agent responsible for capturing NetApp events will NOT be reported. This is a limitation of the NetApp filer s FPolicy and not a limitation of ChangeAuditor. 14

15 Client Components/Features ChangeAuditor for NetApp The following table lists the client components and features that require a valid ChangeAuditor for NetApp license. The product will not prevent you from using these features; however, associated events will not be captured unless the proper license is applied. To hide unlicensed ChangeAuditor features from the Administration Tasks tab (including unavailable audit events throughout the client), use the Action Hide Unlicensed Components menu command. Note this command is only available when the Administration Tasks tab is the active page. CLIENT PAGE Administration Tasks Tab FEATURE Agent Configuration Page Event Logging - enable/disable NetApp event logging Note: See NetApp Event Logging for information on enabling event logging. Configuration Setup Page - File System Events settings Discard duplicates that occur within nn seconds Audit all configured, including duplicates (Not Recommended) Audit Task List NetApp Note: See NetApp Filer Auditing for information on using the agent configuration settings and on creating templates to define NetApp auditing. Event Details Pane Events Searches Page What Details Path Process Facilities NetApp Built-in Reports Reports that include NetApp events. 15

16

17 2 Installation and Configuration Before You Begin Step 1: Ensure NetApp is Properly Installed Step 2a: Install ChangeAuditor for NetApp Step 2b: Upgrade ChangeAuditor and License ChangeAuditor for NetApp Step 3: Create NetApp Auditing Template

18 ChangeAuditor for NetApp Before You Begin It is recommended that you perform the following steps before you begin the installation procedure: Review the Deployment Requirements Review the complete installation process Read the ChangeAuditor Release Notes for updated information Ensure you have the appropriate license file to enable ChangeAuditor for NetApp. You should have received separate license files from Quest to enable the ChangeAuditor products you purchased (i.e., ChangeAuditor for Active Directory, ChangeAuditor for Exchange, ChangeAuditor for Windows File Servers, ChangeAuditor for SQL Server, ChangeAuditor for LDAP, ChangeAuditor for QAS, ChangeAuditor for Defender, ChangeAuditor for NetApp, and/or ChangeAuditor for EMC. Copy the.asc license files to the local hard drive where you are installing ChangeAuditor. Step 1: Ensure NetApp is Properly Installed This guide assumes NetApp OnTap is properly installed and configured. For detailed installation steps, see the appropriate guides from NetApp. Prior to installing or upgrading ChangeAuditor for auditing NetApp filer activity: Verify that Common Internet File System (CIFS) is setup for NTFS files only. Verify that CIFS is enabled and running. 18

19 Installation and Configuration Step 2a: Install ChangeAuditor for NetApp For detailed instructions and required permissions for installing ChangeAuditor, see the ChangeAuditor Installation Guide. If you do not have a previous version of ChangeAuditor already installed, we recommend installing the ChangeAuditor components in the following order: 1. Database (SQL Server) Choose the SQL database you are going to use. If you wish to install the ChangeAuditor database to a SQL instance other than the default instance of the selected SQL server, create the new instance BEFORE running the installer. 2. ChangeAuditor Coordinator Once you have confirmed that the database instance you are going to use is installed and functioning correctly, install the ChangeAuditor Coordinator. ChangeAuditor will prompt you for a valid license file during the coordinator installation process. If you are installing multiple ChangeAuditor products, select each of the licenses to be applied. You must apply the ChangeAuditor for NetApp license to enable the NetApp filer auditing in ChangeAuditor. 3. ChangeAuditor Client Once you have confirmed that the coordinator is functioning correctly, install the ChangeAuditor Client. 4. ChangeAuditor Agents Finally, launch the ChangeAuditor Client to deploy agents to your domain controllers and member servers. 19

20 ChangeAuditor for NetApp Step 2b: Upgrade ChangeAuditor and License ChangeAuditor for NetApp For detailed instructions on upgrading ChangeAuditor, see the ChangeAuditor Installation Guide. If you have a previous version of ChangeAuditor already installed, upgrade the ChangeAuditor components in the following order: 1. ChangeAuditor Coordinator ChangeAuditor 5.5 Upgrade: If you are upgrading from ChangeAuditor 5.5 and already have ChangeAuditor for NetApp licensed, you will NOT require new licenses for any of your ChangeAuditor products. However, if ChangeAuditor for NetApp is new to your installation, you must apply the ChangeAuditor for NetApp license before you can use the product. You can apply this new license at this time or at a later time using the ChangeAuditor License Manager. ChangeAuditor 5.0/5.1 Upgrade: If you are upgrading from ChangeAuditor 5.0 or 5.1 you will NOT require new licenses for existing ChangeAuditor products. However, since ChangeAuditor for NetApp was not available in these earlier releases, you must apply the ChangeAuditor for NetApp license before you can use the product. You can apply this new license at this time or at a later time using the ChangeAuditor License Manager. 2. ChangeAuditor Client 3. ChangeAuditor Agents 20

21 Installation and Configuration Step 3: Create NetApp Auditing Template Using the ChangeAuditor Client, define a separate NetApp Auditing template for each NetApp filer to be audited. 1. Open the Administration Tasks tab (View Administration). 2. Select the Auditing task button at the bottom of the navigation pane (left-hand pane). 3. Select NetApp in the Auditing NAS Templates task list to open the NetApp Auditing page. 4. Select the Add tool bar button. This will launch the NetApp Auditing wizard, which steps you through the process of defining the location of the NetApp filer to be audited, the auditing scope, and the ChangeAuditor agent(s) that are to receive the NetApp filer audit events. 21

22 ChangeAuditor for NetApp A red flashing icon indicates that you have not yet entered the required information. For this scenario, we will specify to audit all events on all volumes. For instructions on configuring your template to audit an individual file, folder and/or volume, see NetApp Auditing Templates in the NetApp Filer Auditing chapter. 5. On the first page of the wizard, enter the following information: NetApp Filer - Select the NetApp filer to be audited from the drop-down. Or enter the Netbios name or IP address of the NetApp filer. Audit Path - select All Volumes and then select the Add button. (The Audit Path will contain an *, which will be displayed as (All Volumes) in the Audit Path list when the Add button is selected.) Events tab - Select both the File Events and Folder Events check boxes (in the header) to select all events. Inclusions tab - Click on the Inclusions tab, enter * and select the Add button to add it to the Included Names list. (Specifying an * will include all subfolders and files in the selected audit path.) Exclusions tab - Skip the Exclusions tab. (In this scenario, we will not be excluding any subfolders or files from auditing.) 22

23 Installation and Configuration Select Next to continue. 6. On the second page of the wizard, select one or more ChangeAuditor agents to be used to connect to the NetApp filer to capture the NetApp events. Select a ChangeAuditor Agent that will NOT be performing any operations against the NetApp filer. (File changes to the NetApp filer initiated from the server hosting the ChangeAuditor Agent responsible for capturing these NetApp events will NOT be reported.) Specifying multiple agents may provide better performance because the NetApp filer will load balance audit events and send each assigned agent events round-robin style. Only increase the number of agents if a single agent cannot handle the volume of events generated. The downside of specifying multiple agents, is that the Where field for NetApp events may contain any one of these agents. Also, if event logging for NetApp is enabled, events will be written on multiple agent servers. To add a ChangeAuditor Agent to the NetApp Auditing template: Select the Add button. On the ChangeAuditor Agents dialog, select one or more agents from the list and select OK. If you did NOT add the ChangeAuditor Agent accounts to the local Administrators group on the NetApp filer, select the ChangeAuditor Agent from the list, select the Credentials button and enter the NetApp filer credentials to be used. See Required Rights and Permissions for more information on valid credentials. Select Finish to close the wizard and create the NetApp Auditing template. 7. Back on the Administration Tasks tab, select the Configuration task button at the bottom of the navigation pane. Select Agent in the Configuration task list to open the Agent Configuration page. 8. Select the ChangeAuditor Agent(s) assigned to the NetApp Auditing template and select the Refresh Configuration tool bar button or right-click command. 9. Verify that is displayed in the NetApp column. If you do not refresh the agent s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting. The default is every 15 minutes. 23

24

25 3 Getting Started Introduction Verify License and Template Make Changes and Run a Report Troubleshooting Steps

26 ChangeAuditor for NetApp Introduction ChangeAuditor for NetApp provides you with the ability to search, report and alert on changes to a specific file, folder, volume or all volumes on a NetApp filer. Using ChangeAuditor for NetApp you can receive real-time alerts whenever someone tries to access a secure file or folder on a NetApp device. This chapter provides a high-level view of the tasks to get you started using ChangeAuditor for NetApp. It assumes you have successfully installed/licensed ChangeAuditor for NetApp and NetApp OnTap. Verify License and Template To verify that ChangeAuditor for NetApp is licensed: 1. From the member server where ChangeAuditor is installed, launch the License Manager (Start All Programs Quest Software ChangeAuditor License Manager). 2. On the About ChangeAuditor dialog, verify that the License Status field is set to 'Installed' for ChangeAuditor for NetApp. 3. If the License Status field indicates that ChangeAuditor for NetApp is 'Uninstalled', use the Update License button to locate and apply the appropriate license. To verify that a NetApp Auditing template is applied to ChangeAuditor Agents: 1. Launch the ChangeAuditor Client (Start All Programs Quest Software ChangeAuditor ChangeAuditor Client). 2. Open the Administration Tasks tab (View Administration menu command). 3. If not already selected, select the Configuration task button at the bottom of the navigation pane (left-hand pane). 4. Select Agent in the Configuration task list to open the Agent Configuration page. 5. Verify that is displayed in the NetApp column of the agents you selected to monitor for NetApp events. If this column displays, select the agent(s), right-click and select Refresh Configuration. 26

27 Getting Started Make Changes and Run a Report 1. To test NetApp filer auditing, make some changes to the NetApp filer being monitored. For example: create a new folder add a.doc or.txt file change the security permissions on a file (right-click file, open the Security tab and add another user with full control) delete the sample.txt file add a sub-folder change the security permission of the new folder 2. Launch the ChangeAuditor Client (Start All Programs Quest Software ChangeAuditor ChangeAuditor Client) to review the audited events generated. 3. Open the Searches tab. 4. Expand the Shared Built-in Reports All Events Reports folder in the left-hand pane. 5. Locate and double-click All NetApp Events in the right-hand pane. A new Search Results tab is added to the client displaying the NetApp events that were captured. 27

28 ChangeAuditor for NetApp 6. Double-click an event from the Search Results grid to display the event details for the selected event. 28

29 Getting Started Troubleshooting Steps If the NetApp filer events do not appear in the ChangeAuditor Client as expected, check the following: Verify that the NetApp filer is valid for the NetApp Auditing template. The NetApp Filer field should contain the Netbios name or IP address of the NetApp filer to be audited. The wizard does NOT validate this entry when it is entered. Verify that the ChangeAuditor Agents assigned to the NetApp Auditing template are NOT on the servers that are initiating file changes to the NetApp filer. (This is a limitation with the NetApp filer s FPolicy.) Verify that the following options have been configured on the server(s) hosting the ChangeAuditor Agent(s) assigned to a NetApp Auditing template: Reverse DNS zone must be configured and functional in your domain. If Windows Firewall is enabled, it must be configured to allow File Sharing. See System Requirements. Verify that all of the ChangeAuditor Agents assigned to a NetApp Auditing template have their user account in the local Administrators group of the NetApp filer or that you have specified the NetApp filer credentials in the NetApp Auditing wizard. See Required Rights and Permissions. Verify that you have selected those type of events in the NetApp Auditing template. (Events tab in the wizard). Verify that you have included the correct subfolders and paths in the NetApp Auditing template. (Inclusions tab in the wizard). Note: Entering * will include all subfolders and paths. Verify that you have not excluded the specified subfolders or paths in the NetApp Auditing template. (Exclusions tab in the wizard). Refresh the specified ChangeAuditor Agent configurations on the Agent Configuration page to ensure the latest NetApp Auditing template is being used. Verify what version of Data OnTap is being used. That is, NetApp filers running version 7.2 (or earlier) will NOT capture the File/Folder Ownership Changed or File/Folder Access Rights Changed events. If you are using an older version of Data OnTap, you may need to upgrade to version (or later) in order to capture audited events. 29

30

31 4 NetApp Filer Auditing Introduction NetApp Auditing Page NetApp Auditing Templates NetApp Auditing Wizard File System Events Settings NetApp Event Logging

32 ChangeAuditor for NetApp Introduction A separate NetApp Auditing template must be defined for each NetApp filer to be audited by ChangeAuditor. The NetApp Auditing page on the Administration Tasks tab displays details about each NetApp Auditing template created and allows you to add new auditing templates. This chapter provides a description of the NetApp Auditing page and NetApp Auditing wizard which walks you through the process of creating a new auditing template. It also explains the File System Event settings available on the Configuration Setup dialog which can be used to define how to process duplicate File System events. For a description of the dialogs mentioned in this chapter, please refer to the online help. For more information about agent configurations, please refer to the ChangeAuditor User Guide. NetApp Auditing Page The NetApp Auditing page is displayed when NetApp (in the Auditing task list) is selected in the navigation pane of the Administration Tasks tab. From this page you can launch the NetApp Auditing wizard to specify the location of the NetApp filer to be audited, the auditing scope, and the ChangeAuditor agent(s) that are to receive the NetApp filer audit events. You can also edit existing templates, disable a template, and remove templates that are no longer being used. Authorization to use the administration tasks on the Administration Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to this page, please refer to the ChangeAuditor User Guide for more information on how to gain access to ChangeAuditor tasks. 32

33 NetApp Filer Auditing The NetApp Auditing page contains an expandable view of all the NetApp Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template: FIELD Filer Status Paths DESCRIPTION Displays the name of the NetApp filer specified in the wizard. Indicates whether the auditing template is enabled or disabled. This field is used for filtering data. Click the expansion box to the left of the Filer name to expand this view and display the following details: FIELD Path Status Include DESCRIPTION Displays the name of the audit path(s) included in the NetApp Auditing template. Indicates whether auditing for the selected audit path is enabled or disabled. Displays the names of the subfolders or files to be audited (or a file mask) as specified on the Inclusions tab of the wizard. 33

34 ChangeAuditor for NetApp FIELD Scope Exclude Operations Agent User DESCRIPTION Indicates the scope of coverage specified for each audit path in the selected template: This object only This object and child objects only This object and all child objects Displays the names and paths of subfolders and files to be excluded from auditing as specified on the Exclusions tab of the wizard. Displays the events selected for auditing on the Events tab of the wizard. Hover your mouse over this cell to view all of the events included in the template. Lists the ChangeAuditor agents assigned to monitor the selected NetApp filer. Displays the name of the user account that has access to the NetApp filer. This information is only displayed when the Set Credentials button is used on the second page of the wizard to specify the NetApp filer credentials to be used by a ChangeAuditor Agent. The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the ChangeAuditor Client, see the ChangeAuditor User Guide. 34

35 NetApp Auditing Templates NetApp Filer Auditing In order to enable NetApp filer auditing in ChangeAuditor, you must first create a NetApp Auditing template for each NetApp filer to be audited. Each auditing template defines the location of the NetApp filer to be audited, the auditing scope, and the ChangeAuditor agent(s) that are to receive the NetApp filer audit events. There can be only one NetApp Filter template per NetApp filer. Therefore, if you want to audit multiple audit paths, use the same template to specify all the audit paths to be audited on the selected NetApp filer. To audit a file: 1. Launch the NetApp Auditing wizard (Select Add or Edit tool bar button on NetApp Auditing page). 2. On the first page of the wizard, enter the following information: NetApp Filer - Select the NetApp filer from the drop-down or enter the Netbios name or IP address of the NetApp filer to be audited. Audit Path - select File. Enter a file name and path (i.e., VolumeName\FolderName\FileName.ext) to be audited. Select the Add button to move the specified audit path to the selection list. Events tab - Select the file events to be audited for the file selected in the selection list. Selecting the File Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing this check box will clear all of the selected events. Repeat this step to add additional files to this auditing template. 3. Select Next to proceed to the next page. 4. On the second page of the wizard, select the ChangeAuditor agents to be used to connect to the NetApp filer to capture the NetApp events. To add a ChangeAuditor agent to the NetApp Auditing template: Select the Add button On the ChangeAuditor Agents dialog, select one or more agents from the list and select OK. 5. Select the Finish button to close the wizard and create the NetApp Auditing template. 35

36 ChangeAuditor for NetApp 6. Back on the Administration Tasks tab, select the Configuration task button at the bottom of the navigation pane. Select Agent in the Configuration task list to open the Agent Configuration page. 7. Select the ChangeAuditor Agent(s) assigned to the NetApp Auditing template and select the Refresh Configuration tool bar button or right-click command. 8. Verify that is displayed in the NetApp column. If you do not refresh the agent s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting. The default is every 15 minutes. To audit a folder: 1. Launch the NetApp Auditing Wizard. (Select Add or Edit tool bar button on NetApp Auditing page.) 2. On the first page of the wizard, enter the following information: NetApp Filer - Select the NetApp filer from the drop-down or enter the Netbios name or IP address of the NetApp filer to be audited. Audit Path - Select Folder. Enter a folder name and path (i.e., VolumeName\FolderName) to be audited. Use the Add button to add the specified folder to the selection list (middle of the page). 3. By default, the scope of coverage for the selected folder will be This object and all child objects. However, you can change the scope, by selecting a different option from the drop-down box in the scope cell of the selection list: This Object - select this option to audit only the selected folder, not its files or subfolders. This Object and Child Objects Only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive. This Object and All Child Objects - select this option to audit this folder and all of its files and subfolders. In addition, when the folder entry is selected in the Selection list, the tabs across the bottom of the page are activated. The settings specified on these tabs apply to the entry selected. 4. On the Events tab, select the file and folder events to be audited. Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events. 36

37 NetApp Filer Auditing 5. On the Inclusions tab, add the names of the subfolders and files to be audited. Use the button to browse for and select an individual subfolder or file. Or enter the name of the subfolder or file to be audited. You can also select a group of files or subfolders using wildcard characters. That is, use an asterisk (*) to substitute zero or more characters or use a question mark (?) to substitute a single character. For example, entering * will include all files in the selected audit path. Once you have specified a subfolder or file for inclusion, use the Add button to add it to the Inclusion list at the bottom of the page. Repeat this step to add additional subfolders and files to the Inclusion list. 6. (Optional) On the Exclusions tab, add the names of any subfolders and files in the selected audit path to be excluded from auditing. Use the button to browse for and select an individual subfolder or file in the specified audit path. Or enter the audit path and name of the subfolder or file to be excluded. By default, the folder selected above in the Selection list will be displayed. To exclude a file or folder in this folder, append the name of the individual subfolder or file to the path. Do not delete the audit path. You can also select a group of files or subfolders using wildcard characters. That is, use an asterisk (*) to substitute zero or more characters or use a question mark (?) to substitute a single character. For example, entering <audit path>\*.log will exclude all files in the specified audit path with the.log file extension. When using wildcard characters, remember to append it to the end of the audit path. 37

38 ChangeAuditor for NetApp Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page: Add Folder Add File Repeat this step to add additional subfolders and files to the Exclusion list. 7. Select Next. 8. On the second page of the wizard, select the ChangeAuditor agents to be used to monitor the NetApp filer. Select the Add button. On the ChangeAuditor Agents dialog, select one or more agents from the list and select OK. 9. Select Finish to close the wizard and create the template. 10. Back on the Administration Tasks tab, select the Configuration task button at the bottom of the navigation pane. Select Agent in the Configuration task list to open the Agent Configuration page. 11. Select the ChangeAuditor Agent(s) assigned to the NetApp Auditing template and select the Refresh Configuration tool bar button or right-click command. 12. Verify that is displayed in the NetApp column. If you do not refresh the agent s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting. The default is every 15 minutes. To audit a volume: 1. Launch the NetApp Auditing Wizard. (Select Add or Edit tool bar button on NetApp Auditing page.) 2. On the first page of the wizard, enter the following information: NetApp Filer - Select the NetApp filer from the drop-down or enter the Netbios name or IP address of the NetApp filer to be audited. Audit Path - Select Volume. Enter a volume name (i.e., VolumeName) to be audited. Use the Add button to add the specified volume to the selection list (middle of the page). 3. By default, the scope of coverage for the selected volume will be This object and all child objects, which cannot be changed. 38

39 NetApp Filer Auditing Select the volume entry in the Selection list to activate the tabs across the bottom of the page. The settings specified on these tabs apply to the entry selected. 4. On the Events tab, select the file and folder events to be audited. Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events. 5. On the Inclusions tab, add the names of the subfolders and files to be audited. Use the button to browse for and select an individual subfolder or file. Or enter the name of the subfolder or file to be audited. You can also select a group of files or subfolders using wildcard characters. That is, use an asterisk (*) to substitute zero or more characters or use a question mark (?) to substitute a single character. For example, entering * will include all files in the selected audit path. Once you have specified a subfolder or file for inclusion, use the Add button to add it to the Inclusion list at the bottom of the page. Repeat this step to add additional subfolders and files to the Inclusion list. 6. (Optional) On the Exclusions tab, add the names of any subfolders and files in the selected audit path to be excluded from auditing. 39

40 ChangeAuditor for NetApp Use the button to browse for and select an individual subfolder or file in the specified audit path. Or enter the audit path and name of the subfolder or file to be excluded. By default, the volume selected above in the Selection list will be displayed. To exclude a file or folder on this volume, append the name of the individual folder or file to the volume name. Do not delete the volume name. You can also select a group of files or subfolders using wildcard characters. That is, use an asterisk (*) to substitute zero or more characters or use a question mark (?) to substitute a single character. For example, entering <VolumeName>\*.log will exclude all files on the specified volume with the.log file extension. When using wildcard characters, remember to append it to the end of the volume name. Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page: Add Folder Add File Repeat this step to add additional subfolders and files to the Exclusion list. 7. Select Next. 8. On the second page of the wizard, select the ChangeAuditor agents to be used to monitor the NetApp filer. Select the Add button. On the ChangeAuditor Agents dialog, select one or more agents from the list and select OK. 9. Select Finish to close the wizard and create the template. 10. Back on the Administration Tasks tab, select the Configuration task button at the bottom of the navigation pane. Select Agent in the Configuration task list to open the Agent Configuration page. 11. Select the ChangeAuditor Agent(s) assigned to the NetApp Auditing template and select the Refresh Configuration tool bar button or right-click command. 12. Verify that is displayed in the NetApp column. If you do not refresh the agent s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting. The default is every 15 minutes. 40

41 NetApp Filer Auditing To disable an auditing template: The disable feature allows you to temporarily stop auditing the specified audit path without having to remove the auditing template or individual audit path from a template. 1. On the NetApp Auditing page, use one of the following methods to disable a NetApp Auditing template: Click in the Status cell for the template to be disabled and select Disabled. Right-click the template to be disabled and select Disable. The entry in the Status column for the template will change to Disabled. 2. To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu. To disable the auditing of an audit path in a template: 1. On the NetApp Auditing page, use one of the following methods to disable an audit path in an auditing template: Click in the Status cell for the audit path to be disabled and select Disabled. Right-click the audit path to be disabled and select Disable. The entry in the Status column for the selected file path will change to Disabled. 2. To re-enable the auditing of an audit path, use the Enable option in either the Status cell or right-click menu. To delete an auditing template: 1. On the NetApp Auditing page, use one of the following methods to delete a NetApp Auditing template: Select the template to be deleted and use the Delete Delete Template tool bar button. Right-click the template to be deleted and select Delete. 2. A dialog will be displayed confirming that you want to delete the selected template. Select Yes. 41

42 ChangeAuditor for NetApp To delete an audit path from a template: You cannot delete the last audit path in a NetApp Auditing template. 1. On the NetApp Auditing page, use one of the following methods to delete an audit path from an auditing template: Select the audit path to be deleted and use the Delete Delete File Path tool bar button. Right-click the audit path to be deleted and select Delete. 2. A dialog will be displayed confirming that you want to delete the selected file path from the template. Select Yes. To delete a ChangeAuditor Agent from a template: You cannot delete the last ChangeAuditor Agent in a NetApp Auditing template. 1. On the NetApp Auditing page, use one of the following methods to delete an audit path from an auditing template: Select the ChangeAuditor Agent to be deleted and use the Delete Delete Agent tool bar button. Right-click the agent to be deleted and select Delete. 2. A dialog will be displayed confirming that you want to delete the selected agent from the template. Select Yes. NetApp Auditing Wizard The NetApp Auditing wizard is displayed when you select the Add tool bar button on the NetApp Auditing page. This wizard steps you through the process of creating a new NetApp auditing template, identifying the location of the NetApp filer to be audited, the auditing scope, and the ChangeAuditor agent(s) that are to receive the NetApp filer audit events. The following table provides a description of the fields and controls in the NetApp Auditing wizard: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates that the required information has been specified and you are ready to proceed. 42

43 NetApp Filer Auditing CREATE OR MODIFY A NETAPP AUDITING TEMPLATE PAGE Use the first page of the wizard to specify the NetApp filer to be audited and the file, folder, volume or all volumes to be audited on that filer. NetApp Filer Use the drop-down control to the far right of this field to select the NetApp filer to be audited. Or enter the Netbios name or IP address of the NetApp filer. Note: There can be only one NetApp Auditing template per NetApp filer. The wizard will not allow you to create a duplicate template using the same NetApp filer name. 43

44 ChangeAuditor for NetApp Audit Path Select one of the following options to define auditing for a file, folder or volume: File - select this option to audit a single file. Then enter a file name and path (VolumeName\FolderName\FileName.ext) to be audited. Folder - select this option to audit a folder or a set of files. Then enter a folder name and path (VolumeName\FolderName) to be audited. Volume - select this option to audit a single volume. Then enter the volume name (VolumeName) to be audited. All Volumes - select this option to audit all volumes. The Audit Path text box will contain an asterisk (*) which cannot be changed. Once you have entered the audit path to be audited, use the Add button to add it to the selection list. Add Use the Add button to move the entry in the Audit Path text box to the selection list. Note: Even though you cannot edit the Audit Path when the All Volumes option is selected, you must still use the Add button to move it to the selection list. Remove Select an entry in the selection list and select the Remove button to remove it from the list. 44

45 NetApp Filer Auditing Selection list The list box, located across the middle of this page, displays the files, folders or volumes selected for auditing. When a Folder is selected, you can use the drop-down menu in the Scope field to change the scope of coverage for the folder. This Object - select this option to audit only the selected folder, not its files or subfolders. This Object and Child Objects Only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive. This Object and All Child Objects - select this option to audit this folder and all of its files and subfolders. (Default) Select an entry in this list to enable the corresponding Events, Inclusions and Exclusions tabs at the bottom of the page. Events Tab Use the Events tab to select vital file and/or folder events. File Events Folder Events Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list. Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list. 45

46 ChangeAuditor for NetApp Inclusions Tab Use the Inclusions tab to specify individual subfolders or files to be included for auditing. When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Inclusions tab will be displayed allowing you to specify the names of the subfolders and files to be audited. Add the names of subfolders and files to audit Use the button to browse for and select an individual subfolder or file. Or enter the name of the subfolder or file to be included. You can also select a group of files or subfolders by using wildcard characters. Use an asterisk (*) to substitute zero or more characters. Use a question mark (?) to substitute a single character. For example, * will include all files in the selected audit path. Note: If the monitored files mask ends with the \* symbols, the parent folder is also included. Once you have specified the subfolder or file to be included, select the Add button to add it to the Inclusions list. Inclusions list The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries: Add - Use the Add button to move the entry in the text box to the Inclusions list. Remove - Select an entry in the Inclusions list and use the Remove button to remove it. 46

47 NetApp Filer Auditing Exclusions Tab (Optional) Use the Exclusions tab to exclude individual subfolders or files in the selected audit path from auditing. When the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects, the Exclusions tab will be displayed allowing you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names of any subfolders and files in the selected audit path that are to be excluded from auditing. Note: ChangeAuditor uses event consolidation rules for Microsoft Office file types to reduce the number of events generated. Therefore,.tmp files associated with Microsoft Word or Excel documents are excluded from auditing. Excluding *.tmp will remove the ability to consolidate these events and you may lose some events. Add the names of paths of subfolders and files to exclude from auditing To exclude a subfolder or file, use the button to browse for and select an individual subfolder or file. Or enter the name of the folder or file to be excluded from auditing. By default, when a Folder or Volume audit path is selected above in the Selection list, the audit path will be displayed. To exclude a file or subfolder in that audit path, append the name of the individual subfolder or file to the path. Do not delete the audit path. You can also select a group of files or subfolders using wildcard characters. Use an asterisk (*) to substitute zero or more characters. Use a question mark (?) to substitute a single character. For example, entering <audit path>\*.exe will exclude all files in the specified audit path with the file extension of.exe from being audited. Note: If the monitored files mask ends with the \* symbols, the parent folder is also excluded. Once you have specified a subfolder or file to be excluded, select the appropriate Add button to add the file or folder to the Exclusions list. 47

48 ChangeAuditor for NetApp Exclusions list The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries: SELECT CHANGEAUDITOR AGENTS PAGE Add - Use one of the following Add commands to move the entry in the text box to the Exclusions list: Add Folder Add File Remove - Select an entry in the Exclusions list and use the Remove button to remove it. Use this page to select the ChangeAuditor agents that are to receive the audit events captured on the selected NetApp filer. Note: You can improve performance by assigning a NetApp Auditing template to more than one ChangeAuditor Agent. When multiple agents are assigned to the same NetApp Auditing template, events will be load balanced between these agents. However the downside is that the where field for NetApp events may contain any one of these agents. In addition, if NetApp event logging is enabled in ChangeAuditor, events will be written on multiple agent servers. 48

49 NetApp Filer Auditing Add Use the Add button to assign one or more ChangeAuditor agents to the NetApp Auditing template. Selecting this button displays the ChangeAuditor Agents dialog. From this dialog, select one or more agents and then select OK. Remove Set Credentials Use the Remove button to remove the selected agent from the list. If you did NOT add the ChangeAuditor Agent accounts to the local Administrators group on the NetApp filer, select the ChangeAuditor Agent from the list and select the Credentials button. Enter the NetApp filer credentials to be used. See Required Rights and Permissions for more information on valid credentials. Clear Credentials ChangeAuditor Agent list Use the Clear Credentials button to clear the NetApp filer credentials that were previously entered for the selected ChangeAuditor Agent. The list across the bottom of the page lists the ChangeAuditor Agents selected to capture audit events from the selected NetApp filer. File System Events Settings The File System Events settings on the Configuration Setup dialog also apply to the NetApp filer events. Use these settings to define how to process duplicate events. Discard duplicates that occur within nn seconds This option is selected by default and will discard file system events that occur within 10 seconds of each other. You can enter a value between 1 and 600 (or use the arrow controls) to increase or decrease this interval. Audit all configured, including duplicates (Not Recommended) Select this option to audit all configured file system events including duplicate events. This is NOT recommended and therefore is disabled by default. 49

50 ChangeAuditor for NetApp To set the File System Events settings: 1. Open the Administration Tasks tab. 2. Select the Configuration task button at the bottom of the navigation pane. 3. Select Agent in the Configuration task list to display the Agent Configuration page. 4. Select the Configurations tool bar button. 5. On the Configuration Setup dialog, select an agent configuration from the left-hand pane (i.e., the configuration that is being used by the ChangeAuditor Agents assigned to receive NetApp filer events) and then set the File System Events settings as defined above. 6. Once you have set these settings, select OK to save your selections, close the dialog and return to the Agent Configuration page. 7. Back on the Agent Configuration page, select the ChangeAuditor Agent(s) assigned to receive NetApp filer events and select the Refresh Configuration tool bar button or right-click command. If you do not refresh the agent s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting. The default is every 15 minutes. 50

51 NetApp Filer Auditing NetApp Event Logging For NetApp events, event logging is disabled by default. When enabled, only configured activities are sent to the ChangeAuditor for NetApp Event log. See the ChangeAuditor for NetApp Event Reference Guide for a list of the NetApp events that can be sent to the event log. To enable NetApp event logging: 1. Open the Administration Tasks tab. 2. Select the Configuration task button at the bottom of the navigation pane. 3. Select Agent in the Configuration task list to display the Agent Configuration page. 4. Select the Event Logging tool bar button. 5. On the Event Logging dialog, select NetApp. Select OK to save your selection and close the dialog. The NetApp events configured in the NetApp Auditing template will then be sent to the ChangeAuditor for NetApp event log. 51

52

53 5 NetApp Searches/Reports Introduction Create Custom NetApp Searches

54 ChangeAuditor for NetApp Introduction ChangeAuditor for NetApp enables you to create custom search definitions to search for file and/or folder changes to a specific NetApp file, folder or volume. You will use the Search Properties tabs across the bottom of the Searches page to define new custom searches. This chapter explains how to create custom NetApp searches. For a description of the dialogs mentioned in this chapter, please refer to the online help. For a description of the Search Properties tabs and how to use these tabs to customize your searches, see the ChangeAuditor User Guide. Create Custom NetApp Searches The following scenarios explain how to use the What tab to create custom NetApp searches. If you wanted to, you can use the other Search Properties tabs to define additional criteria: Who - allows you to search for events generated by a specific user, computer or group Where - allows you to search for events captured by a specific agent or within a specific domain or site When - allows you to search for events that occurred within a specific date/time range Origin - allows you to search for events that originated from a specific workstation or server Comments - allows you to search for events that contain a specific comment To search for all file system events including NetApp filer events: 1. Open the Searches page. 2. In the explorer view (left-hand pane), expand and select the folder where you want to save your search. Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all ChangeAuditor users. 3. Select the New tool bar button at the top of the Searches page (or right-click a folder and select the New New Search menu command). 54

55 NetApp Searches/Reports This will open and activate the Search Properties tabs across the bottom of the Searches page. 4. On the Info tab, enter a name and description for the search. 5. Open the What tab, expand the Add tool bar button and select Subsystem File System. 6. On the Add File System Path dialog, select the All File System Paths option. 7. Review the Actions section and select those that are to be included in the search. By default, All Actions is selected meaning that all of the actions associated with the file system path will be included in the search. 8. Select the OK button to save your selection and close the dialog. 9. Once you have defined your search criteria, select Run to save and run the search. 10. When this search is run, ChangeAuditor will search for all file system events including NetApp filer events and display the results in a new search results page. To search for events performed against a specific NetApp file or folder: 1. Open the Searches page. 2. In the explorer view, expand and select the folder where you want to save your search. Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all ChangeAuditor users. 3. Select the New tool bar button at the top of the Searches page (or right-click a folder and select the New New Search menu command). 4. On the Info tab, enter a name and description for the search. 55