File system auditing
File system auditing monitors and records file access and modification operations performed through the SMB and NFSv3 protocols. Records are made using the Windows Eventlog format and can be stored to the file system's audit log or made available to third-party external tools.
File system audit logging is performed and controlled on a per file system basis.
Currently, file system auditing is only supported for operations using SMB and NFSv3. By default, when file system auditing is enabled, access to the audited file system is allowed only through these two protocols. Access by clients using other protocols, such as NFSv2, can optionally be allowed; when such access is allowed, access to file system objects through those protocols is not audited.
After a file has been externally migrated (migrated to an external server), for example to a Hitachi Content Platform (HCP) system, subsequent access to the file through the NAS server is audited as if the file were still local.
For known users (users with a Windows user mapping), the NAS server logs Object Access events 560, 562, 563 and 564. As with the Windows operating system, auditable events for objects are specified by SACLs (system access control lists). Auditing events are logged under the following conditions:
- 560 – open handle
This event is logged when a network client asks for access to an object. An access check is performed against the DACL (discretionary access control list) and an audit check is performed against the SACL. If the result of the access check matches the result of the audit check, an audit record is generated.
- 562 – close handle
This event is logged when an application closes (disposes of) an existing handle, and is logged in conjunction with event 560.
- 563 – open handle for delete
This event is logged when a network client asks for access to a file using the CreateFile call, and the delete-on-close flag is specified. An access check is performed against the DACL and an audit check is performed against the SACL. If the result of the access check matches the result of the audit check, an audit record is generated.
For successful deletions, the audit records the accesses that were granted, and for failures the audit records the accesses that were requested.
- 564 – delete
This event is logged when an application closes (disposes of) an existing handle, and is logged in conjunction with event 563.
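The four events above arrive as separate records, so reviewing an audit log means pairing each open (560 or 563) with the close (562 or 564) that shares its handle ID. The following PowerShell is an added example, not code from the original documentation or from the NAS server: it walks a list of constructed sample events, pairs them by handle, reports a failed 563 on its own (it records the requested accesses and never gets a 564 partner), and lists handles that were opened but never closed within the log window. The field names (EventId, Time, Handle, Object, User, Accesses, Outcome) are this example's own, not the NAS server's message layout.

```powershell
# Added example, not code from the original documentation: correlating the four
# Object Access events described above. The records below are constructed sample
# data, and the field names are this example's own, not the NAS server's message layout.
$events = @(
    [pscustomobject]@{ EventId = 560; Time = '09:00:01'; Handle = '0x1A4'; Object = '\finance\q3.xlsx';     User = 'CORP\alice'; Accesses = 'ReadData';  Outcome = 'Success' }
    [pscustomobject]@{ EventId = 562; Time = '09:00:07'; Handle = '0x1A4'; Object = $null;                  User = 'CORP\alice'; Accesses = $null;       Outcome = 'Success' }
    [pscustomobject]@{ EventId = 563; Time = '09:01:12'; Handle = '0x2B0'; Object = '\finance\old.docx';    User = 'CORP\bob';   Accesses = 'DELETE';    Outcome = 'Success' }
    [pscustomobject]@{ EventId = 564; Time = '09:01:12'; Handle = '0x2B0'; Object = $null;                  User = 'CORP\bob';   Accesses = $null;       Outcome = 'Success' }
    [pscustomobject]@{ EventId = 563; Time = '09:02:30'; Handle = '0x2C8'; Object = '\finance\ledger.xlsx'; User = 'CORP\carol'; Accesses = 'DELETE';    Outcome = 'Failure' }
    [pscustomobject]@{ EventId = 560; Time = '09:03:45'; Handle = '0x311'; Object = '\finance\plan.pptx';   User = 'CORP\dave';  Accesses = 'WriteData'; Outcome = 'Success' }
)

function Get-AuditHandleSummary {
    # Pairs 560 (open) with 562 (close) and 563 (open for delete) with 564 (delete)
    # by handle ID, in the order the events were logged.
    param([Parameter(Mandatory)][object[]]$Events)

    $open = @{}   # handle ID -> the 560/563 event that created the handle
    foreach ($e in $Events) {
        if ($e.EventId -in 560, 563) {
            if ($e.Outcome -eq 'Success') {
                # A granted open produces a handle that a later 562/564 will close.
                $open[$e.Handle] = $e
            } else {
                # A failed 563 records the accesses that were requested and never
                # gets a 564 partner, so report it immediately.
                [pscustomobject]@{ Object = $e.Object; User = $e.User; Action = 'delete denied'; Opened = $e.Time; Closed = $null; Accesses = $e.Accesses }
            }
        } elseif ($e.EventId -in 562, 564) {
            $o = $open[$e.Handle]
            if ($null -eq $o) {
                # A close with no recorded open: the open predates the log window,
                # or was overwritten by a Wrap roll-over.
                [pscustomobject]@{ Object = $null; User = $e.User; Action = "close without open ($($e.Handle))"; Opened = $null; Closed = $e.Time; Accesses = $null }
            } else {
                $action = if ($e.EventId -eq 564) { 'deleted' } else { 'accessed' }
                [pscustomobject]@{ Object = $o.Object; User = $o.User; Action = $action; Opened = $o.Time; Closed = $e.Time; Accesses = $o.Accesses }
                $open.Remove($e.Handle)
            }
        }
    }
    # Anything still in $open was opened but never closed within the log window.
    foreach ($o in $open.Values) {
        [pscustomobject]@{ Object = $o.Object; User = $o.User; Action = 'open, no close seen'; Opened = $o.Time; Closed = $null; Accesses = $o.Accesses }
    }
}

Get-AuditHandleSummary -Events $events | Format-Table -AutoSize
```

With the sample data this reports one completed access (alice), one completed deletion (bob), one denied deletion (carol) and one handle still open (dave). In practice the input would be records read from the FS log on the NAS server, with the message text parsed into these fields; that parsing depends on the exact message layout and is not shown here.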
About file system audit logs
The file system audit log is buffered in memory, and may be permanently stored in a file in the file system being audited. Active audit log files are stored in Windows event log file format (.evt) so that standard tools can access them. The name, location, size of the active audit log file, log file retention, and active log file backup settings are defined when enabling auditing for a file system.
Audit log files are limited in size, and the retention behavior when a log fills is configurable. When an audit log reaches its maximum size, log entries (file system events) can be overwritten, or the full audit log can be saved and a new log started.
You can specify a backup policy, which backs up the active log at regular intervals, and starts a new active log file. Backup log files are created in the same directory as the active audit log file.
In the event of a server crash, active file system audit logs are recovered only if a rollback is performed on restart. Note that a rollback may reset the audit log file to a time when it can be recovered, thus saving some records that would otherwise be lost.
Controlling file system auditing
File system auditing requires that a file system audit policy be defined for the file system to be monitored, and that auditing is enabled for the specific file system. File system auditing is performed and controlled on a per file system basis.
Creating a file system audit policy
Procedure
Navigate to the File System Audit Policies page, and click add to display the Add File System Audit Policy page.
The following table describes the fields on this page:
- EVS/File System. Lists the currently selected EVS and file system, to which the audit policy will apply. Click change to go to the Select a File System page, where you can select a different EVS and file system.
- Access via Unsupported Protocols. When clients attempt to access the file system through a protocol that does not support auditing (such as NFSv2), this setting determines whether those clients are permitted to access the file system. You can select either:
  - Deny Access. Client access to the file system using unauditable protocols (such as NFSv2) is denied.
  - Allow Access. Allows client access to the file system using unauditable protocols (such as NFSv2), but does not create any auditing events.
- Audited Protocols. Determines which protocols are audited. You can select either:
  - smb. Only the SMB protocol is audited. Access to SMB is always allowed, and access via other protocols is determined by the Other Protocol Support option.
  - smb, nfsv3. Both the SMB and NFSv3 protocols are audited. Access to SMB and NFSv3 is always allowed, and access via other protocols is determined by the Other Protocol Support option.
- External. Stops the audit records from being stored locally (including audit log backups) and instead makes them available only to an external audit log server. To configure an external logging server, use the audit-syslog CLI command; for third-party audit logging applications, configure an audit log consolidated cache and then read the audit logs using the Windows EVENTLOG protocol.
- Active Log File Name. Specify the file name for the file system audit log. The file name must have an .evt extension. The default file name is audit.evt.
- Logging Directory. Specify the directory within the file system in which the file system audit log files are saved. You can use the browse button to search for an existing directory, or enter the name of a directory to be created.
- Maximum Log File Size. Specify the maximum size of the active audit log file in KiB or MiB. The default size is 512 KiB. The maximum log file size is 50 MiB.
- Log roll over policy. Determines what the system does once the active audit log file is full (when it reaches the Maximum Log File Size). You can select either:
  - Wrap, which causes the system to delete the oldest existing audit entry to allow room for a new entry.
  - New, which causes the system to create a new active audit log file. The default is New.
- Backup Interval. Specify the time (in minutes) between automatic backups of the active audit log. The backup interval must be between 5 and 14400 minutes (10 days). A value of 0 disables the automatic backups. The default is 0.
- Number of files to retain. Specify the number of backup audit log files to retain. The default is 10. The maximum number of files to retain is 50.
Specify the access settings for unsupported (unauditable) protocols:
- Deny Access. Client access to the file system using unauditable protocols (such as NFS) is denied.
  Specifying Deny Access generates an error if there is an NFS export mounted on an unauditable client, or if the file system has an FTP user with a directory available. To avoid this error, remove the NFS export for the file system, remove the FTP user, or select the Allow Access option.
- Allow Access. Allows client access to the file system using unauditable protocols (such as NFS), but does not create any auditing events.
Specify the name for the active audit log file. The file type suffix must be .evt.
Click browse to specify an existing logging directory, or enter the name of a directory to create.
For ease of access to the audit log files, the logging directory should be within a CIFS share that can be accessed by those who need to review the access log.
Specify the maximum log file size.
Specify the roll over (retention) policy.
Specify the backup interval.
Specify the number of files to retain.
Click OK to save the policy as specified.
Configuring auditing on the Windows client
After creating a file system audit policy, the next step is to configure which of these events gets audited from the Windows client. By default, no file system accesses will be audited.
Procedure
Right-click a folder that resides on a server file system that is configured for auditing and select Properties, and then the Security tab.
Click Advanced and select the Auditing tab.
Select Add and select which users get audited.
For example, select Everyone so that all users get audited.
A box pops up and allows you to specify which events are to be audited for the specified user.
You can choose to audit Successful, Failed, or both for each access type.
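The procedure above adds a SACL entry through the Security tab. The following PowerShell is an added example, not code from the original documentation, that creates the same kind of entry from a script: an audit rule for Everyone covering reads, writes and deletes, for both successful and failed accesses, inherited by the folder's files and subfolders. The UNC path is a constructed placeholder; the example assumes the account running it holds the Manage auditing and security log privilege (SeSecurityPrivilege) on the server, which Get-Acl -Audit and Set-Acl need in order to read and write the SACL.

```powershell
# Added example, not from the original documentation: the auditing entry the GUI
# procedure above creates, applied with PowerShell instead of the Security tab.
# Assumption: the path below is a constructed placeholder for a folder on a file
# system that has an audit policy, and the caller holds SeSecurityPrivilege.
$Path = '\\nas-evs1\projects\finance'

# Which access types to audit; ReadData/WriteData map to the Read and Write
# entries in the Auditing dialog, Delete to the Delete entry.
$rights = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
          [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

# Apply to this folder, its subfolders and its files (folder-only targets would
# use InheritanceFlags None).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Audit both Successful and Failed attempts, as the dialog lets you choose per access type.
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $flags)

# -Audit fetches the SACL; without it the descriptor contains only the DACL and
# Set-Acl would not write any audit entries.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back so the change can be verified.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```

Once the rule is in place, the server generates the 560/562/563/564 events described earlier for any SMB or NFSv3 access to the folder's contents that matches the rule; accesses through protocols the policy does not audit still produce no records.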
Enabling auditing for a file system
To enable file system auditing for a particular file system, the file system must be added to the file system audit list.
Procedure
Navigate to the File System Audit Policies page.
The following table describes the fields on this page:
- EVS. Lists the EVS to which the file system is assigned. Click change to go to the Select an EVS page, where you can select a different EVS.
- Audit Log Consolidated Cache. The server uses this cache for reporting file system audit events to Windows clients. Only one consolidated cache file can be configured per EVS.
- modify. Enables you to configure the file system, the directory where the file is stored, and the file name for the audit log consolidated cache file.
- File System. Lists all file systems in the specified EVS that have an audit policy.
- Status. Indicates whether file system auditing is enabled or disabled. It also indicates whether auditing is external.
- details. Displays the File System Audit Policy Details page, in which you can change the auditing options for a file system.
- add. Displays the Add File System Audit Policy page, in which you can set the auditing options for a file system. Only one audit policy is allowed per file system.
- delete. Deletes the audit policy for a selected file system.
- enable. Enables file system auditing for the selected file system.
- disable. Disables file system auditing for the selected file system.
If the file system on which you want to enable auditing is listed, an audit policy has already been defined for that file system.
- If the Audit Policy Status is enabled, logging is already enabled for the file system, and no further actions are required.
- If the Audit Policy Status is disabled, select the check box next to the file system name, and click enable.
If the file system is not listed, click change to display the Select an EVS page, in which you can select a different EVS.
- If, after selecting the EVS that hosts the file system, the file system on which you want to enable auditing is now listed on the File System Audit Policies page, select the check box next to the file system name, and click enable.
- If, after selecting the EVS that hosts the file system, the file system on which you want to enable auditing is still not displayed, you must define a file system audit policy for that file system. Click add to display the Add File System Audit Policy page, in which you can set the auditing options for a file system.
Modifying a file system audit policy
Navigate to the File System Audit Policies page.
If the file system with the audit policy you want to change is not displayed, change the currently selected EVS to the EVS hosting that file system. To select a different EVS, click change to go to the Select an EVS page.
Click the details button for the file system with the audit policy you want to modify to display the File System Audit Policy Details page.
The following table describes the fields on this page:
- EVS/File System. Lists the currently selected EVS and file system, to which the audit policy will apply. Click change to go to the Select a File System page, where you can select a different EVS and file system.
- Auditing. Indicates whether file system auditing is enabled or disabled. Click enable or disable to toggle the auditing mode.
- Access via Unsupported Protocols. When clients attempt to access the file system through a protocol that does not support auditing (such as NFSv2), this setting determines whether those clients are permitted to access the file system. You can select either:
  - Deny Access. Client access to the file system using unauditable protocols (such as iSCSI) is denied.
  - Allow Access. Allows client access to the file system using unauditable protocols (such as iSCSI), but does not create any auditing events.
- Audited Protocols. Determines which protocols are audited. You can select either:
  - smb. Only the SMB protocol is audited. Access to SMB is always allowed, and access through other protocols is determined by the Other Protocol Support option.
  - smb, nfsv3. Both the SMB and NFSv3 protocols are audited. Access to SMB and NFSv3 is always allowed, and access through other protocols is determined by the Other Protocol Support option.
- External. Stops the audit records from being stored locally (including audit log backups) and instead makes them available only to an external audit log server. To configure an external logging server, use the audit-syslog CLI command; for third-party audit logging applications, configure an audit log consolidated cache and then read the audit logs using the Windows EVENTLOG protocol.
- Active Log File Name. Specifies the file name for the file system audit log. The file name must have an .evt extension. The default file name is audit.evt.
- Logging Directory. Specifies the directory within the file system in which the file system audit log files are saved. You can use the browse button to search for an existing directory, or enter the name of a directory to be created.
- Maximum Log File Size. Specifies the maximum size of the active audit log file in KiB or MiB. The default is 512 KiB. The maximum value is 50 MiB.
- Log roll over policy. Determines what the system does once the active audit log file is full (when it reaches the Maximum Log File Size). You can select either:
  - Wrap, which causes the system to delete the oldest existing audit entry to allow room for a new entry.
  - New, which causes the system to create a new active audit log file. The default is New.
- Backup Interval. Specifies the time (in minutes) between automatic backups of the active audit log. The backup interval must be between 5 and 14400 minutes (10 days). A value of 0 disables the automatic backups. The default is 0.
- Number of files to retain. Specifies the number of backup audit log files to retain. The default is 10.
Modify the policy as required.
Click OK to save the policy as specified.
Enabling or disabling auditing for a file system
Navigate to the File System Audit Policies page.
If the file system with the audit policy you want to change is not displayed, change the currently selected EVS to the EVS hosting that file system. To select a different EVS, click change to go to the Select an EVS page.
Select the check box next to the name of the file system with the audit policy you want to enable or disable.
Click Enable to allow a disabled policy to function again, or click Disable to stop the policy from functioning.
When disabled, file system access operations are not logged, and protocol restrictions are not enforced. Note that disabling a policy does not delete it.
Deleting a file system audit policy
Navigate to the File System Audit Policies page.
If the file system with the audit policy you want to delete is not displayed, change the currently selected EVS to the EVS hosting that file system. To select a different EVS, click change to go to the Select an EVS page.
Select the check box next to the name of the file system with the audit policy you want to delete, and click delete.
Note: Existing log files are not deleted automatically when a policy is deleted. If you want to delete these logs, you must do so manually.
Displaying file system audit logs
The NAS server supports using a remote Windows Event Viewer to display file system audit log events. The audit log files are shown in the "FS" (file system) log, which can be displayed by the Windows Event Viewer, assuming that:
- You have used the audit-log-consolidated-cache command to configure a single consolidated cache file.
  If the cache file is not configured, the Windows Event Viewer cannot view file system events. The consolidated cache file has a default size of 10 MB and a maximum size of 50 MB.
  Note: Only one consolidated cache file can be configured per EVS. Audit events from all file systems assigned to that EVS are collected into this single consolidated cache file. When you create the consolidated cache file, you must specify the name of the file system in which the file will be stored. The cache file is located in the .audit directory of the root of the named file system. The default name for the consolidated cache file is audit_cache.evt (audit log files for individual file systems have a default name of audit.evt).
- The logging directory is within a CIFS share.
Using the Windows Event Viewer, you can display, save, and clear the local event logs, or those on a remote computer. Audit logs can be saved in several formats, including the .evt event format or a plain text file. The Windows Event Viewer can only save in .evt format to a file on the same computer as the event log, because the computer being viewed performs the copy (the Event Viewer does not simply read the event log and write it to a file). The Event Viewer can also be used to open and display saved audit log files.
Optionally, you can send file system audit logs to a remote syslog server using the audit-syslog command. Enter man audit-syslog at the CLI, or see the Command Line Reference for more information.