CG Collect NetAPP Audit log

Hi All

     I created an audit volume for NetApp audit use.

[Screenshot: 002.png]

Then I referred to the CG admin guide to set up /etc/fstab (I found that the document adds a colon... it took me a lot of time to work out why I could not mount it)

//192.168.1.81/nsroot/audit /mnt/audit cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0

Then I created a file in /usr/netiq/vsau/etc

with the content below:

192.168.1.81,/nsroot/audit,/mnt/audit,audit

Then I restarted /etc/init.d/vigilentagent to apply it on the security agent.

Then I applied CG's NetApp policy as shown below:

[Screenshot: 010.png]

Then I tried adding a file and then modifying its content on the audit volume...

but no events were generated...

Has anyone successfully connected NetApp audit?

 

Thanks!!

 

Wencheng

  • 0  

    Then I created a file in /usr/netiq/vsau/etc

    with the content below:

    192.168.1.81,/nsroot/audit,/mnt/audit,audit


    Since the audit log is in /audit, we need to give it like this:
    192.168.1.81,/audit,/mnt/audit,audit

    If this still does not work, please share the CG-netapp log from this location on the agent box:
    /usr/netiq/vsau/local/tmp/NetAppObject__singleton.err

  • 0 in reply to   

    Hi

       About the NetApp audit XML: I found that after I create this XML file... I "must" do another action... I need to open the volume or folder security settings from a Windows workstation that mounts this audit volume, and set Everyone or the users you want to monitor...

        Then I did some file actions... this XML captures the file actions that I did...

    But the CG security agent still does not read the XML file that is mounted via /etc/fstab...

    So I think the NetApp configuration file in /usr/netiq/vsau/etc is still incorrect.

     

    Wencheng

  • 0   in reply to 

    Can you cross-check whether the audit log is present at the mount location and whether it contains events for any file operation?


  • 0 in reply to   

    Hi

        I modified my configuration file as below:

    192.168.1.81,/audit,/mnt/audit,audit

    then rebooted...

    I did some file actions... the audit XML could capture these events.

    But the Security Agent still sends no events to CGServer.

    [Screenshots: SecuritySetting.png, NetAPPPolicy.png]

     

    Wencheng

  • 0   in reply to   

    Can you share the log from the location below on the agent box: /usr/netiq/vsau/local/tmp/NetAppObject__singleton.err

  • 0 in reply to   

    Hi

        As in this screenshot... you can see many object (file) actions in the XML file...

    [Screenshot: NetAPPAuditXML.png]

    I also provide my audit XML as an attachment.

     

    [Attachment: audit_netapp-svm1_last.zip]
  • 0 in reply to   

    Hi

        Here is what you need.

     

    [Attachment: NetAppObject__singleton.zip]
  • 0   in reply to 

    Hi 

    the issue lies here 
    Mon Sep 21 16:17:35 2020 1557 DBG grp 0: at event source initialization line 117: Mount directory /mnt/audit is not mapped to a volume in /usr/netiq/vsau/etc/netapp-volume-tab.
    Mon Sep 21 16:17:46 2020 1557 DBG grp 0: at main line 98: Terminating - received TERMINATE command from detectd

    The input in the config file is not correct, so it is not able to read the mount logs.
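
Added example (not part of the original thread and not NetIQ code): a small check that every cifs mount directory in /etc/fstab is mapped in the volume table the agent log names, which is the condition the DBG line above reports as failing. The four-field layout filer,volume,mount_dir,name is assumed from the entries posted in this thread, and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Cross-check cifs mounts in fstab against the agent's NetApp volume table."""
import sys

TAB = "/usr/netiq/vsau/etc/netapp-volume-tab"  # path as named in the agent log line


def cifs_mounts(fstab_text):
    """Return {mount_dir: source} for each cifs entry in fstab text."""
    mounts = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#") and fields[2] == "cifs":
            mounts[fields[1].rstrip("/")] = fields[0]
    return mounts


def check(fstab_text, tab_text):
    """Return a list of problems; an empty list means the two files agree."""
    mounts, problems, mapped = cifs_mounts(fstab_text), [], {}
    for n, line in enumerate(tab_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        # Assumed layout, taken from the thread: filer,volume,mount_dir,name
        if len(parts) != 4 or not all(parts):
            problems.append(f"line {n}: expected 4 comma-separated fields: {line!r}")
            continue
        mapped[parts[2].rstrip("/")] = parts[0]
    for mnt, src in mounts.items():
        if mnt not in mapped:
            problems.append(f"{mnt} ({src}) is mounted but not mapped in the volume table")
        elif not src.startswith(f"//{mapped[mnt]}/"):
            problems.append(f"{mnt}: fstab source {src} is not on filer {mapped[mnt]}")
    for mnt in mapped:
        if mnt not in mounts:
            problems.append(f"{mnt} is in the volume table but has no cifs line in fstab")
    return problems


if __name__ == "__main__":
    try:
        found = check(open("/etc/fstab").read(), open(TAB).read())
    except FileNotFoundError as exc:
        found = [f"missing file: {exc.filename}"]
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run on the agent box, it exits non-zero and names the file if the table does not exist under the file name the agent expects.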

  • 0 in reply to   

    Hi

       So I modified it today based on your previous suggestion...

    ------------------------------

    192.168.1.81,/audit,/mnt/audit,audit

    ------------------------------

     

    You can check NetAppObject__singleton.err from "Mon Sep 28".

     

    Wencheng

  • 0 in reply to   

    Hi

          Have you tested the NetApp module, and did it work fine?

    Could you provide your /etc/fstab and /usr/netiq/vsau/etc/<NetAPP Configure file> for me to refer to?

     

    Wencheng