Integrate EMC Isilon EventTracker v8.x and above Publication Date: March 3, 2017


Integrate EMC Isilon

Abstract

This guide helps you configure EMC Isilon and EventTracker so that EventTracker receives EMC Isilon events. It contains the detailed procedure required for monitoring EMC Isilon.

Audience

Administrators who are assigned the task of monitoring and managing EMC Isilon events using EventTracker.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

2

Integrate EMC Isilon

Table of Contents

Abstract
Audience
Overview
Prerequisites
Integration of EMC Isilon to EventTracker manager
  EventTracker Knowledge Pack
    Alerts
    Flex Reports
    Knowledge Object
Import EMC Isilon knowledge pack into EventTracker
  Knowledge Objects
  Alerts
  Token Template
  Flex Reports
Verify EMC Isilon knowledge pack in EventTracker
  Knowledge Objects
  Alerts
  Token Template
  Flex Reports
Create Flex Dashboards in EventTracker
  Schedule Reports
  Create Dashlets
  Sample Flex Dashboards


Overview

Isilon OneFS is a NAS solution that combines the three layers of a traditional storage architecture (file system, volume manager, and data protection) into one unified layer.

EventTracker helps you monitor user login activity, file operations (open, close, read, write, etc.) and changes to file permissions on EMC Isilon. It triggers an alert whenever a file permission is changed or a user login fails. Its knowledge object makes log searches easier and more informative.

Prerequisites

EventTracker v8.x should be installed.

EMC Isilon OneFS 7.1 or later should be installed.

An exception should be added to the Windows firewall on the EventTracker machine for syslog port 514 (UDP, which is what the OneFS syslog forwarding configured below uses). Scope the exception to the Isilon node addresses rather than to any source: syslog over UDP is neither authenticated nor encrypted, so an open port 514 lets any host on the network inject events into EventTracker.

Integration of EMC Isilon to EventTracker manager

1. Log in to the EMC Isilon CLI as root, using SSH or a direct console session. The syslog template is edited directly on the node's file system.

2. Run the following command to back up the /etc/mcp/templates/syslog.conf file:

   cp /etc/mcp/templates/syslog.conf /etc/mcp/templates/syslog.conf.bku1

3. Open the /etc/mcp/templates/syslog.conf file in a text editor such as vi, edit, or nano. Edit the template, not /etc/syslog.conf itself: the master control process (MCP) regenerates /etc/syslog.conf from the template, so a change made directly to /etc/syslog.conf is overwritten.

4. Add a custom filter for your EventTracker manager. For example:

   *.warn;*.notice;kern.*;ifs.info;istat.none @<EventTracker manager>

   NOTE: A filter of *.* will generate a lot of traffic. The @host target forwards over UDP port 514 in clear text, so keep the EventTracker manager on a management network and restrict its firewall exception to the cluster's node addresses (see Prerequisites).

5. To also forward the configuration and protocol audit logs, find these sections of the /etc/mcp/templates/syslog.conf file:

   !audit_config
   *.* /var/log/audit_config.log

   !audit_protocol
   *.* /var/log/audit_protocol.log

6. Add a line for the remote syslog server (the EventTracker manager) to each section, so that the sections now look like this. Audit events only reach syslogd when syslog forwarding is enabled in the cluster's audit settings; this guide assumes it already is.

   !audit_config
   *.* /var/log/audit_config.log
   *.* @<EventTracker manager IP address>

   !audit_protocol
   *.* /var/log/audit_protocol.log
   *.* @<EventTracker manager IP address>

7. Save the file and exit your editor. MCP pushes your changes from the template file into /etc/syslog.conf a short time later.

8. Reload the configuration by sending the hang-up signal to the syslogd process on every node:

   isi_for_array 'killall -HUP syslogd'

   isi_for_array runs the command on all nodes of the cluster. Each node forwards its own syslog, so the EventTracker manager must be reachable from every node, not just the one you logged in to.
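The following script is an example added here; it is not part of the EventTracker guide and not an EMC or OneFS tool. It applies steps 2 through 6 above to a syslog.conf template from a script rather than by hand, so the edit is repeatable across clusters and safe to re-run: it makes the .bku1 backup, inserts the custom filter before the first !prog block (a filter appended after a !prog header would apply to that program only), and adds the @manager line inside the !audit_config and !audit_protocol sections only if it is not already there. The manager address 192.0.2.10, the function names, and the cut-down template written by make_sample_template are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the EventTracker guide): automate steps 2-6 of the
# Isilon syslog.conf template edit so it is idempotent and repeatable.
# Assumptions: 192.0.2.10 is a placeholder manager address; the sample
# template below is a constructed stand-in for the real OneFS file.
# On a node, run as root:
#   add_eventtracker_target /etc/mcp/templates/syslog.conf 192.0.2.10
#   isi_for_array 'killall -HUP syslogd'     # step 8, still done by hand

# Constructed stand-in for the relevant parts of /etc/mcp/templates/syslog.conf,
# used to exercise the helpers offline. The real template has many more lines.
make_sample_template() {
    cat > "$1" <<'EOF'
*.err;kern.warning;auth.notice;mail.crit    /var/log/messages
!audit_config
*.*    /var/log/audit_config.log
!audit_protocol
*.*    /var/log/audit_protocol.log
!syslog
*.*    /var/log/syslog
EOF
}

# Exit 0 if the line "*.* @<target>" is already present inside "!<section>".
# Usage: section_has_target FILE SECTION TARGET
section_has_target() {
    awk -v s="!$2" -v t="*.* @$3" '
        $0 == s          { insec = 1; next }   # entered the wanted section
        /^!/             { insec = 0 }         # any other !prog header ends it
        insec && $0 == t { found = 1 }
        END              { exit found ? 0 : 1 }' "$1"
}

# Step 4: the global filter goes before the first "!prog" block, otherwise
# syslogd would scope it to that program only. Skipped if already present.
add_global_filter() {
    file=$1; line=$2
    grep -qxF "$line" "$file" && return 0
    awk -v l="$line" '
        !done && /^!/ { print l; done = 1 }
        { print }
        END { if (!done) print l }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Steps 5-6: add "*.* @<target>" directly after the section's /var/log/ line.
# Fails (exit 1) if the section or its local log line cannot be found.
add_remote_to_section() {
    file=$1; section=$2; target=$3
    section_has_target "$file" "$section" "$target" && return 0
    awk -v s="!$section" -v t="*.* @$target" '
        { print }
        $0 == s { insec = 1; next }
        insec && $1 == "*.*" && index($2, "/var/log/") == 1 { print t; insec = 0 }
        /^!/    { insec = 0 }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    section_has_target "$file" "$section" "$target" || {
        echo "no !$section section with a /var/log/ line found in $file" >&2
        return 1
    }
}

# Steps 2-6 together: back up the template first, then make the three edits.
# Usage: add_eventtracker_target TEMPLATE_FILE MANAGER_IP
add_eventtracker_target() {
    template=$1; manager=$2
    cp "$template" "$template.bku1" || return 1
    add_global_filter "$template" "*.warn;*.notice;kern.*;ifs.info;istat.none @$manager" || return 1
    add_remote_to_section "$template" audit_config "$manager" || return 1
    add_remote_to_section "$template" audit_protocol "$manager"
}
```

Running add_eventtracker_target twice leaves the file unchanged the second time, which is what you want when the same script is pushed to several clusters or re-run after a failed reload. section_has_target also doubles as a check after step 7: run it against /etc/syslog.conf on each node to confirm MCP has propagated the template before you send the HUP.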

EventTracker Knowledge Pack

Once logs are received in EventTracker, alerts, reports and a knowledge object can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker Enterprise to support EMC Isilon.

Alerts

EMC Isilon: Login failed – This alert is generated when a user logon failure occurs on EMC Isilon.

EMC Isilon: File permission changes – This alert is generated when a user changes file or directory permissions.

EMC Isilon: File or directory deleted – This alert is generated when a user deletes a file or directory from an EMC Isilon zone.

Flex Reports

EMC Isilon-File operations – This report provides information about the operations (open, close, read, write, rename, etc.) performed on files in an EMC Isilon zone by a user. It shows the user information (Security ID, Client IP), the operation performed and the file details (file path, file type).

Figure 1


Sample logs:

Figure 2

EMC Isilon-File permission checked and changed – This report provides information about file permission checks and changes. It shows the user information (Security ID, Client IP) and the file (file path, file type) whose permissions were checked or changed.

Figure 3

Sample logs:

Figure 4

EMC Isilon-Logon and logoff activities – This report provides information about the logon and logoff activity on EMC Isilon, showing which user logged on or off and when.

Figure 5

Sample logs:

Figure 6

EMC Isilon-Logon failed – This report provides information about user logon failures by client. It shows which users are failing to log on to EMC Isilon and from where.


Figure 7

Sample logs:

Figure 8

Knowledge Object

EMC Isilon – This knowledge object helps analyze the logs related to file operations, login/logoff activity and file permission changes.

Import EMC Isilon knowledge pack into EventTracker

NOTE: Import the knowledge pack items in the following sequence:

1. Token Template
2. Knowledge Objects
3. Alerts
4. Flex Reports

NOTE: Export the following KP items when replicating the configuration to another EventTracker manager: Token Template, Knowledge Object, Flex Reports, Alerts.

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility.


Figure 9

3. Click the Import tab.

Knowledge Objects

1. Click Knowledge objects under the Admin option in the EventTracker manager page.

2. Locate the All EMC Isilon group of Knowledge object.etko file, and then click the Import button.

Figure 10

3. Choose the Knowledge objects that need to be imported and click Upload.


Figure 11

4. Knowledge objects are now imported successfully.

Figure 12

Alerts

1. Click Alerts option, and then click the browse button.


Figure 13

2. Locate All EMC Isilon group of alerts.isalt file, and then click the Open button.

3. To import alerts, click the Import button.

EventTracker displays success message.

Figure 14

4. Click OK, and then click the Close button.

Token Template

1. Log on to EventTracker Enterprise.

2. Click the Admin menu and then click Parsing rule.


3. Click the Template tab.

4. Click the Import button.

(Note: Make sure pop-up is enabled for EventTracker).

Figure 15

5. Locate and choose All EMC Isilon group of template.ETTD file and then click the Open button.

Figure 16


6. Select the template you want to upload.

7. Click the Import configuration button.

Figure 17

EventTracker displays a success message.

Figure 18

8. Click OK; the window closes automatically.

Flex Reports

1. Click Reports option, and then click the browse button.

2. Locate the All EMC Isilon group of flex reports.issch file, and then click the Open button.


Figure 19

3. Click the Import button to import the scheduled reports. EventTracker displays success message.

Figure 20

Verify EMC Isilon knowledge pack in EventTracker

Knowledge Objects

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Knowledge Objects.

2. In the Knowledge Object tree, expand the EMC Isilon group folder to see the imported Knowledge objects.


Figure 21

Alerts

1. Log on to EventTracker Enterprise.

2. Click the Admin menu, and then click Alerts.

3. In the Search field, type ‘EMC Isilon’, and then click the Go button.

The Alert Management page displays all the imported EMC Isilon alerts.

Figure 22


4. To activate the imported alerts, select the respective checkbox in the Active column.

EventTracker displays a message box.

Figure 23

5. Click OK, and then click the Activate Now button.

NOTE: You can select alert notifications such as Email and Message. To do so, select the respective checkbox in the Alert management page, and then click the Activate Now button.

Token Template

1. Log on to EventTracker Enterprise, and click Admin > Parsing rule.

2. Click the Template tab.

3. Check the template you uploaded.

Figure 24


Flex Reports

1. In the EventTracker Enterprise web interface, click the Reports menu, and then select Configuration.

2. In the Reports Configuration pane, select the Defined option.

3. In the search box enter ‘EMC Isilon’, and then click the Search button.

EventTracker displays the Flex reports for ‘EMC Isilon’.

Figure 25


Create Flex Dashboards in EventTracker

NOTE: To configure the flex dashboards, first schedule and generate the reports. The Flex dashboard feature is available from EventTracker Enterprise v8.0.

Schedule Reports

1. Open EventTracker in a browser and log on.

Figure 26

2. Navigate to Reports > Configuration.

3. Select EMC Isilon in the report groups, and select the Defined option.


Figure 27

4. Click on ‘schedule’ to plan a report for later execution.

5. Click Next button to proceed.

6. In review page, check Persist data in EventVault Explorer option.


Figure 28

7. In next page, check column names to persist using PERSIST checkboxes beside them. Choose suitable

Retention period.


Figure 29

8. Proceed to next step and click Schedule button.

9. Wait till the reports get generated.

Create Dashlets

1. Open EventTracker Enterprise in a browser and log on.

Figure 30


2. Navigate to Dashboard>Flex.

Flex Dashboard pane is shown.

Figure 31

3. Fill suitable title and description and click Save button.

4. Click to configure a new flex dashlet. Widget configuration pane is shown.

Figure 32


5. Locate the earlier scheduled report in the Data Source dropdown.

6. Select the Chart Type from the dropdown.

7. Select the extent of data to be displayed in the Duration dropdown.

8. Select the computation type in the Value Field Setting dropdown.

9. Select the evaluation duration in the As Of dropdown.

10. Select comparable values in X Axis with a suitable label.

11. Select numeric values in Y Axis with a suitable label.

12. Select a comparable sequence in Legend.

13. Click the Test button to evaluate. The evaluated chart is shown.

Figure 33


14. If satisfied, click Configure button.

Figure 34

15. Click ‘customize’ to locate and choose created dashlet.

16. Click to add dashlet to earlier created dashboard.

Sample Flex Dashboards

For the dashboard below:

WIDGET TITLE: FILE ACCESSED IN LAST 24 HRS
DATA SOURCE: EMC Isilon-File operation
CHART TYPE: Column
AXIS LABELS [X-AXIS]: File
LEGEND [SERIES]: Action

Figure 35


For the dashboard below:

WIDGET TITLE: USER LOGIN AND LOGOFF ACTIVITIES IN LAST 24 HRS
DATA SOURCE: EMC Isilon-Login and logoff activities
CHART TYPE: Donut
AXIS LABELS [X-AXIS]: User security ID
LEGEND [SERIES]: Action

Figure 36