Complete a FS Logga configuration

 

  1. The folder icon with the eye indicates a FS Logga configuration.
  2. Turn the FS Logga on or off. You must enter a comment to perform the action. The event and the comment are recorded in the ARM logbook.

Use the logbook to verify that the FS Logga has been turned on successfully.

You cannot change credentials if the FS Logga is turned on.

  1. You can change the name of the configuration. The name has no impact on the FS Logga function.

 

ARM shows you the file server name and type and the collector that is used. For NetApp and EMC you can change the account that is used for monitoring.

 

Monitored actions and data refresh interval

  1. Click on one of the links to open up this dialog.
  2. Specify the interval at which the Logga data is written from the collector to the ARM database. The default value is 10 minutes, minimum is 1 minute, maximum 60 minutes.
  3. With monitored actions you can filter which types of events are recorded. Disable actions you do not need to reduce the amount of data recorded in the database.
  4. You must enter a comment.
  5. Click Apply.

 

File filter configuration

Filtering is based on either the blacklist or whitelist method. Click one of the links.

 

  1. Blacklist entries: Define for which files no events are recorded.
  2. Whitelist entries: Define for which files events are recorded.
  3. You can use wildcards "*", "?" or regular expressions.
  4. Delete a filter entry.
  5. Add a filter entry.

The FS Logga first applies the blacklist entries, then the whitelist entries.

The filter configuration shown here is illogical and is for demonstration purposes only.
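The evaluation order described above can be modelled offline to see which paths a filter set would leave unrecorded. This is an added example, not FS Logga code. The function names, the sample paths and the exact matching semantics (case-insensitive, whole-path match, empty whitelist records everything) are assumptions.

```python
import fnmatch
import re

def compile_entry(entry, is_regex=False):
    """Compile one filter entry; wildcard entries ("*", "?") are translated to a regex."""
    source = entry if is_regex else fnmatch.translate(entry)
    # Assumption: matching is case-insensitive and applies to the whole path.
    return re.compile(source, re.IGNORECASE)

def is_recorded(path, blacklist, whitelist):
    """Blacklist first, then whitelist (the order stated above).

    Assumptions: a blacklist hit always suppresses the event, and an
    empty whitelist lets every remaining path through.
    """
    if any(p.fullmatch(path) for p in blacklist):
        return False
    if whitelist:
        return any(p.fullmatch(path) for p in whitelist)
    return True

def blind_spots(paths, blacklist, whitelist):
    """Paths whose events would be filtered out, for review before applying a filter set."""
    return [p for p in paths if not is_recorded(p, blacklist, whitelist)]

# Constructed filter set and sample paths (not taken from the product).
BLACKLIST = [compile_entry("*.tmp"), compile_entry(r"*\~$*")]
WHITELIST = [compile_entry(r".*\\Finance\\.*", is_regex=True)]
SAMPLE_PATHS = [
    r"\\fs01\Finance\budget.xlsx",
    r"\\fs01\Finance\~$budget.xlsx",
    r"\\fs01\Finance\export.TMP",
    r"\\fs01\HR\salary.xlsx",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        state = "recorded" if is_recorded(path, BLACKLIST, WHITELIST) else "filtered"
        print(f"{state:9} {path}")
```

Under these assumptions a blacklist entry wins over a matching whitelist entry, so a broad blacklist wildcard can silently remove sensitive files from the audit trail.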

 

Record detailed permission changes

FS Logga enables you to create a report on the details of permission changes. File servers only deliver the event that an ACL (access control list) has changed. Seeing what has changed in detail takes considerably more effort: the permissions of all monitored directories and files have to be scanned and stored in the database. After an ACL-changed event, the permissions of the affected object have to be read again and compared with the previous permissions. This process consumes storage space and CPU power.
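The scan, re-read and compare cycle described above, as an added sketch that is not FS Logga code. The ACE representation, the `PermissionTracker` class and the `read_acl` callback are hypothetical. The sample ACLs are constructed.

```python
def normalize(aces):
    """Collapse (trustee, ace_type, rights) entries into a comparable dict."""
    acl = {}
    for trustee, ace_type, rights in aces:
        key = (trustee, ace_type)
        acl[key] = acl.get(key, frozenset()) | frozenset(rights)
    return acl

def diff_acl(before, after):
    """Return (change, trustee, ace_type, rights) tuples between two normalized ACLs."""
    changes = []
    for key in sorted(before.keys() | after.keys()):
        old = before.get(key, frozenset())
        new = after.get(key, frozenset())
        if new - old:
            changes.append(("granted", *key, tuple(sorted(new - old))))
        if old - new:
            changes.append(("revoked", *key, tuple(sorted(old - new))))
    return changes

class PermissionTracker:
    """Keeps a baseline per path, because the event itself only says that an ACL changed."""

    def __init__(self, read_acl):
        self.read_acl = read_acl  # hypothetical callable: path -> list of ACE tuples
        self.baseline = {}

    def scan(self, paths):
        # Initial scan: this stored copy is what costs database space.
        for path in paths:
            self.baseline[path] = normalize(self.read_acl(path))

    def on_acl_changed(self, path):
        # Re-read after the event, compare with the stored copy, then update it.
        current = normalize(self.read_acl(path))
        changes = diff_acl(self.baseline.get(path, {}), current)
        self.baseline[path] = current
        return changes

if __name__ == "__main__":
    # Constructed file server state, before and after a change.
    server = {r"\\fs01\Finance": [("CORP\\Finance", "allow", {"read", "write"})]}
    tracker = PermissionTracker(lambda p: server[p])
    tracker.scan(server)
    server[r"\\fs01\Finance"] = [("CORP\\Finance", "allow", {"read"}),
                                 ("Everyone", "allow", {"read"})]
    print(tracker.on_acl_changed(r"\\fs01\Finance"))
```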

We strongly recommend using this function for sensitive files and directories only. Which resources are monitored is defined by the report configuration.

This feature is not available for Windows failover cluster resources.

Click on the link to enter the credentials of the account that is used for reading the ACLs.

 

NetApp Clustered Data ONTAP configuration

The following section applies only to NetApp Clustered Data ONTAP.

  1. Click on one of the links to open up this dialog.
  2. Connection from collector to NetApp
    Enter the IP address and port of the dedicated collector. The values must match those configured during the Preparation of NetApp clustered data ONTAP file servers.

The IP address and port are used to receive the events from the NetApp and therefore must be available.

  1. NetApp SVM management
    Enter the IP address of the LIF (Logical Interface) of the SVM (Storage Virtual Machine) on which the file server to be monitored is running.
    The LIF to set here must match the configured one. See Firewall configuration.
    The credentials must match the account configured in chapter Domain accounts.
  2. You must enter a comment.
  3. Click Apply.

 

Report configuration

Events captured by the FS Logga are recorded in the ARM database. To view the information recorded, you must create a report.

Report configurations define the scope of the FS Logga. Only file server events that occur in an area covered by a report configuration are recorded. The report configuration also defines which event types are recorded.

 

Click one of the links to create a report configuration.

 

Configure the "Who did what?" report

  1. Click "Who did what?".
  2. Name the FS Logga report configuration.
  3. Select the directories to be monitored.

 

  1. Use credentials of an account that is allowed to read file server paths. On NetApp the account has to be a member of the Power User group. See NetApp clustered or NetApp 7-mode.
  2. Select the directories to be monitored. Subdirectories and files are included.
  3. Click Apply.

 

For the selected directories, their subdirectories and the files they contain, the following operations are recorded:

  • File read
  • File written
  • Directory or file created
  • Directory or file deleted
  • Directory or file moved or renamed
  • ACL changed
  • ACL read (switched off by default; can be activated in the pnTracer.config.xml file; not available for NetApp and EMC file servers)

 

Configure the "Who made changes?" report

  1. Click "Who made changes?".
  2. Name the FS Logga report configuration.
  3. Select the directories to be monitored.

 

  1. Use credentials of an account that is allowed to read file server paths. On NetApp the account has to be a member of the Power User group. See NetApp clustered or NetApp 7-mode.
  2. Select the directories to be monitored. Subdirectories and files are included.
  3. Click Apply.

 

For the selected directories, their subdirectories and the files they contain, the following operations are recorded:

  • File written
  • ACL changed

 

 

Configure the "Who did what, except authorized users (SoD)?" report

  1. Click "Who did what, except authorized users (SoD)?".
  2. Name the FS Logga report configuration.
  3. Select the directories to be monitored.

 

  1. Use credentials of an account that is allowed to read file server paths. On NetApp the account has to be a member of the Power User group. See NetApp clustered or NetApp 7-mode.
  2. Select the directories to be monitored. Subdirectories and files are included.
  3. Click Apply.

 

The selection of authorized users and groups is done when the report is created.

For the selected directories, their subdirectories and the files they contain, the following operations are recorded:

  • File read
  • File written
  • Directory or file created
  • Directory or file deleted
  • Directory or file moved or renamed
  • ACL changed
  • ACL read (switched off by default; can be activated in the pnTracer.config.xml file; not available for NetApp and EMC file servers)

 

Configure the "Detailed permission changes" report

This report type is not available for Windows Failover cluster resources.

We strongly recommend using this function for sensitive files and directories only. Extensive use of this function can result in a high CPU load on the monitored file server and the assigned collector server.

 

  1. Click "Detailed permission changes".
  2. Name the FS Logga report configuration.
  3. Select the directories to be monitored.

 

  1. Use credentials of an account that is allowed to read file server paths. On NetApp the account has to be a member of the Power User group. See NetApp clustered or NetApp 7-mode.
  2. Select the directories to be monitored. Subdirectories and files are included.
  3. Click Apply.