Complete a FS Logga configuration

Start the Configuration application.
Click Scans.
Locate the Logga - File Server scan configuration.

Below is an example of the configuration controls in a FS Logga scan configuration.

The following table describes the controls you can use to configure and initiate your FS Logga scan.

Number	Icon	Description
1		Indicates a FS Logga configuration.
2		Activates and deactivates a FS Logga scan configuration. You must enter a comment to perform the action. The event and the comment is recorded in the ARM logbook. Use the logbook to verify that the FS Logga activated successfully. You cannot change the credentials if the FS Logga is activated.
3		Indicates the scan configuration name. You can change the configuration name. The name has no impact on the FS Logga function.

Number

Icon

Description

Indicates a FS Logga configuration.

Activates and deactivates a FS Logga scan configuration.

You must enter a comment to perform the action. The event and the comment is recorded in the ARM logbook.

Use the logbook to verify that the FS Logga activated successfully.

You cannot change the credentials if the FS Logga is activated.

Indicates the scan configuration name.

You can change the configuration name. The name has no impact on the FS Logga function.

ARM displays the file server name and type, as well as the collector used for the scan. For NetApp and EMC. you can change the account used for monitoring.

To complete a FS Logga configuration:

Select the monitored actions and data refresh interval.
Configure the file filter.
Record the permission changes.
Set up the NetApp Clustered Data ONTAP configuration.
Configure the report.

Select the monitored actions and data refresh interval

In the scan configuration summary, click one of the links to open the Configuration for the File server Logga dialog box.
Select the interval that the Logga data is written from the collector to the ARM database.

Select a value between 1 and 60 minutes. The default value is 10 minutes.
Under Monitored actions, select the actions that you want to log. Deselect any unneeded actions to reduce the amount of recorded data in the database.
Enter a comment that describes your configuration changes.
Click Apply.

Configure the file filter

You can create a file filter that tags files to a whitelist or blacklist. Based on your selections, ARM will record or not record events that occur in the files.

Click the highlighted link in the scan configuration.
In the File Configuration for the File Server Logga window, configure the file filters.

FS-Logga applies the blacklist entries first, and then the whitelist entries.

The following selections are for demonstration purposes only.
1. Add the blacklist label to files that you do not want to monitor. ARM will not record events that occur in these files.
2. Add the whitelist label to files that you want to monitor. ARM will record events that occur in these files.
3. Select regular expressions or wildcards, such as "*" or "?".
4. Delete a file entry (if required)
5. Click + to add a filter entry.
Enter a comment that best describes the reasons for the changes.
Click Apply.

Record the permission changes

SolarWinds Platform strongly recommends using this function for sensitive files and directories only. See Configure the Detailed permission changes report configuration for details about the monitored resources.

This feature is not available for Windows failover cluster resources.

File servers deliver events to ARM that indicates changes in the access control list (ACL). To view the change details, the monitored directory and file permissions must be scanned and stored in the database. After an ACL event occurs, the permissions of the targeted object must be read again and compared to the previous permissions. This process consumes storage space and CPU power.

Using FS Logga, you can create a report that lists the details for all changes in the ACL. To enter the credentials of the account used for reading the ACLs, click the highlighted links shown below and follow the instructions on your screen.

Set up the NetApp Clustered Data ONTAP configuration

The following section applies only to NetApp Clustered Data ONTAP.

In the scan configuration, click on one of the highlighted links shown above.
Configure the connection from the collector to NetApp.

Under Data connection from collector to NetApp, enter the IP address and port of the dedicated collector. The values must match the values you configured in Prepare the NetApp clustered data ONTAP file servers.

The IP address and port is used to receive the events from the NetApp and therefore must be available.

Configure the NetApp SVM management.

Under NetApp SVM OnTap Management, enter the logical interface (LIF) IP address of the storage virtual machine (SVM) that is running on the monitored file server.

Ensure that:
- The LIF matches the configured LIF. See Prepare the NetApp clustered data ONTAP file servers for instructions.
- The credentials match the account you configured in Prepare the NetApp clustered data ONTAP file servers under Domain account.
Enter a comment that describes the configuration changes.
Click Apply.

Configure the report

Events captured by FS Logga are recorded in the ARM database. To view the recorded information, create a report.

Configure the report to define the scope of the FS Logga. When you are finished, file servers events that occur in an area addressed by the configuration will be recorded. Recorded event types are also included in the report.

You can configure reports that provide information about:

Who did what
Who made changes
Who did what except authorized users (SoD)
Detailed permission changes

Click one of the highlighted links below to configure a report.

Configure the Who did what report

In the scan configuration, click Who did what?.
Name the FS Logga report configuration.
Select the credentials and the files you want to monitor.
1. In the Credentials field, use the credentials of an account that is allowed to read file server paths.
  
  On NetApp and EMC, the account must be a member of the Power User group.
  
  See Prepare the NetApp clustered data ONTAP file servers and Prepare the NetApp 7-mode file servers for more information.
2. Select the directories you want to monitor. All subdirectories and files are included.
  
  The following operations will be recorded:
  - File read
  - File written
  - Directory or file created
  - Directory or file deleted
  - Directory or file moved or renamed
  - ACL changed
  - ACL read
    
    This operation is switched off by default. The operation can be activated in the pnTracer.config.xml file, but is not available for NetApp and EMC file server.
3. Click Apply.

Configure the Who made changes report

In the scan configuration, click Who made changes?.
Name the FS Logga report configuration.
In the Directory selection window, select the directories you want to monitor.
1. In the Credentials field, use credentials of an account that is allowed to read file server paths.
  
  On NetApp, the account must be a member of the Power User group.
  
  See Prepare the NetApp clustered data ONTAP file server or Prepare the NetApp 7-mode file servers for more information.
2. Select the directories you want to monitor. All subdirectories and files are included.
  
  In the selected directories and subdirectories, the following operations are recorded:
  - File written
  - ACL changed
3. Click Apply.

Configure the Who did what, except authorized users (SoD) report

In the scan configuration, click Who did what, except authorized users (SoD)?.
Name the FS Logga report configuration.
Select the directories you want to monitor.
1. Use the credentials of an account that is allowed to read file server paths.
  
  On NetApp the account must a member of the Power User group. See Prepare the NetApp clustered data ONTAP file server or Prepare the NetApp 7-mode file servers for more information.
2. Select the directories you want to monitor.
  
  In the selected directories and subdirectories, the following operations are recorded:
  - File read
  - File written
  - Directory or file created
  - Directory or file deleted
  - Directory or file moved or renamed
  - ACL changed
  - ACL read
    
    This operation is switched off by default. The operation can be activated in the pnTracer.config.xml file, but is not available for NetApp and EMC file server.
3. Click Apply.

Configure the Detailed permission changes report

This report type is not available for Windows Failover cluster resources.

SolarWinds strongly recommends using this function for sensitive files and directories only. The extended use of this function can result in a high CPU load on the monitored file server and the assigned collector server.

In the scan configuration, click Detailed permission changes.
Name the FS Logga report configuration.
Select the directories you want to monitor.
1. In the Credentials field, enter the credentials of an account that is allowed to read file server paths. On NetApp the account has to be a member of the Power User group.
  
  See Prepare the NetApp clustered data ONTAP file server or Prepare the NetApp 7-mode file servers for more information.
2. Select the directories you want to monitor. The subdirectories and files are included.
3. Click Apply.

Search SolarWinds Support