I'm having a problem with the security part.
Settings:
Enable auditing:
isi audit settings global modify --audited-zones=System,Zone2,Zone3
isi audit settings global modify --protocol-auditing-enabled yes
isi audit settings global modify --config-auditing-enabled Yes
isi audit settings global modify --config-syslog-enabled Yes
isi audit settings global view
Protocol Auditing Enabled: Yes
Audited Zones: System, Zone2, Zone3
CEE Server URIs:
Hostname:
Config Auditing Enabled: Yes
Syslog Config Enabled: Yes
isi audit settings modify --syslog-forwarding-enabled=yes
isi audit settings modify --syslog-forwarding-enabled=yes --zone=System
isi audit settings modify --syslog-forwarding-enabled=yes --zone=Zone2
isi audit settings modify --syslog-forwarding-enabled=yes --zone=Zone3
isi audit settings view
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: close, create, delete, read, write
Syslog Forwarding Enabled: Yes
isi audit settings view --zone=System
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes
isi audit settings view --zone=Zone2
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes
isi audit settings view --zone=Zone3
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes
Entries in /etc/mcp/override/syslog.conf:
auth.* @ip_splunk_server
!audit_protocol
*.* @ip_splunk_server
!audit_config
*.* @ip_splunk_server
Splunk:
Splunk data input -> UDP -> 514 -> sourcetype emc:isilon:syslog, index=isilon
Important:
In /var/log/audit_protocol.log only the logs of the System access zone appear. The other two, Zone2 and Zone3, do not appear.
isi_audit_viewer -t protocol
shows normal audit events for all zones.
In FS Audit Logs or FS Audit Log Search, all files created or deleted appear as root. The domain name does not appear.
Image (shown as root): https://ibb.co/nP1FGp9
Centos 7
Isilon 8.1.0.4 - node 10
Splunk Common Information Model (CIM) - 4.12.0
EMC Isilon application for Splunk Enterprise - 2.4.0
Splunk Enterprise EMC Isilon Add-on - 2.5.0 - Connected Node 10
Have you dealt with this problem? If you can help, please explain how to configure syslog.conf, because the characters on the web page may be inconsistent.
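As an added example (not part of the original post, and not code from the Isilon or Splunk tooling), the script below parses the "Key: value" output of `isi audit settings view --zone=...` exactly as pasted above and flags zones whose syslog forwarding is off, whose forwarded event list is missing a required event, or which audit events that are never forwarded to syslog (and so stay only in the local audit log). The System and Zone2 blocks are copied from the post; the ZoneOK block and the REQUIRED_SYSLOG_EVENTS baseline are constructed assumptions for illustration.

```python
"""Cross-check OneFS per-zone audit settings against a syslog-forwarding baseline.

Parses the "Key: value" output of `isi audit settings view --zone=<zone>` and
reports, per zone, anything that would keep audit events from reaching the SIEM.
"""
from typing import Dict, List, Set

# Baseline of events that must be forwarded to syslog. This is an assumption
# chosen for illustration, not a OneFS default.
REQUIRED_SYSLOG_EVENTS: Set[str] = {"create", "delete", "rename", "set_security", "close"}

# Per-zone output blocks. System and Zone2 are copied from the post above;
# ZoneOK is a constructed block that satisfies the baseline.
SAMPLE_OUTPUT: Dict[str, str] = {
    "System": """\
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes
""",
    "Zone2": """\
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes
""",
    "ZoneOK": """\
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security, close
Syslog Audit Events: close, create, delete, rename, set_security
Syslog Forwarding Enabled: Yes
""",
}


def parse_view(text: str) -> Dict[str, object]:
    """Turn one `isi audit settings view` block into a dict.

    Keys ending in "Enabled" become booleans (yes/no, case-insensitive);
    every other key becomes a set of event names.
    """
    settings: Dict[str, object] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.endswith("Enabled"):
            settings[key] = value.lower() == "yes"
        else:
            settings[key] = {v.strip() for v in value.split(",") if v.strip()}
    return settings


def check_zone(text: str, required: Set[str] = REQUIRED_SYSLOG_EVENTS) -> List[str]:
    """Return the list of problems for one zone; an empty list means it passes."""
    s = parse_view(text)
    problems: List[str] = []
    forwarded: Set[str] = s.get("Syslog Audit Events", set())  # type: ignore[assignment]
    if not s.get("Syslog Forwarding Enabled", False):
        problems.append("syslog forwarding disabled")
    missing = required - forwarded
    if missing:
        problems.append("syslog audit events missing: " + ", ".join(sorted(missing)))
    # Events the zone audits but never forwards stay only in the local
    # audit log and would not reach Splunk.
    audited: Set[str] = s.get("Audit Failure", set()) | s.get("Audit Success", set())  # type: ignore[operator]
    not_forwarded = audited - forwarded
    if not_forwarded:
        problems.append("audited but not forwarded: " + ", ".join(sorted(not_forwarded)))
    return problems


def check_all(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_zone over every zone and return {zone: problems}."""
    return {zone: check_zone(text) for zone, text in outputs.items()}


if __name__ == "__main__":
    for zone, problems in check_all(SAMPLE_OUTPUT).items():
        print(f"{zone}: {'OK' if not problems else '; '.join(problems)}")
```

Run against the pasted output, both System and Zone2 are reported as forwarding a narrower event list than they audit (close is audited on failure but not forwarded), which is the kind of per-zone drift worth catching before trusting the Splunk index as a complete record.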
Please check for any error or message in _internal using the query below:
index=_internal component="ExecProcessor" "EMC Isilon Error:" | table _time host log_level message