
EMC Isilon App and Add-on for Splunk Enterprise: How to configure for Syslog, get all Zones:

aparicio
Loves-to-Learn

I'm having a problem with the security part.
Settings:

Enable auditing

isi audit settings global modify --audited-zones=System,Zone2,Zone3
isi audit settings global modify --protocol-auditing-enabled=yes
isi audit settings global modify --config-auditing-enabled=yes
isi audit settings global modify --config-syslog-enabled=yes

isi audit settings global view

Protocol Auditing Enabled: Yes
Audited Zones: System, Zone2, Zone3
CEE Server URIs:
Hostname:
Config Auditing Enabled: Yes
Syslog Config Enabled: Yes

isi audit settings modify --syslog-forwarding-enabled=yes
isi audit settings modify --syslog-forwarding-enabled=yes --zone=System
isi audit settings modify --syslog-forwarding-enabled=yes --zone=Zone2
isi audit settings modify --syslog-forwarding-enabled=yes --zone=Zone3

isi audit settings view
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: close, create, delete, read, write
Syslog Forwarding Enabled: Yes

isi audit settings view --zone=System
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes

isi audit settings view --zone=Zone2
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes

isi audit settings view --zone=Zone3
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes

Entries in /etc/mcp/override/syslog.conf (the "*.*" selectors were lost in the web rendering and are restored here):

auth.* @ip_splunk_server
!audit_protocol
*.* @ip_splunk_server
!audit_config
*.* @ip_splunk_server

Splunk

Splunk Data inputs -> UDP -> 514 -> sourcetype emc:isilon:syslog, index=isilon

Important

In /var/log/audit_protocol.log only the logs of the System access zone appear.
The other two, Zone2 and Zone3, do not appear.

isi_audit_viewer -t protocol
With this command the audit events of all zones appear normally.

In FS Audit Logs or FS Audit Log Search, all files created or deleted appear as root. The domain name does not appear.
Screenshot (everything shown as root):
https://ibb.co/nP1FGp9

CentOS 7
Isilon 8.1.0.4 - node 10
Splunk Common Information Model (CIM) - 4.12.0
EMC Isilon App for Splunk Enterprise - 2.4.0
EMC Isilon Add-on for Splunk Enterprise - 2.5.0 - connected to node 10

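The `isi audit settings view` output quoted in the post already shows one gap worth checking before blaming the Splunk side: every zone audits failed `close` events, but the per-zone "Syslog Audit Events" list does not include `close`, so those events are written to the local audit log yet never forwarded. The following is an added example, not code from the original post or from the EMC Isilon apps: a small Python checker that parses the "Key: value" layout of that output and flags zones where syslog forwarding is off or where audited events are missing from the forwarded set. The sample outputs are constructed to mirror the post's format rather than captured from a cluster, and `Zone4` is a purely hypothetical zone added to show the forwarding-disabled case.

```python
"""Parse `isi audit settings view` output and flag per-zone syslog gaps.

Added example; not code from the original post or from the EMC Isilon apps.
The parser assumes only the 'Key: value' layout shown in the post; the
sample outputs below are constructed to mirror that layout, and Zone4 is a
hypothetical zone included to exercise the forwarding-disabled branch.
"""

# Constructed sample outputs in the shape the post shows. "global" mirrors
# `isi audit settings view`; the others mirror `isi audit settings view --zone=<name>`.
ZONE_VIEW = (
    "Audit Failure: create, delete, rename, set_security, close\n"
    "Audit Success: create, delete, rename, set_security\n"
    "Syslog Audit Events: create, delete, rename, set_security\n"
    "Syslog Forwarding Enabled: yes\n"
)

SAMPLE_VIEWS = {
    "global": (
        "Audit Failure: create, delete, rename, set_security, close\n"
        "Audit Success: create, delete, rename, set_security\n"
        "Syslog Audit Events: close, create, delete, read, write\n"
        "Syslog Forwarding Enabled: Yes\n"
    ),
    "System": ZONE_VIEW,
    "Zone2": ZONE_VIEW,
    "Zone3": ZONE_VIEW,
    # Hypothetical zone (constructed): same audit policy, forwarding left off.
    "Zone4": ZONE_VIEW.replace("Syslog Forwarding Enabled: yes",
                               "Syslog Forwarding Enabled: No"),
}

# Keys whose value is a comma-separated list of audit event names.
LIST_KEYS = {"Audit Failure", "Audit Success", "Syslog Audit Events"}


def parse_view(text):
    """Turn 'Key: value' lines into a dict; event-list values become sets."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            settings[key] = {v.strip() for v in value.split(",") if v.strip()}
        else:
            settings[key] = value
    return settings


def check_zone(name, settings):
    """Findings for one view: forwarding disabled, or audited events not forwarded."""
    findings = []
    # OneFS prints Yes/yes inconsistently in the post, so compare case-insensitively.
    if settings.get("Syslog Forwarding Enabled", "").lower() != "yes":
        findings.append(f"{name}: syslog forwarding is not enabled")
    audited = settings.get("Audit Success", set()) | settings.get("Audit Failure", set())
    forwarded = settings.get("Syslog Audit Events", set())
    missing = sorted(audited - forwarded)
    if missing:
        findings.append(f"{name}: audited but not forwarded to syslog: {missing}")
    return findings


def audit_gaps(views):
    """Run check_zone over every captured view and collect all findings."""
    findings = []
    for name, text in views.items():
        findings.extend(check_zone(name, parse_view(text)))
    return findings


if __name__ == "__main__":
    for finding in audit_gaps(SAMPLE_VIEWS):
        print(finding)
```

To use it against a real cluster, capture the text of `isi audit settings view` and of each `isi audit settings view --zone=<name>` and pass them to `parse_view`; any "audited but not forwarded" finding means those events will show up in `isi_audit_viewer` but never reach the UDP 514 input in Splunk, which is exactly the kind of per-zone mismatch the post describes.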

zrenplus
New Member

Have you solved this problem? If you can help, please explain how to configure syslog.conf, because the characters on the web page may be inconsistent.


p_gurav
Champion

Please check for any error or message in _internal by using the query below:
index=_internal component="ExecProcessor" "EMC Isilon Error:" | table _time host log_level message
