All Apps and Add-ons

EMC Isilon App and Add-on for Splunk Enterprise: How to configure for Syslog, get all Zones:

aparicio
New Member

I'm having a problem with the security part.
settings:

Enable auditing

isi audit settings global modify --audited-zones=System, Zone2, Zone3
isi audit settings global modify --protocol-auditing-enabled yes
isi audit settings global modify --config-auditing-enabled Yes
isi audit settings global modify --config-syslog-enabled Yes

isi audit settings global view

Protocol Auditing Enabled: Yes
Audited Zones: System, Zone2, Zone3
CEE Server URIs:
Hostname:
Config Auditing Enabled: Yes
Syslog Config Enabled: Yes

isi audit settings modify --syslog-forwarding enabled Yes
isi audit settings modify --syslog-forwarding-enabled = yes --zone = System
isi audit settings modify --syslog-forwarding-enabled = yes --zone = Zone2
isi audit settings modify --syslog-forwarding-enabled = yes --zone = Zone3

isi audit settings view
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: close, create, delete, read, write
Syslog Forwarding Enabled: Yes

isi audit settings view --zone=System
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes

isi audit settings view --zone=Zone2
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes

isi audit settings view --zone=Zone3
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes

Entries in
/etc/mcp/override/syslog.conf

auth.* @ip_splunk_server
!audit_protocol
. @ip_splunk_server
!audit_config
. @ip_splunk_server

Splunk

Splunk Data entries -> UDP -> 514 -> emc: isilon: syslog - index = isilon

Important

In the /var/log/audit_protocol.log only the logs of the access zone of the system appear.
The other 2 - Zone2 and Zone 3 should not appear.

isi_audit_viewer -t protocol
normal audit of all zones appears.

FS Audit Logs or FS Audit Lof Search - all files, created or deleted, appear as root. The domain name does not appear.
img - as root
https://ibb.co/nP1FGp9

Centos 7
Isilon 8.1.0.4 - node 10
Splunk Common Information Model (CIM) - 4.12.0
EMC Isilon application for Splunk Enterprise - 2.4.0
Splash Enterprise EMC Isilon Add-in - 2.5.0 - Connected Node 10

0 Karma

zrenplus
New Member

Have you dealt with this problem? If you have any help, please explain how to configure syslog.conf, because the characters of the web page may be inconsistent.

0 Karma

p_gurav
Champion

Please any error or message in _internal by using below query:
index=_internal component="ExecProcessor" "EMC Isilon Error:" | table _time host log_level message

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!