How to configure environment and EMC CEE Framework to audit an Isilon Cluster?

manuzet
Engager

Hi,

I am trying to test your application to audit an Isilon cluster.
I'm running Splunk v6.1 on my server.

First, I installed the EMC CEE Framework and configured it in regedit to enable it.
Second, I configured my cluster with the CEE URL.
Third, I installed your app on Splunk.
Fourth, I configured your app in Manage Inputs (Splunk Web).

I can't find the file emc_cee_config.xml; could you indicate where I can find it?

For the moment I don't have any input in the Splunk index (created for that).

Kind regards,

0 Karma

ralphwu15
New Member

The CEE TA shouldn't be used with Isilon. Isilon supports sending audit logs directly to syslog. Search for the Isilon add-on and app in splunkbase and install that. There are also instructions on how to configure the cluster to send the logs to a syslog server.

0 Karma

fulldanad
Path Finder

Hi,

Find below how it worked for me.

1> Installation of Splunk and the EMC CEE Framework on Linux, and configuration of the EMC CEE Framework to forward the logs to the app. The file to amend is: /opt/CEEPack/emc_cee_config.xml

<Audit>
  <Configuration>
    <Enabled>1</Enabled>
    <EndPoint>Splunk@http://IP.1.2.3:12229</EndPoint>
  </Configuration>
</Audit>

2> Configuration of the Isilon cluster to send logs to the EMC CEE Framework: http://IP.1.2.3:12228/CEE

3> Installation of the app in Splunk

4> Configuration of the app via Splunk: data source > EMC CEPA > Isilon > advanced config

5> Activation of the lookups (ntstatus, flag and event)

Enjoy !-)

0 Karma

fulldanad
Path Finder

In my case the event_code.csv is not correct and I had to modify it as follows:

event,eventDescription
0x1,ReadSec
0x2,ReadFile
0x4,WriteFileRequest
0x8,CreateFile
0x10,RenameFile
0x20,DeleteFile
0x200,NewFileName
0x400,WriteFile
0x10000,CreateDir
0x20000,RenameDir
0x40000,DeleteDir
0x100000,ReadDirSec

But this is only my best interpretation: I'd rather use an official EMC reference.

Anyone aware of where the official table might be hidden?

Rgds

0 Karma

fulldanad
Path Finder

desiredAccess,desiredAccessDescription
0x1,FILE_READ_DATA
0x2,FILE_WRITE_DATA
0x4,FILE_APPEND_DATA
0x8,FILE_READ_EA
0x10,FILE_WRITE_EA
0x20,FILE_EXECUTE
0x80,FILE_READ_ATTRIBUTES
0x100,FILE_WRITE_ATTRIBUTES
0x10000,DELETE
0x20000,READ_CONTROL
0x40000,WRITE_DAC
0x80000,WRITE_OWNER
0x100000,SYNCHRONIZE
0x1000000,ACCESS_SYSTEM_SECURITY
0x2000000,MAXIMUM_ALLOWED
0x10000000,GENERIC_ALL
0x20000000,GENERIC_EXECUTE
0x40000000,GENERIC_WRITE
0x80000000,GENERIC_READ

cf. https://msdn.microsoft.com/en-us/library/ee442175.aspx

0 Karma
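An added example, not from this thread or from the EMC app, that decodes a CEPA desiredAccess bitmask against the lookup above. Exact-match lookups only resolve single-flag values, while real desiredAccess fields combine several flags, so the mask has to be split bit by bit; bits the table does not describe are reported rather than dropped. The sample mask values are constructed, and the event_code.csv table can be decoded the same way.

```python
import csv
import io

# Lookup text copied from the post above (the poster's table, not an official EMC file).
DESIRED_ACCESS_CSV = """desiredAccess,desiredAccessDescription
0x1,FILE_READ_DATA
0x2,FILE_WRITE_DATA
0x4,FILE_APPEND_DATA
0x8,FILE_READ_EA
0x10,FILE_WRITE_EA
0x20,FILE_EXECUTE
0x80,FILE_READ_ATTRIBUTES
0x100,FILE_WRITE_ATTRIBUTES
0x10000,DELETE
0x20000,READ_CONTROL
0x40000,WRITE_DAC
0x80000,WRITE_OWNER
0x100000,SYNCHRONIZE
0x1000000,ACCESS_SYSTEM_SECURITY
0x2000000,MAXIMUM_ALLOWED
0x10000000,GENERIC_ALL
0x20000000,GENERIC_EXECUTE
0x40000000,GENERIC_WRITE
0x80000000,GENERIC_READ
"""


def load_flag_table(csv_text):
    """Parse a two-column 'hex value,name' lookup into {bit_value: name}."""
    rows = csv.reader(io.StringIO(csv_text))
    next(rows)  # skip the header row
    table = {}
    for row in rows:
        if len(row) == 2:
            table[int(row[0], 16)] = row[1]
    return table


DESIRED_ACCESS = load_flag_table(DESIRED_ACCESS_CSV)


def decode_mask(mask, table):
    """Return (flag names present in mask, leftover bits the table does not cover)."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    known_bits = 0
    for bit in table:
        known_bits |= bit
    return names, mask & ~known_bits  # non-zero leftover means the lookup is incomplete


# Constructed sample: a typical read-open mask decodes to five flags with nothing left over.
if __name__ == "__main__":
    print(decode_mask(0x120089, DESIRED_ACCESS))
```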

dmaislin_splunk
Splunk Employee

Have you tried using the Splunk App for Stream? You could configure it on the server that mounts the directories, and specifically monitor any port and protocol required. Events will be collected from the wire and logged as JSON events into Splunk.

0 Karma