How to configure environment and EMC CEE Framework to audit an Isilon Cluster?

Engager

Hi,

I am trying to test your application to audit an Isilon cluster.
I'm running Splunk v6.1 on my server.

First, I installed the EMC CEE Framework and configured it in regedit to enable it.
Second, I configured my cluster with the CEE URL.
Third, I installed your app on Splunk.
Fourth, I configured your app in Manage Inputs (Splunk Web).

I can't find the file emcceeconfig.xml; could you indicate where I can find it?

For the moment I don't have any input in the index (created for that) in Splunk.

Kind regards,

0 Karma

New Member

The CEE TA shouldn't be used with Isilon. Isilon supports sending audit logs directly to syslog. Search for the Isilon add-on and app in splunkbase and install that. There are also instructions on how to configure the cluster to send the logs to a syslog server.

0 Karma

Explorer

Hi,

Find below how it worked for me:

1> Installation of Splunk and the EMC CEE Framework on Linux, and configuration of the EMC CEE Framework to forward the logs to the app. The file to amend is the following: /opt/CEEPack/emcceeconfig.xml

<Audit>
  <Configuration>
    <Enabled>1</Enabled>
    <EndPoint>Splunk@http://IP.1.2.3:12229</EndPoint>
  </Configuration>
</Audit>

2> Configuration of the Isilon cluster to send logs to the EMC CEE Framework: http://IP.1.2.3:12228/CEE

3> Installation of the app in Splunk

4> Configuration of the app via Splunk: data source > EMC CEPA > Isilon > advanced config

5> Activation of the lookups (ntstatus, flag and event)

Enjoy !-)

0 Karma

Explorer

In my case the event_code.csv is not correct and I had to modify it as follows:

event,eventDescription
0x1,ReadSec
0x2,ReadFile
0x4,WriteFileRequest
0x8,CreateFile
0x10,RenameFile
0x20,DeleteFile
0x200,NewFileName
0x400,WriteFile
0x10000,CreateDir
0x20000,RenameDir
0x40000,DeleteDir
0x100000,ReadDirSec

But this is only my best interpretation : I'd rather use an official EMC reference.

Anyone aware of where the official table might be hidden ?

Rgds

0 Karma

Explorer

desiredAccess,desiredAccessDescription
0x1,FILE_READ_DATA
0x2,FILE_WRITE_DATA
0x4,FILE_APPEND_DATA
0x8,FILE_READ_EA
0x10,FILE_WRITE_EA
0x20,FILE_EXECUTE
0x80,FILE_READ_ATTRIBUTES
0x100,FILE_WRITE_ATTRIBUTES
0x10000,DELETE
0x20000,READ_CONTROL
0x40000,WRITE_DAC
0x80000,WRITE_OWNER
0x100000,SYNCHRONIZE
0x1000000,ACCESS_SYSTEM_SECURITY
0x2000000,MAXIMUM_ALLOWED
0x10000000,GENERIC_ALL
0x20000000,GENERIC_EXECUTE
0x40000000,GENERIC_WRITE
0x80000000,GENERIC_READ

cf. https://msdn.microsoft.com/en-us/library/ee442175.aspx

0 Karma
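The two CSV tables above (event_code and desiredAccess) are written as Splunk lookup files, and a Splunk CSV lookup matches the whole field value exactly. Real audit events usually carry a combined mask such as desiredAccess=0x120089, which matches none of the rows, so the lookup returns nothing. The script below is an added example, not part of this thread or of the EMC CEE TA: it loads both tables as posted (the posters' own interpretation, not an official EMC reference) and splits a mask into the individual bits it contains, reporting any bit the table does not know. The key=value audit line and the field names it parses are constructed for the example and are assumptions about the event format.

```python
import csv
import io

# Both tables are copied from the two posts above; they are the posters' own
# interpretation of the codes, not an official EMC reference.
EVENT_CODE_CSV = """event,eventDescription
0x1,ReadSec
0x2,ReadFile
0x4,WriteFileRequest
0x8,CreateFile
0x10,RenameFile
0x20,DeleteFile
0x200,NewFileName
0x400,WriteFile
0x10000,CreateDir
0x20000,RenameDir
0x40000,DeleteDir
0x100000,ReadDirSec
"""

# File-object meaning of the access-mask bits (MS-SMB2 2.2.13.1.1); the low
# bits have different names for directory objects, which this table ignores.
DESIRED_ACCESS_CSV = """desiredAccess,desiredAccessDescription
0x1,FILE_READ_DATA
0x2,FILE_WRITE_DATA
0x4,FILE_APPEND_DATA
0x8,FILE_READ_EA
0x10,FILE_WRITE_EA
0x20,FILE_EXECUTE
0x80,FILE_READ_ATTRIBUTES
0x100,FILE_WRITE_ATTRIBUTES
0x10000,DELETE
0x20000,READ_CONTROL
0x40000,WRITE_DAC
0x80000,WRITE_OWNER
0x100000,SYNCHRONIZE
0x1000000,ACCESS_SYSTEM_SECURITY
0x2000000,MAXIMUM_ALLOWED
0x10000000,GENERIC_ALL
0x20000000,GENERIC_EXECUTE
0x40000000,GENERIC_WRITE
0x80000000,GENERIC_READ
"""


def load_mask_table(csv_text, key_field, desc_field):
    """Turn a Splunk-style lookup CSV into a {bit_value: name} dict."""
    return {int(row[key_field], 16): row[desc_field]
            for row in csv.DictReader(io.StringIO(csv_text))}


EVENT_CODES = load_mask_table(EVENT_CODE_CSV, "event", "eventDescription")
DESIRED_ACCESS = load_mask_table(DESIRED_ACCESS_CSV, "desiredAccess",
                                 "desiredAccessDescription")


def decode_mask(value, table):
    """Return the names of every table bit set in value, lowest bit first.

    Bits the table does not describe are reported as one 'unknown:0x..' entry
    so an incomplete lookup table does not silently hide activity.
    """
    names = []
    remaining = value
    for bit in sorted(table):
        if (value & bit) == bit:
            names.append(table[bit])
            remaining &= ~bit
    if remaining:
        names.append("unknown:0x%x" % remaining)
    return names


def decode_cee_line(line):
    """Parse a constructed 'key=value' audit line and decode its mask fields.

    The field names 'event' and 'desiredAccess' are assumed here; adjust them
    to whatever the TA actually extracts.
    """
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    out = dict(fields)
    if "event" in fields:
        out["eventDescription"] = decode_mask(int(fields["event"], 0), EVENT_CODES)
    if "desiredAccess" in fields:
        out["desiredAccessDescription"] = decode_mask(
            int(fields["desiredAccess"], 0), DESIRED_ACCESS)
    return out


# Constructed sample line, not a real CEE capture.
SAMPLE_LINE = ("event=0x8 desiredAccess=0x120089 "
               "user=DOMAIN\\alice path=/ifs/data/report.docx")

if __name__ == "__main__":
    for key, val in decode_cee_line(SAMPLE_LINE).items():
        print(key, val)
```

With the sample line, desiredAccess=0x120089 decodes to FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL and SYNCHRONIZE, which is the usual shape of a read-only open; an exact-match lookup would have left the field blank.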

Splunk Employee

Have you tried using the Splunk App for Stream? You could configure it on the server that mounts the directories, and specifically monitor any port and protocol required. Events will be collected from the wire and logged as JSON events into Splunk.

0 Karma