I'm having a problem with the security part.
Settings:
Enable auditing
isi audit settings global modify --audited-zones=System,Zone2,Zone3
isi audit settings global modify --protocol-auditing-enabled=yes
isi audit settings global modify --config-auditing-enabled=yes
isi audit settings global modify --config-syslog-enabled=yes
isi audit settings global view
Protocol Auditing Enabled: Yes
Audited Zones: System, Zone2, Zone3
CEE Server URIs:
Hostname:
Config Auditing Enabled: Yes
Syslog Config Enabled: Yes
isi audit settings modify --syslog-forwarding-enabled=yes
isi audit settings modify --syslog-forwarding-enabled=yes --zone=System
isi audit settings modify --syslog-forwarding-enabled=yes --zone=Zone2
isi audit settings modify --syslog-forwarding-enabled=yes --zone=Zone3
isi audit settings view
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: close, create, delete, read, write
Syslog Forwarding Enabled: Yes
isi audit settings view --zone=System
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes
isi audit settings view --zone=Zone2
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes
isi audit settings view --zone=Zone3
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes
Entries in /etc/mcp/override/syslog.conf:
auth.* @ip_splunk_server
!audit_protocol
*.* @ip_splunk_server
!audit_config
*.* @ip_splunk_server
Splunk data input: UDP -> 514 -> emc:isilon:syslog, index = isilon
Important: in /var/log/audit_protocol.log only the logs of the System access zone appear. The other two, Zone2 and Zone3, do not appear.
With isi_audit_viewer -t protocol, the normal audit output of all zones appears.
In FS Audit Logs or FS Audit Log Search, all files created or deleted appear as root. The domain name does not appear.
Screenshot (shown as root): https://ibb.co/nP1FGp9
Centos 7
Isilon 8.1.0.4 - node 10
Splunk Common Information Model (CIM) - 4.12.0
EMC Isilon application for Splunk Enterprise - 2.4.0
Splunk Enterprise EMC Isilon Add-on - 2.5.0 - connected to node 10
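Added example, not code from the post or from Dell/Isilon: a small Python check that parses the `isi audit settings view` output pasted above and lists, per zone, the event types that are audited but absent from that zone's Syslog Audit Events list, which means they are written to the local audit log but never forwarded to syslog/Splunk. The sample text is constructed from the post's values, and the plain "Key: value" output format is assumed from what is shown there.

```python
import re

# Constructed sample: the `isi audit settings view` output the poster pasted,
# keyed by zone ("global" = the call without --zone). Real output may differ.
SAMPLE = {
    "global": """\
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: close, create, delete, read, write
Syslog Forwarding Enabled: Yes""",
    "System": """\
Audit Failure: create, delete, rename, set_security, close
Audit Success: create, delete, rename, set_security
Syslog Audit Events: create, delete, rename, set_security
Syslog Forwarding Enabled: yes""",
}

LIST_KEYS = ("Audit Failure", "Audit Success", "Syslog Audit Events")


def parse_view(text):
    """Turn 'Key: value' lines into a dict; event lists become sets."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in LIST_KEYS:
            settings[key] = {v.strip() for v in value.split(",") if v.strip()}
        else:
            settings[key] = value
    return settings


def forwarding_gaps(settings):
    """Return (forwarding_enabled, missing_events) for one zone.

    missing_events are event types audited on success or failure but not
    listed under 'Syslog Audit Events': they stay in the local audit log
    and are never forwarded to the syslog target.
    """
    enabled = settings.get("Syslog Forwarding Enabled", "").lower() == "yes"
    audited = settings.get("Audit Failure", set()) | settings.get("Audit Success", set())
    missing = audited - settings.get("Syslog Audit Events", set())
    return enabled, missing


def report(zones):
    """Map each zone name to its (enabled, missing) tuple."""
    return {name: forwarding_gaps(parse_view(text)) for name, text in zones.items()}
```

On the post's own values, the System zone audits `close` failures but does not forward them, and the global view forwards neither `rename` nor `set_security` even though both are audited.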