Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
mmuessig Absent Member.
Absent Member.
665 views

NetApp Filer Auditing

Hi out there,

anybody there having experience with the netapp filer syslog connector?

I am looking for an alternative to using Varonis "Data Advantage" for NetApp Filer auditing.

As i checked the Netapp connector documentation I found event field mapping rather poor.

Haven't seen it live, but i could not imagine that there is really helpfull audit information mapped...

In detail i look for information like

- who had access to a certain object on a certain share at a given time

- which access rights were given to a user at a given time

- who changed object ACLs on shares and when (old and new privileges)

- etc...

Any ideas?

Thanks in advance,

Markus

Labels (1)
0 Likes
Reply
11 Replies
Highlighted
a2g Absent Member.
Absent Member.

Re: NetApp Filer Auditing

Markus,

   The reason is that NetApp produces two types of logs.  What you see is it's OS syslog.  What you're probably looking for is its application log, which NetApp stores in Windows Log format internally.  There is no SmartConnector for that application log as far as I am aware of.

Anton

0 Likes
Reply
mmuessig Absent Member.
Absent Member.

Re: NetApp Filer Auditing

Hi Anton,

thanks a lot! This was very helpful... At least, i know understand, why "NetApp Filer Auditing" is as poor as it is!

Trying to get further with your information...

Is it planned to have a NetApp filer auditing for the application level audit information?

I have my second customer situation right now where we have to think about an alternative vendor cause of poor file-services audit information...

Regards from Wuerzburg/Germany,

Markus

0 Likes
Reply
a2g Absent Member.
Absent Member.

Re: NetApp Filer Auditing

The problem is that currently Windows event logs are picked up by establishing a direct RPC call to the Windows system hosting it, which cannot be done to NetApp.  The log files are stored in a binary .evt files and as far as I am aware, there is currently no plans to support this format by a FlexConnector framework, unless someone here in this forum has different information.

Anton

0 Likes
Reply
Till
New Member.

Re: NetApp Filer Auditing

Well, Netapp supports the live mode, which allows Windows event viewer to connect to a Filer via RPC and read the audit log in real time.

Unfortunately this doesn't work with our connector.

Markus: please open feature requests for all customers requesting this.

This is the best way to get it prioritized.

-Till

0 Likes
Reply
Established Member.. ilia.tivin@hpe.
Established Member..

Re: NetApp Filer Auditing

Hi Markus,

There is a software solution that we use at several customers especially for that reason. The solution is "Varonis" (http://www.varonis.com/), But as far as I know the solution works really well both for NetApp and EMC storage ( havent tried it with other Sun, XIV or anything else.)

The solution is not cheap as they charge per user that is on the filer ( you don't really need to buy 6k licenses for 6k users), the licenses are only application licenses, so if you buy 100 licenses, you will only see 100 users in the application. (Arcsight overrides this as it accesses directly the database before the events are processed and unlicensed users are removed.

Besides that, EMC has a framework for connecting with the filer, and I am positive that NetApp has one too. Since I am not a "Gold/Premium partner", I don't really get replies for my emails. I suggest you try emailing them.

Best of Luck!

Ilia Tivin.

0 Likes
Reply
gportnoy1
New Member.

Re: NetApp Filer Auditing

Till,

I've been asking for this functionality for close to 3 years. I believe you now have developed a similar functionality to pull events from EMC Celerra using their Event Publishing Agent, at least i've seen a config guide for it. I know for a fact that NetApp supports similar functionality, called fpolicy, which is how AV scanning is implemented in both platforms, so it should be relatively easy to extend that functionality to NetApp devices. I guess there is just not enough demand for it. From my understanding the EMC agent came about because a fairly large customer refused to go ahead with the purchase until this was supported. That's powerful motivation.

0 Likes
Reply
nmaurer Valued Contributor.
Valued Contributor.

Re: NetApp Filer Auditing

Is it possible to get Varonis events into ArcSight?

0 Likes
Reply
Established Member.. ilia.tivin@hpe.
Established Member..

Re: NetApp Filer Auditing

Sure,

You'll need a time based flex.

I might have a query somewhere. I'll look it up.

0 Likes
Reply
Al Wilson_2 Contributor.
Contributor.

Re: NetApp Filer Auditing

This thread is a little old, I noticed that 5.14 connectors have " Netapp Filer Event Log (Beta)" - is anyone utilizing it?

0 Likes
Reply
Hakan Trusted Contributor.
Trusted Contributor.

Re: NetApp Filer Auditing

Hi Markus, have you found a way to get the NetApp Filer Auditing events on ArcSight ESM/Logger?

HAKAN
0 Likes
Reply
Hakan Trusted Contributor.
Trusted Contributor.

Re: NetApp Filer Auditing

Hi Gary, are you collecting audit events from NetApp Filer now?

HAKAN
0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.