Integrate EMC Isilon - Netsurion


Integrate EMC Isilon
EventTracker v8.x and above
Publication Date: March 3, 2017

Abstract

This guide helps you configure EMC Isilon and EventTracker so that EventTracker receives EMC Isilon events. It describes the procedure required for monitoring EMC Isilon.

Audience

Administrators who are assigned the task of monitoring and managing EMC Isilon events using EventTracker.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract
Audience
Overview
Prerequisites
Integration of EMC Isilon to EventTracker manager
EventTracker Knowledge Pack
  Alerts
  Flex Reports
  Knowledge Object
Import EMC Isilon knowledge pack into EventTracker
  Knowledge Objects
  Alerts
  Token Template
  Flex Reports
Verify EMC Isilon knowledge pack in EventTracker
  Knowledge Objects
  Alerts
  Token Template
  Flex Reports
Create Flex Dashboards in EventTracker
  Schedule Reports
  Create Dashlets
  Sample Flex Dashboards

Overview

Isilon OneFS is a NAS solution that combines the three layers of traditional storage architectures (file system, volume manager, and data protection) into one unified layer.

EventTracker helps you monitor user login activity, file operations (open, close, read, write, etc.) and changes to file permissions. It triggers an alert whenever a file permission changes or a user login fails. Its knowledge object makes log searches easier and more informative.

Prerequisites

- EventTracker v8.x should be installed.
- EMC Isilon OneFS 7.1 or later should be installed.
- An exception should be added to the Windows firewall on the EventTracker machine for syslog port 514. The @host action used in syslog.conf below sends over UDP, so the exception should allow UDP 514, and ideally only from the Isilon node addresses, because syslog forwarded this way is neither encrypted nor authenticated.

Integration of EMC Isilon to EventTracker manager

1. Log in to the EMC Isilon CLI console using SSH or directly.
2. Run the following command to back up the /etc/mcp/templates/syslog.conf file:

   cp /etc/mcp/templates/syslog.conf /etc/mcp/templates/syslog.conf.bku1

3. Open the /etc/mcp/templates/syslog.conf file in a text editor such as vi, edit, or nano.
4. Add a custom filter for your EventTracker manager. For example:

   *.warn;*.notice;kern.*;ifs.info;istat.none   @<EventTracker manager IP address>

   Place this line above the first !program selector in the file: in syslog.conf, lines that follow a !program line apply only to that program.

   NOTE: A filter of *.* will generate a lot of traffic.
5. To enable remote logging of syslog events for configuration and protocol auditing, find these sections of the /etc/mcp/templates/syslog.conf file:

   !audit_config
   *.*   /var/log/audit_config.log
   !audit_protocol
   *.*   /var/log/audit_protocol.log

6. Add a line for the remote syslog server (the EventTracker manager) to each section, so that the resulting sections of the file look like this (it is assumed that you have enabled syslog for auditing):

   !audit_config
   *.*   /var/log/audit_config.log
   *.*   @<EventTracker manager IP address>
   !audit_protocol
   *.*   /var/log/audit_protocol.log
   *.*   @<EventTracker manager IP address>

7. Save the file and exit your editor. The master control process (MCP) pushes your changes from the template file into /etc/syslog.conf a short time later.
8. Reload the configuration by sending the hang-up signal to the syslogd process on every node:

   isi_for_array 'killall -HUP syslogd'

EventTracker Knowledge Pack

Once logs are received in EventTracker, alerts, reports and a knowledge object can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker Enterprise to support EMC Isilon.

Alerts

- EMC Isilon: Login failed - This alert is generated when a user logon failure occurs on EMC Isilon.
- EMC Isilon: File permission changes - This alert is generated when a user changes file or directory permissions.
- EMC Isilon: File or directory deleted - This alert is generated when a user deletes a file or directory from an EMC Isilon zone.

Flex Reports

- EMC Isilon-File operations - This report provides information about the operations (open, close, read, write, rename, etc.) that a user performs on files in an EMC Isilon zone. It shows the user information (Security ID, Client IP) of who performed the operation and the file information (file path, file type).

Figure 1
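Steps 2 through 8 of the integration procedure above, scripted as an added example. This script is not from the Netsurion guide or from OneFS; it assumes the template path and the !audit_config / !audit_protocol sections shown in steps 5 and 6, and takes the manager address as an argument (192.0.2.10 below is a placeholder). It goes slightly beyond the manual edit in two ways a practitioner would want: it inserts the step-4 filter above the first !program selector (lines after a !program line apply only to that program), and it refuses to add the forwarding lines a second time if re-run. The syslog.conf it edits at the bottom is a constructed sample so the script can be exercised off-cluster; on a node you would pass /etc/mcp/templates/syslog.conf instead.

```shell
#!/bin/sh
# Added example: scripted form of steps 2-8 of the guide (not code from the
# Netsurion guide or from OneFS). Assumptions: the OneFS template contains
# "!audit_config" / "!audit_protocol" sections whose targets are
# /var/log/audit_config.log and /var/log/audit_protocol.log, as in step 5.
set -eu

FILTER='*.warn;*.notice;kern.*;ifs.info;istat.none'   # the step-4 selector

# add_forwarding CONF MANAGER_IP
# Backs CONF up to CONF.bku1 (step 2), adds the general filter (step 4) and
# forwards both audit sections to MANAGER_IP (steps 5-6). Re-running with the
# same address is a no-op, so the lines are never duplicated.
add_forwarding() {
    conf=$1
    mgr=$2
    [ -f "$conf.bku1" ] || cp "$conf" "$conf.bku1"
    if grep -qF "@$mgr" "$conf"; then
        echo "forwarding to $mgr already present in $conf, nothing to do" >&2
        return 0
    fi
    tmp="$conf.tmp.$$"
    awk -v mgr="$mgr" -v filt="$FILTER" '
        # The filter must precede the first "!program" selector: in BSD
        # syslog.conf every line after "!prog" applies only to that program.
        /^!/ && !filt_done { print filt "\t@" mgr; filt_done = 1 }
        { print }
        # Directly after each audit file target, add the remote target.
        /^\*\.\*[ \t]+\/var\/log\/audit_(config|protocol)\.log[ \t]*$/ {
            print "*.*\t@" mgr
        }
        END { if (!filt_done) print filt "\t@" mgr }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"     # keeps the mode and owner of the original file
    rm -f "$tmp"
}

# verify_forwarding CONF MANAGER_IP
# Succeeds only when the manager appears exactly three times: once in the
# general filter and once under each audit section.
verify_forwarding() {
    [ "$(grep -cF "@$2" "$1")" -eq 3 ]
}

# reload_syslogd: step 8. isi_for_array exists only on OneFS; elsewhere just
# report what would have run, so the script stays usable for a dry run.
reload_syslogd() {
    if command -v isi_for_array >/dev/null 2>&1; then
        isi_for_array 'killall -HUP syslogd'
    else
        echo "dry run: would execute isi_for_array 'killall -HUP syslogd'" >&2
    fi
}

# make_sample_conf PATH: a constructed stand-in for the relevant part of the
# template (not copied from a cluster) so the script can be exercised anywhere.
# Real files separate selector and action with tabs; the regex accepts either.
make_sample_conf() {
    cat > "$1" <<'EOF'
*.err;kern.warning;auth.notice;mail.crit    /dev/console
!audit_config
*.*    /var/log/audit_config.log
!audit_protocol
*.*    /var/log/audit_protocol.log
EOF
}

# Demonstration against the constructed sample; 192.0.2.10 is a placeholder
# for the EventTracker manager address.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/syslog.conf"
make_sample_conf "$SAMPLE_CONF"
add_forwarding "$SAMPLE_CONF" 192.0.2.10
add_forwarding "$SAMPLE_CONF" 192.0.2.10    # second run changes nothing
cat "$SAMPLE_CONF"
reload_syslogd
```

After it runs on a node, step 7 still applies: MCP copies the template into /etc/syslog.conf on its own schedule, so check /etc/syslog.conf (not only the template) with verify_forwarding before trusting that events are leaving the cluster.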

Sample logs:

Figure 2

- EMC Isilon-File permission checked and changed - This report provides information about checks and changes of file permissions. It shows the user information (Security ID, Client IP) of who changed the permissions and the file information (file path, file type).

Figure 3

Sample logs:

Figure 4

- EMC Isilon-Logon and logoff activities - This report provides information about logon and logoff activity on EMC Isilon, showing which user logged on or off.

Figure 5

Sample logs:

Figure 6

- EMC Isilon-Logon failed - This report provides information about user logon failures by client. It shows which user is trying to log on to EMC Isilon.

Figure 7

Sample logs:

Figure 8

Knowledge Object

- EMC Isilon - This knowledge object helps you analyze logs related to file operations, login/logoff activities and file permission changes.

Import EMC Isilon knowledge pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:
- Token Template
- Knowledge Objects
- Alerts
- Flex Reports

NOTE: Export the following KP items when replicating the configuration to another EventTracker manager:
- Token Template
- Knowledge Object
- Flex Reports
- Alerts

1. Launch EventTracker Control Panel.
2. Double-click Export Import Utility.

Figure 9

3. Click the Import tab.

Knowledge Objects

1. Click Knowledge objects under the Admin option in the EventTracker manager page.
2. Locate the All EMC Isilon group of Knowledge object.etko file, and then click the Import button.

Figure 10

3. Choose the Knowledge objects that need to be imported and click Upload.

Figure 11

4. Knowledge objects are now imported successfully.

Figure 12

Alerts

1. Click the Alerts option, and then click the browse button.

Figure 13

2. Locate the All EMC Isilon group of alerts.isalt file, and then click the Open button.
3. To import alerts, click the Import button. EventTracker displays a success message.

Figure 14

4. Click OK, and then click the Close button.

Token Template

1. Log on to EventTracker Enterprise.
2. Click the Admin menu and then click Parsing rule.

3. Click the Template tab.
4. Click the Import button. (Note: Make sure pop-ups are enabled for EventTracker.)

Figure 15

5. Locate and choose the All EMC Isilon group of template.ETTD file and then click the Open button.

Figure 16

6. Select the template you want to upload.
7. Click the Import configuration button.

Figure 17

EventTracker displays a success message.

Figure 18

8. Click OK; the window closes automatically.

Flex Reports

1. Click the Reports option, and then click the browse button.
2. Locate the All EMC Isilon group of flex reports.issch file, and then click the Open button.

Figure 19

3. Click the Import button to import the scheduled reports. EventTracker displays a success message.

Figure 20

Verify EMC Isilon knowledge pack in EventTracker

Knowledge Objects

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Knowledge Objects.
2. In the Knowledge Object tree, expand the EMC Isilon group folder to see the imported Knowledge objects.

Figure 21

Alerts

1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Alerts.
3. In the Search field, type 'EMC Isilon', and then click the Go button. The Alert Management page displays all the imported EMC Isilon alerts.

Figure 22

4. To activate the imported alerts, select the respective checkbox in the Active column. EventTracker displays a message box.

Figure 23

5. Click OK, and then click the Activate Now button.

NOTE: You can select alert notifications such as Email and Message. To do so, select the respective checkbox in the Alert management page, and then click the Activate Now button.

Token Template

1. Log on to EventTracker Enterprise, click Admin and go to Parsing rule.
2. Click the Template tab.
3. Check the template you uploaded.

Figure 24

Flex Reports

1. In the EventTracker Enterprise web interface, click the Reports menu, and then select Configuration.
2. In the Reports Configuration pane, select the Defined option.
3. In the search box enter 'EMC Isilon', and then click the Search button. EventTracker displays the 'EMC Isilon' Flex reports.

Figure 25

Create Flex Dashboards in EventTracker

NOTE: To configure the flex dashboards, first schedule and generate the reports. The Flex dashboard feature is available from EventTracker Enterprise v8.0.

Schedule Reports

1. Open EventTracker in a browser and log on.

Figure 26

2. Navigate to Reports Configuration.
3. Select EMC Isilon in the report groups. Select the Defined option.

Figure 27

4. Click 'schedule' to plan a report for later execution.
5. Click the Next button to proceed.
6. In the review page, check the Persist data in EventVault Explorer option.

Figure 28

7. In the next page, check the column names to persist using the PERSIST checkboxes beside them. Choose a suitable retention period.

Figure 29

8. Proceed to the next step and click the Schedule button.
9. Wait until the reports are generated.

Create Dashlets

1. Open EventTracker Enterprise in a browser and log on.

Figure 30

2. Navigate to Dashboard, then Flex. The Flex Dashboard pane is shown.

Figure 31

3. Fill in a suitable title and description and click the Save button.
4. Click the icon to configure a new flex dashlet. The Widget configuration pane is shown.

Figure 32

5. Locate the earlier scheduled report in the Data Source dropdown.
6. Select the Chart Type from the dropdown.
7. Select the extent of data to be displayed in the Duration dropdown.
8. Select the computation type in the Value Field Setting dropdown.
9. Select the evaluation duration in the As Of dropdown.
10. Select comparable values for the X Axis with a suitable label.
11. Select numeric values for the Y Axis with a suitable label.
12. Select a comparable sequence in Legend.
13. Click the Test button to evaluate. The evaluated chart is shown.

Figure 33

14. If satisfied, click the Configure button.

Figure 34

15. Click 'customize' to add the dashlet to the earlier created dashboard.
16. Click the icon to locate and choose the created dashlet.

Sample Flex Dashboards

For the dashboard below:

WIDGET TITLE: FILE ACCESSED IN LAST 24 HRS
DATA SOURCE: EMC Isilon-File operations
CHART TYPE: Column
AXIS LABELS [X-AXIS]: File
LEGEND [SERIES]: Action

Figure 35

For the dashboard below:

WIDGET TITLE: USER LOGIN AND LOGOFF ACTIVITIES IN LAST 24 HRS
DATA SOURCE: EMC Isilon-Logon and logoff activities
CHART TYPE: Donut
AXIS LABELS [X-AXIS]: User security ID
LEGEND [SERIES]: Action

Figure 36
