Help Document

EMC CIFS server auditing

Log360 Cloud simplifies EMC server auditing and helps ensure security, compliance and operational integrity.

Audited events

Log360 Cloud audits both success and failure attempts for the following file activities:

  • Create
  • Read
  • Modify
  • Write
  • Delete
  • Change file permissions

Required privileges

For effective EMC CIFS server auditing with Log360 Cloud, the user configured in the domain must either have admin privileges or be granted the minimum privileges outlined below:

  1. Read and Write privileges for the EMC Registry Editor.
  2. Read privileges on the EMC audit log share path. Refer to these steps to update the shared path.
  3. Read and Write permissions to enable automatic configuration of the SACL for auditing on the specified shares.

Configuring EMC server auditing in Log360 Cloud

To configure EMC server auditing in Log360 Cloud, follow these steps:

  1. Navigate to Settings > Configuration > File Integrity Monitoring > EMC Server.
  2. If the server is domain-configured, select the EMC Server from the list of discovered devices; otherwise, choose the Configure Manually option and enter the server name.
  3. Provide the correct credentials and select an appropriate agent.
  4. Verify the provided credentials to enable location browsing. Ensure proper validation for secure connections and accurate monitoring of file activities within EMC locations.
  5. Navigate through directories, selecting specific files and folders for monitoring. Alternatively, manually enter the path to the desired files/folders.
  6. Use the filter to selectively include/exclude specific file types, and then further refine by excluding certain sublocations within the main directory, or all sublocations within the main directory.
  7. To enable automatic configuration of object-level auditing by Log360 Cloud, select the checkbox for "Set necessary object-level auditing on selected shares."
  8. Click the Configure button to initiate the configuration process.

Configuring audit policies

To configure audit policies on your EMC storage devices, follow these steps:

  1. Install the CIFS Management MMC Snap-in on any domain server and open it.
  2. Right-click Data Mover Management and select Data Mover.
  3. Navigate to Data Mover Management > Data Mover Security Settings > Audit Policy.
  4. Enable Audit Object Access for both Success and Failure events.
  5. Click OK.

Configuring Eventlog settings for EMC server auditing

The default Eventlog size is 512KB. To prevent events from being overwritten, modify the log size by following these steps:

1. Creating a shared folder:

  • Create a new volume in the EMC file system: Navigate to Storage > File > File Systems tab > Create a new file system.
  • Establish a hidden share in that volume: Navigate to Storage > File > SMB Shares > Create share. Copy its local path, obtainable under Computer Management console > System Tools > Shared Folders > Shares > right-click the hidden share > Properties > Folder path.

2. Updating Eventlog location in registry:

  • Open the Registry Editor by going to Run > regedit > File > Connect Network Registry > type the EMC CIFS server's name.
  • Navigate to HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > Eventlog > Security > Security.
  • Set the local path of the hidden share as the key name under File > [Local Path of the Audit Log]. This updates the default location of the Eventlog file.

3. Adjusting Event Viewer settings:

  • Open Event Viewer by going to Run > eventvwr > right-click Event Viewer > Connect to Another Computer > type the target EMC CIFS server's name.
  • Navigate to Security Log > right-click Properties > select Do not overwrite events.

4. Configuring archive settings in registry:

  • Continue in the Registry Editor (Run > regedit > File > Connect Network Registry > type the target EMC CIFS server's name).
  • Navigate to HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > Eventlog > Security > Security.
  • Set the following values for the archive settings:

    AutoArchiveEnabled: 1

    AutoArchiveTriggerPolicySize: 512MB

    AutoArchiveRetentionPolicySize: 10GB

Manual SACL configuration for EMC server auditing

For manual SACL configuration in EMC server auditing, follow these steps:

  1. Right-click the target share and select Properties. Navigate to the Security tab.
  2. Click on Advanced and proceed to the Auditing tab.
  3. Add the following entries for the Everyone group.

| To audit | Principal | Event type | Accesses | Applies to |
|---|---|---|---|---|
| File and folder changes | Everyone | Success and failure | Create Files / Write Data; Create Folders / Append Data; Write Attributes; Write Extended Attributes; Delete Subfolders and Files; Delete | This folder, subfolders, and files |
| Folder permission changes | Everyone | Success and failure | Change Permissions | This folder and subfolders |
| File read | Everyone | Success and failure | List Folder / Read Data | Files only |
| File read failure | Everyone | Failure | List Folder / Read Data | This folder and subfolders |
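
The same four audit entries can be applied from PowerShell instead of the Security tab. This is an added example, not part of the Log360 Cloud documentation; the share path is a hypothetical placeholder, and it assumes an elevated session whose account may manage auditing on the share and that the share accepts SACL changes over SMB.

```powershell
using namespace System.Security.AccessControl

# Added example (not vendor code): apply the four SACL entries from the table.
param(
    # Hypothetical UNC path; replace with the share to be audited.
    [string]$SharePath = '\\emc-cifs01\audited-share'
)

# Well-known SID of the Everyone group, independent of the OS display language.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

# One entry per table row. "Applies to" maps to inheritance/propagation flags:
#   This folder, subfolders, and files -> ContainerInherit, ObjectInherit / None
#   This folder and subfolders         -> ContainerInherit / None
#   Files only                         -> ObjectInherit / InheritOnly
$entries = @(
    @{ Rights    = 'CreateFiles, AppendData, WriteAttributes, ' +
                   'WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete'
       Inherit   = 'ContainerInherit, ObjectInherit'; Propagate = 'None'
       Flags     = 'Success, Failure' },                     # File and folder changes
    @{ Rights    = 'ChangePermissions'
       Inherit   = 'ContainerInherit'; Propagate = 'None'
       Flags     = 'Success, Failure' },                     # Folder permission changes
    @{ Rights    = 'ReadData'
       Inherit   = 'ObjectInherit'; Propagate = 'InheritOnly'
       Flags     = 'Success, Failure' },                     # File read
    @{ Rights    = 'ReadData'
       Inherit   = 'ContainerInherit'; Propagate = 'None'
       Flags     = 'Failure' }                               # File read failure
)

# -Audit includes the SACL in the returned security descriptor.
$acl = Get-Acl -Path $SharePath -Audit

foreach ($e in $entries) {
    $rule = [FileSystemAuditRule]::new(
        $everyone,
        [FileSystemRights]$e.Rights,
        [InheritanceFlags]$e.Inherit,
        [PropagationFlags]$e.Propagate,
        [AuditFlags]$e.Flags)
    $acl.AddAuditRule($rule)   # merges with any existing matching entry
}

Set-Acl -Path $SharePath -AclObject $acl

# Read the SACL back and list the explicit (non-inherited) entries to confirm.
(Get-Acl -Path $SharePath -Audit).GetAuditRules(
    $true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Format-Table FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags
```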

Troubleshooting EMC server auditing

Target server not listed during configuration

Error message: No EMC Server(s) found.

Cause: The server is not added to the domain.

Solution:

  1. Ensure the correct domain is selected.
  2. Click the refresh option in the 'Select Server' modal to reload computer objects.
  3. Verify that the Active Directory computer object has the Operating System named EMC.

Credentials verification

Error message: Connection failed for {server name} due to Invalid Credentials

Cause: Incorrect credentials.

Solution: Provide credentials with appropriate privileges.

SyncSourceFiles Failure

Error message: The system cannot find the file specified

Cause: Unable to find the registry path.

Solution: Check registry path availability in HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > Eventlog > Security > Security.