Access audit profiles
Access audit profiles are the settings based on which events are collected by DataSecurity Plus. This vital configuration determines which access types, users, and shares are audited. The collected data is then displayed in reports.
For more information on the data collection process in File Audit, refer to the architecture.
To give users granular control over audit data collection in their file storage environment, DataSecurity Plus supports two types of access audit profiles:
- Global audit profiles, which can be applied to all or a combination of configured servers.
- Server-specific profiles, which are applied individually to specific servers.
These profiles help users ensure that collected event details are not duplicated, which can cause log databases to fill up faster.
Access audit profiles can be viewed and modified only by administrative technician accounts. To view all configured audit policies, follow the steps below:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Audit Configuration.
- Here, you will see the Global Profiles and Server Specific Profiles tabs.
- Global Profiles: In this tab, you can view a list of the access audit configurations applied to all or a combination of configured servers.
- Server Specific Profiles: In this tab, select a server in the Server Name field to view all the access audit configurations specific to that server along with the global audit configurations that have been applied to it.
Creating and editing access audit profiles
A) Global audit profiles
Upon installation, DataSecurity Plus will have one default global audit profile. This, the Default Access Audit Configuration, is a predefined profile based on which event collection and processing will start as soon as a file server is set up in DataSecurity Plus. It collects audit data based on these filters:
User: All
Monitor Object: All
Action: All
It collects details on all file access events performed by all users on all configured shares, local folders, sub-folders, and local files in the configured servers.
File actions audited by the default global audit profile
Create | Modify | Delete | Move |
Owner change | Overwrite | Permission change | Rename |
SACL change | File copied | Read deny | Restore |
Write deny | Delete deny | File extension change | Read |
File paste |
Creating global audit profiles
To create a new global audit profile:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Audit Configuration > Global Profiles.
- Click Add Global Profile in the top-right corner.
- Enter a suitable profile name and description for the audit profile.
- Click the + icon next to the Selected Servers field and choose the servers that you wish to apply this profile to.
- To apply this profile to any new servers that might be added to DataSecurity Plus in the future, check the box next to Apply profile to new servers.
- Under Criteria, choose the entities to be configured under the Include and Exclude options.
- Click Save to create a new global audit profile.
Note: Exclude filters will be given precedence over Include filters.
Best practice: Multiple global access audit policies are seldom required. Please note that duplicate audit profile settings will cause audit data to be collected twice, take up unnecessary database space, and be listed multiple times in reports. To eliminate the possibility of an overlap, we strongly recommend contacting DataSecurity Plus' technical experts at support@datasecurityplus.com prior to starting the procedure. Our technicians will assist you with audit profile configuration via a remote support session.
Editing global audit profiles
To edit a global audit profile:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Audit Configuration > Global Profiles.
- Click the edit icon next to the audit profile you wish to edit.
- Change the required fields under Include and Exclude to collect or omit file access audit details for those entities.
- Click Save.
Best practice: For most use cases, there will be no need to edit an audit profile. In fact, it is not recommended unless you are a certified DataSecurity Plus technician. A misconfiguration can potentially lead to a total loss of critical audit data.
To view audit data for a specific file, user, access type, or other criteria, you can instead use filters in the default reports or create a custom report by following the steps in this page.
Server-specific profiles
Creating server-specific profiles
To create a new server-specific profile:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Audit Configuration > Server Specific Profiles.
- Click the + icon next to the Server Name field and choose the server that you wish to create a profile for. Click Select.
- Click Add Server Profile in the top-right corner.
- Enter a suitable profile name and description for the audit profile.
- Under Criteria, choose the entities to be configured under the Include and Exclude options.
- Click Save to create a new server-specific audit profile.
Note: Exclude filters will be given precedence over Include filters.
To better understand how you can use the server-specific audit profiles, here is an example for when you don't want to audit all file accesses made by users in a server.
Say two shares are configured in a server and you want to audit all events in share A but only some events in share B. You can create two server-specific audit profiles as shown below:
Audit Profile A:
To audit all file access events in share A, set the filters as:
User Object: All
Action: All
Monitor Object: Share A
Audit Profile B:
To audit only delete, move, and permission change events in share B, set the filters as:
User Object: All
Action: Delete, Move, Permission Change
Monitor Object: Share B
Audit Profile B will ensure that only the specified events are collected by DataSecurity Plus in share B. Other accesses like Read, Modify, Write Deny, and more will not be collected. To ensure that those events are not collected elsewhere and that the included events are not collected multiple times, remove the server from all applicable global audit profiles.
Tip: In case you wish to apply the same audit profile to two or more servers, use the Global Profiles tab and apply the profile to multiple servers. This will save time by eliminating the need for multiple individual server-specific audit profiles.
Editing server-specific audit profiles
To edit a server-specific audit profile:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Audit Configuration > Server Specific Profiles.
- Select the server for which you want to edit the profile from the corresponding field.
- Click the Edit icon next to the audit profile you want to edit.
- Change the required fields under Include and Exclude to collect or omit file access audit details for those entities.
- Click Save.
Best practice: For most use cases, there will be no need to edit an audit profile. In fact, it is not recommended unless you are a certified DataSecurity Plus technician. A misconfiguration can potentially lead to a total loss of critical audit data.
To view audit data for a specific file, user, access type, or other criteria, you can instead use filters in the default reports or create a custom report by following the steps in this page.
Deleting audit profiles
To delete an audit profile configuration:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Audit Configuration.
- Select the type of profile you wish to delete from the corresponding tabs.
- If you want to delete a server-specific profile, select that server in the Server Specific Profiles tab. Otherwise, skip this step.
- From the table, check the box next to the profile you wish to delete.
- Click the delete icon at the top of the table.
- Click OK to confirm the action.