API - NetApp CIFS Audit Event Log
Network Appliance (NetApp) filers include a Windows Event Log server emulator that writes CIFS (Windows file share) audit records to an emulated Security event log. LogRhythm can collect these records directly from the filer with a Windows System Monitor Agent, using the same mechanism it uses for a Windows host's Security log.
Prerequisites
Configure the NetApp filer to turn on CIFS auditing. For more information, see https://www.netapp.com/media/16330-tr-4189.pdf.
Configure NetApp CIFS Audit Logs
To turn on the NetApp's audit log, connect to the filer as an administrative user (ssh is preferred; telnet sends the credentials in cleartext) and run the following commands:
- options cifs.audit.enable on
- options cifs.audit.liveview.enable on
- options cifs.audit.liveview.allowed_users everyone
If Event Viewer on the Agent host cannot connect to the NetApp and reports that the RPC server is unavailable, map a drive on the Agent host to a share on the filer (for example ETC$), which establishes an authenticated SMB session, and then try again.
To clear the NetApp's audit log, connect to the filer in the same way and run the following commands in order:
- options cifs.audit.liveview.enable off
- cifs audit clear
- options cifs.audit.liveview.enable on
The Windows System Monitor Agent service must run as a Windows account that has sufficient privileges on the NetApp filer (read access to the Security log and to the ETC$ share). It will not work as LocalSystem, because LocalSystem authenticates to the network as the computer account, which normally has no rights on the filer. Set the service logon credentials for the System Monitor Agent in Services: go to Control Panel, click Administrative Tools, then click Services.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - NetApp CIFS Security Audit Event Log. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
- Format is: [MachineName]:[PathToNetAppResourceDLL]
MachineName: The hostname or IP address of the NetApp filer whose Security log is being read.
PathToNetAppResourceDLL: The path to the NetApp message resource file, ontapAuditE.dll, which the Agent uses to render event descriptions. The file is found in the NetApp's ETC$ administrative share and can be read from there, or copied to the Agent host and read locally. Note that the machine name and the path are separated by the first colon; a drive-letter path (C:\ or Y:\) keeps its own colon.
- Examples of File Path when ontapAuditE.dll is on NetApp filer and accessed using the default ETC$ administrative CIFS share:
- 192.168.0.9:\\192.168.0.9\etc$\ontapAuditE.dll
- 192.168.0.1:Y:\etc\ontapAuditE.dll
- Netapp_filerA:\\Netapp_filerA\etc$\ontapAuditE.dll
- Examples of ontapAuditE.dll on local (Agent) machine:
- 192.168.0.6:C:\NetAppResource\ontapAuditE.dll
- Netapp_filerA:C:\NetAppResource\ontapAuditE.dll
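The Flat File Settings string is easy to get wrong, and the Agent gives little feedback when it cannot open the resource DLL. The following is an added example, not LogRhythm or NetApp code: a small Python checker that parses entries of the form [MachineName]:[PathToNetAppResourceDLL], splitting on the first colon so that drive-letter paths survive, and flags the two mistakes a practitioner most often makes: leaving the machine name off entirely, and pointing at a mapped drive letter that exists only in an interactive logon session and not in the Agent service's session. The sample entries are the three from this page plus two constructed bad ones; the warning text and the helper names are the author's own.

```python
"""Check LogRhythm Flat File Settings entries for the NetApp CIFS audit
log source. Added example, not LogRhythm/NetApp code.

Entry format: [MachineName]:[PathToNetAppResourceDLL]
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Hostname label; underscore allowed because the page itself uses Netapp_filerA.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$")
# Drive-letter path such as C:\... or Y:\...
_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
EXPECTED_DLL = "ontapAuditE.dll"


@dataclass
class FlatFileSetting:
    machine: str
    dll_path: str
    kind: str                                   # "unc" or "drive"
    warnings: List[str] = field(default_factory=list)


def parse_setting(entry: str) -> FlatFileSetting:
    """Parse one entry. Raises ValueError for entries the Agent cannot use."""
    # Split on the FIRST colon only: a drive-letter path contains a second one.
    # (IPv6 literals are not supported by this format; the page shows IPv4/hostnames.)
    machine, sep, path = entry.strip().partition(":")
    if not sep or not machine or not path:
        raise ValueError(f"expected [MachineName]:[PathToNetAppResourceDLL], got {entry!r}")

    try:
        ipaddress.ip_address(machine)           # IPv4 address is fine
    except ValueError:
        if not _HOST_RE.match(machine):         # otherwise must be a hostname
            raise ValueError(f"invalid machine name {machine!r}")

    if path.startswith("\\\\"):                 # \\host\share\...
        kind = "unc"
    elif _DRIVE_RE.match(path):                 # X:\...
        kind = "drive"
    else:
        # A single leading backslash usually means the machine name was left off
        # and the drive letter was consumed as the machine name.
        raise ValueError(f"path {path!r} is neither UNC nor a drive-letter path; "
                         "was the machine name omitted?")

    setting = FlatFileSetting(machine, path, kind)
    if path.rsplit("\\", 1)[-1].lower() != EXPECTED_DLL.lower():
        setting.warnings.append(f"path does not end in {EXPECTED_DLL}")
    if kind == "drive":
        setting.warnings.append(
            "drive-letter path: if this is a mapped network drive, the mapping must "
            "exist in the Agent service account's own logon session (mapped drives "
            "are per-session); the \\\\host\\etc$\\... UNC form avoids this")
    return setting


def validate_entries(entries: List[str]) -> List[str]:
    """Return one status per entry: 'ok', 'warn', or 'error'."""
    statuses = []
    for entry in entries:
        try:
            setting = parse_setting(entry)
        except ValueError:
            statuses.append("error")
        else:
            statuses.append("warn" if setting.warnings else "ok")
    return statuses


# Constructed sample input: the page's three examples plus two bad entries.
SAMPLE_ENTRIES = [
    r"192.168.0.9:\\192.168.0.9\etc$\ontapAuditE.dll",        # page: UNC to ETC$
    r"192.168.0.1:Y:\etc\ontapAuditE.dll",                      # page: mapped drive
    r"Netapp_filerA:C:\NetAppResource\ontapAuditE.dll",         # page: local copy
    r"C:\NetAppResource\ontapAuditE.dll",                       # constructed: no machine name
    r"Netapp_filerA:\\Netapp_filerA\etc$\ontapAuditE.dll.bak",  # constructed: wrong file
]

if __name__ == "__main__":
    for entry, status in zip(SAMPLE_ENTRIES, validate_entries(SAMPLE_ENTRIES)):
        print(f"{status:5} {entry}")
        if status != "error":
            for w in parse_setting(entry).warnings:
                print(f"      - {w}")
```

Run it before saving the log source: an "error" entry will never work, and a "warn" entry on a mapped drive letter is the usual cause of a source that reads events but shows no descriptions, since the service account cannot see a drive mapped by the logged-on administrator.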