NOTE: Only CIFS configuration is supported.
First, you should decide on the objects and actions you want to track. Consider the following:
- Actions reported by Netwrix Auditor vary depending on the file server type and the audited object (file, folder, or share).
- Besides, monitoring and reporting of the EMC storage systems may not provide the results you expect — due to native EMC audit peculiarities. See Actions, Object Types and Attributes Monitored on File Servers for details.
For example, the change operation (in Netwrix Auditor terminology) includes creation, modification, deletion, moving, renaming, and copying. So, to track the copy action, you will need to enable successful read access and change auditing.
You can configure your file shares for monitoring in one of the following ways:
When creating a monitoring plan—If you select the Adjust audit settings automatically option, the program will configure object access audit entries for file shares. Other settings must be configured manually, as described below.
If you select to automatically configure audit in the target environment, your current audit settings will be periodically checked and adjusted if necessary.
To configure EMC Celerra/VNX/VNXe/Unity for auditing, perform the following procedures:
Configure Security Event Log Maximum Size to avoid overwriting of the security logs; it is recommended to set security log size to a maximum (4GB).
By default, the security log is set to overwrite events that are older than 10 days, and its size is set to 512 KB. The default location for the security.evt log is C:\security.evt, which corresponds to the root partition of the Data Mover. To be able to increase the security log size, you must move it from the Data Mover root folder.
- Configure Audit Object Access Policy. Set the Audit object access policy set to "Success" and "Failure" in the Group Policy of the OU where your EMC VNX/VNXe/Unity/Celerra appliance belongs to.
For more information on VNX/VNXe/Unity/Celerra GPO support, refer to documentation provided by EMC.
- Configure Audit Settings for CIFS File Shares on EMC VNX/VNXe/Unity
NOTE: If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.