Configure NetApp Clustered Data ONTAP 8 and ONTAP 9 for Monitoring

To configure Clustered Data ONTAP 8 and ONTAP 9 for monitoring, perform the following procedures:

Prerequisites

Netwrix assumes that you are aware of basic installation and configuration steps. If not, refer to the following administration and management guides.

Version                      Related documentation
Clustered Data ONTAP 8.2
Clustered Data ONTAP 8.3
ONTAP 9.0 - 9.7

Perform the steps below before proceeding with audit configuration:

  1. Configure CIFS server and make sure it functions properly.

    NOTE: NFS file shares are not supported.

  2. Configure System Access Control List (SACL) on your file share. See Configure Audit Settings for CIFS File Shares for more information.
  3. Set the Security Style for the Volume or Qtree where the audited file shares are located to "ntfs" or "mixed".
  4. Configure audit manually. For 8.3, review the Auditing NAS events on SVMs with FlexVol volumes section in Clustered Data ONTAP® 8.3 File Access Management Guide for CIFS.

    NOTE: The current version of Netwrix Auditor does not support auditing of Infinite Volumes.

Configure ONTAPI Web Access

Netwrix Auditor uses ONTAPI to obtain the current CIFS audit configuration and to force the audit data flush from the internal filer format to an MS Event Viewer-compatible format. Netwrix Auditor supports both SSL and non-SSL HTTP access: it tries HTTPS first and falls back to HTTP if HTTPS is unavailable.

  1. Navigate to your cluster command prompt through the SSH/Telnet connection.

  2. Log in as a cluster administrator and review your current web access settings. Make sure that External Web Services are allowed. For example:

    cluster1::> system services web show
    External Web Services: true
    Status: online
    HTTP Protocol Port: 80
    HTTPs Protocol Port: 443
    TLSv1 Enabled: true
    SSLv3 Enabled: true
    SSLv2 Enabled: false
  3. Enable ONTAPI access on the SVM where CIFS server is set up and configured. The example command output shows correct web access settings where vs1 is your SVM name.

    cluster1::> vserver services web show -vserver vs1  
    Vserver    Type    Service Name Description               Enabled
    ---------- ------- ------------ ------------------------- -------
    vs1        data    ontapi       Remote Administrative API true
                                    Support
  4. Enable HTTP/HTTPS access. For example:

    cluster1::> vserver services web modify -vserver vs1 -name ontapi -enabled true

  5. Enable only SSL access (HTTPS in Netwrix Auditor). For example:

    cluster1::> vserver services web modify -vserver vs1 -name ontapi -enabled true -ssl-only true

  6. Make sure that the built-in vsadmin role or a custom role (e.g., fsa_role) assigned to the account specified for data collection can access ONTAPI. For example:

    cluster2::> vserver services web access show -vserver vs2
    Vserver        Type    Service Name Role
    -------------- ------- ------------ ---------------
    vs2            data    ontapi       fsa_role
    vs2            data    ontapi       vsadmin
    vs2            data    ontapi       vsadmin-protocol
    vs2            data    ontapi       vsadmin-readonly
    vs2            data    ontapi       vsadmin-volume
    5 entries were displayed.

Configure Firewall Policy

Configure the firewall to make file shares and the Clustered Data ONTAP HTTP/HTTPS ports accessible from the computer where Netwrix Auditor Server is installed. Your firewall configuration depends on the network settings and security policies in your organization. Below is an example configuration:

  1. Navigate to your cluster command prompt through the SSH/Telnet connection.
  2. Log in as a cluster administrator and review your current firewall configuration. For example:

    cluster1::> system services firewall show
    Node         Enabled      Logging
    ------------ ------------ -------
    cluster1-01  true         false
  3. Create a firewall policy or edit an existing policy to allow HTTP/HTTPS (note that by modifying a policy you may overwrite some settings). For example:

    To... Execute...
    NetApp Clustered Data ONTAP 8.2
    Create a policy

    cluster1::> system services firewall policy create -policy pol1 -service http -vserver vs1 -action allow -ip-list 192.168.1.0/24

    cluster1::> system services firewall policy create -policy pol1 -service https -vserver vs1 -action allow -ip-list 192.168.1.0/24

    Modify existing policy

    cluster1::> system services firewall policy modify -policy pol1 -service http -vserver vs1 -action allow -ip-list 192.168.1.0/24

    cluster1::> system services firewall policy modify -policy pol1 -service https -vserver vs1 -action allow -ip-list 192.168.1.0/24

    NetApp Clustered Data ONTAP 8.3, ONTAP 9.0 - 9.7

    Create a policy

    cluster1::> system services firewall policy create -policy pol1 -service http -vserver vs1 -allow-list 192.168.1.0/24

    cluster1::> system services firewall policy create -policy pol1 -service https -vserver vs1 -allow-list 192.168.1.0/24

    Modify existing policy

    cluster1::> system services firewall policy modify -policy pol1 -service http -vserver vs1 -allow-list 192.168.1.0/24

    cluster1::> system services firewall policy modify -policy pol1 -service https -vserver vs1 -allow-list 192.168.1.0/24

    where pol1 is your Firewall policy name and 192.168.1.0/24 is your subnet where Netwrix Auditor Server resides.

  4. Apply the firewall policy to a LIF.

    cluster1::> network interface modify -vserver vs1 -lif vs1-cifs-lif1 -firewall-policy pol1

    To verify the policy was applied correctly, execute the following:

    cluster1::> network interface show -fields firewall-policy
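
A review of the firewall policy commands above before they are applied, as an added example (not Netwrix or NetApp code): it parses both the 8.2 `-ip-list` and the 8.3/9.x `-allow-list` syntax and reports rules that do not cover the Netwrix Auditor Server address or that allow more addresses than a chosen limit. The function names, the pol2 rule, the server address 192.168.1.50 and the 256-address limit are assumptions made for the illustration.

```python
import ipaddress
import shlex

# Constructed sample input: policy commands in both syntaxes shown on this page.
# The pol2 rule is hypothetical and deliberately wide open.
SAMPLE_COMMANDS = """\
system services firewall policy create -policy pol1 -service http -vserver vs1 -action allow -ip-list 192.168.1.0/24
system services firewall policy create -policy pol1 -service https -vserver vs1 -allow-list 192.168.1.0/24
system services firewall policy create -policy pol2 -service https -vserver vs1 -allow-list 0.0.0.0/0
"""

def parse_policy_command(line):
    """Extract policy name, service and allowed networks from one command."""
    # Drop an optional "cluster1::>" prompt, then read "-option value" pairs.
    tokens = shlex.split(line.split("::>", 1)[-1])
    opts = {k: v for k, v in zip(tokens, tokens[1:]) if k.startswith("-")}
    cidrs = opts.get("-allow-list") or opts.get("-ip-list") or ""
    networks = [ipaddress.ip_network(c.strip(), strict=False)
                for c in cidrs.split(",") if c.strip()]
    return opts.get("-policy"), opts.get("-service"), networks

def review_policy(commands, auditor_ip, max_addresses=256):
    """Return (policy, service, issue) tuples for rules that need attention."""
    auditor = ipaddress.ip_address(auditor_ip)
    findings = []
    for line in commands.splitlines():
        if "firewall policy" not in line:
            continue
        policy, service, networks = parse_policy_command(line)
        # The Netwrix Auditor Server must fall inside at least one allowed range.
        if not any(auditor in net for net in networks):
            findings.append((policy, service, "auditor-not-allowed"))
        # Ranges larger than the limit expose ONTAPI to more hosts than needed.
        if any(net.num_addresses > max_addresses for net in networks):
            findings.append((policy, service, "range-too-broad"))
    return findings

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_COMMANDS, "192.168.1.50"):
        print(finding)
```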

Configure Event Categories and Log

Perform the following procedures to configure audit:

To configure auditing state, event categories and log

Configure audit settings in the context of Cluster or Storage Virtual Machine (SVM). All examples in the procedure below apply to SVM.

To execute commands in the context of Cluster, add -vserver name, where name is your server name.

  1. Navigate to command prompt through the SSH/Telnet connection.
  2. Log in as a cluster administrator and switch to the context of SVM from the cluster. For example, to switch to the SVM called vs1:

    cluster1::> vserver context -vserver vs1

    After a switch, you will be in the context of SVM:

    vs1::>

  3. Create and enable audit. For more information on audit configuration, refer to NetApp documentation. For example:

    To... Execute...

    Create audit

    vs1::> vserver audit create -destination <path to the volume>

    In the example above, the vserver audit create -destination /audit command executed on the vs1 SVM creates and enables audit on the volume /audit.

    NOTE: Netwrix Auditor accesses audit logs via file shares. Make sure the volume you specified is mounted on SVM and shared (e.g., audit$ is a share name and its path is /audit).

    Enable audit

    vs1::> vserver audit enable

  4. Review your audit settings. For example, on ONTAP 8.3 the default audit is configured as follows:

    vs1::> vserver audit show -instance

    Auditing State: true
    Log Destination Path: /audit
    Categories of Events to Audit: file-ops, cifs-logon-logoff
    Log Format: evtx
    Log File Size Limit: 100MB
    Log Rotation Schedule: Month:
    Log Rotation Schedule: Day of Week:
    Log Rotation Schedule: Day:
    Log Rotation Schedule: Hour:
    Log Rotation Schedule: Minute:
    Rotation Schedules:
    Log Files Rotation Limit: 0

    For ONTAP 9.0 or later the default audit is configured as follows:

    vs1::> vserver audit show -instance

    Auditing State: true
    Log Destination Path: /audit
    Categories of Events to Audit: file-ops, file-share, audit-policy-change, cifs-logon-logoff
    Log Format: evtx
    Log File Size Limit: 100MB
    Log Rotation Schedule: Month:
    Log Rotation Schedule: Day of Week:
    Log Rotation Schedule: Day:
    Log Rotation Schedule: Hour:
    Log Rotation Schedule: Minute:
    Rotation Schedules:
    Log Files Rotation Limit: 0
  5. Check the following options:

    Option: Auditing State
    Setting: true

    Option: Categories of Events to Audit
    Setting: file-ops

    NOTE: Only required if you use Clustered Data ONTAP 8.3, ONTAP 9.0, ONTAP 9.1 or later. You cannot select event categories if you use Clustered Data ONTAP 8.2.

    For ONTAP 9.0 and later, also check the following options: file-ops, file-share, audit-policy-change.

    For ONTAP 8.3, just check file-ops.

    Option: Log Format
    Setting: "XML" or "EVTX"

  6. Modify the log file size limit—set to 300 MB. Execute:

    vs1::> vserver audit modify -rotate-size 300MB

    300MB is the recommended maximum log size based on performance evaluations. Make sure there is enough disk space allocated for the security log archives. Depending on the file access activity, audit data may grow rapidly, and the location specified for the security log (and security log auto archives) must be large enough to hold data until it is processed by Netwrix Auditor. You can customize your security log by configuring a log rotation schedule. For detailed information, review the Planning the auditing configuration section in Clustered Data ONTAP® 8.3 File Access Management Guide for CIFS.

  7. After configuration, double-check your settings.

    vs1::> vserver audit show -instance

    Auditing State: true
    Log Destination Path: /audit
    Categories of Events to Audit: file-ops, cifs-logon-logoff
    Log Format: evtx
    Log File Size Limit: 300MB
    Log Rotation Schedule: Month:
    Log Rotation Schedule: Day of Week:
    Log Rotation Schedule: Day:
    Log Rotation Schedule: Hour:
    Log Rotation Schedule: Minute:
    Rotation Schedules:
    Log Files Rotation Limit: 0

NOTE: For ONTAP 9.0 and later, also check the following settings: file-ops, file-share, audit-policy-change.

For ONTAP 8.3, just check file-ops.
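
The double-check in step 7 can be automated against the options from step 5. The following is an added example (not Netwrix or NetApp code) that parses `vserver audit show -instance` output and lists every deviation from the settings this page asks for; the function names, the release keys "8.2", "8.3" and "9", and the sample text are assumptions made for the illustration.

```python
import re

# Constructed sample of "vserver audit show -instance" output, in the layout
# this page shows for the ONTAP 8.3 defaults (rotation schedule lines omitted).
SAMPLE_OUTPUT = """\
vs1::> vserver audit show -instance

Auditing State: true
Log Destination Path: /audit
Categories of Events to Audit: file-ops, cifs-logon-logoff
Log Format: evtx
Log File Size Limit: 100MB
Log Files Rotation Limit: 0
"""

# Categories the options list on this page asks for, keyed by release.
# Clustered Data ONTAP 8.2 has no selectable categories, so nothing is required.
REQUIRED_CATEGORIES = {
    "8.2": set(),
    "8.3": {"file-ops"},
    "9": {"file-ops", "file-share", "audit-policy-change"},
}
UNIT_MB = {"KB": 1 / 1024, "MB": 1, "GB": 1024, "TB": 1024 ** 2}

def parse_instance(text):
    """Map 'Key: Value' lines to a dict, skipping the CLI prompt line."""
    pairs = (l.strip().partition(": ") for l in text.splitlines() if "::>" not in l)
    return {key: value.strip() for key, sep, value in pairs if sep}

def check_audit(text, release, max_size_mb=300):
    """Return a list of deviations from the settings this page requires."""
    cfg, issues = parse_instance(text), []
    if cfg.get("Auditing State", "").lower() != "true":
        issues.append("auditing is not enabled")
    have = {c.strip() for c in cfg.get("Categories of Events to Audit", "").split(",")}
    for missing in sorted(REQUIRED_CATEGORIES[release] - have):
        issues.append(f"missing event category: {missing}")
    if cfg.get("Log Format", "").lower() not in ("xml", "evtx"):
        issues.append("log format must be XML or EVTX")
    size = re.fullmatch(r"(\d+)\s*([KMGT]B)", cfg.get("Log File Size Limit", ""), re.I)
    if not size:
        issues.append("log file size limit not found")
    elif int(size.group(1)) * UNIT_MB[size.group(2).upper()] > max_size_mb:
        issues.append(f"log file size limit exceeds {max_size_mb}MB")
    return issues

if __name__ == "__main__":
    for issue in check_audit(SAMPLE_OUTPUT, "9"):
        print(issue)
```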

To configure logs retention period

NOTE: This instruction is only effective for NetApp versions older than 8.2.1.

  1. On the computer where Netwrix Auditor Server resides, open Registry Editor: navigate to Start → Run and type "regedit".

  2. Navigate to HKEY_LOCAL_MACHINE → SOFTWARE → Wow6432Node → Netwrix Auditor → File Server Change Reporter.

  3. In the right-pane, right-click and select New → DWORD (32-bit Value).

    NOTE: For the backup logs retention functionality to work properly, you need to specify the CleanAutoBackupLogs name for the newly created registry value.

  4. Double-click CleanAutoBackupLogs. The Edit DWORD Value dialog will open.

  5. This value defines the time period (in hours) after which security event log archives will be automatically deleted. By default, it is set to "0" (decimal). Modify this value, if necessary, and click OK to save the changes.

    NOTE: If the CleanAutoBackupLogs registry value is set to "0", you will have to remove the old logs manually, or you may run out of space on your hard drive.