03-13-2019 09:02 AM
Has anyone had issues with file activity monitoring and auditing in DI 6.1.2RP? The configuration is fully set up and file auditing is enabled in the filer configuration. The filer in question is an EMC Isilon with CAVA CEE tools active and installed on a separate server. I have checked the config and IP destination in OneFS to match the CEE, and also applied the registry change to confirm all post-setup processes. However, auditing file activity does not error or show me a root cause to the issue.
File and Classification scanning is a separate process from monitoring; however, the authentication profile is the same credentials for all.
Any pointers or go-tos would be helpful before I lean on support to investigate.
03-13-2019 09:26 AM
Stuart, I assume it has never functioned and you would like to ensure the configuration is correct?
Think of it this way: the Isilon, when configured to broadcast events under auditing (protocol) in the administrative GUI or using the 'isi audit' command line (process must be running), will send to the Common Event Enabler (CEE) configured under event forwarding.
That CEE then will transmit the events after decoding them to the endpoint configured in the registry. There should be just the one Key and you can remove the others by setting it to 0 (zero) to disable.
Assuming the network and port (12228) are accepting connections, the third-party application will take the events and match the path to the one you have configured for the device you are tracking.
In DataInsight (DI) adding the device should be the same name as under the Storage Cluster name in the event forwarding section of the Isilon GUI. This will ensure the events come from the cluster and not one node or the other(s) and match the path to the ifs folder on the device.
There are many errors or misconfigurations possible and you are generating debug logs that Veritas Support could review for you to narrow the scope of where the misconfiguration has occurred if you open a support case with them. Otherwise ensure you have matched these points and validate the celerrad and isilon_util logs are both recording the connection correctly without mistakes. By default these are stored where you installed the DI application which is 'C:\Program Files\DataInsight\log' unless you changed it.
I hope that helps you narrow the scope of where you are investigating.
03-13-2019 09:33 AM
By the way, Stuart, since you quoted the 'CEE tools active and installed on a separate server', make sure the endpoint entered in its registry is the @collectorIP under HKEY_LOCAL_MACHINE > SOFTWARE > EMC > CEE > CEPP > Audit > Configuration as per the Administrator's Guide - The EMC CAVA service and the Collector node are running on separate machines, and the EMC CAVA service is being used only by Data Insight.
In this case, add the Data Insight key in the format, SymantecDataConnector@<IP address of the Collector>, to the Endpoint option.
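The checks described in the replies above, collected into one script as an added example (not part of the original posts and not Veritas or EMC tooling). The parameter names, the one-hour log staleness threshold, and the wildcard match on the log file names are assumptions; the registry key, the Endpoint format, port 12228 and the log directory are taken from the thread.

```powershell
# Added diagnostic sketch. Run on the Windows server that hosts EMC CAVA/CEE.
param(
    [string]$CeeHost     = 'localhost',  # assumed: host where CEE listens
    [string]$CollectorIP = '',           # leave empty if CEE and Collector share one machine
    [string]$LogDir      = 'C:\Program Files\DataInsight\log'
)

$findings = @()

# 1. Endpoint value under the CEE audit configuration key named in the thread.
$key = 'HKLM:\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration'
$cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $cfg) {
    $findings += "Registry key not found: $key"
} else {
    # Separate machines: SymantecDataConnector@<Collector IP>; same machine: no suffix.
    $expected = if ($CollectorIP) { "SymantecDataConnector@$CollectorIP" } else { 'SymantecDataConnector' }
    if ($cfg.Endpoint -ne $expected) {   # -ne is case-insensitive for strings
        $findings += "Endpoint is '$($cfg.Endpoint)', expected '$expected'"
    }
}

# 2. Port 12228 must accept connections for events to reach CEE.
$tcp = Test-NetConnection -ComputerName $CeeHost -Port 12228 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $findings += "TCP 12228 on $CeeHost is not accepting connections"
}

# 3. The celerrad and isilon_util logs should exist and be written to recently.
foreach ($name in 'celerrad', 'isilon_util') {
    $latest = Get-ChildItem -Path $LogDir -Filter "*$name*" -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) {
        $findings += "No $name log found in $LogDir"
    } elseif ($latest.LastWriteTime -lt (Get-Date).AddHours(-1)) {   # assumed threshold
        $findings += "$($latest.Name) last written $($latest.LastWriteTime); no recent activity"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'Endpoint, port 12228 and log activity all look consistent.' }
```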
03-14-2019 02:38 AM
Thanks for all the advice and to confirm,
Isilon auditing is enabled and event forwarding to the CEE Server is correct. The CEE and Collector are one node and we therefore applied the registry config as symantecdataconnector as per the admin guide. We checked all other config settings and confirmed that the filer celerra service in the credentials were correct by confirmation.
The communication between the Isilon and CEE is unrestricted, and stopping the CEE services produced an event alert in the OneFS GUI, hence we know that the network is not preventing data flow.
I have requested the log files and will raise a support case for review as I am at the end of diagnosis options at this point.
Once we overcome this, I will post up the root cause for anyone else who comes across this issue with similar filer auditing complications.
Thanks again for all your advice and support,
04-11-2019 08:43 AM
Were you able to get around your issue Stuart?