How to Purge or Archive Isilon Audit logs

Isilon stores audit messages in archived, compressed files and has no automatic purge process.  Use these steps to remove the old .gz files correctly and to confirm that protocol auditing is operating normally on all nodes in the cluster after the purge.

CAUTION!
This procedure stops the capture of audit events on the cluster for as long as auditing is disabled. NOTE: We recommend you open an EMC SR with Isilon for these steps; Superna support cannot support this procedure or troubleshoot steps on the cluster related to this procedure.



IMPORTANT!
This procedure must be performed using the "root" account on the cluster.  Please consult EMC for an updated procedure.

  1. Stop the ECA cluster

    1. ssh to the ECA master node as ecaadmin

    2. ecactl cluster down

  2. Run the following commands to turn off audit logging

    1. OneFS 8.0.0 and later

      1. isi audit settings global modify --protocol-auditing-enabled=no

      2. isi audit settings global modify --config-auditing-enabled=no (only if enabled before)

  3. Run the following commands to stop the isi_audit_d, isi_audit_cee and isi_audit_syslog processes from automatically restarting:

    1. isi services -a isi_audit_d ignore

    2. isi services -a isi_audit_cee ignore

    3. isi services -a isi_audit_syslog ignore

  4. Run the following commands to end the isi_audit_d and isi_audit_cee processes:

    1. isi_for_array 'pkill isi_audit_d'

    2. isi_for_array 'pkill isi_audit_cee'

    3. isi_for_array 'pkill isi_audit_syslog'

  5. Run the following command to ensure that no isi_audit processes are running on the cluster:

    1. isi_for_array pgrep -l isi_audit

  6. Run the following command to change to the audit directory:

    1. cd /ifs/.ifsvar/audit

  7. Run the following command to back up the audit directory so that the files can be recreated:

    1. mv /ifs/.ifsvar/audit /ifs/.ifsvar/audit.bak

    2. Archive the moved audit data to long-term storage to retain a permanent copy of the source data, or decide whether to delete this data after consulting your compliance department's retention requirements.

  8. Run the following commands to inform the Master Control Program (MCP) to resume monitoring the audit daemons. MCP automatically restarts the audit daemons and reconstructs the audit directory on each node when the isi_audit_d process is running.
    1. isi services -a isi_audit_d monitor
    2. isi services -a isi_audit_cee monitor
    3. isi services -a isi_audit_syslog monitor
  9. Run the following command to check that audit processes have restarted:

    1. isi_for_array -s pgrep -l isi_audit

  10. Run the following command to verify that audit data was removed and reconstructed:

    1. find /ifs/.ifsvar/audit

  11. Run the following command to re-enable audit logging:

    1. OneFS 7.1.0 - 7.2.1:

      1. isi audit settings modify --protocol-auditing-enabled=Yes

      2. isi audit settings modify --config-auditing-enabled=Yes (only if enabled before)

    2. OneFS 8.0.0 and later

      1. isi audit settings global modify --protocol-auditing-enabled=Yes
      2. isi audit settings global modify --config-auditing-enabled=Yes (only if enabled before)
  12. Run the following commands to verify that log files are being populated after the audit processes have restarted:

    1. Reset the audit log position to the current date and time

      1. isi audit settings global modify --cee-log-time "Protocol@2017-11-21 04:13:00" (use a current date and time)

      2. isi_audit_viewer -t protocol

        1. Verify that the output of this command correctly shows the most recently logged event.

  13. On the ECA master node, as the ecaadmin user, run:

    1. ecactl cluster up

  14. Log in to Eyeglass and verify that the Managed Services icon shows active, green ECA nodes.  NOTE: heartbeats take 2-5 minutes before the ECA cluster is completely up.

  15. If running Ransomware Defender, run the Security Guard feature to test that audit messages are being processed correctly.

  16. End procedure
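The cluster-side steps 2 through 12 above, collected into one script with a check between each step so that the audit directory is never moved while an isi_audit process is still running, and with the start and end of the audit gap recorded for the compliance record. This is an added example, not Superna or Dell EMC code. It assumes OneFS 8.0.0 or later (the "isi audit settings global" syntax shown above), that it is run as root on the cluster after the ECA cluster has been brought down (step 1), and that the helper names audit_proc_count, cee_log_time, wait_audit_stopped and purge_audit, the ALSO_CONFIG_AUDIT variable and the sample pgrep output format are assumptions of this example rather than anything on the cluster. Without the --run argument the script only defines its functions.

```shell
#!/bin/sh
# Added example (not Superna or Dell EMC code): the OneFS 8.x purge procedure
# with verification between steps. Assumes root on the cluster and that the
# ECA cluster is already down. Helper names and the pgrep line format below
# are assumptions of this example.

AUDIT_DIR=/ifs/.ifsvar/audit
AUDIT_BAK=/ifs/.ifsvar/audit.bak
AUDIT_SERVICES="isi_audit_d isi_audit_cee isi_audit_syslog"
ALSO_CONFIG_AUDIT=no   # set to yes only if config auditing was enabled before

# Count isi_audit processes in "isi_for_array pgrep -l isi_audit" output passed
# as $1 (assumed format: one "node: pid name" line per process). Prints 0 when
# nothing is running.
audit_proc_count() {
    printf '%s\n' "$1" | grep -c 'isi_audit' || true
}

# Build the --cee-log-time argument from a "YYYY-MM-DD HH:MM:SS" timestamp.
cee_log_time() {
    printf 'Protocol@%s' "$1"
}

# Poll until no audit process remains on any node, at most $1 attempts one
# second apart. Returns 1 if processes are still present.
wait_audit_stopped() {
    attempts=$1
    while [ "$attempts" -gt 0 ]; do
        out=$(isi_for_array pgrep -l isi_audit 2>/dev/null || true)
        [ "$(audit_proc_count "$out")" -eq 0 ] && return 0
        attempts=$((attempts - 1))
        sleep 1
    done
    return 1
}

purge_audit() {
    set -e
    # A leftover backup would make `mv` nest the live directory inside it
    # instead of renaming it, so refuse to continue.
    if [ -e "$AUDIT_BAK" ]; then
        echo "$AUDIT_BAK already exists; archive or remove it first" >&2
        return 1
    fi
    gap_start=$(date '+%Y-%m-%d %H:%M:%S')
    echo "audit capture disabled at $gap_start"

    isi audit settings global modify --protocol-auditing-enabled=no
    [ "$ALSO_CONFIG_AUDIT" = yes ] && isi audit settings global modify --config-auditing-enabled=no
    for svc in $AUDIT_SERVICES; do isi services -a "$svc" ignore; done
    for svc in $AUDIT_SERVICES; do isi_for_array "pkill $svc" || true; done
    wait_audit_stopped 30 || { echo "audit processes still running; aborting before mv" >&2; return 1; }

    mv "$AUDIT_DIR" "$AUDIT_BAK"

    # MCP restarts the daemons and recreates the directory; wait for it.
    for svc in $AUDIT_SERVICES; do isi services -a "$svc" monitor; done
    n=30
    while [ ! -d "$AUDIT_DIR" ] && [ "$n" -gt 0 ]; do sleep 2; n=$((n - 1)); done
    [ -d "$AUDIT_DIR" ] || { echo "$AUDIT_DIR was not recreated" >&2; return 1; }
    isi_for_array -s pgrep -l isi_audit
    find "$AUDIT_DIR"

    isi audit settings global modify --protocol-auditing-enabled=Yes
    [ "$ALSO_CONFIG_AUDIT" = yes ] && isi audit settings global modify --config-auditing-enabled=Yes
    gap_end=$(date '+%Y-%m-%d %H:%M:%S')
    isi audit settings global modify --cee-log-time "$(cee_log_time "$gap_end")"
    echo "audit capture re-enabled at $gap_end (no events captured between $gap_start and $gap_end)"
    isi_audit_viewer -t protocol | tail -n 5
}

if [ "${1:-}" = "--run" ]; then
    purge_audit
fi
```

After the script finishes, archive /ifs/.ifsvar/audit.bak as in step 7 and continue with steps 13 to 15 on the ECA master node and in Eyeglass. The printed gap start and end times are the window in which no audit events exist for the cluster; keep them with the change record.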


Copyright Superna LLC