How to Purge or Archive PowerScale Audit logs

OneFS 9.1 and later: Automatic Purge Procedure

  1. NOTE:  This only purges audit logs; it does not archive the old gz audit files for long-term retention. Copy any data you must keep to long-term storage before it ages past the retention period.
  2. Log in to the target cluster as the root user.
    1. isi audit settings global modify --auto-purging-enabled=yes  (the retention period defaults to 180 days)
    2. To keep old audit data for a different length of time, set the retention period explicitly:
      1. isi audit settings global modify --retention-period=365   (sets it to 365 days)
  3. How to manually delete old audit data
    1. isi audit logs delete --before=2021-01-01  (deletes all audit data older than 1 January 2021; the date is given as YYYY-MM-DD)


OneFS earlier than 9.1: Manual Archive or Purge Procedure


How to purge or archive PowerScale audit logs

On these releases PowerScale stores audit messages in compressed (gz) archive files and has no automatic purge process.  Use these steps to remove the old gz files correctly and to confirm that protocol auditing is operating normally on every node in the cluster after the purge.

CAUTION!
This procedure stops the capture of audit events on the cluster for as long as auditing is disabled. NOTE: We recommend that you open an EMC service request (SR) before running the PowerScale steps; Superna support cannot support this procedure or troubleshoot cluster-side steps related to it.



IMPORTANT!
This procedure must be performed using the "root" account on the cluster.  Please consult EMC for an updated procedure.

  1. Stop the ECA cluster

    1. ssh to the ECA master node as ecaadmin

    2. ecactl cluster down

  2. Run the following commands to turn off audit logging:

    1. OneFS 7.1.0 - 7.2.1:

      1. isi audit settings modify --protocol-auditing-enabled=no

      2. isi audit settings modify --config-auditing-enabled=no (only if enabled before)

    2. OneFS 8.0.0 and later:

      1. isi audit settings global modify --protocol-auditing-enabled=no
      2. isi audit settings global modify --config-auditing-enabled=no (only if enabled before)
  3. Run the following commands to stop the isi_audit_d, isi_audit_cee and isi_audit_syslog processes from automatically restarting:

    1. isi services -a isi_audit_d ignore

    2. isi services -a isi_audit_cee ignore

    3. isi services -a isi_audit_syslog ignore

  4. Run the following commands to end the isi_audit_d, isi_audit_cee and isi_audit_syslog processes on every node:

    1. isi_for_array 'pkill isi_audit_d'

    2. isi_for_array 'pkill isi_audit_cee'

    3. isi_for_array 'pkill isi_audit_syslog'

  5. Run the following command to ensure that no isi_audit processes are running anywhere on the cluster. It should list no processes; if any remain, repeat step 4 before continuing, because a daemon that is still writing could recreate files in the directory you are about to move:

    1. isi_for_array pgrep -l isi_audit

  6. Run the following commands to change directory to the audit directory.

    1. cd /ifs/.ifsvar/audit

  7. Run the following command to move the audit directory aside as a backup so that the daemons can recreate it:

    1. mv /ifs/.ifsvar/audit /ifs/.ifsvar/audit.bak

    2. Copy the moved audit data to long-term storage to retain a permanent copy of the source data, or delete it, according to your compliance department's retention requirements.

  8. Run the following commands to tell the Master Control Program (MCP) to resume monitoring the audit daemons. MCP automatically restarts the audit daemons, and once isi_audit_d is running it reconstructs the audit directory on each node.
    1. isi services -a isi_audit_d monitor
    2. isi services -a isi_audit_cee monitor
    3. isi services -a isi_audit_syslog monitor
  9. Run the following command to check that audit processes have restarted:

    1. isi_for_array -s pgrep -l isi_audit

  10. Run the following command to verify that the old audit data is gone and that the audit directory has been reconstructed (it should list only freshly created files):

    1. find /ifs/.ifsvar/audit

  11. Run the following command to re-enable audit logging:

    1. OneFS 7.1.0 - 7.2.1:

      1. isi audit settings modify --protocol-auditing-enabled=Yes

      2. isi audit settings modify --config-auditing-enabled=Yes (only if enabled before)

    2. OneFS 8.0.0 and later

      1. isi audit settings global modify --protocol-auditing-enabled=Yes
      2. isi audit settings global modify --config-auditing-enabled=Yes (only if enabled before)
  12. Run the following commands to verify that log files are being populated after the audit processes have restarted:

    1. Reset the CEE forwarder's log position to the current date and time (its previous position refers to logs that no longer exist):

      1. isi audit settings global modify --cee-log-time "Protocol@2017-11-21 04:13:00" (use the current date and time, in this format)

      2. isi_audit_viewer -t protocol  

        1. Verify that the output of this command ends with the most recently logged event.

  13. On ECA master node as ecaadmin user

    1. ecactl cluster up

  14. Log in to Eyeglass and verify that the Managed Services icon shows the ECA nodes as active and green.  NOTE: heartbeats take 2-5 minutes before the ECA cluster is completely up.

  15. If running Ransomware Defender, run the Security Guard feature to test that audit messages are being processed correctly.

  16. End procedure
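The cluster-side steps of the manual procedure above (steps 2 through 12), collected into one script with the checks a practitioner would want between them. This is an added example, not code from Superna or Dell, and it assumes the following: it is run as root on a cluster node; `isi version` prints a banner containing `OneFS vX.Y.Z.W`; `isi_for_array pgrep -l isi_audit` prints one `node: pid name` line per process; and 5 and 10 seconds are long enough for the daemons to exit and for MCP to restart them (lengthen them on a large cluster). It only knows the 8.0.0-and-later `isi audit settings global` syntax and refuses to run on other releases, handles protocol auditing only (run the config-auditing commands by hand if that was enabled), aborts before moving the audit directory if any audit process is still alive, and keeps the moved data under a timestamped name. The ECA `ecactl cluster down` and `ecactl cluster up` steps are run separately on the ECA master and are not part of it.

```shell
#!/bin/sh
# Manual OneFS (8.x / 9.0.x) audit log purge, collected into one script.
# Added example, not Superna's or Dell's code.  Assumptions: run as root on a
# cluster node; `isi version` prints "... OneFS vX.Y.Z.W ..."; `isi_for_array
# pgrep -l isi_audit` prints one "node: pid name" line per process; 5 s and
# 10 s are long enough for the daemons to exit and for MCP to restart them.
# ECA `ecactl cluster down` / `up` must be run separately on the ECA master.
set -eu

AUDIT_DIR=/ifs/.ifsvar/audit
AUDIT_SERVICES="isi_audit_d isi_audit_cee isi_audit_syslog"

# Extract "X.Y.Z.W" from the `isi version` banner; prints nothing on no match.
onefs_version() {
    printf '%s\n' "$1" | sed -n 's/.*OneFS v\([0-9][0-9.]*\).*/\1/p'
}

# The manual procedure is for clusters without auto-purge (before 9.1), and
# this script only knows the 8.0.0+ "isi audit settings global" syntax, so it
# accepts 8.x and 9.0.x only.
manual_purge_applies() {
    [ -n "$1" ] || return 1
    ver_major=${1%%.*}
    ver_rest=${1#*.}
    ver_minor=${ver_rest%%.*}
    if [ "$ver_major" -eq 8 ]; then return 0; fi
    if [ "$ver_major" -eq 9 ] && [ "$ver_minor" -lt 1 ]; then return 0; fi
    return 1
}

# Count the isi_audit_* processes listed in `isi_for_array pgrep -l isi_audit`
# output.  grep -c exits 1 when the count is 0, which is the clean case.
audit_procs_left() {
    printf '%s\n' "$1" | grep -c 'isi_audit_' || true
}

# Build the --cee-log-time value ("Protocol@YYYY-MM-DD HH:MM:SS") from a
# timestamp of the form `date '+%Y-%m-%d %H:%M:%S'`, rejecting anything else.
cee_log_time_value() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]' '[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
        *) echo "bad timestamp '$1', want YYYY-MM-DD HH:MM:SS" >&2; return 1 ;;
    esac
    echo "Protocol@$1"
}

purge_audit_logs() {
    version=$(onefs_version "$(isi version)")
    if ! manual_purge_applies "$version"; then
        echo "OneFS '$version' is not 8.x/9.0.x; use auto-purge on 9.1+ instead" >&2
        return 1
    fi
    bak="$AUDIT_DIR.bak.$(date '+%Y%m%d%H%M%S')"

    # Steps 2-4: disable protocol auditing (add config auditing by hand if it
    # was enabled), stop MCP from restarting the daemons, then kill them.
    isi audit settings global modify --protocol-auditing-enabled=no
    for svc in $AUDIT_SERVICES; do isi services -a "$svc" ignore; done
    # pkill exits 1 on a node that had nothing to kill; that is not a failure.
    for svc in $AUDIT_SERVICES; do isi_for_array "pkill $svc" || true; done
    sleep 5

    # Step 5: refuse to touch the directory while any daemon could still write.
    left=$(audit_procs_left "$(isi_for_array pgrep -l isi_audit || true)")
    if [ "$left" -ne 0 ]; then
        echo "$left isi_audit process(es) still running; leaving $AUDIT_DIR alone" >&2
        return 1
    fi

    # Step 7: move the data aside; whether to keep it is a compliance decision.
    mv "$AUDIT_DIR" "$bak"
    echo "old audit data moved to $bak; archive or delete it per your retention policy"

    # Steps 8-10: let MCP restart the daemons and rebuild the directory.
    for svc in $AUDIT_SERVICES; do isi services -a "$svc" monitor; done
    sleep 10
    isi_for_array -s pgrep -l isi_audit
    if [ ! -d "$AUDIT_DIR" ]; then
        echo "$AUDIT_DIR was not recreated; check that isi_audit_d is running" >&2
        return 1
    fi

    # Steps 11-12: re-enable auditing, point the CEE forwarder at "now" (its
    # old position refers to logs that no longer exist), show the latest events.
    isi audit settings global modify --protocol-auditing-enabled=yes
    isi audit settings global modify \
        --cee-log-time "$(cee_log_time_value "$(date '+%Y-%m-%d %H:%M:%S')")"
    isi_audit_viewer -t protocol | tail -n 5
}

# Only act on a real cluster node; elsewhere the functions are just defined.
if command -v isi >/dev/null 2>&1; then
    purge_audit_logs
else
    echo "isi not on PATH: not a OneFS node, nothing was run" >&2
fi
```

Run it once, on one node, with ECA already down; if it stops at the "still running" check, repeat the pkill step by hand and re-run rather than moving the directory underneath a live daemon.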


© Superna Inc