Software Releases Publication

Current Release - Release Notes Easy Auditor

Release Date: 02/15/2024
Version: 2.8.0-23418

What's New in Superna Eyeglass Easy Auditor Edition Release 2.8.0 (02/15/2024) 



Supported OneFS releases

8.2.0.x

8.2.1.x

8.2.2.x

9.0

9.1

9.2.x

9.3

9.4 via the February RUP 9.4.0.12 (PSP-3079) released Feb 8th 2023

9.4.0.14

9.5.x.x (minimum version 9.5.0.1)

9.5.0.5

Supported Eyeglass releases

Superna Eyeglass Easy Auditor Version    Superna Eyeglass Version
2.6.3-23292                              2.6.3-23292
2.6.2-23282                              2.6.2-23282
2.6.1-23250                              2.6.1-23250
2.6.0-23219                              2.6.0-23219
2.5.12-23175                             2.5.12-23175
2.5.11-23110                             2.5.11-23110
2.5.10-23087                             2.5.10-23087
2.5.9-22251                              2.5.9-22251
2.5.9-22231                              2.5.9-22231
2.5.8.1-22116                            2.5.8.1-22116
2.5.8.1-22100                            2.5.8.1-22100
2.5.8.1-22080                            2.5.8.1-22080
2.5.8-22028                              2.5.8-22028
2.5.8-21330                              2.5.8-21330
2.5.8-21306                              2.5.8-21306
2.5.7.1-21161                            2.5.7.1-21161
2.5.7.1-21140                            2.5.7.1-21140
2.5.7-21096                              2.5.7-21096
2.5.7-21081                              2.5.7-21081
2.5.7-21068                              2.5.7-21068
2.5.6-20263                              2.5.6-20263


Inter Release Functional Compatibility

                    OneFS 8.2 and 9.x releases    OneFS 9.x releases
Reporting           Untested                      Untested
Active Auditing     Untested                      Untested

End of Life Notifications

End of Life Notifications for all products are available here.

New in Superna Eyeglass Easy Auditor Edition Release 2.6.4 (11/28/2023) 

New in Superna Eyeglass Easy Auditor Edition Release 2.6.3 (09/28/2023) 

Built-in scheduled report results are displayed in the Manual report section.

New in Superna Eyeglass Easy Auditor Edition Release 2.6.2 (09/01/2023) 

Fixed in 2.6.2

EA-172 Built-In scheduled report results are displayed in the Manual report section


EA-191 Stale Access Report shows incorrect entries

The Stale Access Report shows duplicated entries for users who accessed the share recently.

Workaround:

  1. Import the CSV into Excel.
  2. Sort by the last access date, making sure the records that have a last access date are at the top of the sheet.
  3. Remove duplicates on the user column.
  4. The data that remains is accurate.
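The same sort-then-dedupe logic can be applied to the exported CSV without Excel. The following is an added example (not Superna code) in Python: the column names User, Share and Last Access, the timestamp format and the sample rows are assumptions constructed for illustration, so adjust them to match the real export header.

```python
import csv
import io
from datetime import datetime

# Constructed sample resembling a Stale Access Report export. Column names and
# the timestamp format are assumptions; check them against a real export.
SAMPLE_CSV = """User,Share,Last Access
DOMAIN\\alice,finance,2023-08-01 09:15:00
DOMAIN\\alice,finance,
DOMAIN\\bob,finance,
DOMAIN\\carol,finance,2023-07-20 14:02:00
DOMAIN\\carol,finance,2023-08-10 08:00:00
"""

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # assumed format of the Last Access column


def parse_last_access(value):
    """Return a datetime for a non-empty Last Access cell, else None."""
    value = (value or "").strip()
    return datetime.strptime(value, DATE_FMT) if value else None


def dedupe_stale_access(csv_text, user_col="User", access_col="Last Access"):
    """Apply the EA-191 workaround: sort so rows with a last-access timestamp
    come first (newest first) and rows without one sink to the bottom, then
    keep the first row seen for each user. The surviving row for a user is
    therefore the one with the most recent access, or the 'never accessed'
    row only when no dated row exists for that user."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    def sort_key(row):
        ts = parse_last_access(row[access_col])
        return (ts is not None, ts or datetime.min)

    # reverse=True puts dated rows first, newest first; Python's sort is stable,
    # so undated rows keep their original relative order.
    rows.sort(key=sort_key, reverse=True)

    seen, kept = set(), []
    for row in rows:
        user = row[user_col].strip().lower()  # case-insensitive DOMAIN\name match
        if user in seen:
            continue
        seen.add(user)
        kept.append(row)
    return kept


def to_csv(rows, fieldnames):
    """Serialise the cleaned rows back to CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    cleaned = dedupe_stale_access(SAMPLE_CSV)
    print(to_csv(cleaned, ["User", "Share", "Last Access"]))
```

Users are compared case-insensitively because SMB and AD treat DOMAIN\name that way; drop the .lower() if the export is known to be consistently cased.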

New in Superna Eyeglass Easy Auditor Edition Release 2.6.1 (08/03/2023)

New in Superna Eyeglass Easy Auditor Edition Release 2.6.0 (06/29/2023) 

Fixed in 2.6.0

EA-314 'Cannot retrieve report information from DB' error found during Query

Query job progress could not be monitored while the query job was running.

New in Superna Eyeglass Easy Auditor Edition Release 2.5.12 (05/09/2023) 

Fixed in 2.5.12

EA-295 Bulk Ingest job fails due to spark workers

Each time a Bulk Ingest job is started, the job fails because of the spark workers.

Workaround: make sure that the line /opt/superna/mnt/bulkingestion:/opt/superna/mnt/bulkingestion:shared is present under volumes for spark-worker in docker-compose.yml.

If there is no such line in docker-compose.yml, add it and run:

    ecactl cluster exec ecactl cluster services restart --container spark-worker
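The check above can be scripted so it is repeatable after upgrades. The following is an added example (not Superna code) that scans a docker-compose.yml for the spark-worker service's volumes list, reports whether the bulk ingestion bind mount is present and appends it when missing. The sample compose file, its image names and its indentation layout are constructed assumptions, and only the short string form of volume entries is handled.

```python
import re

REQUIRED_MOUNT = "/opt/superna/mnt/bulkingestion:/opt/superna/mnt/bulkingestion:shared"

# Constructed sample compose file: spark-master carries the mount, spark-worker
# does not. Image names are placeholders, not the real ECA images.
SAMPLE_COMPOSE = """version: "3"
services:
  spark-master:
    image: example/spark   # placeholder
    volumes:
      - /opt/superna/mnt/bulkingestion:/opt/superna/mnt/bulkingestion:shared
  spark-worker:
    image: example/spark   # placeholder
    volumes:
      - /opt/superna/eca:/opt/superna/eca
"""


def scan_service_volumes(compose_text, service):
    """Indentation-based scan of block-style YAML (no pyyaml needed).

    Returns (volumes, last_index, item_indent): the short-syntax volume strings
    under services.<service>.volumes, the index of the line after which a new
    item can be inserted (None if the service has no volumes: block), and the
    indent to use for that item. Long-form (mapping) volume entries are not
    interpreted."""
    lines = compose_text.splitlines()
    in_services = in_service = in_volumes = False
    service_indent = volumes_indent = None
    volumes, last_index, item_indent = [], None, None
    for index, raw in enumerate(lines):
        body = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        line = body.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(body) - len(body.lstrip(" "))
        if indent == 0:                      # a new top-level key
            in_services = line == "services:"
            in_service = in_volumes = False
            continue
        if not in_services:
            continue
        if in_service and indent <= service_indent:
            break                            # left the service block
        if not in_service:
            if line == f"{service}:":
                in_service, service_indent = True, indent
            continue
        if in_volumes:
            if line.startswith("- ") and indent >= volumes_indent:
                volumes.append(line[2:].strip().strip("'\""))
                last_index, item_indent = index, indent
                continue
            in_volumes = False               # sibling key ends the list
        if line == "volumes:":
            in_volumes, volumes_indent = True, indent
            last_index, item_indent = index, indent + 2
    return volumes, last_index, item_indent


def has_bulkingest_mount(compose_text, service="spark-worker"):
    """True when the EA-295 bind mount is already listed for the service."""
    return REQUIRED_MOUNT in scan_service_volumes(compose_text, service)[0]


def add_bulkingest_mount(compose_text, service="spark-worker"):
    """Return compose_text with REQUIRED_MOUNT appended to the service's volumes.
    Idempotent: unchanged text comes back when the mount is already present."""
    volumes, last_index, item_indent = scan_service_volumes(compose_text, service)
    if REQUIRED_MOUNT in volumes:
        return compose_text
    if last_index is None:
        raise ValueError(f"service {service!r} has no volumes: block to extend")
    lines = compose_text.splitlines()
    lines.insert(last_index + 1, " " * item_indent + "- " + REQUIRED_MOUNT)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if has_bulkingest_mount(SAMPLE_COMPOSE):
        print("spark-worker already has the bulk ingestion mount")
    else:
        print(add_bulkingest_mount(SAMPLE_COMPOSE))
```

Run it against a copy of the real docker-compose.yml, diff the result against the original, and only then restart the spark-worker container with the command above.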

New in Superna Eyeglass Easy Auditor Edition Release 2.5.11-23110 (04/03/2023) 

Refer to the previous 2.5.10 release for what's new.

Fixed in 2.5.11-23110

EA-232 Bulk Ingest with non-default path inter-working with RWD

RWD did not detect events when Bulk Ingest had an archive path set to a non-default path.


EA-284 Bulk ingest list does not display all the files

The Bulk Ingest file list did not display all the available archive files.


EA-285 bulk ingestion GUI timeout at 3.7 minutes - still need to increase

The bulk ingestion GUI still timed out at 3.7 minutes; the timeout needed to be increased further.



New in Superna Eyeglass Easy Auditor Edition Release 2.5.10 (03/06/2023) 

Refer to the previous 2.5.9.1 builds for what's new.

Fixed in 2.5.10

EA-241 bulk ingestion GUI timeout to collect gz files for the GUI timeout needs to be increased to 5 minutes

The bulk ingestion GUI timeout for collecting gz files was increased to 5 minutes.


Support Removed in Eyeglass Release 2.5.9

Following removed in 2.5.9:

  • Data access report - this report is being deprecated due to low usage and is replaced by the Search and Recover Who owns what? report to determine top users consuming space on a path.
  • Top users report (creating and deleting) - these reports are being deprecated due to low usage and redundant to the widely used Where Did My Folder Go?  reporting and Custom Triggers for Active Auditing.
  • Count table report - this report is not required for end user / administrator and is being removed from the user interface
  • Threat Detector 01 - this report is not required for end user / administrator and is being removed from the user interface
  • Threat Detector 02 -  this report is not required for end user / administrator and is being removed from the user interface 

Deprecation Notices

No Deprecation Notice in this release.

New in Superna Eyeglass Easy Auditor Edition Release 2.5.9.1 (02/14/2023) 

The Bulk Ingestion path is updated. The path in system.xml is changed to the default /ifs/.ifsvar/audit/logs/ . The path can also be updated with the following command, where tagname is bulkingestpath and value is the new path where the gz files are located:

    igls config settings set --tag=<tagname> --value=<value>

New/Fixed in 2.5.9.1

EA-167 Bulk Ingest is not retrieving archives created on the same day

Bulk Ingest could previously only ingest archives older than one day; archives created in the last 24 hours can now be used.

New in Superna Eyeglass Easy Auditor Edition Release 2.5.9 (11/30/2022) 

Added support for enhanced triggers on directory events in Easy Auditor. Added GUI support for bulk ingestion of old audit records.

New/Fixed in 2.5.8

New in 2.5.8.1-22116

Refer to previous build information.

Fixed in 2.5.8.1-22116

Refer to previous build information.

New in 2.5.8.1-22100

Refer to previous build information.

Fixed in 2.5.8.1-22100

Refer to previous build information.

Deprecated in 2.5.8.1-22080

Built In Reports Deprecated

The following Built In Reports have been deprecated as indicated in the deprecation notice:

  • Data access report - this report has been deprecated due to low usage and is replaced by the Search and Recover Who owns what? report determining top users consuming space on a path.
  • Top users report (creating and deleting) - these reports have been deprecated due to low usage and are redundant to the widely used Where Did My Folder Go?  reporting and Custom Triggers for Active Auditing.
  • Count table report - this report is not required for the end user/administrator and has been removed from the user interface
  • Threat Detector 01 - this report is not required for the end user/administrator and has been removed from the user interface
  • Threat Detector 02 -  this report is not required for the end user/administrator and has been removed from the user interface

New in 2.5.8.1-22080

Built-In Access Report Now Reports per share

The Built-In Access Report now reports on selected share permission rather than all shares for a selected cluster.

Fixed in 2.5.8.1-22080

T21840 Easy Auditor - DLP trigger affected by quota sync schedule

DLP trigger is no longer working in 2.5.8 as the quota inventory collected on the new schedule is not available to assess the trigger.


Resolution: Quota inventory is now available for DLP trigger operation.


New/Fixed in 2.5.8-22028

Refer to previous build information.

New in 2.5.8-21330

Refer to previous build information.

Fixed in 2.5.8-21330

Security

T22171 Log4j Vulnerability - Upgrade to Log4j 2.17.0 (release 2.5.8-21330 and higher ship Log4j 2.17.0)

New in 2.5.8-21306

NEW - see What's New in 2.5.8 here.


NEW - OneFS 9.3 Support

Support for OneFS 9.3 is introduced in release 2.5.8.


T19711 Easy Auditor new validation that selected path is on an audited Access Zone

Easy Auditor path selector now verifies whether the selected path falls under an Access Zone with protocol auditing enabled.


Fixed in 2.5.8-21306

T22033 Log4j Vulnerability - CVE-2021-44228

Resolution: log4j version updated to 2.15.0, which contains the patch for this vulnerability. Note that 2.15.0 was itself later found to be incomplete (CVE-2021-45046), which is why build 2.5.8-21330 and higher move to Log4j 2.17.0 (see T22171 above).


T20936 Bulk Ingest of Old Audit Data is not functional

The ability to bulk ingest old audit data was not functional as of the 2.5.7.1-21140 release.

Resolution: Bulk Ingest of audit data is now functional. It requires the ECA nodes to be running OpenSUSE 15.3. If the ECA nodes are not running this OpenSUSE version, redeploy them as 15.3 ECA nodes and back up and restore the configuration file and mount file.


The PowerScale Directory Selector had a maximum list size of 1000, so in environments with more than 1000 directories on the PowerScale some directories were missing.

Resolution: The Directory Selector now displays the first 1000 folders plus an additional entry shown as "...". Selecting "..." displays the next 1000 folders, and so on.



Technical Advisories

Technical Advisories for all products are available here.

Known Issues

Reporting

T5907 No record for failed user query in Finished Reports

If a user-based query fails, there is no record of the failed report in the Finished Reports.  

Workaround: None Required - Email notification is provided for the failed query.

This does not affect path-only queries.


T6145 User with Eyeglass read-only position cannot run a custom query

In the Report Query Builder, a user who only has read-only permissions can only Load a previously saved query to review its settings. From this interface, the loaded query cannot be run.

Workaround: Administrator with full privileges must create and save a query, after which a user with read-only permission can run it from the list.


T6149 Count Table and Access Report queries store unnecessary query parameters

If you save the Count Table or Access Report query, disabled report parameters may be saved with the report definition even though they do not apply.

Workaround: None required.  Extra parameters are ignored.


T6293 Stale Access Report and Access Report display Cluster GUID instead of Cluster Name

In the Stale Access and Access Reports, the cluster is identified by its GUID instead of displaying the cluster name.  

Workaround: To verify which cluster the report is for, from the Eyeglass web open the Inventory View.  Right click on a cluster name and select “Show Properties” to view the cluster GUID.


T6313 Report Query Builder allows filter on Unlicensed Cluster

The Report Query Builder does not block the selection of an unlicensed cluster.  

Workaround: None required.  File activity/events are not stored for unlicensed clusters, and as such, any report would return with 0 records.


T6338 File Ext Input-only in the first line

The Report Query File Ext filter is only editable in the first line. Clicking anywhere else in the box will not let you enter any text.

Workaround: None required.  Enter the File Ext filter at the top of the box.


T6339 Report Query Naming

Saved Report Query names can only contain 0 to 9, a to z (lowercase) and A to Z (uppercase) without any spaces, - or _ .

Workaround: None available.


T6349 Running Report Job State does not immediately reflect a cancelled Job

When a Running Auditor Job is cancelled, the Running Jobs view continues to show the Running state until the canceled task has been completed.

Workaround: None required.


T6350 Easy Auditor Running Reports window inactive

The Easy Auditor Running Reports window may become inactive such that expired reports are not removed, and you cannot click on a Report to see details of the execution.

Workaround: Refresh the browser session.


T6404 Saved Custom User Queries show unrelated Built-In Query

The details of a saved Custom User Query will incorrectly show

Report Picker: Data access report - users who are writing the most/least amount of data

even though the custom report is not related to this built-in query.

Workaround: None required - other query information is relevant and accurate.


T7049 Finished Report display issue for Duration

Finished Report Duration column does not display the entire duration required to complete the query.

Workaround: None available.  The duration can be seen in the Running Jobs view while the query is still in running state.


T7437/T12178 Employee Exit Report may not complete

In a large environment with a high event rate, the 30 day Employee Exit Report may not complete, or it may complete with a large number of records but viewing/download of results is limited to 10,000 records.

Workaround: Modify the query for less than 30 days to reduce number of records in report or build a custom report using the Report Query Builder.


T7823 Email Report shows success when error with attachment

Emailing report shows as success even when there is an issue in attaching the report.

Workaround: Re-run the report or contact support at support.superna.net for assistance.


T9837  Warning on Wait for Spark Job

A Warning may appear on a Running Report Job Details for the Wait for Spark Job step with info “warning: Applicationid could not be retrieved” without impacting the completion of the query itself.

Workaround: None required


T10911 Share/Stale Access Report issue when AD has nested groups

The built in Share Access and Stale Access Reports do not show user access to a share for those users that are members of a nested subgroup of the AD group configured in the share permissions.

Workaround: None available.


T11752 Custom Real-time Audit policy User selection filtering

To select a name from the User drop-down list on a Custom Real-time Audit policy trigger you must first type the first letter of the user domain (name format is DOMAIN\name), after which you can type any other letter from the user name for further filtering. Leave a space between the first letter and the next letter if the letters are not adjacent in the user name.


Workaround: None required.


T11890 Able to save query without a name

The GUI allows saving of query without name.  Query can be run but cannot be deleted.  Only one query without a name will be able to be saved.

Workaround: Enter name when saving a query.


T13573 Delete parent folder with subfolders shows duplicates in Where Did My Folder Go

Where Did My Folder Go search results for a deleted parent folder whose subfolders were also deleted show duplicate entries for some folders.


Workaround: None required


T14722 Issues with custom report where path selected contains special language characters

Custom report where path selected contains special language characters may either not run or will complete with 0 results.

Workaround: Selecting a path higher up in the directory tree without special language characters may return results where special language characters not displayed correctly. Note that Wiretap and Where Did My Folder Go provide an option for reporting on these paths.


T15037 Easy Auditor does not report files with multiple extensions correctly

For the case where a file has multiple extensions in the Easy Auditor report the first extension only is reported. For example file.pdf.gz is reported as a pdf not as a gz file.

Workaround: None available.


T15582 Easy Auditor issues where path has & or brackets

Easy Auditor has the following issues for paths containing &:

- user or path search where the path contains & returns 0 results

- DLP trigger cannot be saved where the path contains &

- Mass Delete trigger where the path contains & returns 0 results

Workaround: Select a path above the path containing & when defining custom searches, DLP or Mass Delete triggers.

Easy Auditor has the following issues where the path contains brackets:

- Wiretap, Where Did My Folder Go, and Active Auditor triggers do not function

Workaround: No workaround available.


T19561 Easy Auditor scheduled reports may not run

Under some circumstances the license state for a PowerScale cluster is lost, after which scheduled reports may fail to run.

Workaround: Manually run the scheduled query for the desired timeframe.


T20078 Emailed built-in report may contain user SID

The summary in the email body for some built in reports shows user SID instead of the associated user id.

Workaround: The attached CSV file has SID resolved to user id.


T20661 Large Report cannot be downloaded from Windows

There is an issue downloading reports with a very large number of records from Windows using the Chrome browser. On download a "Loading" message appears, but once the Loading message stops, no download is started. This issue does not appear on Mac with the Chrome browser.

Workaround:

1) On Windows, large reports can be successfully downloaded using Firefox browser build 72

2) The file is generated and present on the Eyeglass appliance and could be retrieved using a tool such as WinSCP. The report files are located on the Eyeglass appliance in the folder: /srv/www/htdocs/csv 


T22708 Access Report only reports on shares using AD Group permissions

The Access Report can only be used to report on permissions for shares using AD Groups. Share permissions to AD Users directly or well known user/group such as Everyone results in an error when running the report.

Workaround: None available.


T22719 Access Report reports extra information when reporting on shares with the same name in multiple Access Zones

If there are multiple Access Zones configured on the PowerScale and those Access Zones contain shares with the same name, reporting on one of those shares will report on all shares with that name and will not be filtered on the Access Zone selected.

Workaround: None required.


T22720 Access Report not compatible with LDAP retrieval of AD Users and Groups

If Eyeglass is configured to use LDAP for retrieval of AD Users and Groups, the Access Report cannot report on share access as it relies on PowerScale API calls for that information.

Workaround: None available.


T22731 Access Report cannot be displayed in the GUI with large number of permissions

If the resulting Access Report has more than 1000 permissions, the report cannot be viewed from the Easy Auditor GUI. Opening the report causes the GUI to freeze.

Workaround: Download report with large number of permissions to view it.


T22738 Access Report does not report on nested groups

The Access Report only reports on the users in the parent group where a share has permissions configured with nested groups.

Workaround: None available.



Active Auditing

T8878 Cannot save DLP trigger for a different NE but same path

With 2 licensed clusters, a Data Loss Prevention policy cannot use the exact same path on both clusters when entering 2 different policies, one for each cluster.

Workaround: None. Only the first cluster and path can be added.


T6305 Invalid username causes Wiretap error

If you enter an invalid username that cannot be resolved when setting up a Wiretap active auditing job it causes the job creation to fail with the following error:

Failed to create new wiretap:

Server error when processing request: java.lang.NullPointerException

Workaround: Enter a username that can be resolved in the documented supported format.


T7547  Wiretap does not show user name for NFS events

For events generated over NFS protocol, Wiretap does not include user name in the event information. Only client IP address is displayed.

Workaround: A custom query can be built using the Report Query Builder based on path and timeframe in order to view the user name.


T12876 DLP trigger cannot be added

An error (Error saving response) occurs when adding a DLP trigger if there is an existing directory quota without the data-protection overhead option enabled on the path that the DLP trigger is being configured for.

Workaround: If possible, delete the existing quota and allow new quota to be created as part of adding the DLP trigger. Note that the directory quota that is created will be created with the data-protection overhead option enabled.


T15198 Active Auditor Triggers may have inaccurate Signal Strength

Active Auditor trigger processing (DLP, Mass Delete, Custom Triggers) may receive duplicate events and as a result show a higher Signal Strength than is actually the case.

Workaround: None required. The duplicate events will cause early detection of configured triggers. The associated CSV for files involved in the detection is correct.


T15250 The command to reset Active Auditor event queue must be run twice

The command igls adv eventTriggers set --operation=reset --topic=ea must be run twice to clear the queue.

Workaround: Execute the command a second time to clear the queue.


T16980 Active Auditor events Affected Files-CSV may not show all events

Under some circumstances the Affected Files-CSV may not show all events for the Active Auditor trigger as the timeframe for the report may result in some events being excluded.

Workaround: Use the Report Query Builder to run a query with the same conditions and user as the associated trigger and a timeframe that starts before the detected time. Typically, starting the query an hour prior to the event ensures all events are listed, but it may also include some audit events that are not related to the trigger.


T19629 Expired Active Auditor Events not archived to Event History if Ransomware Defender has Automatic Learning enabled

If the Ransomware Defender Automatically Learn setting is selected, an Active Auditor event that matches the criteria for Automatic Learning encounters an error when it expires, which prevents it from being archived to the Event History list. Impact: there is no impact on detection of the Active Auditor event; only on expiry is the event not moved to the Event History as it should be.

Workaround: Event can be moved to the Event History by manually archiving as unsolved from the Action menu for the event.


T21226, T22604 Active Auditor Snapshot functionality follows Ransomware Defender Snapshot configuration

The snapshot behaviour for Active Auditor Mass Delete and manual snapshot creation follow the configuration for snapshot budget, and snapshot enable/disable in the Ransomware Defender / Snapshots window. Ransomware Defender snapshot logic for user share snapshot is followed if configured rather than a snapshot for the mass delete path.

Workaround: Do not use the Create Snapshot checkbox in the Easy Auditor / Active Auditor window to manage Active Auditor snapshots. It does not have any effect. Use the Ransomware Defender / Snapshots window to enable / disable snapshots. Important - configuration here also affects snapshot management for Ransomware Defender. User share snapshot will also protect the mass delete path as user share would provide access to this location in the filesystem.



Robo Audit

T8694 Robo Audit may show Success when it did not run

Robo Audit may show as having successfully completed when in fact it did not run. For example:

  • Robo Audit configured but disabled

  • Robo Audit misconfigured and enabled

Workaround: Open the Robo Audit logs to see details of Job Execution.


T11880 Robo Audit fails when configured to run on more than one cluster

When configured to run on more than one cluster, Robo Audit job will succeed for one cluster but fail for the subsequent cluster.

Workaround: Configure Robo Audit to only run on one cluster.


T15175 Existing Robo Audit Logs lost formatting after upgrade to 2.5.6

Any existing Robo Audit logs viewed from the Eyeglass GUI will have lost the formatting after upgrading to 2.5.6.

Workaround: None required. New logs will have the correct formatting.



General

T5858  ecactl commands do not switch to ecaadmin user

If you are logged into an ECA node as root user and execute an ecactl command, you are prompted to login as the ecaadmin user to continue but even though the console indicates that the login as ecaadmin is underway the login never completes and the command cannot be executed.   

Workaround: Login to ECA as ecaadmin user when using ecactl commands.


T5915  Event retrieval stopped by Disable/Enable of Protocol Monitoring on the PowerScale

If you disable / enable Protocol Auditing on the PowerScale cluster, the ECA does not recover and does not begin reading events once Protocol Auditing is enabled again.

Workaround: If you need to disable/enable Protocol Auditing, bring the ECA cluster down first:

    ecactl cluster down

Then disable Protocol Auditing on the PowerScale cluster.

After you have enabled Protocol Auditing on the PowerScale cluster, bring the ECA back up:

    ecactl cluster up


T6004  PowerScale Directory Selector Usage

In order to populate a cluster in the Directory Selector a directory must be selected in the file tree.   

Workaround: None required. Once cluster is populated a path can be selected from the tree or typed in but must begin with /ifs .


T15457 HTML5 VMware vCenter bug on OVA deployment

Some versions of the VMware vCenter HTML5 user interface have a known issue with OVA properties not being read correctly after power on, leading to first boot issues.

Workaround: Use the Flash client as a workaround.


T6097  UI Desktop Unexpected Behaviour

If you move a window to the edge of the Eyeglass desktop it may become stuck in that position.   

Workaround: Refresh browser.


T6617  PowerScale Directory Selector does not display hidden directories

Directories that start with a dot (.) are not displayed in the PowerScale Directory Selector.   

Workaround: Use the PowerScale Directory Selector to enter /ifs/ and then enter the remainder of the path manually.


T8091  Login Monitor Report does not have Sorting

When viewing the Login Monitor Report Built-In query results from the GUI, sorting on columns Logons, Logoffs, and failed Logons is not available.  

Workaround: Download the report csv file and open in spreadsheet for sorting and filtering of data.


T8105 Alarm EAU0002 has no detailed information for failed auditor report

The alarm Info for EAU0002 alarm "Auditor report failed" does not have any detailed information on cause of report failure.

Workaround: In Easy Auditor / Running Reports tab select the report that failed and in the Job Details expand the tree and select the Info link for the failed step.


T8249 Canceling Easy Auditor Running Report results in Critical severity alarm

Cancelling a running auditor report results in a Critical Severity alarm.

Workaround: None required. This alarm is informational only and does not indicate any critical issue in Easy Auditor.


T19929 Easy Auditor Directory Selector returns "Error retrieving directory info from cluster"

The Directory Selector directory tree display encounters an issue displaying the tree when the folder structure count (including files) exceeds 100,000.

Workaround: In the Directory Selector, select the cluster and the first folder "ifs" then manually enter the remainder of the path. Important: path is case sensitive and must match the filesystem path.


EA-171 Bulk Ingest folder is not created automatically

The Bulk Ingest folder and its bulkingest.json file are not created automatically.

Workaround:

  1. mkdir -p /opt/superna/sca/data/bulkingest
  2. touch /opt/superna/sca/data/bulkingest/bulkingest.json
  3. chown sca:users /opt/superna/sca/data/bulkingest/bulkingest.json


EA-193 Bulk ingest job is not working with turboaudit REST API

The Bulk Ingest job does not work when started through the turboaudit REST API.



Known Limitations Reporting


Conditions under which audit events are not processed

In the following situations, audit events will not be processed, and any audit events which occur while processing is down are dropped - they are not recovered by post processing:

  • ECA NFS mount is down: Each ECA node is responsible for reading audit events for a specific set of PowerScale nodes.  While the ECA NFS mount is down, audit events for these PowerScale nodes are dropped.

  • ECA down: Each ECA node is responsible for reading audit events for a specific set of PowerScale nodes.  While the ECA node is down, audit events for these PowerScale nodes are dropped.


T6260 Stale Access Report Known Limitations

1) The Stale Access Report Built-In query does not report on activity for shares under the following conditions:

  • Share access by AD user with run-as-root permissions
  • Share access by AD group where the AD group has a nested group and access is by a user in the sub-group

2) With a nested share topology, share access will be reported for the "parent" share and the "child" share when access was done via the "child" share. For example, if PowerScale is configured with the default /ifs share, access via any other share will also be reported as access via the /ifs share.

T6361 Reporting for shares with local user permissions unsupported

Reports generated against shares which have a local PowerScale user permission configured may give unexpected results in the report and may cause email notification to fail.


T6478 Stale Access and Share Access Report AD User Limitation

Reports have been successfully generated against AD environments with up to 4000 users, which is the current limit. A future release will extend this limit.


T2842 Login Monitor Report Known Limitations

The Login Monitor Report Built-In query has following Known Limitations:

  • NFS login is not reported
  • Failed login due to invalid password, or invalid user are reported by user SID
  • A login where the user does not have appropriate share permission is reported as a Logon and Logoff together

T18936 Rerun of query required

A query may need to be re-run if the ECA OS product requirements for disk latency have not been met, as this can cause search jobs to time out in Eyeglass. The job may still complete; review the Finished Reports tab. If the report shows an error, you will need to re-run the job. OS latency or memory issues can cause this, and the permanent fix is to move the ECA VMs to flash-based storage. This command can be run to look at disk statistics:

    ecactl cluster exec iostat -xyz 6 6

This command returns a sample of disk IO per ECA node. Consult the documentation on latency requirements.
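As an added example (not Superna code), the following Python parses iostat -x output of the kind the command above returns per ECA node, averages the per-device r_await, w_await and %util columns across the sampled reports, and flags devices whose mean latency exceeds a threshold. The sample output, device names and the 10 ms threshold are constructed assumptions; the page only says to consult the documented latency requirements, so substitute the documented figure.

```python
# Assumed threshold for mean r_await / w_await in ms. The page only says to
# consult the ECA latency requirements, so treat this number as a placeholder.
AWAIT_THRESHOLD_MS = 10.0

# Constructed sample of two iostat -x reports from one ECA node (sysstat column
# layout); the host name, device names and numbers are made up for illustration.
SAMPLE_IOSTAT = """Linux 5.x (eca-node-1) \t03/06/23 \t_x86_64_\t(4 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.00    0.00    1.50    0.50    0.00   97.00

Device            r/s     w/s     rkB/s     wkB/s   rrqm/s   wrqm/s  %rrqm  %wrqm r_await w_await aqu-sz rareq-sz wareq-sz  svctm  %util
sda              3.20   41.50    128.00   1660.00     0.00     6.10   0.00  12.82    4.10   28.70   1.20    40.00    40.00   1.50   6.70
sdb             12.00   80.00    960.00   3200.00     0.00     0.00   0.00   0.00    2.05    3.40   0.30    80.00    40.00   0.80   7.40

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.10    0.00    1.40    0.60    0.00   96.90

Device            r/s     w/s     rkB/s     wkB/s   rrqm/s   wrqm/s  %rrqm  %wrqm r_await w_await aqu-sz rareq-sz wareq-sz  svctm  %util
sda              3.00   40.00    120.00   1600.00     0.00     5.90   0.00  12.85    3.90   24.30   1.10    40.00    40.00   1.60   7.30
sdb             11.00   82.00    880.00   3280.00     0.00     0.00   0.00   0.00    2.15    3.60   0.30    80.00    40.00   0.80   7.60
"""


def parse_iostat(text):
    """Return {device: {column: [value per report, ...]}} from iostat -x output.
    Handles both the newer 'Device' header with r_await/w_await and the older
    'Device:' header whose single latency column is 'await'."""
    stats, header = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            header = None               # a blank line ends a report block
            continue
        if fields[0].rstrip(":") == "Device":
            header = fields[1:]
            continue
        if header is None or len(fields) != len(header) + 1:
            continue                    # banner, avg-cpu block or malformed line
        try:
            values = [float(v.replace(",", ".")) for v in fields[1:]]
        except ValueError:
            continue
        dev = stats.setdefault(fields[0], {})
        for col, val in zip(header, values):
            dev.setdefault(col, []).append(val)
    return stats


def _mean(values):
    return sum(values) / len(values)


def latency_summary(text):
    """Per device, the mean of each latency/utilisation column across all reports."""
    summary = {}
    for dev, cols in parse_iostat(text).items():
        summary[dev] = {c: round(_mean(v), 2) for c, v in cols.items()
                        if c in ("r_await", "w_await", "await", "%util")}
    return summary


def devices_over_threshold(text, threshold_ms=AWAIT_THRESHOLD_MS):
    """Devices whose mean read or write await exceeds threshold_ms."""
    flagged = []
    for dev, s in latency_summary(text).items():
        worst = max(s.get(c, 0.0) for c in ("r_await", "w_await", "await"))
        if worst > threshold_ms:
            flagged.append(dev)
    return sorted(flagged)


if __name__ == "__main__":
    for dev, s in latency_summary(SAMPLE_IOSTAT).items():
        print(dev, s)
    print("over threshold:", devices_over_threshold(SAMPLE_IOSTAT))
```

Averaging across the six samples that `iostat -xyz 6 6` produces matters more than any single report: a single slow interval is noise, a sustained mean above the documented requirement is the condition that times out search jobs.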


Active Auditing


T6061, T6465 Wiretap event rate display maximum of 25 events / s

Wiretap Watch window is limited to displaying events at a maximum of 25 events/s.  If there are more than 25 event/s which match the Wiretap filter this will result in events being dropped and not displayed.

Workaround: Define filter with smaller scope by adding a user and defining more precisely the path in the filter.  A report may also be run using same filter to retrieve all related results.


T7500  DLP Known Limitations

DLP Active Auditing has following Known Limitations:

  • Small Files DLP threshold affected by PowerScale Quota Usage Reporting

For small files, PowerScale Quota Usage reports a larger usage than the actual storage consumed. When setting a DLP threshold you must consider the threshold % against the quota reported usage. For example, if the actual space consumed by one small file is 20 bytes but the quota usage reported by PowerScale is 8K, then the threshold to detect a copy of that file is not 100%, it is 20 bytes / 8K.

  • DLP generate 1 signal when threshold crossed for any size of copy

Any copy that crosses the configured threshold will generate only 1 signal - whether the copy is one time the threshold configured or many times the threshold configured.


T7525 Active Auditor Affected Files also shows Ransomware Defender Affected Files

When viewing the Affected Files for an Active Auditor event, any files associated with a Ransomware Defender event that has occurred at the same time are also displayed.

Workaround: Download the csv file and use the path associated with the Active Auditor event from the GUI to filter the results.


T8744 No event processing once Signal Strength passes 2 times Critical Threshold

Once a Security Event or Active Audit event has passed 2 times the Critical threshold configured in Ransomware Defender Settings, there is no further processing of Signals for the associated user. In all cases actions based on Critical threshold settings would have been already taken prior to reaching the 2x level.

Where both Ransomware Defender and Easy Auditor are licensed, the limit of 2 times the Ransomware Defender Critical threshold for a particular user is applied independently for Ransomware Defender and Easy Auditor.

Workaround: None available.


T11540 Active Auditor may report on Audit Failure events

Active Auditor may report on failed audit events.

Workaround: Reporting of failed audit events can be disabled on the PowerScale audit settings. Please contact support.superna.net for more information on disabling reporting on failed audit events.


T12380 Ransomware Defender Ignore List settings are applied to Active Auditor analysis

Analysis of file events for Active Auditor triggers will ignore a user, IP or path configured in the Ransomware Defender Ignore list.

Workaround: None available.


EA-79 [Active Auditor-Active Event ] Predicted signal doesn't show its type & value

The predicted signal is not supported in Active Auditor.

Workaround: None.


General

T8281 hbase major compaction affects queries

An hbase major compaction will prevent queries happening at the same time from completing.

Workaround: Re-run query once hbase major compaction has been completed.


T16137 Anyrelease restore does not restore all Ransomware Defender and Easy Auditor settings

There is no restore of settings from release 2.5.4 and earlier. For release 2.5.4 and earlier continue to capture all Ransomware settings (False Positive, Ignore List, Allowed Extensions, Security Guard) and Easy Auditor settings (Active Auditor Trigger settings, RoboAudit). Post restore verify settings and update where required before cluster up on ECA.

In all cases, restoring an Eyeglass backup using the --anyrelease option will not restore following Ransomware Defender and Easy Auditor settings:

Ransomware Defender: Event History, Threats Detected

Easy Auditor: Finished Reports, Scheduled Reports, Saved Queries


T16821 anyrelease restore restrictions for restore to 2.5.7

Ransomware Defender, Easy Auditor and Performance Auditor deployments cannot use the anyrelease restore option to upgrade to a new appliance running 2.5.7. For the case where a backup & restore is required due to the 42.3 OS on the original deployment, a backup & restore to 2.5.6 will have to be done first, followed by an upgrade to 2.5.7, or an in-place OS upgrade prior to the 2.5.7 upgrade.


T16499 Easy Auditor reports double events

In some cases it will be expected that a single operation such as deleting a folder is reported by the SMB protocol or Isilon as multiple delete events that appear as duplicates.  Easy Auditor will record events as logged by Isilon and display all recorded events which may appear as duplicate but in fact is expected.


© Superna Inc