- Reporting
- T8736 Searching for data > than 8 day range may result in stackover flow error during search
- General
- T5678 Manage Services CPU and RAM show n/a
- T6450 some ecactl commands result in error
- T5907 No record for failed user query in Finished Reports
- T6145 User with Eyeglass read-only position cannot run a custom query
- T6149 Count Table and Access Report queries store unnecessary query parameters
- T6227 Finished Report display issue for Date Time Range
- T6293 Stale Access Report and Access Report display Cluster GUID instead of Cluster Name
- T6313 Report Query Builder allows filter on Unlicensed Cluster
- T6338 File Ext Input only in first line
- T6339 Report Query Naming
- T6349 Running Report Job State does not immediately reflect a cancelled Job
- T6350 Easy Auditor Running Reports window inactive
- T6404 Saved Custom User Queries show unrelated Built In Query
- T7049 Finished Report display issue for Duration
- T10911 Share/Stale Access Report issue when AD has nested groups
- T10895 Share/Stale Access Report in Error when AD contains distribution groups
- Active Auditing
- T8175 Upgrade from 2.5.2 to 2.5.3 wiretap settings are lost
- T8878 Cannot save DLP trigger for a different NE but same path
- T6074 Wiretap Open Files List not updated
- T6305 Invalid username causes Wiretap error
- T6466 Deleted Wiretap not removed from filter processing
- T6467 Wiretap Event type blank for Directory Create / Delete, File Create, File Set ACL, Directory Rename
- T5858 ecactl commands do not switch to ecaadmin user
- T5915 Event retrieval stopped by Disable/Enable of Protocol Monitoring on the PowerScale
- T6097 UI Desktop Unexpected Behaviour
- T6451 Extra ECA Node listed in Manage Services with IP 0.0.0.0
- T8105 Alarm EAU0002 has no detailed information for failed auditor report
- Reporting
- Conditions under which audit events are not processed
- T6260 Stale Access Report Known Limitations
- T6478 Stale Access and Share Access Report AD User Limitation
What’s New in Superna Eyeglass Easy Auditor Edition
Release 2.5.3, 2.5.4
What’s New! In Superna Eyeglass Easy Auditor Edition Release 2.5.3, 2.5.4 can be found here.
Supported OneFS releases
8.0.0.x
8.0.1.x
8.1.x.x
Supported Eyeglass releases
Superna Eyeglass Easy Auditor Version | Superna Eyeglass Version |
| 2.5.4-19106 | 2.5.4-19106 |
| 2.5.4-18266 | 2.5.4-19106 2.5.4-18275 2.5.4-18266 |
2.5.3-18257 | 2.5.4-18275 2.5.4-18266 2.5.3-18251 |
Inter Release Functional Compatibility
OneFS 8.0 - OneFS 8.0.1 | OneFS 8.0.1 - OneFS 8.1 | OneFS 8.0 - OneFS 8.1 | |
Reporting | Untested | Untested | Untested |
Active Auditing | Untested | Untested | Untested |
End of Life Notifications
Description | End of Life Date |
End of Support for 2.5.0, 2.5.1, 2.5.2 Releases All customers running the above releases should upgrade to the latest release using upgrade guide located here. Numerous functional and performance improvements exist in later releases so earlier releases are end of support with all new cases requiring an upgrade. | July 31, 2019 |
Issues Fixed in this Release
Reporting
T8736 Searching for data > than 8 day range may result in stackover flow error during search
Any User or path search that contains few records over a long period of time may result in an error during the search that prevents partial results from being returned and the search is aborted.
Work Around: Reduce the number of days in the search below 8 days. If more days are required to search, create multiple searches with different start dates.
Planned Patch to adddress this issue is planned.
T6579 Timeout may prevent error on retrieving finished reports where large number of reports exist
When opening the Easy Auditor -> Finished Reports you may experience a comms failure error on population of the list. This is usually a result of default timeout expiring before being able to retrieve all records.
Resolution: Report data now retrieved as page is requested.
—————————————————–
General
T5678 Manage Services CPU and RAM show n/a
The CPU and RAM information for the ECA components is not populated.
Resolultion: CPU and RAM information now displayed for the ECA components.
—————————————————–
T6450 some ecactl commands result in error
The following ecactl commands have an error:
ecactl cluster status
Resolution: ecactl cluster status command now returns disk usage and up time for each ECA component.
—————————————————–
Known Issues
Reporting
T5907 No record for failed user query in Finished Reports
If a user based query fails, there is no record of the failed report in the Finished Reports.
Workaround: None Required - Email notification is provided for the failed query.
This does not affect path only queries.
—————————————————–
T6145 User with Eyeglass read-only position cannot run a custom query
In the Report Query Builder a user who only has read-only permissions can only Load a previously save query to review it’s setting. From this interface no load can be run.
Workaround: Administrator with full privileges must create and save a query after which a user with read-only permission can then run it from the list.
—————————————————–
T6149 Count Table and Access Report queries store unnecessary query parameters
If you save the Count Table or Access Report query, disabled report parameters may be saved with the report definition even though the do not apply.
Workaround: None required. Extra parameters are ignored.
—————————————————–
T6227 Finished Report display issue for Date Time Range
Finished Report Date Time Range may not correctly reflect the query date time definition. The display may show an incorrect date range or may be empty for some reports.
Workaround: None required. The data retrieved correctly reflects the query date time definition.
—————————————————–
T6293 Stale Access Report and Access Report display Cluster GUID instead of Cluster Name
In the Stale Access and Access Reports, the cluster is identified by its GUID instead of displaying the cluster name.
Workaround: To verify which cluster the report is for, from the Eyeglass web open the Inventory View. Right click on a cluster name and select “Show Properties” to view the cluster GUID.
—————————————————–
T6313 Report Query Builder allows filter on Unlicensed Cluster
The Report Query Builder does not block selection of an unlicensed cluster.
Workaround: None required. File activity / events are not stored for unlicensed clusters and as such any report would return with 0 records.
—————————————————–
T6338 File Ext Input only in first line
Report Query File Ext filter is only editable in first line. Clicking anywhere else in the box will not let you enter any text
Workaround: None required. Enter File Ext filter at the top of the box.
—————————————————–
T6339 Report Query Naming
Saved Report Query names can only contain 0 to 9, a to z (lowercase) and A to Z (uppercase) without any spaces, - or _ .
Workaround: None available.
—————————————————–
T6349 Running Report Job State does not immediately reflect a cancelled Job
When a Running Auditor Job is cancelled, the Running Jobs view continues to show the Running state until the cancel task has been completed in its entirety.
Workaround: None required.
—————————————————–
T6350 Easy Auditor Running Reports window inactive
The Easy Auditor Running Reports window may become inactive such that expired reports are not removed and you cannot click on a Report to see details of the execution.
Workaround: Refresh the browser session.
—————————————————–
T6404 Saved Custom User Queries show unrelated Built In Query
A saved Customer User Query details will incorrectly show
Report Picker: Data access report - users who are writing most/least amount of data
even though this custom report is not related to this built in query.
Workaround: None required - other query information is relevant and accurate.
—————————————————–
T7049 Finished Report display issue for Duration
Finished Report Duration column does not display the entire duration required to complete the query.
Workaround: None available. The duration can be seen in the Running Jobs view while the query is still in running state.
—————————————————–
T7049 Finished Report display issue for Duration
Finished Report Duration column does not display the entire duration required to complete the query.
Workaround: None available. The duration can be seen in the Running Jobs view while the query is still in running state.
—————————————————–
T7437 Employee Exit Report may not complete
In large environment with high event rate, the 30 day Employee Exit Report may not complete.
Workaround: Modify the query for less than 30 days to reduce number of records in report or build a custom report using the Report Query Builder.
—————————————————–
T7823 Email Report shows success when error with attachment
Emailing report shows as success even when there is an issue in attaching the report.
Workaround: Re-run the report or contact support at support.superna.net for assistance.
—————————————————–
T8444 Issue viewing Employee Exit Report with large number of records
When viewing an Employee Exit report with a large number of records from the Eyeglass GUI, the browser may become unresponsive when expanding view to see all records for a day.
Workaround: Download the associated csv file and view using spreadsheet application.
—————————————————–
T10911 Share/Stale Access Report issue when AD has nested groups
The built in Share Access and Stale Access Reports do not show user access to a share for those users that are members of a nested subgroup of the AD group configured in the share permissions.
Workaround: None available.
—————————————————–T10895 Share/Stale Access Report in Error when AD contains distribution groups
The Share Access and Stale Acces built in reports will fail to complete when AD has distribution groups configured.
Workaround: None available
Active Auditing
T8175 Upgrade from 2.5.2 to 2.5.3 wiretap settings are lost
In the Wiretap tab any settings need to be deleted and re-added before they are active
T8878 Cannot save DLP trigger for a different NE but same path
With 2 licensed clusters a Data loss prevention policy cannnot use the exact same path on both clusters if entering 2 differnent policies one for each cluster.
Work around: none only the first cluster and path can be added.
T5955 Wiretap Watch window cannot scroll horizontal
In the Wiretap Watch window you are not able to scroll in the horizontal direction in either section of the window.
Workaround: None available in Watch window. A report could be generated using same criteria and timeframe for review once event of interest are known.
—————————————————–
T6074 Wiretap Open Files List not updated
File which is added to the Wiretap Open Files list may not be removed when the file is closed.
Workaround: None required. The real time event display will indicate which files are actively open.
—————————————————–
T6305 Invalid username causes Wiretap error
If you enter an invalid username that cannot be resolved when setting up a Wiretap active auditing job it causes the job creation to fail with the following error:
Failed to create new wiretap:
Server error when processing request: java.lang.NullPointerException
Workaround: Enter a username that can be resolved in the documented supported format.
—————————————————–
T6466 Deleted Wiretap not removed from filter processing
When you delete a Wiretap from the Eyeglass GUI, it is no longer displayed and cannot be selected but in the backend it continues to be active and filter is applied to incoming events. If the deleted filter has a broad scope, it may result in dropped events for a smaller scope query as per Known Limitations T6061/T6465.
Workaround: Contact support for assistance in resolving this issue.
—————————————————–
T6467 Wiretap Event type blank for Directory Create / Delete, File Create, File Set ACL, Directory Rename
The Wiretap Watch window Event type column is empty for following event types:
Directory Create
Directory Delete
File Create
File Set ACL
Directory Rename
Workaround: None Available in the Watch window. You may run a report with the same filter and timeframe to review these events.
—————————————————–
T7547 Wiretap does not show user name for NFS events
For events generated over NFS protocol, Wiretap does not include user name in the event information. Only client IP address is displayed.
Workaround: A custom query can be built using the Report Query Builder based on path and timeframe in order to view user name.
—————————————————–
T8241 Affected Files display limited to 100 files
Any messages displayed indicating that more than 100 files can be displayed are inaccurate.
Workaround: None Required. Affected files display limited to 100 regardless of what the UI states. To review any additional files involved, download CSV will retrieve last hour in current release up to 50,000 records.
—————————————————–
T8437 Download csv for Active Auditor event may not show all Affected Files
The download csv created for Active Auditor event may not contain all Affected Files (up to 50,000 record limit).
Workaround: Use the Report Query Builder to build a custom report with events taking the relevant user, path and time period from the event information in the Active Auditor GUI.
—————————————————–
Robo Audit
T8694 Robo Audit may show Success when it did not run
Robo Audit may show as having successfully completed when in fact it did not run. For example:
Robo Audit configured but disabled
Robo Audit misconfigured and enabled
Workaround: Open the Robo Audit logs to see details of Job Execution.
—————————————————–
General
T5858 ecactl commands do not switch to ecaadmin user
If you are logged into an ECA node as root user and execute an ecactl command, you are prompted to login as the ecaadmin user to continue but even though the console indicates that the login as ecaadmin is underway the login never completes and the command cannot be executed.
Workaround: Login to ECA as ecaadmin user when using ecactl commands.
—————————————————–
T5915 Event retrieval stopped by Disable/Enable of Protocol Monitoring on the PowerScale
If you disable / enable Protocol Auditing on the PowerScale cluster the ECA does not recover and does not begin reading events once Protocol Auditing enabled again.
Workaround: If you need to disable/enable Protocol auditing down the ECA cluster first
Ecactl cluster down
Then disable Protocol Auditing on the PowerScale cluster
After you have enabled Protocol Auditing on PowerScale cluster, the bring the ECA back up:
ecactl cluster up.
—————————————————–
T6004 PowerScale Directory Selector Usage
In order to populate a cluster in the Directory Selector a directory must be selected in the file tree.
Workaround: None required. Once cluster is populated a path can be selected from the tree or typed in but must begin with /ifs .
—————————————————–
T6097 UI Desktop Unexpected Behaviour
If you move a window to the edge of the Eyeglass desktop it may become stuck in that position.
Workaround: Refresh browser.
—————————————————–
T6451 Extra ECA Node listed in Manage Services with IP 0.0.0.0
The Manage Services window may show an additional ECA Node with IP address 0.0.0.0. It is Inactive and therefore results in an ECA Node Inactive alarm. Otherwise has no negative impact on functionality.
Workaround: Remove the extra ECA node with IP address of 0.0.0.0 from Manage Services by selecting the associated “x”.
—————————————————–
T6617 PowerScale Directory Selector does not display hidden directories
Directories that start with a dot (.) are not displayed in the PowerScale Directory Selector.
Workaround: Use the PowerScale Directory Selector to enter \ifs\ and then enter the remainder of the path manually.
—————————————————–
T8091 Login Monitor Report Sorting does not work
When viewing the Login Monitor Report Built-In query results from the GUI, sorting on columns Logons, Logoffs, and failed Logons does not work.
Workaround: Download the report csv file and open in spreadsheet for sorting and filtering of data.
—————————————————–
T8105 Alarm EAU0002 has no detailed information for failed auditor report
The alarm Info for EAU0002 alarm "Auditor report failed" does not have any detailed information on cause of report failure.
Workaround: In Easy Auditor / Running Reports tab select the report that failed and in the Job Details expand the tree and select the Info link for the failed step.
—————————————————–
T8249 Canceling Easy Auditor Running Report results in Critical severity alarm
Cancelling a running auditor report results in a Critical Severity alarm.
Workaround: None required. This alarm is informational only and does not indicate any critical issue in Easy Auditor.
—————————————————–
Known Limitations
Reporting
Conditions under which audit events are not processed
In the following situations audit events will not be processed and any audit events which occur while processing is down are dropped - they are not recovered by post processing:
ECA NFS mount is down: Each ECA node is responsible for reading audit events for a specific set of PowerScale nodes. While the ECA NFS mount is down, audit events for these PowerScale nodes are dropped.
ECA down: Each ECA node is responsible for reading audit events for a specific set of PowerScale nodes. While the ECA NFS mount is down, audit events for these PowerScale nodes are dropped.
—————————————————–
T6260 Stale Access Report Known Limitations
1) The Stale Access Report Built-In query does not report on activity for shares under following conditions:
- Share access by AD user with run as root permissions
- Share access by AD group where AD group has nested group and access by user in sub-group
—————————————————–
T6361 Reporting for shares with local user permissions unsupported
Reports generated against shares which have a local PowerScale user permission configured may give unexpected results in the report and may cause email notification to fail.
—————————————————–
T6478 Stale Access and Share Access Report AD User Limitation
Reports have been successfully generated against AD environment with up to 4000 users. Reports against larger AD environments may fail.
—————————————————–
T2842 Login Monitor Report Known Limitations
The Login Monitor Report Built-In query has following Known Limitations:
- NFS login is not reported
- Failed login due to invalid password, or invalid user are reported by user SID
- A login where user does not appropriate share permission is reported as a Logon and Logoff together
—————————————————–
Active Auditing
T6061, T6465 Wiretap event rate display maximum of 25 events / s
Wiretap Watch window is limited to displaying events at a maximum of 25 events/s. If there are more than 25 event/s which match the Wiretap filter this will result in events being dropped and not displayed.
Workaround: Define filter with smaller scope by adding a user and defining more precisely the path in the filter. A report may also be run using same filter to retrieve all related results.
—————————————————–
T7500 DLP Known Limitations
DLP Active Auditing has following Known Limitations:
- Small Files DLP threshold affected by PowerScale Quota Usage Reporting
For small files, PowerScale Quota Usage reports a larger usage than actual storage consumed. When setting a DLP threshold you must consider the threshold% against the quota reported usage. For example, if actual space consumed by 1 small files is 20b but quota usage is reported by PowerScale as 8K then the threshold to detect copy of that file is not 100%, it is 20b/8K.
- DLP generate 1 signal when threshold crossed for any size of copy
Any copy that crosses the configured threshold will generate only 1 signal - whether the copy is one time the threshold configured or many times the threshold configured.
—————————————————–
T7525 Active Auditor Affected Files also shows Ransomware Defender Affected Files
When viewing the Affected Files for an Active Auditor event, any files associated wtih a Ransomware Defender event that has occurred at the same time are also displayed.
Workaround: Download the csv file and use the path associated with the Active Auditor event from the GUI to filter the results.
—————————————————–
T8744 No event processing once Signal Strength passes 2 times Critical Threshold
For the case where both Ransomware Defender and Easy Auditor are licensed, reaching Signals processed count of 2 times Ransomware Critical threshold for a particular user will stop processing events for both Ransomware Defender and Active Auditor. This would only be a factor in the unlikely event that a Ransomware Security event and Active Audit event (Mass Delete, DLP) occurred at the same time for the same user.
Workaround: None available.
—————————————————–
General
T8281 hbase major compaction affects queries
An hbase major compaction will prevent queries happening at the same time from completing.
Workaround: Re-run query once hbase major compaction has completed.
—————————————————–