CTERA Activity Auditing Configuration
The Netwrix Activity Monitor can be configured to monitor file system activity on CTERA Edge Filer appliances.
The monitoring process relies on the SMB auditing feature of the CTERA Edge Filer. A local audit log file is generated by each Edge Filer and audit events from these files are collected by the CTERA Portal. The CTERA Portal forwards the events from the Edge Filers to the Activity Monitor Agent through the Messaging and Syslog services.
To prepare CTERA for monitoring:
- Provision an account.
- Enable auditing on the CTERA Edge Filer.
- Enable Messaging and Edge Filer Syslog services on the CTERA Portal.
Provision Account
Netwrix Activity Monitor uses the CTERA Portal API to retrieve information about portals, Edge Filers, their auditing configurations, and optionally to enable syslog forwarding automatically. To access the API, Activity Monitor requires an account in the CTERA Portal with the Read Only Administrator role.
Step 1 – Log in to the CTERA Portal web interface. In the global administration view, select Users > Administrators.
Step 2 – Click New Admin, specify a username, password, email, and the Read Only Administrator role.
This credential will then be used when configuring the Activity Monitor Agent to monitor the CTERA portal.
Enable Auditing on CTERA Edge Filer
The CTERA Edge Filer can generate audit log events for the SMB access. Audit events are stored in a local file and then forwarded to the CTERA Portal for further processing. The audit log is disabled by default and must be enabled.
Follow the steps to enable SMB audit logs.
Step 1 – Log in to the Edge Filer web interface. In the Configuration view, select Logs > Audit Logs.
Step 2 – Select the Enable CIFS/SMB Audit Logs option.
Step 3 – Specify a share to save the audit logs in the Save log files option. If a share does not exist, create a new one first.
NOTE: CTERA recommends that SMB Audit logging is saved to a folder that is local on the Edge Filer and not synced to the cloud. For example, in the root of vol1, which can then be used to create a share.
Step 4 – Adjust the Keep closed files for parameter if needed; otherwise, use the default value.
Step 5 – Check all events except the Read Extended Attributes event in the Events to log list. If you do not require monitoring of Directory Read/List operations, which typically generate a high volume of data, uncheck the List Folder Read Data event.
Step 6 – Make sure that Log permission changes in human readable format is unchecked.
Step 7 – Click Save.
To verify that the auditing is enabled, generate some file activity and check the share specified in Step 3. An audit log should be created in audit.log.dir/audit.log.
See the Auditing SMB File Access article in the CTERA Edge Filer Administrator Guide for additional information.
Enable Services on CTERA Portal
The following services must be enabled and configured on the CTERA Portal:
- CTERA Messaging Service – Enables sending notifications to various consumers, including the Edge Filer Syslog service.
- CTERA Edge Filer Syslog Service – Consolidates audit events from Edge Filers and sends them to the Activity Monitor Agent and other consumers.
Both services are disabled by default and must be enabled. The Messaging service must be enabled first.
Enable the Messaging Service
See the Managing the CTERA Messaging Service article in the CTERA Portal Global Administrator Guide for additional information on requirements and recommendations for production and POC environments.
Step 1 – Before setting up the Messaging Service in the web interface, first initialize the messaging components with the following CLI command:
set /settings/platformServicesSetting/enabled true
Initialization takes a few minutes.
Step 2 – Log in to the CTERA Portal web interface. In the global administration view, select Services > Messaging.
Step 3 – To add a new messaging server, click Add Messaging Servers. Select the servers to use as messaging servers. Click Save.
NOTE: In a production environment, designate three servers as messaging servers. In a small or test environment, CTERA supports using a single messaging server, typically the main database server. However, in all other cases, exactly three servers must be assigned as messaging servers. See the Managing the CTERA Messaging Service article for additional information.
Step 4 – Deploying the messaging service takes a few minutes. The status will change to STARTING and then to ACTIVE. Wait until the status is ACTIVE before proceeding to the next step.
NOTE: If the status does not change to ACTIVE, the log files need to be collected from the /usr/local/lib/ctera/work/logs/services directory. See the CTERA Messaging Service Logs article for additional information.
Enable the Edge Filer Syslog Service
Ensure the Enable the Messaging Service section is completed before proceeding to enable the Syslog Service.
The Edge Filer Syslog Service can be configured in two ways:
- Automatically by the Activity Monitor using the API from CTERA Portal.
- Manually using the CTERA Portal web interface.
It is recommended to configure the service automatically. With automatic configuration, the Activity Monitor Agent will apply the settings and perform periodic checks to ensure correctness. To enable automatic configuration, use the Enable Edge Filer Syslog auditing option in the host properties and specify credentials to access the CTERA Portal API.
Follow the steps to configure the Edge Filer Syslog Service manually.
Step 1 – Configure monitoring of the CTERA Portal in the Activity Monitor Console.
Step 2 – Add a CTERA host on the Monitored Hosts page and specify the portal host name, username, password, and complete the wizard.
Step 3 – Enable the newly added host.
Step 4 – Copy the TLS certificate file, certca.pem, from the %ProgramData%\Netwrix\Activity Monitor\Agent\Data folder on the agent's server.
Step 5 – Log in to the CTERA Portal web interface. In the global administration view, select Services > Edge Filer Syslog.
Step 6 – Click Add a Server.
Step 7 – Specify the FQDN or IP address of the agent in the Address field.
Step 8 – Specify 4488 in the Port field.
NOTE: The default port can be changed in the properties of the agent on the CTERA page.
Step 9 – Change the protocol to TCP/TLS.
Step 10 – Click Server Certificate > Select File to upload the certca.pem file copied in Step 4.
Step 11 – Click Save.
Step 12 – Click Enable in the status bar.
The status will change to STARTING. If the CTERA Portal manages to connect to the Activity Monitor Agent, the status changes to ACTIVE. If not, review the error message and check Logs & Alerts > System Log for details.
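When the service stays at STARTING, the following added pre-flight check (example code, not part of this documentation or of the Netwrix or CTERA products) can be run from the portal side: it opens a TCP/TLS connection to the agent's listener on port 4488, trusting only the certca.pem copied in Step 4, and reports which stage failed. The host name agent.example.internal is a placeholder, and skipping hostname verification is an assumption, since the page does not state how the portal matches the uploaded certificate to the agent's address.

```python
"""Pre-flight check for the CTERA Portal -> Activity Monitor Agent syslog path.

Run from the CTERA Portal server (or any host on the same network path) after
Steps 4 to 12: confirms the agent's TCP/TLS listener is reachable and that the
certificate it presents chains to the certca.pem copied from the agent's
%ProgramData%\\Netwrix\\Activity Monitor\\Agent\\Data folder.
"""
import socket
import ssl
import sys

DEFAULT_PORT = 4488  # port entered in Step 8 of the manual procedure


def check_syslog_endpoint(host, port=DEFAULT_PORT, ca_file="certca.pem", timeout=5.0):
    """Return {'ok', 'stage', 'detail'}; stage names the first step that failed.

    stage is 'ca_file' (certca.pem unreadable or not PEM), 'tcp' (listener not
    reachable), 'tls' (handshake or chain validation failed) or 'ok'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Only chain validity is checked: the page does not say whether the agent
    # certificate's name must match the FQDN/IP entered in Step 7 (assumption).
    ctx.check_hostname = False
    try:
        # Trust only certca.pem, the same file the portal is given in Step 10.
        ctx.load_verify_locations(cafile=ca_file)
    except OSError as exc:  # includes ssl.SSLError for a malformed PEM file
        return {"ok": False, "stage": "ca_file", "detail": str(exc)}

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"ok": False, "stage": "tcp", "detail": str(exc)}

    try:
        # wrap_socket performs the handshake, so a chain that does not lead to
        # certca.pem (or a plain-TCP listener) surfaces here as an SSLError.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except OSError as exc:
        raw.close()
        return {"ok": False, "stage": "tls", "detail": str(exc)}

    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return {"ok": True, "stage": "ok", "detail": subject.get("commonName", "<no CN>")}


if __name__ == "__main__":
    # Placeholder host; pass the agent's FQDN or IP address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "agent.example.internal"
    print(check_syslog_endpoint(target))
```

A result with stage "tcp" points at routing or firewall rules between the portal and the agent, while "tls" means the listener answered but the chain did not validate against certca.pem or the protocol was not set to TCP/TLS.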
See the Managing the Edge Filer Syslog Service article in the CTERA Portal Global Administrator Guide for additional information.