User Manual – NTP Software File Auditor_rev_1.0_4372EF

Contents

1. Client S Share Name WOLWOLO JHOMEWCAPTURE PNG Osama WOLIWOLO HOMENCOPY 2 OF NEVY BITMAP IMAGE BMP DOTNET CRITICALSITES LOCAL Mahmoud DOTNET CRITICALSITES LOCAL Administrators DOTNET CRITICALSITES LOCAL Mahmoud DOTNET CRITICALSITES LOCAL Administrators 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3 4 2011 4 43 27 PM Osama 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 34 2011 4 35 55 PM WOLIVOLO HOMENWCOPY 2 OF NEW MICROSOFT EXCEL WORKSHEET XLS DOTNET CRITICALSITES LOCAL Administrators DOTNET CRITICALSITES LOCAL Mahmoud Osama 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3 14 2011 4 35 55 PM WOLIVOLO HOMEUCOPY 2 OF NEW MICROSOFT WORD DOCUMENT DOC DOTNET CRITICALSITES LOCAL Administrators DOTNET CRITICALSITES LOCAL Mahmoud Osama 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 34 2011 4 35 55 PM WOLWVOLO DOTNET CRITICALSITES LOCAL Administrators DOTNET CRITICALSITES LOCAL Mahmoud HOMENWCOPY 2 OF NEW TEX LDOC LIME Directory Permission Changed This report allows directories whose permissions have changed The report displays the directory name the host IP address the user name the date the policy name the client name the share name and the permission details based on Osama the specified criteria Directory permission changed Directory Name 3 14
2. DOTNET CRITICALSITES LOCAL Mahmoud 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3 14 2011 nN Copyright 2012 by NTP Software All rights reserved 29 Permission Changed This type of report allows you to review the file s whose permission s has changed among user The report displays the name of the file whose permission has changed the directory where the file exists the host IP address the user name the policy name the client and the share name as well as the permission details within the specified criteria File Permissions Changed From 3 14 2011 4 11 45 PM To 3 15 2011 4 04 30 PM Number of records 503 File Name COPY 2 OF Directory S WOLIVOLO 10 20 2 57 User Name z Policy Client Share S Permission Name Name Name Details DOTNET CRITICALSITES LOCAL Administrator 34 2011 4 58 10 PM NEVY MICROSOFT WORD DOCUMENT DOC 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3414 2011 4 58 10 PM COPY 2 OF R TXT DOTNET CRITICALSITES LOCAL Administrator 3 14 2011 4 58 10 PM COPY 3 OF CAPTURE PNG DOTNET CRITICALSITES LOCAL Administrator 3414 2011 4 58 10 PM OPY 3 OF NEV MICROSOFT EXCEL WORKSHEET XLS DOTNET CRITICALSITES LOCAL Administrator 3414 2011 4 58 10 PM COPY 3 OF COPY 3 OF NEV MICROSOFT WORD DOCUMENT DOC 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3 14 2011 4
3. NTP Software File Auditor User Manual June 2012 This manual details the method for using NTP Software File Auditor from an administrator s perspective Upon completion of the steps within this document NTP Software File Auditor will be used to monitor file and directory operations for users within your enterprise community Table of Contents ECUN E SUNNY aa E E A EE E E E A 4 NTP Software File Auditor Configuration essseessessseesresesrrsrrreesrrsssrresrreesrrresrrresresrrresreresns 5 Setting NTP Software File Auditor Properties ssesssssesssresesrrsesrrresrrresrreserresrrrresresrereseeess 6 Setting the NTP Software File Auditor Security Level ccccccsesseceseeeeseeesecseeeeeseneess 6 Setting the NTP Software File Auditor Database c cc cecccccssecccceseceeeeececeeeeceseueseesess 7 Setting the NTP Software File Auditor EMail ccceccccesccccesseseeeeeceeeeeseeeeeeseeeeneeeees 10 Setting the NTP Software File Auditor Miscellaneous Options cccccseeeeseeeeeeeeeees 11 POIO re WOM encores tadennes E E lt aesaeasnaevactesermemnessdacbeneasneenrsstoceansae 12 Creating File Audit POLiCieS cccccsssccsssccneccesecccesceceeecececseeueeseeeseseetseeteueeseneceegass 13 NCW TI SCR OUI CS vance aacracioesstracoutoaapnnccraneoo Hiewac A E E 21 WWE SI AN CG oaeen e E EE EE EEO E 22 NTP Software File Auditor Reports sssesssserseerenssrrrssrreserrresrrensrressrresreresrtresse
4. 2011 4 11 45 PM al id 4 fi of i2 gt bi Start Date Host 100 v Directory Permissions Changed From 3 14 2011 4 11 45 PM To 3 15 2011 4 13 44 PM Number of records Directory 3 WOLWOLO HOMEWCOPY 2 OF NEVY MICROSOFT EXCEL VWWORKSHEET XLS 503 10 20 2 57 User Name DOTNET CRITICALSITES LOCAL Administrator 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 10 20 2 57 End Date 3 15 2011 4 13 44 PM eg Find Next 34 2011 4 35 55 PM Select a format Export S Client ETT 3 14 2011 4 58 10 PM ag you to review all Ss Permission Details WOLWOLO HOMEWCOPY 2 OF NEVY MICROSOFT WORD DOCUMENT DOC 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3 14 2011 4 58 10 PM WOLWOLO SHOMEWCOPY 2 OF RIXT 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3 14 2011 4 58 10 PM WOLWOLO WHOMEWCOPY 3 OF CAPTURE PNG 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 34 2011 4 58 10 PM WOLWOLO WHOMENWCOPY 3 OF NEVY MICROSOFT EXCEL WORKSHEET XLS 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3 14 2011 4 58 10 PM WOLWOLO 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 3 14 2011 Directory Moved This report allows you to review all directories that have moved The report displays the source path the destination path the host na
5. 58 10 PM 10 20 2 57 DOTNET CRITICALSITES LOCAL Administrator 34 2011 Clicking on the View link of the Permission Details field displays more details as outlined below Files permission changed l4 4E of3 gt pi 100 x Find Next Select a format x Export File Permissions Changed File Name COPY 2 OF R TXT User Name Everyone Has Full Control Has Execute Has Read Has Read Attributes Has Read Extended Attributes Has Write Has Append Has Write Attributes Has Write Extended Attributes Has Delete Has Read SD Has Change DACL Has Take Ownership Previous Current ee 3 Policy Reports category has one view the Policy by Date report d 4 The Directory Reports category has eight views Directory Summary Directory Audit Directory Created Directory Renamed Directory Deleted Deleted Files by Start Date 10 14 2009 5 09 14 AM Policy DemoPolicy MKT POL Dev MK x Bal i dq 1 Policy by Date of 23 gt Pi From 10 14 2009 5 09 14 AM To 5 3 2011 6 52 08 AM Number of records 1000 MKT POL User6 MKT POL User6 Galactic com Clo Galactic com Clo ver Directory Path HOME BusinessSh ares HOME BusinessSh ares na 3i rashad na731 rashad End Date 5 3 2011 8 52 08 AM QO8 460A0 am W 10 Access Type File Open For Write File Open For irite t Date i 1044 2009 aasayed
6. Export a amp Most accessed directories Number of records 5 Directory Path Number of Accesses SHOME BusinessShares SHOME BusinessShares Finance User0007 WTimeSheets SHOME BusinessShares Finance Wser0007 Invoices SHOME BusinessShares Finance Wser0002Unyvoices HOME BusinessShares DevelopmentWser0001 Projects in Progress F TP Projecti Copyright 2012 by NTP Software All rights reserved 35 j eA a Copyright 2012 by NTP Software All rights reserved Directory Owner Changed This report allows you to review all directories whose owners have changed The report displays the directory name the previous and new owners the host IP address the user name the date the policy name the client name and the share name based on the specified criteria Directory owner changed Directory Name Host a 14 2011 4 11 45 PM a 100 7 Start Date id 4 fi of5 gt Di Find Next Directory Owners Changed From 3 14 2011 4 11 45 PM To 3 15 2011 4 13 11 PM Number of records 180 Directory WOLWOLO HOMEWNEVY MICROSOFT EXCEL WORKSHEET XLS Osama Previous Owner DOTNET CRITICALSITES LOCAL Mahmoud New Owner DOTNET CRITICALSITES LOCAL Abdalla Hassan fi0 20 2 57 v End Date 3 15 2011 4 13 11 PM Hal Select a format J Export 10 20 2 57 ag User Name 5S DOTNET CRITICALSITES LOCAL Administrator 34 2011 4 45 44 PM Policy S
7. MKT POL aasayed xp 4502 Machine etingJser0006 Old Stuff 7 59 04 AM Marketing HOME BusinessShares Sup Galactic comNormandy na731 rashad 1044 2009 MKT POL aasayed xp 4502 Machine portWser001210ld Tickets 7 38 56 AM Support HOME BSusinessShares Sup Galactic com Normandy na 31 rashad 1044 2009 MKT POL aasayed xp 4502 Machine portiUser001 2 0ld Tickets 7 38 56 AM Support NHOME BusinessShares Sale Galactic comXantara na731 rashad 1044 2009 MKT POL Sales aasayed xp 4502 Machine sWser0011 0ld Recordsi 7 33 30 AM NHOME BusinessShares Sale Galactic com antara na 31 rashad 1044 2009 MKT POL Sales aasayed xp 4502 Machine sWser0011 Old Records 7 33 29 AM NHOME BusinessShares Sale Galactic com Merrill na 31 rashad 10 14 2009 MKT POL Sales aasayed xp 4502 Machine sWser000giOld Customers 7 21 45 AM NHOME BusinessSharesiMark Galactic com Clover na731 rashad 1044 2009 MKT POL aasayed xp 4502 Machine etingJser0008 France Plans 7 04 47 AM Marketing f Deleted Files by Directory This report allows you to review all the deleted files grouped by directory The report s input is the directory name and or the host and or the date range The report displays the user s name who has deleted the file s the path from which the file was deleted the file name the host name the file size the date on which the file was deleted the client name used to perform the
8. Setup has enough information to start copying the program files fF you want to review or change any settings click Back If you are satished with the settings click Nest to begin copying files Curent Settings Destination Path C Program Files 7 PSoftware File Auditor for NAS Components to install File Auditor Administration Tool Start Menu Folder NTF Software File Auditor for HAS i Back Cancel Installshield D S E Copyright 2012 by NTP Software All rights reserved 65 7 When the file installation is complete a dialog box offers you the opportunity to view the readme file If you do not want to view the readme file at this time clear the option Yes want to view the readme file Click Finish With this step NTP Software File Auditor installation is completed NTP Software File Auditor for NAS Setup HTP Software Installation Wizard for File Auditor for HAS Complete The Installation Wizard has successtully installed File 4uditor for MAS Click Finish to exit the wizard Administering NTP Software File Auditor through an NTP Software File Auditor Admin Client Running on a Different Machine 1 Click Start gt Programs gt NTP Software File Auditor gt NTP Software File Auditor Admin 2 Inthe Smart Policy Manager dialog box specify the Smart Policy Manager Server to which you want to connect Smart Policy Manager Enter the name of the Smart Policy Manager server to c
9. como bax rpqgre at coms att 10 2 The File Reports category has nine different views File Summary File Audit Files Changed Files Deleted Files Renamed Files Created Deletion Compliance Owner Changed and Permission Changed a File Summary This report allows you to review the count of all the audited files It also displays a breakdown for the count of deleted renamed created or changed files You can click the count next to any file operation to display a detailed list of the specified file operation File summary StartDate 3 3 2010 8 23 23 AM S EndDate 3 5 2010 10 47 23 AM Ea view Report id 4 fi ofi gt pi 75 Find Next Select a format z Export g File Summary Report Number of audited files Number of deleted files Number ofcreated iles Number ofrenamed files Number ofchanged tiles Copyright 2012 by NTP Software All rights reserved 25 b File Audit This report allows you to review all the file operations performed The report input is the file name and or the host name and or the file operation performed and or the file type and or the date range The report displays the file name the directory name where the specified file is located the user name accessing the file access type access date the name of the policy applied on the directory the client name and the share name within the specified criteria File Name AhmedIG na731 rasha
10. directory path in which the file is located the user name accessing the file the access type the access date the name of the policy applied the client name and the share name within the specified criteria File Type Jbmp cpp doc h rtf tmp txt 7 Access Type Fite renamed File Close 7 start Date 10 14 2009 5 09 14 AM Ei End Date 5 3 2011 8 45 25 AM a ESP i 4 i f4 bn e O Ala Ouk 10 Find Next Files Changed From 10 14 2009 5 09 14 AM To 5 9 2011 6 45 25 AM Number of records 152 Directory 2 2 Access 3 Change Policy Client S Share Path Type Date Name Name Name HOME Business na731 rashad Galactic co File Rename 1044 2009 MKT POL aasayed xp IG Machine Shares Marketing miPlatt 7 59 00 AM Marketing 4502 WserD006 Africa Customers HOME Business na731 rashad Galactic co File Rename 10 14 2009 MKT POL aasayed xp IG Machine Shares Marketing miPlatt 7 56 20 AM Marketing 4502 Wser000610ld Stuff HOME Business na 31 rashad Galactic co File Rename 1044 2009 MKT POL Dey aasayed xp IG Machine Shares Develop miTopper 7 50 07 AM 4502 mentiser0005 Projects in ProgressiGIS Projecti HOME Susiness na731 rashad Galactic co File Rename 1044 2009 MKT POL Dey aasayed xp liG Machine Copyright 2012 by NTP Software All rights reserved 26 d Files Deleted This report allows you to review all the files that have been dele
11. directory paths and share paths. For share paths, all you need to do is add a share name. For directory paths, the format depends on the NTP Software File Auditor edition being used.
    For NAS NetApp edition, the directory path format is: vol <volume name> <some directory> optional subdirectory another optional subdirectory
    For NAS EMC, the directory path format is: <file system mount path> <some directory> optional subdirectory another optional subdirectory
    For BlueArc or Hitachi editions, the directory path format is: fs <volume name> <some directory> optional subdirectory another optional subdirectory
    When testing policies you have created, perform the tests from an independent machine that is not running NTP Software File Auditor.
    Creating File Audit Policies
    This section walks you through creating a typical file audit policy. We will create a file audit policy for all your user home directories in a typical server configuration. This policy will be applied to all users in your Users directory.
    1. In the NTP Software Smart Policy Manager hierarchy view, locate the Filer/Celerra/EVS you added earlier. If necessary, click the plus sign adjacent to this entry to expand the tree. Then click the plus sign next to File Auditor to expand the policy types.
    2. Right-click File Audit Policies and select New > Fol
12. scanning period NOTES a Set the Time Period to Immediate Past if you wish to notify the user of all the matching operations that occurred in a past period Set the Time Period to Specific Period if you wish to notify the user of all the matching operations that occurred within a specific time period ignoring any operations that occurred at any other time 5 Use the Operations section to check the operations you want the BOT to monitor You can either check all operations or select individual operations to monitor Operations Select All File Open For Read Fie Open For write File Create File Rename File Delete File Close File Move Director Create E Director Rename Directory Delete E Directo Move A S i i O e Owner Change Permission Change 6 Use the Hours section to specify the scanning exact time Hours All Hours Specific Hours of the Day Start of Period i200 AM End of Period i200 Jan L S E Copyright 2012 by NTP Software All rights reserved 44 7 You can specify additional criteria for other operations details such as file extensions the user who performed the operation etc o Client Machine Name of IP TAGT2 42K8 NOTES a The Minimum Operation Count defines the minimum number of operations that should match for the BOT to notify the user b The Minimum File Size defines the minimum file size that counts as an operation f
13. sign adjacent to the name of the Windows based server on which you installed NTP Software File Auditor Right click File Auditor under that entry and select Properties to open the NTP Software File Auditor Configuration screen Click the EMC Connector tab Click the Add button Enter the name of your CIFS server the control station IP user name and password and then click OK 10 Click OK in the NTP Software File Auditor Configuration screen You are now ready to move on and create some File Auditor policies Copyright 2012 NTP Software 86 Preparing the BlueArc Titan or Hitachi NAS NOTE Refer to this section only if you have BlueArc Titans or Hitachi Hitachi NASs attached to your environment If you do not have BlueArc Titans or Hitachi Hitachi NASs you should not apply the instructions specified in this section Preparing the BlueArc Titan Hitachi NAS for NTP Software File Auditor Management To prepare the Titan Hitachi NAS server the following must be taken into consideration 1 For each EVS virtual server managed by NTP Software File Auditor at least one CIFS server name must be created and must join the same domain as the NTP Software File Auditor machine 2 The logon account used to register with the Titan server the account that will be assigned to the NTP Software File Auditor service needs to be a member of the Titan server s local group Backup Operators which can be added from the Titan Se
14. xp 7 59 46 AM 4502 10 14 2009 aasayed xp 7 59 43 AM 4502 Find Next Client Share Name Name IG Machine Machine MKT POL User6 MKT POL User6 MKT POL User6 Galactic com Clo Galactic com Clo ver Galactic com Clo ver HOME BusinessSh ares HOME BusinessSh ares HOME BusinessSh ares na 31 rashad na 3i rashad na 31 rashad File Open For Write File Open For White File Open For Write 1044 2009 aasayed xp 7 59 42 AM 4502 1044 2009 aasayed xp 7 59 38 AM 4502 1044 2009 aasayed xp 7 59 36 AM 4502 Machine Machine IG Machine MKT POL Support MKT POL User6 Galactic com Clo ver Galactic com Clo ver HOME BusinessSh ares Support HOME BusinessSh ares MKT POL Finance Galactic comiClo ares Finance HOME BusinessSh na 31 rashad na731 rashad na731 rashad File Open For Write File Open For Write File Qpen For Arite 1044 2009 aasayed xp 7 59 33 AM 4502 1014 2009 aasayed xp 7 59 33 AM 4502 1044 2009 aasayed xp 7 59 25 AM 4502 Machine Machine IG Machine Folder Deleted Files Count by Folder and Most Accessed Folders d Directory summary Start 3 3 2010 8 33 59 AM End aii 3 3 2010 6 33 59 AM Ha Date Id 4 fi oft D bi a Directory Summary Report Humber of audited directo nes 4 Humber of deleted directo nes Humber o
15. you do not have NetApp Filers, you should not apply the instructions specified in this section.
    Enabling the fpolicy Management Service (NetApp Filers)
    NTP Software File Auditor requires NetApp Filers to run Data ONTAP version 6.5 or later, excluding version 7.1. If your Filer is running a version prior to 6.5, you must upgrade your operating system before you proceed. Please refer to your Network Appliance documentation for instructions.
    Although NTP Software File Auditor does not install any components on the NetApp Filer, you will need to enable the Data ONTAP fpolicy management service. For more information on NetApp Filers, consult NetApp Customer Support Bulletin CSB 0704 02, Fpolicy Update for Data ONTAP.
    Apply the following steps to enable the Data ONTAP fpolicy management service:
    1. Log onto the NetApp Filer with an account that has administrative privileges.
    2. At the prompt, enter the following command:
       fpolicy create NTPSoftware_FA screen
    3. Enter the following command:
       fpolicy enable NTPSoftware_FA
    4. To verify that CIFS file policies are now enabled, enter the following command:
       fpolicy show NTPSoftware_FA
    5. If you want File Auditor to record Permission and Owner changes for your files and directories, you will need to enable the CIFS SetAttr feature of fpolicy. Enter the following command:
       fpolicy options NTPSoftware_FA cifs_setattr on
    NOTE: If you don't have any File Audit Policy that monitors Permission Change or Ow
16. 03e8 1000 A Mozila lag PredllacPathChars REG DWORD oxO0000400 1024 ee aRfproxyserver REGSE 10 20 2 44 MUT lad UserGrpCacheExpireDays REG DWORD OxQ000000F 15 eer ene ae Ag UserGrpCacheRefreshMinutes REG DWORD Ox0000001e 30 Notepad NTP Software NTFSoftware J EmecProxy 9 File Auditor Sy ECS 2 ia File Auditor Reports of Conkains commands For working with the whole registry 2 e On the NTP Software File Auditor machine restart the NTP Software File Auditor EMC Connector Service a Open the Windows Service Manager from Control Panel Administrative tools Services b Restart the NTP Software File Auditor EMC Connector Service Copyright 2012 by NTP Software All rights reserved 83 Preparing the EMC Celerra for NTP Software File Auditor Management For any Celerra that will be managed by NTP Software File Auditor once the server is started and has mounted its root filesystem go to the etc directory and create the cepp conf file if it does not exist You have to edit this file to include your CEPP pool description NOTE The cepp conf file must contain at least one line defining the pool of CEPP servers If the line is too long you can add at the end of each line pool name lt poolname gt servers lt IP addri gt lt IP addr2 gt preevents lt event1 gt lt event2 gt postevents lt event3 gt lt event4 gt posterrevents lt event5 gt lt event6 gt opt
17. 2012 by NTP Software All rights reserved NTP Software File Auditor Configuration The NTP Software File Auditor Configuration Wizard appears once the NTP File Auditor installation completes It enables you easily to add the Filer Celerra or EVS to be monitored by the NTP Software File Auditor application To use the NTP Software File Auditor Configuration Wizard please follow these steps 1 Click Start gt Programs gt NTP Software File Auditor for NAS gt NTP Software File Auditor for NAS Configuration Wizard 2 Click the View Pre Wizard Checklist button and gather the required information before continuing Click Next 3 Enter the name of your Filer Celerra or EVS Click Finish D S E Copyright 2012 by NTP Software All rights reserved 5 Setting NTP Software File Auditor Properties NOTE For all the screens displayed in this user manual an NTP Software File Auditor for NAS NetApp IBM N Series edition is used Please note that screenshots differ depending on the NTP Software File Auditor edition being installed Setting the NTP Software File Auditor Security Level The NTP Software File Auditor Properties tab enables you to set up several application properties including the application security level To adjust your NTP Software File Auditor application security level please follow these steps 1 On the left tree view expand the MySite node A Right click NTP Software File Auditor under My
18. Directory Name Host JahmediG na 31 rashad Start Date 10 14 2009 5 09 14 4M giil End Date 5 3 2011 5 44 11 AM E Access Type Directory Create Directory De 7 id 4 1 f6 gt H e O Alsa Bw we 100 Find Next Directory Audit From 10 14 2009 5 09 14 AM To 5 3 2011 5 44 11 AM Number of records 249 Directory S Access Access S Policy S Client S Name Type Date Name Name HOME BusinessShar Galactic com Plat na731 rashad Directory 1044 2009 MKT POL aasayed xp 4502 IG Machine esiMarketingwWser000 it Delete 7 59 04 AM Marketing Old Stuff HO ME SusinessShar Galactic com Plat na731 rashad Directory 1044 2009 MKT POL aasayed xp 4502 IG Machine esiMarketingwJser000 it Rename 7 58 47 AM Marketing New Folder HOME SusinessShar Galactic com Plat na731 rashad Directory 1044 2009 MKT POL aasayed xp 4502 IG Machine esiMarketingwJser000 t 7 57 31 AM Marketing iNew Folder HOME BusinessShar Galactic com Plat na731 rashad Directory aasayed xp 4502 Machine t es MarketingJser000 Rename 7 56 07 AM Marketing BiNew Folderi HOME BusinessShar Galactic com Plat na731 rashad _ Directory 10 14 2009 MKT POL aasayed xp 4502 IG Machine es MarketingJser000 t Create 7 56 04 AM Marketing New Folder c Directory Created This report allows you to review all the directories created The report s input is the date range and or the directory name and or the host name Th
19. E SMTP Domain SMTP DOMAIN HAME Sender s Address SENDER ADDRESS wo biy server requires authentication Username SERVER USERNAME User Domain USER DOMAIN Password Test Mail Settings Statue Not sent yet Cancel Apply Help L SE Copyright 2012 by NTP Software All rights reserved 10 Setting the NTP Software File Auditor Miscellaneous Options The NTP Software File Auditor Properties tab enables you to set up several application properties including the application miscellaneous options To adjust your NTP Software File Auditor application miscellaneous options please follow these steps 1 Right click NTP Software File Auditor under the main application container 2 Click Properties on the pop up menu 3 Click the Misc Options tab Clear the Inherit Directory Connector Properties box and select the appropriate directory connector option STP Software File 4uditor Configuration Inherit Directory Connector Properties Use Active Directory Connector to retrieve email addresses C Use LOAP Connector to retrieve email addresses Primary Host Secondany Host LOAF Mail Name LEAF Fort LEAF Pork LEAF Filter Hame Cancel Apply Help Copyright 2012 by NTP Software All rights reserved 11 Policy Creation This section outlines standard NTP Software File Auditor procedures for creating a File Auditor policy NOTES e NTP Software File Auditor monitors two main types of paths
20. NOTE You can view that feature if you have a NetApp Filer attached to the NTP Software File Auditor application b For the Celerra click the plus sign next to Celerra Directories to view the volumes located on that Celerra NOTE You can view that feature if you have an EMC Celerra attached to the NTP Software File Auditor application c For the EVS click the plus sign next to EVS Directories to view the volumes located on the EVS NOTE You can view that feature if you have an EVS attached to the NTP Software File Auditor application Copyright 2012 by NTP Software All rights reserved 21 Viewing Shares This section shows how you can view all the shared directories located on a certain Filer Celerra or EVS 1 In the NTP Software Smart Policy Manager hierarchy view locate the Filer Celerra Titan or Hitachi NAS with shared directories you want to view If necessary click the plus sign adjacent to this entry to expand the tree 2 Click the plus sign next to File Auditor a For the Filer click the plus sign next to Filer Shares to view the volumes located on that Filer NOTE You can view that feature if you have a NetApp Filer attached to the NTP Software File Auditor application b For the Celerra click the plus sign next to Celerra Shares to view the shared folders located on that Celerra NOTE You can view that feature if you have an EMC Celerra attached to NTP Software File Auditor applica
21. Apply the following steps to edit the cepp.conf file.
    NOTE: Replace server_2 with the name of the server you want to configure.
    1. Log on to the Celerra control station as su.
       a. Type mount server_2 mnt2 to mount the root filesystem. Create mnt2 if it does not exist, and replace server_2 with your server name if you are configuring a different server.
       b. Type cd mnt2 etc and look for the file cepp.conf. Create the file if it does not exist.
       c. Use vi to edit the cepp.conf file. Edit the servers field to use the IP address of the machine running NTP Software File Auditor. The result should look something like this:
          pool name cqm servers 10 30 3 5 7 preevents option ignore reqtimeout 5000 retrytimeout 750
    2. Type server_config server_2 v cepp stop and press Enter.
    3. Type server_config server_2 v cepp start and press Enter.
    These steps create the configuration that allows NTP Software File Auditor to register with and manage your Celerra. They must be completed before you attempt to configure NTP Software File Auditor.
    Adding a Celerra to the NTP Software File Auditor Policy Hierarchy
    Next, you need to add your EMC Celerra to the collection of servers being monitored by NTP Software File Auditor.
    1. Run NTP Software File Auditor Admin by clicking Start > All Programs > NTP Software File Auditor f
22. Services.
       b. Look for the NTP Software EMC Proxy Service entry and make sure its status is Started.
    - On the NTP Software File Auditor machine, you need to specify the machine on which NTP Software QFS resides. To do this, perform the following steps:
       a. Go to the following key in the registry editor: HKEY_LOCAL_MACHINE\SOFTWARE\NTPSoftware\File Auditor\ECS
       b. Create a string value called ProxyServer if it does not exist.
       c. Set the ProxyServer value to the machine IP or name of the NTP Software Quota and File Sentinel machine.
    - On the NTP Software File Auditor machine, make sure that the NTP Software EMC Proxy Service is disabled:
       a. Open the Windows Service Manager from Control Panel, Administrative tools, Services.
       b. Look for the NTP Software EMC Proxy Service entry, right-click this entry, and select Stop.
       c. Right-click the NTP Software EMC Proxy Service entry and select Properties; then, in the General tab, change Startup type to Disabled.
    [Screenshot: Registry Editor]
23. Site navigate to the Windows server node and select Properties from the Menu 3 Click the Security tab Clear the Inherit Security box and check the Enable Security checkbox Click Add to choose the users or groups for which you want to apply security options Enable Security ti Everyone Remove HNonGwner Permissions Local Policies Inherited Policies Properties Full Control Q o o Read Only id je yE None C Last Modified by Cancel Apply Help 4 Click the NAS EMC BlueArc Hitachi Connector tab to add remove the NetApp EMC Titan s Hitachi NAS es to be managed a SDA SO SSNS Copyright 2012 by NTP Software All rights reserved 6 Setting the NTP Software File Auditor Database The NTP Software File Auditor Properties tab enables you to set up several application properties including the application database Your application database configuration should be adjusted before creating any file audit policies because all of the events monitored through the File Auditor policies are saved to your configured database To configure the database please follow these steps 1 Right click NTP Software File Auditor under the main application container My Organization in this example 2 Right click NTP Software File Auditor under Organization Node and select Properties from the Menu 3 On the Database Configuration tab clear the Inherit Database Configuration box enter the correct informa
24. TF Software File Auditor administrative client If pou choose not to install these components you may still install the NTF Software File Auditor service but you will not be able to configure it fror this machine bea OINAS Connector Od MB of space required on the C drive 1721 70 MB of space available on the C drive Installshield IOIO Back Cancel IMPORTANT Because we only need the Admin User Interface to manage and configure the policies we checked the Admin Client only We are not seeking a full NTP Software File Auditor installation L S E Copyright 2012 by NTP Software All rights reserved 63 5 Specify the program folder using the default program folder is recommended and click Next The setup program adds program icons to the program folder NTP Software File Auditor for NAS Setup Select Program Folder Pleage select a program folder NTF Software File Auditor for HAS Access IBM ACCESSONEs Administrative Tools Adobe Audio Related Programs Canon iPT800 series Canon IP1800 seres Manual Canon Utilities Card Scanning Solutions netallsntrela 6 Click Next when the Start Copying Files dialog box appears assuming that the destination paths are correct NTP Software File Auditor setup begins transferring files to the specified locations NTP Software File Auditor for NAS Setup l x Start Copying Files T Review settings before copying files ae i iii SE ave
25. Installing the NTP Software Smart Policy Manager Admin Component
    1. Log onto your local computer using an account with administrator privileges.
    2. On the NTP Software Product Installation page, click your product installation link under the Product Components section.
    3. When prompted to install NTP Software Smart Policy Manager, click Yes to launch the Installation Wizard.
    [Dialog text: NTP Software Smart Policy Manager is not installed on your system. You need it to run this application. If you do not install Smart Policy Manager, the setup will exit. Do you want to install Smart Policy Manager at this time?]
    4. In the NTP Software Smart Policy Manager installation welcome dialog box, click Next.
    [Screenshot: Smart Policy Manager Setup Wizard welcome dialog]
    5. Select accept the terms of the license agreement in the License Agreement dialog box, and then click Next.
    [Screenshot: License Agreement dialog]
26. [Screenshot: User Audit report, Number of records: 1000]
    c. Access History: This report allows you to review all
27. Windows Registry Editor and go to the key HKEY_LOCAL_MACHINE SOFTWARE NTPSoftware File Auditor Bot and change the value DemoModeOn to 1.
    2. Restart the service and the BOT interface.
    3. You will notice some BOTs defined in the BOT editor: After Hours Access, HIPAA Auditing, Mgmt Admin Watch, Quota Share, Financial Qtr Rpts, Wikileaks, Disgruntled employee, Serial Edits.
    4. Open the BOT Editor and configure your email settings. Please refer to the Email Configuration section.
    5. Add your email to the Selected Targets list in the Notification settings for each BOT (at least one). Please refer to How to Define a BOT.
    6. Check your Inbox; you should find an email from the BOT service listing some demo operations.
    NTP Software Smart Policy Manager
    NTP Software Smart Policy Manager Overview
    The first step in using NTP Software File Auditor is to lay out your strategy for managing users' file and directory operations. Before doing this, though, let us look at our underlying policy-based rules engine, NTP Software Smart Policy Manager. NTP Software Smart Policy Manager allows you to monitor your users' file and directory operations in a way that is a unique fit to your organization. If you manage by geography or administrative unit, you can use that plan. If you manage by class of machine, that approach works just as well. Often companies use a mixed mode, perhap
28. f. Files Created: This type of report allows you to review all the files that have been created. The report's input is the date range and/or the file name and/or the file type and/or the user account. The report displays the file name, the directory path in which the file exists, the user name, the access type (which is file create), the access date, the policy name, the client name, and the share name within the specified criteria.
    [Screenshot: Files Created report, Number of records: 235]
29. all NTP Software File Auditor onto a node server, apply the following steps:
    1. It is necessary to install NTP Software File Auditor manually on each of the added nodes (on Node 1 in this example). Choose the option Adding to an enterprise installation during the local NTP Software Smart Policy Manager installation.
    2. Right-click the site container and select New > Container to create a container for the cluster. Give the new container the cluster name.
    [Screenshot: NTP Software Smart Policy Manager hierarchy view]
    3. Click the existing server node and, while holding down the mouse button, drag and drop the server onto the cluster container to
30. alog box. Click Next.
    [Screenshot: Select Features dialog]
    8. The Start Copying Files dialog box prompts you to begin copying files.
    [Screenshot: Start Copying Files dialog]
    9. When the file installation is complete, a dialog box offers you the opportunity to view the readme file, which may contain documentation updates and other items. If you do not want to view the readme file at this time, clear the option Yes
31. and search for users/groups in Active Directory, select the user/group and click OK. The selected user/group will be added to the Exempt users list.
    [Screenshot: New File Audit Directory Policy dialog; accounts listed: BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Replicator, NT AUTHORITY\SYSTEM]
    8. Click the Notifications tab, then click the Add button. On the Email Configurations Properties dialog General tab, specify the notification-related details, including the notification name, description, and message format. On the Email Settings tab, specify the email subject and the email body, customize the displayed information about the authorized users and the associating events, and choose the detail level. On the Notification Settings tab, specify the notification frequency along with the types of events you wish to receive. On the Recipients tab, specify the user(s) who should receive the email.
    [Screenshot: Email Configurations Properties dialog, General tab]
32. ans Hitachi NASs as full participants in storage environments audited by NTP Software File Auditor. In light of this fact, you will need to install the NAS EMC BlueArc Hitachi connector on one of the Windows 2000, Windows Server 2003, or Windows Server 2008 machines in your environment. This can be an existing server or workstation, or a standalone system.
    To be audited by NTP Software File Auditor, version 6.5 or later (excluding version 7.1) of the Data ONTAP operating system for Filers, or version 5.6.36.2 or later of the DART operating system for Celerras, or version 6.1.1684.18 of the BOS operating system for Titans, or version 6.1.1684.18 of the NOS operating system for Hitachi NASs is required.
    NTP Software File Auditor can be used to audit Filers, Celerras, Titans, Hitachi NASs, Filer clusters, Celerra clusters, Titan clusters, and Hitachi NAS clusters, or any combination of these systems. NTP Software File Auditor imposes no restrictions on how you monitor your file and directory operations. You can impose policies on individual files, directories, users, and/or groups of users.
    To install NTP Software File Auditor, a login with administrator rights is needed. You will be installing three different services: the NTP Software Smart Policy Manager service, the NTP Software File Auditor service, and the NAS BlueArc Hitachi connector service. Your hardware should be appropriate for the services running on each machine.
33. h. Deletion Compliance: This type of report allows you to review the files deleted over the specified compliance period. The report's input is the compliance period in months, the host name, and the file type. The report displays the files deleted over the specified period.
    [Screenshot: Deletion Compliance report]
    i. Owner Changed: This type of report allows you to review the file(s) whose owner(s) has changed. The report displays the name of the file whose owner has changed, the previous owner, the new owner, the host IP address, the user name, the policy name, the client a
34. e. Directory Deleted: This report allows you to review all the deleted directories. The report's input is the date range and/or the directory name and/or the host name. The report displays the name of the deleted directory, the user's name performing the directory delete operation, the date on which the directory was deleted, the name of the policy governing this directory deletion operation, the client name used to perform the directory delete operation, and the share name based on the specified criteria.
    [Screenshot: Directory Deleted report, Number of records: 18]
35. ctory you enter here will be appended to the managed directories or shares to make the full list of the exempted directories.
    10. Click the Audited Users and Groups tab; choose whether you want to audit all users within your environment or specify certain user(s) to audit.
    [Screenshot: New File Audit Directory Policy dialog, Audited Users and Groups tab]
    11. Click OK to close the New File Audit Directory Policy dialog box. NTP Software File Auditor will create the new directory policy, which will be inherited by all systems from this point down in your hierarchy.
    Viewing Directories
    This section shows how you can view all the directories that are located on a certain Filer, Celerra, or EVS.
    1. In the NTP Software Smart Policy Manager hierarchy view, locate the Filer, Celerra, or EVS containing directories you want to view. If necessary, click the plus sign adjacent to this entry to expand the tree.
    2. Click the plus sign next to File Auditor.
       a. For the Filer, click the plus sign next to Filer Directories to view the volumes located on that Filer
36. [Screenshot: File Audit report, Number of records: 1000]
    c. Files Changed: This report allows you to view all the changed files. The report input is the file name and/or the host name and/or the date range and/or the file type(s). The report displays the file name
37. [Screenshot: Historical Data (by user and date) page, with From/To date fields and a list of users, each name on a separate line, and a Retrieve Data button]
    4. File Auditor displays the specified date range, the specified users, and calculates the overall size of the data retrieved for the DX server. Review the details and click Confirm to proceed.
    [Screenshot: NTP Software File Auditor Reports, Historical Data confirmation page]
    NOTE: Please make sure your primary SQL Server has enough space for the retrieved data before you press the Confirm button.
    5. File Auditor will retrieve the old data and insert it in the same database that File Auditor uses.
    6. You can now select any report, and the report results will contain the historical data.
    The second method is as follows:
    1. Run NTP Software File Auditor Administrator by clicking Start > All Programs > NTP Software File Auditor for NAS > NTP Software File Auditor Reports. Selec
38. der Policy Using Directories
    3. In the New File Audit Directory Policy dialog box, click the General tab. Enter a name and a description for your new policy.
    [Screenshot: New File Audit Directory Policy dialog, General tab]
    4. Click the Monitored Events tab; check the event(s) you want to monitor from the list of events. Check the Store monitored events into the database checkbox if you wish to store the monitored events in the File Auditor database. You can clear the Store monitored events into the database checkbox if you wish to use the notifications option without recording the events to the File Auditor database.
    [Screenshot: New File Audit Directory Policy dialog, Monitored Events tab]
39. e NTP Software File Auditor user interface, the Filer, Celerra, or EVS is assigned to only one server node and must be reassigned manually from a previously assigned node. A Filer, Celerra, or EVS cannot communicate with more than one NTP Software File Auditor server at a time.
    Installing the NTP Software File Auditor in Clustered Environments
    To install NTP Software File Auditor in a clustered environment, apply the following steps:
    1. Install NTP Software File Auditor on a server as described in NTP Software File Auditor installation guides.
    2. After NTP Software File Auditor is installed successfully, open NTP Software File Auditor to find the global container (My Organization in this example) at the top of the hierarchy. Click the plus sign to expand the container.
    3. Click the plus sign to expand your site container (My Site in this example) in the second tier of the hierarchy. Notice the installation server (Primary Server in this example) in the third tier of the hierarchy. The NTP Software File Auditor application is also in the third tier.
    [Screenshot: NTP Software Smart Policy Manager hierarchy view]
40. e count of each operation performed, including the count of the deleted/renamed/moved files, the count of the created/changed/owner changed/permission changed files, the count of the created/deleted directories, and the count of the renamed directories/files. In addition, it displays a list of the most used client names along with the count of operation(s) performed using the specified IP address.
    [Screenshot: summary report showing operation counts, last activity date/time, and the top 5 used client machines]
    b. User Audit: This report allows you to review all the file and directory operations performed by user(s). The report input is the user account and/or the access type and/or the date range and/or the host name. The report displays the user's name, the object name, the directory path, the host name, the operation performed, the date the operation was performed, the policy name, the client, and the share name within the specified criteria.
41. [Screenshot: database maintenance settings, with a maximum number of records field, the Required Action options (Overwrite old records, Export as XML, Export as raw data), and an Export Path field]
    On the Database Maintenance Settings dialog, under the Age Limit section, use the Remove records older than field to set the number of days/weeks/months/years File Auditor should keep records in the primary database, after which File Auditor will attempt to back them up. Based on the Required Action field, File Auditor can delete old records from the database, export old records to a comma-separated file, export aging records to an XML file, export aging records to a database you specify on the SQL server instance you specify, or use On Demand Data Movement (ODDM) to back up old records. File Auditor Reports retrieve old records for reporting purposes.
    You can configure File Auditor to use your On Demand Data Movement (ODDM) by setting two fields; those are:
    • The temp share, which is a temporary share on your primary server that ODDM uses as a source for files to back up. The Service account for File Auditor services must have Read, Write, and Delete permissions on this share. For information about ODDM Primary Servers, please refer to the NTP Software ODDM Administration Web Site User Manual.
    • The Web Service, which is a URL to the ODDM Web Ser
42. e report displays the name of the created directory, the user's name performing the directory create operation, the date on which the directory was created, the name of the policy governing this directory creation operation, the IP address of the machine used to perform the directory create operation, and the share name based on the specified criteria.
    [Screenshot: Directory Created report, Number of records: 126]
43. 4. Right-click the site container (My Site in this example), and then select New > Container from the pop-up menu to create your cluster container. Give the new container the name of the cluster. In the example, we have used Cluster 1 as the name.
    [Screenshot: NTP Software Smart Policy Manager hierarchy view showing the Cluster 1 container]
    5. Right-click the cluster container (Cluster 1 in this example) and select New > NTP Software File Auditor from the pop-up menu. It is necessary to install NTP Software File Auditor manually on each server you want to add to the tree (Node 1 and Node 2 in this example). Choose the option Adding to an enterprise installation during the local NTP Software Smart Policy Mana
44. Installing the NTP Software File Auditor in Clustered Environments
    Installing the NTP Software File Auditor Onto a Node Server
    Network Attached Storage (NAS) Preparations
    Preparing the NetApp Filer
    Enabling the fpolicy Management Service (NetApp Filers)
    Adding Your Filer to the NTP Software File Auditor Policy Hierarchy
    Preparing EMC Celerra to be managed by File Auditor
    Preparing File Auditor Windows Machine (Scenario A)
    Adding a Celerra to the NTP Software File Auditor Policy Hierarchy
    Preparing File Auditor Windows Machine (Scenario B)
    Preparing the BlueArc Titan or Hitachi NAS
    Preparing the BlueArc Titan Hitachi NAS for NTP Software File Auditor Management
    Adding an EVS to the NTP Software File Auditor Policy Hierarchy
    About NTP Software
45. efinition is not met. The Notify if matches found or not sends an email notification every time the BOT executes.
    15. Save the BOT after specifying the BOT criteria. You must save the changes before selecting another BOT from the existing BOTs list; otherwise, you will lose your changes. You may choose to close at any time.
    16. Use the History tab to check the scans done, along with the matches that the BOT found with the File Auditor database, if any.
    [Screenshot: History tab listing each scan's Started and Finished times and its results]
    Default BOTs
    File Auditor BOTs ship with a set of default BOTs; they provide examples of how File Auditor BOTs are used. The user can also edit the default BOTs to satisfy his needs.
    [Screenshot: NTP Software File Auditor BOTs list: After Hours Access, HIPAA Auditing, Ownership Change Audit, Permission Change Audit, Large File Audit, Financial Qtr Rpts, Wikileaks, Disgruntled employee, Serial Edits]
    1. After Hours Access: This BOT is used to discover any operations done after hours. It runs ever
46. enamed: This type of report allows you to review all the files that have been renamed. The report's input is the file name and/or the host machine name and/or the date range and/or the file type. The report displays the original file name before the change, the new file name after the rename, the directory path in which the file is located, the user name, the date the file was accessed, the policy name, the client name, and the share name within the specified criteria.
    [Screenshot: Files Renamed report, Number of records: 152]
47. Policy by Date: This report allows you to review all the policy details within a certain date range. The report's input is the date range and/or the policy name. The report displays the policy name, the user name, the directory path on which the policy applies, the access type, the access date, the machine IP address, and the share name within the specified criteria.
    Directory Summary: This report allows you to review the count of all the audited directories. It also displays a breakdown for the count of deleted, renamed, or created directories. You can click the count next to any directory operation to display a detailed list of the specified directory operation.
    b. Directory Audit: This report allows you to review all the directory operations performed. The report's input is the directory name and/or the host name and/or the date range and/or the access type. The report displays the directory name, the user name accessing the directory, access type, access date, the name of the policy applied on the directory, the client name, and the share name. You can choose to display the previous information within a certain date range and/or for a certain access type(s) and/or for a certain directory name
48. fications. The Potential Notification Targets lists the available email accounts from which you can select. If you move an email from the Potential Notification Targets list to the Selected Notification Targets list, the BOT will notify these users.
    [Screenshot: NTP Software File Auditor BOTs Configuration, Notifications tab]
    13. You may add email accounts from the Add Email Target panel by providing the target name and the email address. Click the Add button.
    [Screenshot: Add email target panel with Name and E-mail fields]
    14. Specify when notifications should be sent.
    [Screenshot: Notification type options: Notify if matches found, Notify if matches not found, Notify if matches found or not]
    NOTES: The Notify if matches found sends an email notification only if the criteria defined in BOT definition is met. The Notify if matches not found sends an email notification only if the criteria defined in BOT D
49. file delete operation and the share name based on the specified criteria.
[Report screenshot: Deleted files by directory; Number of records 28; columns include Size, Delete Date, Client Name, Share Name]
g. Deleted Files Count by Directory
This report allows you to review the number of de
50. files in the last hour
File Auditor Database and Email Settings
File Auditor Business Overwatch Tasks scan the File Auditor database and send email notifications once they find the pattern you defined for a task. This section shows how to point File Auditor BOTs to a certain File Auditor database and how to add your email server configurations.
Database Settings
Once the BOT editor starts, it will load all the BOTs defined in the database that you entered while installing File Auditor. You can also point the BOT Editor to a different database.
[Screenshot: BOT Editor, Database Configurations dialog with Server, Database, logon method (Windows Authentication or SQL user name and password) and Test Connection]
Email Configuration
You can configure the email server that File Auditor BOTs should use
51. ger installation on each node and point to the first NTP Software File Auditor server.
6. Open the cluster container in the NTP Software Smart Policy Manager hierarchy and use the drag and drop method to move the nodes into the cluster container. They will appear at the same level as the container File Auditor application as shown here.
[Screenshot: NTP Software Smart Policy Manager hierarchy showing Cluster 1 with Node 1 and Node 2]
7. Click the plus sign next to the NTP Software File Auditor application you have just added to view the global cluster policies. Create all policies within this application that will be applied to both nodes. They will be propagated automatically to all nodes within the container.
Installing the NTP Software File Auditor onto a Node Server
This feature enables administrators to group servers, Filers, and Celerras logically to reflect their organizational physical structure, creating policies under a node that can be inherited by all the machines of that node. To inst
52. he collection of servers recognized by NTP Software File Auditor, right-click the Filer you just added and select New > File Auditor Application. Next, you need to associate the policies you will create here with a Filer. In the NTP Software Smart Policy Manager hierarchy view (the left pane), click the plus sign adjacent to the name of the Windows-based server on which you installed NTP Software File Auditor. Right-click File Auditor under that entry and select Properties to open the NTP Software File Auditor Configuration screen. Click the NAS Connector tab. Click the Add button. Enter the name of your Filer/vFiler and click OK.
10. Click OK in the NTP Software File Auditor Configuration screen. You are now ready to move on and create some File Auditor policies.
Preparing the EMC Celerra
NOTE: Refer to this section only if you have one or more EMC Celerras attached to your environment. If you do not have EMC Celerras, you should not apply the instructions specified in this section.
Preparing EMC Celerra to be managed by File Auditor
Preparing File Auditor Windows Machine: Scenario A
This section describes how to prepare your EMC Celerra if you have either of the following environments:
- If you do not have an NTP Software Quota and File Sentinel (QFS) installation in your environment
- If you have NTP Software and NTP Software Quota and File Sen
53. icating your acceptance of the terms of this license. If you do not agree to the terms of this license, please return the product UNOPENED to your place of purchase for a full refund. GRANT OF LICENSE: NTP Software grants you the right to use Smart Policy Manager (PRODUCT) on one computer solely for your or your company's own internal use. In addition to the specified quantity of copies, you may make one (1) additional copy as a backup to the original. However, you may not cause the software to execute or be loaded into the active memory of more computers than the above specified quantity at any one time. In addition, the PRODUCT is licensed solely for the management of local storage
6. In the Choose Destination Location dialog box, browse to the needed location and then click Next.
[Screenshot: NTP Software Smart Policy Manager Setup Wizard, Choose Destination Location dialog]
7. Select only the Smart Policy Manager Admin component in the Select Features di
54. [Screenshots: Email Configurations Properties dialog, with General Email Settings (email subject, email body, columns to display, order by), Notification Settings (notification frequency, event types to receive) and Recipients (Notify Owner, Notify Other Recipients, Other Recipients List)]
9. Click the Exempted Subdirectories tab. Click the Add button and type the subdirectory you want to exempt from the monitored directories list.
[Screenshot: New File Audit Directory Policy dialog, Exempted Subdirectories tab]
55. ing you to administer the NTP Software File Auditor service running on a different machine. This kind of NTP Software File Auditor Admin Client installation enables NTP Software File Auditor administrators to administer NTP Software File Auditor easily when it is installed on all the servers over the entire network. This can be done through a local user interface that is easily installed on the administrator's local machine. For an NTP Software File Auditor administrator to be able to use the NTP Software File Auditor Admin Client, the NTP Software Smart Policy Manager Admin and NTP Software File Auditor Admin components should be installed on the administrator's local machine per the following instructions.
IMPORTANT NOTES:
- There is a slight difference in the installation of NTP Software Smart Policy Manager and NTP Software File Auditor on an NTP Software File Auditor Server versus the installation on an administrator's local machine.
- The NTP Software File Auditor Admin Client user interface uses RPC to communicate with the NTP Software Smart Policy Manager service. Therefore, the NTP Software File Auditor administrator needs to have permissions to run and execute RPC on the managed machine. A standard user does not have RPC permission by default. Thus, if the user performing the administration is not an administrator in the domain, the user needs to be added to the Distributed COM Users group on the machine to be managed.
56. ion ignore or denied reqtimeout <time out in ms> retrytimeout <time out in ms>
ADDITIONAL NOTES
Each event can include one or more (or all) of the following events:
- OpenFileNoAccess
- OpenFileRead
- OpenFileWrite
- CreateFile
- CreateDir
- DeleteFile
- DeleteDir
- CloseModified
- CloseUnmodified
- RenameFile
- RenameDir
- SetAclFile
- SetAclDir
Postevents and posterrevents are not supported in NTP Software File Auditor. We recommend turning them off to improve performance. Dropping those two fields from the CEPP will stop the Celerra from generating events of those types. At least one event, one pool, and one server per pool must be defined.
Recommended timeout values:
- The recommended value for reqtimeout is 5000.
- The recommended value for retrytimeout is 750.
Apply the following steps to edit the cepp.conf file:
1. Log onto the Celerra control station as su.
a. Type mount server_2 mnt2 to mount the root filesystem. Create mnt2 if it does not exist, and replace server_2 with your server name if you are configuring a different server.
b. Type cd mnt2 etc and look for the file cepp.conf. Create the file if it does not exist.
c. Use vi to edit the cepp.conf file. Edit the servers field to use the IP address of the machine running NTP Software File Auditor and the machine running NTP Software QFS. The result should lo
57. itor operations on files with the specified extension. Only one extension is allowed. Wildcards are used, e.g. mp will match with file extensions as mp3 or mp4.
h. Wildcards supported are Zero or more characters, Exactly one character.
8. On the Schedule tab, select whether the BOT is to run only once or recurrently.
9. Select the BOT start time.
10. If you selected the BOT to be recurring, select how often it should run. When the BOT runs, it will notify the administrator about any behavior that matches the BOT that occurred during the specified time period. The minimum reoccurring time is 5 minutes.
11. You can enable/disable the BOT by checking/un-checking the Enabled checkbox. A disabled BOT will not send notification emails or generate history.
12. From the Notifications tab, specify the email accounts to receive notifications when the BOT runs. The Selected Notifications Targets lists the recipients of noti
58. leted files with a directory. The report's input is the date range and/or the directory name. The report displays the folder path and the number of files deleted within the specified directory/directories within the specified date range.
[Report screenshot: Deleted files count by directory; Number of records 21; column Number of files]
h. Most Accessed Directories
This report allows you to review the most accessed directories. The report's input is the date range and/or number of most accessed directories to display. The report displays the directory path and the number of times each directory was accessed.
[Report screenshot: Most accessed directories]
59. d. Most Active Users
This report allows you to review the most active users, with the users' activities sorted in a descending or ascending order. The report input is the date range and/or the number of most active users to view. The report displays the user name and the number of activities performed by this user within the specified criteria.
[Report screenshot: Most active users; Number of records 5; column Number of activities]
60. manage, perform the following steps.
NOTES:
- If your QFS installation is older than version 7.1, you cannot manage the same EMC Celerra that QFS manages with File Auditor.
- If QFS and File Auditor are both installed on the same machine, consult the section Prepare EMC Celerra to be managed by File Auditor.
- If you do not have QFS in your environment, consult the section Prepare EMC Celerra to be managed by File Auditor.
Configure EMC Celerra Event Enabler (CEE)
Follow these steps to prepare the Windows machine that hosts NTP Software QFS:
- Before installing NTP Software QFS, you have to make sure that Celerra Event Enabler (CEE) version 4.2.2 or later is appropriately installed and configured in your environment. Contact EMC for further information on this configuration.
- NTP Software File Auditor requires the EMC Celerra to run DART version 5.6.36.2 or later. If your Celerra is not running version 5.6.36.2 or later, you must upgrade your operating system before you proceed. Refer to your EMC documentation for instructions.
- After installing the Celerra Event Enabler on the NTP Software QFS machine, you need to specify the software with which the CEE will register. To do this, set ntp for the following key: HKEY_LOCAL_MACHINE SOFTWARE EMC CelerraEvent Enabler CEPP CQM Configuration EndPoint
- Make sure that the NTP Software EMC Proxy Service is started.
a. Open the Windows Service Manager from Control Panel Administrative tools
61. me, the user name, the date the directory was moved, the policy name, the client name, and the share name.
[Report screenshot: Directory Moved; Number of records 2; columns Destination Path, Host, User Name, Move Date, Policy Name, Client Name, Share Name. The report carries the note: "Records from 2/1/2011 5:50:56 AM to 3/7/2011 6:30:07 AM are archived and must be retrieved before they will appear in this report. Click here to retrieve archived records."]
Retrieving Records Archived via ODDM
There are two methods to retrieve the archived records. The first method is as follows:
1. Run NTP Software File Auditor Administrator by clicking Start > All Programs > NTP Software File Auditor for NAS > NTP Software File Auditor Reports.
2. Click Prepare Historical Data.
3. Specify the time period and the user(s) you wish to retrieve their activities. Click the Retrieve Data button.
[Screenshot: Historical Data By user an
62. move the server into the cluster hierarchy.
4. Right-click the cluster container and select New > NTP Software File Auditor from the pop-up menu.
5. To view the global cluster policies, click the plus sign next to the NTP Software File Auditor application you have just added.
[Screenshot: NTP Software Smart Policy Manager hierarchy showing the Cluster 1 container and its File Auditor application]
Create all policies within this application that will be applied to both nodes. They will be propagated down automatically to all nodes within the container.
Network Attached Storage (NAS) Preparations
Preparing the NetApp Filer
NOTE: Refer to this section only if you have NetApp Filers attached to your environment. If
63. nd the share name within the specified criteria.
[Report screenshot: File Owners Changed, from 3/14/2011 4:11:45 PM to 3/15/2011 4:02:02 PM; Number of records 180]
64. ner Change events, then you should disable CIFS SetAttr feature.
These steps create the configuration that allows NTP Software File Auditor to register with and manage your Filer. They must be completed before you try to configure NTP Software File Auditor. Later in this document, a File Auditor policy server will be registered with the Filer. No further Filer administration is required.
NOTES:
- Data ONTAP versions 7.0.6 and 7.2.2 contain a number of fixes that address stability and memory issues related to fpolicy functionality in Data ONTAP. For NetApp Filers, NetApp strongly recommends that customers using fpolicy move to one of these Data ONTAP versions or later (excluding version 7.1).
- The Data ONTAP 7.1 release family is currently not supported with fpolicy.
Adding Your Filer to the NTP Software File Auditor Policy Hierarchy
Next, you need to add your Filer to the collection of servers being monitored by NTP Software File Auditor.
Run NTP Software File Auditor Admin by clicking Start > All Programs > NTP Software File Auditor for NAS > NTP Software File Auditor for NAS Admin. Right-click My Site and select New > Filer. You will be prompted to enter a name. The name you enter here must match the name of your NetApp Filer. Now that you have added your Filer to t
65. Retrieving Records Archived via ODDM
File Auditor Business Overwatch Tasks (BOTs)
Defining or Editing a BOT
[garbled entry] BOT
File Auditor Database and Email Settings
Database Settings
Email Configuration
File Auditor BOTs Demo Mode
NTP Software Smart Policy Manager
NTP Software Smart Policy Manager Overview
Managing the NTP Software File Auditor Service through an NTP Software File Auditor Admin Client Running on a Different Machine
Installing the NTP Software Smart Policy Manager Admin Component
Installing the NTP Software File Auditor Admin Component
Administering NTP Software File Auditor through an NTP Software File Auditor Admin Client Running on a Different Machine
Installing File Auditor in Clustered Environments
66. ok something like this: pool name cqm servers 10.30.3.57 10.30.3.58 preevents option ignore reqtimeout 5000 retrytimeout 750
2. Type server_config server_2 v cepp stop and press Enter.
3. Type server_config server_2 v cepp start and press Enter.
NOTE: Replace server_2 with the name of the server you want to configure.
These steps create the configuration that allows NTP Software File Auditor to register with and manage your Celerra. They must be completed before you try to configure NTP Software File Auditor.
Adding a Celerra to the NTP Software File Auditor Policy Hierarchy
Next, you need to add your EMC Celerra to the collection of servers being monitored by NTP Software File Auditor.
Run NTP Software File Auditor Admin by clicking Start > All Programs > NTP Software File Auditor for NAS > NTP Software File Auditor for NAS Admin. Right-click My Site and choose New > Celerra. You will be prompted to enter a name. The name you enter here must match the name of your CIFS server. Now that you have added your CIFS server to the collection of servers recognized by NTP Software File Auditor, right-click the CIFS server you just added and select New > File Auditor Application. Next, you need to associate the policies you will create here with a CIFS server. In the NTP Software Smart Policy Manager hierarchy view (the left pane), click the plus
67. [Screenshot: dialog for selecting the Smart Policy Manager Server to connect to, with MYSERVER entered; if no Smart Policy Manager Server is specified, the local server will be used]
NOTE: The Smart Policy Manager Admin component is installed on the local machine, so there is no Smart Policy Manager service installed. Thus, NTP Software File Auditor cannot talk to the local Smart Policy Manager service because it does not exist, so we specify the Smart Policy Manager service with which NTP Software File Auditor should communicate. In very large organizations, you may have offices all over the world. Make sure you connect to the server(s) at a reasonable distance to maintain good speed.
As shown, the NTP Software File Auditor Admin Client user interface is displayed with MYSERVER as a node in the left menu tree and all the NTP Software File Auditor policy details. To connect to more than one Smart Policy Manager service at the same time, click File > Active Server and then insert the server name or the server IP address. This allows you to add all the servers on your entire network and administer them as needed.
Installing File Auditor in Clustered Environments
NOTES: NTP Software File Auditor requires a manual setup by an administrator for clustered environments. Although the Connector service can be started on the servers on which NTP Software File Auditor was installed in th
68. or NAS > NTP Software File Auditor for NAS Admin. Right-click My Site and choose New > Celerra. You will be prompted to enter a name. The name you enter here must match the name of your CIFS server. Now that you have added your CIFS server to the collection of servers recognized by NTP Software File Auditor, right-click the CIFS server you just added and select New > File Auditor Application. Next, you need to associate the policies you will create here with a CIFS server. In the NTP Software Smart Policy Manager hierarchy view (the left pane), click the plus sign adjacent to the name of the Windows-based server on which you installed NTP Software File Auditor. Right-click File Auditor under that entry and select Properties to open the NTP Software File Auditor Configuration screen. Click the EMC Connector tab. Click the Add button. Enter the name of your CIFS server, the control station IP, user name, and password, and then click OK.
10. Click OK in the NTP Software File Auditor Configuration screen. You are now ready to move on and create some File Auditor policies.
Preparing File Auditor Windows Machine: Scenario B
This section describes how to prepare your EMC Celerra. If you have an installation of NTP Software Quota and File Sentinel (QFS) 7.1 or higher on a different machine and you want QFS to manage the same EMC Celerra that File Auditor will
69. or the BOT
c. The User defines the full name of the user a BOT monitors. Leave this field blank if you wish to search for all operations done by all users. This field does not accept account names and does not accept group names; only full names are accepted. Wildcards and can be used, e.g. you can enter Mark which will match all users whose first name is Mark.
d. The Client System name or IP defines the computer name/IP a BOT monitors. Leave this field blank to monitor access from all computers. This field accepts only one computer name or one IP. Wildcards are used. Examples:
- To match a range of IPs, the IP can be entered as 10.20.2; this will match any IP in the range 10.20.2.0 to 10.20.2.255.
- To match only the range of IPs from 10.20.2.1 to 10.20.2.9, the filter 10.20.2 is used.
e. The Path defines the path the BOT monitors. The BOT will only monitor operations on files or directories that reside on the specified path. Only one path is supported for each BOT. Wildcards are used, e.g. vol volO Users; this will match with any subdirectory of Users.
f. The File or Directory Name defines a certain file or directory name to match. Only one file or directory name is allowed. Wildcards are used, e.g. Sales; this will match all folders/files that contain the word Sales.
g. The Extension defines the extension the BOT monitors. The BOT will mon
70. please close the dialog box and rerun the report.
[Screenshot: Historical Data By user and date; Data retrieved successfully]
8. The report will show the date with the archived records included.
File Auditor Business Overwatch Tasks (BOTs)
File Auditor Business Overwatch Tasks (BOTs) are configured to run regularly against the File Auditor database to detect users' unexpected behavior. For example, BOTs can warn administrators when a user downloads hundreds of files or gains access to secure or sensitive information; they can also warn of hacking attacks, when a user deletes important files, etc. When a BOT runs, it searches the database for a specified user activity and notifies administrators accordingly via email.
NOTE: For File Auditor BOTs to function properly, a File Auditor policy must exist that monitors your NAS Device and is configured to store users' activity into a database.
Defining or Editing a BOT
A BOT has the following main parameters:
1. Definition
2. Schedule
3. Notifications
[Screenshot: NTP Software File Auditor BOTs Configuration, Definition tab with BOT Name, Operations and Time Period Options]
71. r EVS.
10. Click OK.
11. Click OK in the NTP Software File Auditor Configuration screen. You are now ready to move on and create some File Auditor policies.
About NTP Software
NTP Software puts users in charge of their file data and is the only company providing file data management solutions that deliver all of the enterprise-class features needed to understand, manage, monitor, and secure file data completely. NTP Software is a global leader and has been chosen by the majority of Fortune 1000 companies and thousands of customers in private and public sectors for providing leadership through superior solutions, professional services, experience, and trusted advice. NTP Software delivers a single solution across the entire data storage environment, from individual files and users to an entire global enterprise across thousands of systems and sites. NTP Software reduces the cost and complexity associated with the exponential growth of file data and is located on the web at www.ntpsoftware.com.
NTP Software Professional Services
NTP Software's Professional Services offers consulting, training, and design services to help customers with their storage management challenges. We have helped hundreds of customers to implement cost-effective solutions for managing their storage environments. Our services range from a simple assessment to in-depth financial analyses. For further assistance in creating the most
72. g. Files Moved
This type of report allows you to review all the files that have been moved. The report's input is the date range and/or the file name and/or the file type and/or the host name. The report displays the file name, the source path and the destination path of the moved file, the host name, the date on which the file was moved, the policy name, the machine IP address, and the share name within the specified criteria.
[Report screenshot: Files Moved, from 10/14/2009 5:09:14 AM to 5/3/2011 3:19:17 PM; Number of records 103; columns Source Path, Destination Path, User Name, Move Date, Policy Name, Client Name]
73. rver command line interface (CLI) using the following command:
    localgroup add Backup Operators <FQDomainName AccountName>
    3. The File Filtering feature must be enabled. To enable it, use the following command:
    fsm set allow ntp file filtering true
    Adding an EVS to the NTP Software File Auditor Policy Hierarchy
    Next, you need to add your EVS to the collection of servers being managed by NTP Software File Auditor.
    1. Run NTP Software File Auditor Admin by clicking Start > All Programs > NTP Software File Auditor for NAS > NTP Software File Auditor for NAS Admin.
    2. Right-click My Site and choose New > EVS.
    3. You will be prompted to enter a name. The name you enter here must match the name of your EVS.
    4. Now that you have added your EVS to the collection of servers recognized by NTP Software File Auditor, right-click the EVS you just added and select New > File Auditor Application.
    5. Next, you need to associate the policies you will create here with an EVS. In the NTP Software Smart Policy Manager hierarchy view (the left pane), click the plus sign adjacent to the name of the Windows-based server on which you installed NTP Software File Auditor.
    6. Right-click File Auditor under that entry and select Properties to open the NTP Software File Auditor Configuration screen.
    7. Click the BlueArc Hitachi Connector tab.
    8. Click the Add button.
    9. Enter the name of you
74. s geography, a department, and a machine type. NTP Software Smart Policy Manager has the flexibility you need to make using NTP Software File Auditor simple. Once you have laid out your management structure, NTP Software Smart Policy Manager provides policy replication throughout your enterprise. It allows machines to access the policies in their containers and inherit policies from all levels above that point in your hierarchy. You no longer need to configure and manage the machines on your network one by one. As you start to configure the software you have installed, begin with the top-level container under the root organization (in the following example, My Site). This is the Global Network configuration, whose container is created during installation.
    [Screenshot: NTP Software Smart Policy Manager hierarchy view, showing My Organization, My Site, File Auditor, Server 1, File Audit Policies, Filer Directories, and Filer Shares.]
    Managing the NTP Software File Auditor Service through an NTP Software File Auditor Admin Client Running on a Different Machine
    This section provides step-by-step instructions for installing the NTP Software File Auditor Admin Client enabl
75. d. Directory Renamed
    This report allows you to review all the renamed directories. The report's inputs are the directory name and/or the host name and/or the date range. The report displays the original directory name before the renaming operation, the new directory name after renaming, the user's name performing the directory rename operation, the date on which the directory was renamed, the name of the policy governing this directory rename operation, the IP address of the machine used to perform the directory rename operation, and the share name based on the specified criteria.
    [Report screenshot: Directory Renamed, from 10/14/2009 5:09:14 AM to 5/3/2011 5:47:12 AM; number of records: 103. Columns: Original Directory Name, New Directory Name, User Name, Rename Date, Policy Name, Client Name, Share Name.]
76. t any report you wish to view, specify the report input, and click View Report. File Auditor Reports will look up the database to see if there are any archived files based on the criteria specified. If archived data exists that has not previously been retrieved, File Auditor will display the following note:
    Note: Records from oldest archived record to newest archived record are archived and must be retrieved before they will appear in this report. Click Here to retrieve archived records.
    Click the Click Here to retrieve archived records option, and File Auditor will display the specified date range and the specified users and will calculate the overall size of the data retrieved for the DX server. Review the details and click Confirm to proceed.
    [Screenshot: NTP Software File Auditor Reports, Historical Data (by user and date), confirmation of the data to be retrieved.]
    6. A progress dialog will show the progress of the data retrieval.
    [Screenshot: Historical Data (by user and date), retrieving data.]
    7. Once the data has been retrieved
77. t cost-effective Storage Management Infrastructure, please contact your NTP Software Representative at 800-266-2755 or 603-622-4400.
    The information contained in this document is believed to be accurate as of the date of publication. Because NTP Software must constantly respond to changing market conditions, what is here should not be interpreted as a commitment on the part of NTP Software, and NTP Software cannot guarantee the accuracy of any information presented after the date of publication. This user manual is for informational purposes only. NTP SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. NTP Software and other marks are either registered trademarks or trademarks of NTP Software in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners. NTP Software products and technologies described in this document may be protected by United States and/or international patents.
    NTP Software, 20A Northwest Blvd 136, Nashua, NH 03063. Toll Free: 800-226-2755. International: 1-603-622-4400. Web Site: http://www.ntpsoftware.com
    Copyright 2012 NTP Software. All rights reserved. All trademarks and registered trademarks are the property of their respective owners. Doc 4372EF
78. [Screenshot: Monitored Events tab, with options including Directory Rename, Directory Delete, Directory Move, File Open for Read, File Open for Write, Owner Change, Permission Change, and Store monitored events into the database.]
    5. Click the File Criteria tab. Click the Add button and select the files that you wish to monitor; the associated patterns will be displayed automatically. You can also specify a custom pattern. Examples of custom patterns are using to manage all files and using rtf doc to manage all Word files.
    NOTE: If the Patterns list is empty, the policy will audit all of the file(s).
    [Screenshot: New File Audit Directory Policy dialog, File Criteria tab.]
    6. Click the Directories tab. Click the Add button and type the appropriate directory path for your Users directory, followed by a backslash.
    7. Usually administrators, backup operators, replicator, and the system account are exempt from policies. You can verify this fact by clicking the Exempt Users and Groups tab. To change this setting, select the appropriate entry and click Remove. To add an account, click the Add button, browse
79. [Screenshot: BOT Editor Definition tab, showing the time period options and the event, user, client machine, path, file name, and file extension criteria.]
    To define a new BOT or edit an existing one, please perform the following steps:
    1. On the Start menu, navigate to Programs > NTP Software File Auditor > NTP Software File Auditor BOT configuration.
    2. Click the Add New Task button or File > New BOT, or select an existing BOT to edit from the list on the left panel.
    [Screenshot: BOT list in the left panel: After Hours Access, HIPAA Auditing, Ownership Change Audit, Permission Change Audit, Large File Audit, Financial Qtr Rpts, Wikileaks, Disgruntled employee, Serial Edits, Add new task.]
    3. On the Definition tab, specify the BOT name.
    4. Use the Time Period Options to set the
80. ted. The report's input is the file name and/or the host name and/or the date range and/or the file type. The report displays the file name, the directory path in which the file was located, the user name, the date the file was last accessed, the policy name, the client name, and the share name within the specified criteria.
    [Report screenshot: Files Deleted; number of records: 26. Columns: Directory Path, User Name, Delete Date, Policy Name, Client Name, Share Name.]
    e. Files R
81. the file and directory operations performed within a specified number of days. The report input is the user account and/or the number of day(s) in which the file/directory was accessed and/or the file name and/or the access type performed on the file/directory. The report displays the user's name, the object name, the directory path, the operation performed, the date the operation was performed, the policy name, the client name, and the share name within the specified criteria.
    [Report screenshot: Access History; number of records: 92. Columns: User Name, Directory Path, Access Type, Access Date, Policy Name, Client Name.]
82. tinel QFS installed on the same machine. If your QFS installation is older than version 7.1, you cannot manage the same EMC Celerra that QFS manages with File Auditor. If your QFS installation is on a different machine, consult the section Prepare EMC Celerra to be managed by File Auditor and QFS each installed on a separate machine.
    Configuring EMC Celerra Event Enabler (CEE)
    Follow these steps to prepare the Windows machine to host NTP Software File Auditor:
    1. Before installing NTP Software File Auditor, you have to make sure that Celerra Event Enabler (CEE) version 4.2.2 or later is appropriately installed and configured in your environment. Contact EMC for further information on this configuration.
    2. NTP Software File Auditor requires the EMC Celerra to run DART version 5.6.36.2 or later. If your Celerra is not running version 5.6.36.2 or later, you must upgrade your operating system before you proceed. Refer to your EMC documentation for instructions.
    3. After installing the Celerra Event Enabler on the NTP Software File Auditor machine, you need to specify the software with which the CEE will register. To do this, set ntp for the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CelerraEventEnabler\CEPP\CQM\Configuration\EndPoint
    Preparing the EMC Celerra for NTP Software File Auditor Management
    For any Celerra that will be managed by NTP Software File Audi
83. tion.
    c. For the EVS, click the plus sign next to EVS Shares to view the shared folders located on that EVS.
    NOTE: You can view that feature if you have an EVS attached to NTP Software File Auditor application.
    NTP Software File Auditor Reports
    The NTP Software File Auditor reporting tool allows you to view the file and directory operations that took place at your environment in an easy and efficient display. Reports are categorized by user, file, policy, and folder. To view NTP Software File Auditor Reports, please follow the following steps:
    1. Run NTP Software File Auditor Administrator by clicking Start > All Programs > NTP Software File Auditor for NAS > NTP Software File Auditor Reports.
    In the left pane, click the report type you want to display. In the upper pane, specify the search criteria, then click View Report. In the lower pane, check the report output. NTP Software File Auditor also allows you to export the report to different formats. Those include XML, CSV, TIFF, PDF, Web Archive, or Excel.
    Listed as follows are the different types of reports provided by NTP Software File Auditor:
    1. The User Reports category has four different views: the User Summary, the User Audit, the Access History, and the Most Active Users.
    a. User Summary
    This report allows you to search by user name. Clicking on a specific user name, you can review th
84. tion in each of the text boxes as appropriate for your database and click OK.
    NOTE: My Organization is the main application container, so the database configuration specified here is inherited by any other server created within the tree. This saves the administrators from having to enter the database configuration manually.
    [Screenshot: NTP Software File Auditor Configuration, Database Configuration tab, with SQL Server Name, Database Name, Authentication Type, Test Connection, and Maintenance.]
    4. If you want to specify different database configurations, right-click File Auditor under the NetApp Filer, EMC Celerra, BlueArc Titan, or Hitachi NAS that has been added.
    5. If you want to back up/delete old files to maintain the size of your database, click the Maintenance button.
    NOTE: The DB Maintenance option works on two levels: the server level and the policy level.
    [Screenshot: Database Maintenance Settings dialog.]
    Specify the number of records to be retained in the database (in thousands of records). When the record limit is reached th
85. to send notification emails. BOTs support the following SMTP authentication methods:
    1. Anonymous
    2. Integrated Windows Authentication (NTLM)
    Select My Server requires authentication to enable Integrated Windows authentication, as shown below. Anonymous authentication is the default option.
    [Screenshot: BOT Editor, SMTP Configurations dialog with the My Server requires authentication option.]
    File Auditor BOTs Demo Mode
    Initially, your File Auditor database is empty and does not contain any suspicious user operations about which File Auditor BOTs should notify you. For demo purposes, you can enable Demo mode, which will make BOT editor use a demo database installed with File Auditor; this database contains pre-configured BOTs and actions that will send demo emails to your inbox. In order to use the Demo mode, please perform the following:
    1. Enable Demo Mode: go to
86. tor, once the server is started and has mounted its root filesystem, go to the etc directory and create the cepp.conf file if it does not exist. You have to edit this file to include your CEPP pool description.
    NOTE: The cepp.conf file must contain at least one line defining the pool of CEPP servers. If the line is too long, you can add \ at the end of each line:
    pool name=<poolname> \
    servers=<IP addr1>|<IP addr2> \
    preevents=<event1>|<event2> \
    postevents=<event3>|<event4> \
    posterrevents=<event5>|<event6> \
    option=ignore or denied \
    reqtimeout=<time out in ms> \
    retrytimeout=<time out in ms>
    NOTES:
    Each event can include one or more or all of the following events: OpenFileNoAccess, OpenFileRead, OpenFileWrite, CreateFile, CreateDir, DeleteFile, DeleteDir, CloseModified, CloseUnmodified, RenameFile, RenameDir, SetAclFile, SetAclDir.
    Postevents and posterrevents are not supported in NTP Software File Auditor. We recommend turning them off to improve performance. Dropping those two fields from the CEPP will stop the Celerra from generating events of those types.
    At least one event, one pool, and one server per pool must be defined.
    Recommended timeout values:
    - The recommended value for reqtimeout is 5000.
    - The recommended value for retrytimeout is 750.
87. vice, e.g. http://BackupHost/ODDMAdmin/ODDMService.asmx
    Please refer to the Retrieving Records Archived via ODDM section for more details on how to use File Auditor Reports to retrieve your old records archived via ODDM in order to run reports on them.
    Setting the NTP Software File Auditor Email
    The NTP Software File Auditor Properties tab enables you to set up several application properties, including the application emails. To adjust your NTP Software File Auditor application email feature, please follow these steps:
    1. Right-click NTP Software File Auditor under the main application container.
    2. Click Properties on the pop-up menu.
    3. Click the Email Configuration tab. Clear the Inherit Email Configuration box. Check the Enable Email Notifications option. Enter the correct information in each of the text boxes as appropriate for your email settings and click OK.
    Tip: Click the Test Mail Settings button to test your connection to the specified SMTP Server. Specify the email ID to which the test email should be sent. If the email is sent successfully, the status field will display Test mail sent. Otherwise, it will display Test mail not sent.
    [Screenshot: NTP Software File Auditor Configuration, Email Configuration tab.]
88. want to view the readme file. Click Finish.
    [Screenshot: NTP Software Smart Policy Manager Setup Wizard, installation complete.]
    Installing the NTP Software File Auditor Admin Component
    1. The NTP Software File Auditor welcome dialog box pops up automatically. Click Next to continue.
    [Screenshot: NTP Software File Auditor for NAS Setup, welcome dialog box.]
    2. In the License Agreement dialog box, select accept the terms of the license agreement and then click Next.
    [Screenshot: NTP Software File Auditor for NAS Setup, License Agreement dialog box.]
89. [Table of contents residue; the last legible entry is NTP Software Professional Services.]
    Executive Summary
    Thank you for your interest in NTP Software File Auditor. NTP Software File Auditor extends our best-of-breed technology, allowing you to manage NAS-hosted storage as a seamless whole. NTP Software File Auditor lets you monitor your users' file and directory operations. It lets you create and enforce file audit policies that enable you to monitor certain events taking place in your environment. Such events include directories created, renamed, and/or deleted, and files opened for read, write, create, rename, delete, and/or close in your environment.
    NTP Software File Auditor has two main components:
    1. NTP Software File Auditor Administrator
    2. NTP Software File Auditor Reports
    Each of the above components will be explained in further detail in the next sections. Please refer to the Network Attached Storage (NAS) Preparations section before you start working with NTP Software File Auditor.
    Given the architecture of your NetApp Filer, EMC Celerra, BlueArc Titan, or Hitachi NAS, NTP Software File Auditor does its job remotely. NTP Software File Auditor uses a connector service to create a bridge and include Filers, Celerras, Tit
90. y day by default at 8 am and analyzes the data of the previous 14 hours to see if someone performed any operations. For best results, this BOT should be set to run every day at the start of the working day.
    2. HIPAA Auditing: This BOT discovers any suspicious behavior done to the folder that contains health information. This ensures compliance with the Health Insurance Portability and Accountability Act (HIPAA). This BOT runs every 30 minutes and notifies you if someone read/edited these private documents in the past hour.
    3. Ownership Change Audit: This BOT notifies you when a user takes ownership of a file or changes the owner of a file. Make sure to specify the path to monitor.
    4. Permission Change Audit: This BOT notifies you when a user changes the security of a file or a directory.
    5. Large File Audit: This BOT notifies you when a user creates any file larger than 500MB in a specific directory.
    6. Financial Qtr Rpts: This BOT is used for financial quarterly reports to discover all modifications done to the financial reports directory by any user in the last quarter.
    7. Wikileaks: This BOT discovers problems similar to the Wikileaks problem. It will discover whether any user has performed a large number of file copies/downloads in the last 30 minutes.
    8. Disgruntled Employee: This BOT discovers whether any user has deleted a large number of files in the last hour.
    9. Serial Edits: This BOT discovers whether any user has edited many
91. [Screenshot, continued: NTP Software File Auditor for NAS Setup, License Agreement dialog box.]
    3. In the Choose Destination Location dialog box, browse to the desired destination, or click Next if the default destination location is appropriate.
    [Screenshot: NTP Software File Auditor for NAS Setup, Choose Destination Location dialog box.]
    4. In the Select Features dialog box, make sure that only the Admin component is selected, and then click Next.
    [Screenshot: NTP Software File Auditor for NAS Setup, Select Features dialog box.]
