Panzura Best Practices: Varonis

This article describes best practices for deploying and configuring Panzura with Varonis.

Starting in CloudFS 8.0.2.0, Panzura filers support the following versions of Varonis software:

  • 8.5.20: This version introduces support for Panzura file servers for Varonis DatAdvantage, DatAlert/DatAlert Analytics, Data Classification Engine, and Automation Engine.
  • 8.6.10: This version introduces support for Panzura file servers for Varonis DatAdvantage, DatAlert/DatAlert Analytics, Data Classification Engine, DatAnswers, Automation Engine, and Data Transport Engine.

Deployment and Architecture

Varonis’ Data Classification Engine (DCE) requires scanning data as well as metadata. Therefore, the best solution for cost and cache health on active machines is to co-locate the Varonis Collector (which runs the DCE) and a Panzura filer in the cloud where the primary object store for your data exists.

As long as this Panzura filer is part of the same CloudFS, the Collector will be able to identify new nodes in the CloudFS file system via the available API and see all metadata and data in the file system.

As it is not possible to have two Varonis Collectors for the same dataset, the File Walk and DCE have to take place on the same machine. This restriction requires that Event data is also collected by the same Collector in the cloud. Therefore, all Event data will need to be sent to that Collector.

If you have an existing Panzura filer in the cloud, it may be used to satisfy this requirement. However, doing so may impact the cache on that filer.

As a result, if the performance and resources of that filer are critical, it may not be appropriate to use it as the target for the Varonis Collector.

Configuring Panzura with Varonis

Panzura's Access Audit feature allows you to monitor file system events from NFS or SMB clients. To integrate with Varonis, this information can be streamed via RabbitMQ in Varonis’ Google Protobuf format. Currently, Panzura only supports file system events from SMB clients when used with Varonis.

Each filer that makes up the global file system only captures events that occur on that filer. Capturing all user activity requires enabling audit on all filers within the cluster.

License Configuration

More general configuration for this feature is done via the License Manager page in the "Configuration" section of the Panzura web interface. The information covered in this document is available in 8.0.2.0 and later unless otherwise noted.

Both the AS-Varonis and AS-Audit licenses should be active on the License Manager page to enable event collection and RabbitMQ configuration. The 'AS-Audit' license controls the general aspects of the Audit feature and includes 4 fields: sysloghost, include files, exclude files, and access.

  • ‘sysloghost’: Set to '-' to write the log locally, or enter a hostname for an external syslog server. If you are only configuring Audit to be used with Varonis, configure this field as ‘-’.

    When configuring Panzura filers for use with Varonis, enter “-” in the sysloghost field.
  • ‘include files’: Takes a comma-separated list of glob patterns that specify the files to include in audit tracking.

    Entering "*" (quotes omitted) would include all files, and entering "-" would include none (no files). The default option is to include all files.

    This can filter on path, but it isn't specific to a volume or share, because the system uses the file path for filtering (it has no information about which share is connected). For example, to filter under a share “Projects” that is mounted at /cloudfs/example1/Projects, you would need to add “/cloudfs/example1/Projects/*” to the ‘include files’ filter.

    When configuring Panzura filers for use with Varonis, enter “*” in the ‘include files’ field.
  • ‘exclude files’: Takes a comma-separated list of glob patterns that specify the files to exclude from audit tracking.

    Entering "*" (quotes omitted) would exclude all files, and entering "-" would exclude none (no files). The default option is to exclude no files.

    For example, to leave out backup or temporary files, enter "*.tmp,*.bak" (quotes omitted) in the ‘exclude files’ field.

    When configuring Panzura filers for use with Varonis, enter “-” in the ‘exclude files’ field.
  • ‘access’: Used to control which events are collected. Multiple events should be comma separated. To capture all events, “*” (quotes omitted) can be used.

    Events supported: create, open, mkdir, read, readdir, remove, rename, rmdir, write, close, connect, disconnect, setxattr, delxattr.

    When configuring Panzura filers for use with Varonis, it is recommended you enter only the following event types in the ‘access’ field: “create, open, mkdir, read, write, remove, rmdir, rename, close, setxattr, delxattr”.

    Additional details can be found in the “Event Types” section.

Event Types

The following are all the events Panzura filers support: create, open, mkdir, read, readdir, remove, rename, rmdir, write, close, connect, disconnect, setxattr, delxattr. These event names are entered in the ‘access’ field, comma separated. To capture all events, “*” can be used.

The last two of those, setxattr and delxattr, capture the permissions the client is setting or removing.

Varonis Configuration Recommendations

When configuring Audit to be used with Varonis, configure the Audit license with the following:

  • sysloghost: "-"
  • include files: "*"
  • exclude files: "-"
  • access: “create, open, mkdir, read, write, remove, rmdir, rename, close, setxattr, delxattr”
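Because each filer only captures its own events, one filer with audit disabled or with a narrower filter leaves a gap in what Varonis sees. The following check is an added example, not Panzura or Varonis code: it compares each filer's AS-Audit fields with the values recommended above. The dict layout, the audit_enabled key, and the filer names are assumptions made for the example, and the settings are assumed to have been copied by hand from each filer's License Manager page.

```python
# Added example: field names follow the article; the dict layout and filer names are constructed.
SUPPORTED = {"create", "open", "mkdir", "read", "readdir", "remove", "rename", "rmdir",
             "write", "close", "connect", "disconnect", "setxattr", "delxattr"}
# Event types the article recommends for the 'access' field when used with Varonis.
RECOMMENDED = SUPPORTED - {"readdir", "connect", "disconnect"}

def split_csv(value):
    """Split a comma-separated field value, tolerating spaces after commas."""
    return [item.strip() for item in value.split(",") if item.strip()]

def check_filer(settings):
    """Return findings where one filer's AS-Audit fields differ from the recommendation."""
    if not settings.get("audit_enabled"):
        return ["audit not enabled: events on this filer are not captured"]
    findings = []
    if settings["sysloghost"].strip() != "-":
        findings.append("sysloghost should be '-'")
    if split_csv(settings["include files"]) != ["*"]:
        findings.append("include files should be '*' (only listed patterns are tracked)")
    if split_csv(settings["exclude files"]) != ["-"]:
        findings.append("exclude files should be '-' (listed patterns are not tracked)")
    access = set(split_csv(settings["access"]))
    if access == {"*"}:
        access = set(SUPPORTED)  # '*' captures all events
    unknown = sorted(access - SUPPORTED)
    missing = sorted(RECOMMENDED - access)
    extra = sorted((access & SUPPORTED) - RECOMMENDED)
    if unknown:
        findings.append("unsupported event names: " + ", ".join(unknown))
    if missing:
        findings.append("recommended events missing: " + ", ".join(missing))
    if extra:
        findings.append("events beyond the recommendation: " + ", ".join(extra))
    return findings

def check_cluster(filers):
    """Map filer name -> findings, listing only filers that deviate."""
    report = {name: check_filer(cfg) for name, cfg in filers.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample inventory (hypothetical filer names and values).
BASELINE = {"audit_enabled": True, "sysloghost": "-", "include files": "*",
            "exclude files": "-", "access": ", ".join(sorted(RECOMMENDED))}
SAMPLE = {
    "filer-cloud": dict(BASELINE),
    "filer-nyc": {**BASELINE, "exclude files": "*.tmp,*.bak", "access": "*"},
    "filer-lon": {**BASELINE, "access": "create, write, remove, chmod"},
    "filer-sgp": {**BASELINE, "audit_enabled": False},
}
```

Calling check_cluster(SAMPLE) returns findings only for the three filers that deviate; a filer matching the recommendation produces an empty list.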