Panzura Data Services Audit

This guide explains how to use audit and its filters.

Data Services takes your machine-generated system logs and provides a user-friendly and exceptionally fast way of identifying user actions that have taken place for all files and directories in your Panzura CloudFS.

Output includes all identifying information, including the files affected, the actions taken, the user involved and the timestamp.

How File Audit Works

Data Services ingests the streams of audit logs of files and directories from Panzura nodes in near real time, and, after processing them in its data pipeline, indexes them into a searchable database.

Users can stop and start Audit Log streams for individual nodes through the Manage Plugins service, accessible from the left pane of Data Services. To stop or start the Audit Log streams, select the nodes on the Manage Plugins page, open the Configure page from the Actions drop-down menu, and toggle the Audit Logs switch on or off.

Configuration

Applying File Audit Licenses

Audit licenses are required to enable File Audit and are supplied by Panzura support on purchase of Data Services.

The tokens provided must be entered on each Panzura node, through the Panzura node's dashboard License Manager, as shown below.

Specifying Audit Actions

After entering the license tokens, you must then edit the license to specify the audit actions that File Audit should capture, by entering them in the ACCESS field as shown below, separated by commas.

Available audit actions are:

  • create: creating files
  • remove: deleting files
  • read: reading files
  • write: writing files
  • mkdir: creating directories
  • rmdir: deleting directories
  • rename: renaming files or directories
  • rlclaim: global file lock
  • setattr: changing attributes
  • setxattr: changing permissions
  • dellxattr: deleting permissions

Users can also specify the list of files to be included in or excluded from auditing. To include all files, enter * (asterisk); to exclude no files, enter - (dash).

Excluded actions and files will not be visible to Audit service, and Data Services cannot be held responsible for the loss of data and insights that are dependent on such eliminated items.

The following picture shows the audit parameter configuration in the CloudFS nodes’ License Manager.

Move and Copy Actions

Copy and Move actions do not cause explicit audit events in the file systems’ Audit Logs, but are included in the audit actions for detection by the File Audit service. File Audit's detection of Move and Copy actions is based on inference from the other explicit audit actions. Therefore, their detection may not be as precise as the other audit actions, which are explicit events.

Open and Close Actions

These actions are not shown, as they are enveloped by all other audit actions.

Minimum CloudFS Version Required

Change Permission, Delete Permission, Copy, Move, Read, and Write are only available for Panzura nodes running CloudFS 8.0.0.0 and higher.
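
Because excluded actions and files never reach the Audit service, it is worth checking an ACCESS value before saving it. The following is an added example, not Panzura code: it checks a planned value against the action list and the version note above. The `BASELINE` set, the function names and the sample values are assumptions made for illustration.

```python
# Added example, not Panzura code: review a planned ACCESS value before saving it.
VALID_ACTIONS = {"create", "remove", "read", "write", "mkdir", "rmdir",
                 "rename", "rlclaim", "setattr", "setxattr", "dellxattr"}
# Explicit actions behind the features this page ties to CloudFS 8.0.0.0+
# (Read, Write, Change Permission, Delete Permission).
NEEDS_CLOUDFS_8 = {"read", "write", "setxattr", "dellxattr"}
# Hypothetical monitoring baseline: actions a security team wants captured.
BASELINE = {"remove", "rmdir", "rename", "write", "setxattr", "dellxattr"}


def parse_version(text):
    """Turn '8.0.0.0' into (8, 0, 0, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def review_access(access, cloudfs_version, include="*", exclude="-",
                  required=BASELINE):
    """Report typos, coverage gaps and version limits for an ACCESS value."""
    tokens = [t.strip() for t in access.split(",") if t.strip()]
    enabled = {t for t in tokens if t in VALID_ACTIONS}
    report = {
        "unknown": sorted(set(tokens) - VALID_ACTIONS),
        "missing": sorted(set(required) - enabled),
        "version_gated": [],
        "file_scope": [],
    }
    if parse_version(cloudfs_version) < (8, 0, 0, 0):
        report["version_gated"] = sorted(enabled & NEEDS_CLOUDFS_8)
    # "*" includes every file and "-" excludes none; anything else narrows scope.
    if include.strip() != "*":
        report["file_scope"].append("include list is narrower than *")
    if exclude.strip() != "-":
        report["file_scope"].append("exclude list hides: " + exclude.strip())
    return report


if __name__ == "__main__":
    # Constructed input: a typo ("wirte") on a node older than 8.0.0.0.
    result = review_access("create,remove,wirte,setxattr", "7.2.0.1",
                           exclude="*.tmp")
    for key, values in result.items():
        print(f"{key}: {', '.join(values) or 'none'}")
```

Any entry under `missing` or `file_scope` is activity that File Audit will not be able to show later.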

Audit Search 

Using the Search Bar

The Search Bar accepts alphanumeric characters and requires a query of at least three characters, including spaces. A warning message will advise when your search query is too short. Searches are not case sensitive.

Saving Search Queries

Users can save their search queries for future use, by clicking the Save Search link, below the Search Bar on the left side. The saved search queries are available for use through the ribbon sign button, at the rightmost corner inside the Search Bar. Through the same button, the saved search queries can be deleted.

Listing All Files

The empty Search Bar can be used to list all the files, directories and snapshots of all connected file systems for which metadata has been indexed. To activate this list, users can place their cursor within the Search Bar and press RETURN, or click the search icon.

Improving Search Precision

Audit is a flexible search that operates based on the similarities between the search queries and the indexed data. The more similar an indexed record is to the search query, the higher it is placed in the search results list.

The following search tips (see the Search Tips link at the right of the Search Bar) help to achieve closer matches:

PATH
  • path = “/<full path>/” limits the search to files and folders in exact paths.
  • path ~= “/<full path or partial path>/*” limits the search to files and folders within inexact paths. Asterisks “*” can be used as wildcard masks at the beginning, middle, and end of paths. Asterisks can only be used with “~=”.
  • path != “/<full path>/” negates the path directive and excludes the path results from the search results.
FILE
  • file = “full name” specifies the exact name of the file or directory to look for.
  • file ~= “full or partial name*” looks for files with names similar to the filename specified.
  • file != “full name” negates the file directive and excludes the name results from the search results.
  • Asterisks “*” can be used as wildcard masks at the beginning, middle, and end of paths. Asterisks can only be used with “~=”.
AND
  • AND is the operator that combines other directives with each other. It is a logical & operation, whose result resolves to True only when both of its input operands are True.

Search Results

The results of your File Audit service are presented in table format, and the display can be customized by selecting the Columns dropdown option at the top of the table.

To view the audit events for any file, select it, then choose Audit from the Actions menu that appears at top right, as shown below.

Audit Search Filters

Audit service search provides several filters through which users can narrow down their search results based on additional filtering information. These filters are accessible through the left side panel of the Audit page, as follows:

  • Search In: through which users can select only their desired Target nodes. The target nodes are the nodes on which the audit actions have taken place
  • Actions: through which users can filter the search results by the audit actions they are looking for. The options for audit actions filters are:
    • Change Permissions: changing the rwx permissions of files or folders
    • Copy: duplicating files or directories
    • Create File: creating new files
    • Delete Permissions: removing rwx permissions for files or folders
    • File Lock: owning the global lock in the global file system
    • Create Directory: creating new folders
    • Move: changing the paths for files or folders in the file system
    • Read: reading from open files
    • Remove: deleting files from the file system
    • Remove Directory: deleting folders from the file system
  • Age: through which users can filter the search results based on the age of the search targets, meaning the timestamps for their last modifications. The File Age Range has the following three options, none of which are selected by default.
    • Hot: less than seven days
    • Warm: less than thirty days, but more than seven days
    • Cold: more than thirty days
  • Date: through which users can filter the search results for a specific date range. The dates are based on the timestamps for the targets’ last modifications. The Date Range is unspecified by default
  • User: through which users can filter for audit actions by specific users
  • Advanced Filter: through which users have access to some of the above-mentioned filters all in one place, in editable text format. Additionally, in the Advanced Filter, users can specify the Page Size and Wildcard for the search results

File Audit: Audit Search Results

For any search conducted in File Audit, the resulting information is as follows:

  • Number: the number of the found items for the search, including files and directories
  • Name: the names of the found items, i.e. files or directories names
  • File Path: the paths of the found files or directories inside the file system
  • DFS Path: the paths inside the Distributed File System, i.e. Target + File Path
  • Target: the nodes on which the audit actions have taken place
  • User: the users who have caused the audit actions
  • Action: the audit actions that have transpired on the found files and directories
  • Details: the details of the audit actions. These are as follows:
    • For Delete Permission, Change Permission
      • Permission
      • Original Permission
      • Changed By
      • Time
    • For Move
      • File Name
      • Original Path
      • Current Path
      • Changed By
      • Time
    • For Rename
      • File Name
      • Original Name
      • Changed By
      • Time
    • For Read and Write
      • The volume of the read or written data
  • Size: the sizes of the found items or the size of the data relevant to the audit action
  • Timestamp: the timestamps on which the audit actions have taken place
  • Status: whether the audit actions completed successfully or not
  • Source: the network protocol through which the actions have been performed

The search results table can be configured to display or hide columns through the Columns button on top of the results table. That includes all of its columns, except for the Name.

For any item in the search results, users can access the Actions dropdown menu for Clone file and Audit, as follows:

  • Audit: shows the complete audit history that Data Services has for that item
  • Clone file: initiates a cloning process which copies the file to the requested path in the file system

The search results may be exported into downloadable files in CSV or Excel file formats for external use. The exports are scheduled tasks, and the exported files can be downloaded in the Data Service Tasks page.

By default, 100 files per page are displayed, with a "load more" button below the search results. The default number of 100 can be changed using the Advanced Filter and the "pagesize=" directive.
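
An exported CSV can also be reviewed outside Data Services. The following is an added example, not Panzura code: it scans an export for bursts of Remove and Remove Directory actions by one user on one target, a common sign of bulk deletion. It assumes the CSV header uses the column names listed above and ISO 8601 timestamps; the sample rows, the threshold and the window are constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime

# Action names as shown in the Actions filter on this page.
DESTRUCTIVE = {"Remove", "Remove Directory"}

# Constructed sample export; a real header and timestamp format may differ.
SAMPLE_EXPORT = """\
Name,File Path,Target,User,Action,Timestamp,Status,Source
q1.xlsx,/finance/q1.xlsx,node-a,jdoe,Remove,2024-05-01T10:00:05,Success,SMB
q2.xlsx,/finance/q2.xlsx,node-a,jdoe,Remove,2024-05-01T10:00:09,Success,SMB
q3.xlsx,/finance/q3.xlsx,node-a,jdoe,Remove,2024-05-01T10:00:14,Success,SMB
old,/finance/old,node-a,jdoe,Remove Directory,2024-05-01T10:00:20,Success,SMB
notes.txt,/hr/notes.txt,node-b,asmith,Remove,2024-05-01T10:01:00,Success,NFS
plan.doc,/hr/plan.doc,node-b,asmith,Read,2024-05-01T10:01:30,Success,NFS
tmp.txt,/hr/tmp.txt,node-b,asmith,Remove,2024-05-01T10:20:00,Success,NFS
"""


def find_delete_bursts(csv_text, threshold=5, window_seconds=120):
    """Return {(user, target): peak count} for delete bursts in the export."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"] in DESTRUCTIVE:
            when = datetime.fromisoformat(row["Timestamp"])
            events.append((when, row["User"], row["Target"]))
    events.sort()  # exports are not guaranteed to be in time order

    recent = defaultdict(deque)  # sliding window of timestamps per key
    bursts = {}
    for when, user, target in events:
        queue = recent[(user, target)]
        queue.append(when)
        # Drop events that fell out of the window ending at this event.
        while (when - queue[0]).total_seconds() > window_seconds:
            queue.popleft()
        if len(queue) >= threshold:
            bursts[(user, target)] = max(bursts.get((user, target), 0), len(queue))
    return bursts


if __name__ == "__main__":
    for (user, target), count in find_delete_bursts(SAMPLE_EXPORT, 4, 60).items():
        print(f"{user} on {target}: {count} deletions within 60 seconds")
```

Each flagged user and target can then be checked with the User and Search In filters to see the full sequence of actions.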