Panzura Data Services File Audit

This guide explains how to use file audit features and filters.

Data Services takes your machine-generated system logs and provides a user-friendly and exceptionally fast way of identifying user actions that have taken place for all files and directories in your Panzura file system.

Output includes all identifying information, including the files affected, the actions taken, the user involved and the timestamp.

How File Audit Works

Data Services ingests the streams of audit logs of files and directories from Panzura filers in near real time, and, after processing them in its data pipeline, indexes them into a searchable database.

Users can stop and start Audit Log streams for individual filers through the Manage Plugins service, accessible from the left pane of Data Services. To stop or start the Audit Log streams, select the filers on the Manage Plugins page, open the Configure page from the Actions drop-down menu, and toggle the Audit Logs switch on or off.

Configuration

Applying File Audit Licenses

Audit licenses are required to enable File Audit and are supplied by Panzura support on purchase of Data Services.

The tokens provided must be entered on each Panzura filer, through the Panzura filer's dashboard License Manager, as shown below.

Specifying Audit Actions

After entering the license tokens, you must then edit the license to specify the audit actions that File Audit should capture, by entering them in the ACCESS field as shown below, separated by commas.

Available audit actions are:

  • close: closing files
  • create: creating files
  • delxattr: deleting permissions
  • mkdir: creating directories
  • read: reading files
  • remove: deleting files
  • rmdir: deleting directories
  • rename: renaming files or directories
  • rlclaim: global file lock
  • setattr: changing attributes
  • setxattr: changing permissions

Users can also specify the list of files to be included in or excluded from auditing. To include all files, enter * (asterisk); to exclude no files, enter - (dash).

The following picture shows the audit parameter configuration in the Freedom Filers’ License Manager.

Move and Copy Actions

Copy and Move actions do not cause explicit audit events in the file systems’ Audit Logs, but are included in the audit actions for detection by the File Audit service. File Audit's detection of Move and Copy actions is based on inference from the other explicit audit actions. Therefore, their detection may not be as precise as the other audit actions, which are explicit events.

Minimum CloudFS Version Required

Change Permission, Delete Permission, Copy, Move, Read, and Write are only available for Panzura filers running CloudFS 8.0.0.0 and higher.

File Audit: Audit Search 

Using the Search Bar

The Search Bar accepts alphanumeric characters and requires a query length of at least three characters, including spaces. A warning message will advise when your search query is too short.

File Audit is not case sensitive.

Saving Search Queries

Users can save their search queries for future use, by clicking the Save Search link, below the Search Bar on the left side. The saved search queries are available for use through the ribbon sign button, at the rightmost corner inside the Search Bar. Through the same button, the saved search queries can be deleted.

Listing All Files

The empty Search Bar can be used to list all the files, directories and snapshots of all connected file systems for which metadata has been indexed. To activate this list, users can place their cursor within the Search Bar and press RETURN, or click the search icon.

 


Improving Search Precision

File Audit is a flexible search that operates based on the similarities between the search queries and the indexed data. The more similar an indexed record is to the search query, the higher it is placed in the search results list.

Such a similarity-based search makes it an ideal tool for both precise and imprecise searches.

However, to help users run more precise and targeted searches, File Audit provides two directives through which users can guide the search process with extra information and achieve closer matches.

These search directives are explained in the Guidance for Search popup link, at the right side of the Search Bar.

Guidance For Search

The Global Search service’s search directives are based on the targets’ names and targets’ paths, as follows:

PATH
  • path = “/<full path>/” through which users can limit the search to files and folders in exact paths
  • path ~= “/<full path or partial path>/*” through which users can limit their search to files and folders within inexact paths. Asterisks “*” can be used as wildcard masks at the beginning, middle, and end of paths. Asterisks can only be used with “~=”
  • path != “/<full path>/” through which users can negate the path directive and exclude the path results from the search results
FILE
  • file = “full name” through which users can specify the exact name of the file or directory they are looking for
  • file ~= “full or partial name*” through which users can look for files with names similar to the filename specified. Asterisks “*” can be used as wildcard masks at the beginning, middle, and end of paths. Asterisks can only be used with “~=”
  • file != “full name” through which users can negate the file directive and exclude the name results from the search results
AND
  • AND is the operator through which users can combine other directives with each other. It is a logical & operation, whose result resolves to True only when both of its input operands are True

Search Results

The results of your File Audit search are presented in table format, and the display can be customized by selecting the Columns dropdown option at the top of the table.

To view the audit events for any file, select it, then choose Audit from the Actions menu that appears at top right, as shown below.

File Audit: Audit Search Filters

In addition to the search directives, File Audit search provides several filters through which users can narrow down their search results based on additional filtering information. These filters are accessible through the left side panel of the File Audit page, as follows:

  • Search In: through which users can select only their desired Target Filers. The target filers are the filers on which the audit actions have taken place
  • User Actions: through which users can filter the search results by the audit actions they are looking for. The options for audit actions filters are:
      • Change Permission: changing the rwx permissions of files or directories
      • Close: closing open files
      • Copy: duplicating files or directories 
      • Create: creating new files
      • Delete Permission: removing rwx permission for files or directories
      • Global File Lock: owning the global lock in the global file system
      • Make Directory: creating new directories
      • Move: changing the paths for files or directories in the file system
      • Open: opening files
      • Read: reading from open files
      • Remove: deleting files from the file system
      • Remove Directory: deleting directories from the file system
  • Tokenized Search: through which users can accelerate search speed. This setting trades search speed against precision, and will deliver more search results, with the best matches ranking highest in the resulting list. By default, Tokenized Search is set to ON.
  • File Age Range: through which users can filter the search results based on the age of the search targets, meaning the timestamps of their last modifications. The File Age Range has the following three options, none of which is selected by default.
      • Hot: less than seven days
      • Warm: less than thirty days, but more than seven days
      • Cold: more than thirty days
  • Date Range: through which users can filter the search results for a specific date range. The dates are based on the timestamps of the targets’ last modifications. The Date Range is unspecified by default
  • User: through which users can filter for audit actions by specific users
  • Advanced Filter: through which users have access to some of the above-mentioned filters all in one place, in editable text format. Additionally, in the Advanced Filter, users can specify the Page Size and Wildcard for the search results

 

File Audit: Audit Search Results

For any search conducted in File Audit, the resulting information is as follows:

  • Number: the number of the found items for the search, including files and directories
  • Name: the names of the found items, i.e. files or directories names
  • File Path: the paths of the found files or directories inside the file system
  • DFS Path: the paths inside the Distributed File System, i.e. Target + File Path
  • Target: the filers on which the audit actions have taken place
  • User: the users who have caused the audit actions
  • Action: the audit actions that have transpired on the found files and directories
  • Details: the details of the audit actions. These are as follows:
    • For Delete Permission, Change Permission
      • Permission
      • Original Permission
      • Changed By
      • Time
    • For Move
      • File Name
      • Original Path
      • Current Path
      • Changed By
      • Time
    • For Rename
      • File Name
      • Original Name
      • Changed By
      • Time
    • For Read and Write
      • The volume of the read or written data
  • Size: the sizes of the found items or the size of the data relevant to the audit action
  • Timestamp: the timestamps on which the audit actions have taken place
  • Status: whether the audit actions completed successfully or not
  • Source: the network protocol through which the actions have been performed

 

  • The search results table can be configured to display or hide columns through the Columns button on top of the results table. That includes all of its columns, except for the Name
  • For any item in the search results, users can access the Actions dropdown menu for Recover & Clone file and Audit, as follows:
      • Audit: selecting the Audit option shows the complete audit history that Data Services has for that item
      • Recover & Clone file: selecting the Recover & Clone file option for a target initiates a recovery process based on the most recent snapshot of the target; if no snapshot is available for the target, it initiates a cloning process for it
  • The search results can be exported into downloadable files in CSV or Excel file formats. The exports are scheduled tasks and exported files can be downloaded in the Data Service Scheduled Tasks page
  • When there are more items in the search results than fit into the search results page, users can request more results by pressing the Load More button below the search results table
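
As an added example (not Panzura code), the following Python script triages a File Audit CSV export offline by flagging users who generate a burst of Remove or Remove Directory events inside a short time window. The CSV header names, the action labels, the ISO 8601 timestamp format, the threshold values and the sample rows are assumptions constructed for illustration; adjust them to match a real export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; real header names and timestamp format may differ.
SAMPLE_EXPORT = """Name,File Path,Target,User,Action,Timestamp
q1.xlsx,/finance/q1.xlsx,filer-a,alice,Read,2024-05-01T09:00:00
q1.xlsx,/finance/q1.xlsx,filer-a,mallory,Remove,2024-05-01T10:00:05
q2.xlsx,/finance/q2.xlsx,filer-a,mallory,Remove,2024-05-01T10:00:20
old,/finance/old,filer-a,mallory,Remove Directory,2024-05-01T10:01:10
plan.docx,/hr/plan.docx,filer-b,bob,Remove,2024-05-01T11:00:00
plan2.docx,/hr/plan2.docx,filer-b,bob,Remove,2024-05-01T15:30:00
keys.txt,/it/keys.txt,filer-b,bob,Change Permission,2024-05-01T15:31:00
"""

# Action labels assumed to match the User Actions filter names (compared lower-cased).
DESTRUCTIVE = {"remove", "remove directory"}


def load_events(text):
    """Parse export rows, normalise the action and timestamp, sort by time."""
    events = list(csv.DictReader(io.StringIO(text)))
    for row in events:
        row["Action"] = row["Action"].strip().lower()
        row["Timestamp"] = datetime.fromisoformat(row["Timestamp"].strip())
    return sorted(events, key=lambda e: e["Timestamp"])


def deletion_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: peak deletions within any window} for users at or above threshold."""
    times = defaultdict(list)
    for e in events:
        if e["Action"] in DESTRUCTIVE:
            times[e["User"]].append(e["Timestamp"])
    flagged = {}
    for user, ts in times.items():
        start, best = 0, 0
        for end in range(len(ts)):
            # Shrink the window from the left until it spans at most `window`.
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print("deletion bursts:", deletion_bursts(load_events(SAMPLE_EXPORT)))
```
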