Print Email PDF

Qumulo Core Audit Logging with Splunk

IN THIS ARTICLE

Outlines how to use Splunk with Qumulo Core audit logging

REQUIREMENTS

  • Admin privileges required
  • Cluster running Qumulo Core 2.12.0 and above
  • Qumulo Core Audit Logging configured on your cluster

DETAILS

Audit logging in Qumulo Core provides a mechanism for tracking filesystem and cluster configuration operations. 

Once configured, audit logging generates an audit log entry based upon any cluster configuration change or filesystem operation. This log message body consists of multiple fields in a CSV (comma separated) format as shown below:

10.220.200.26,groot-1,"AD\alice",smb2,fs_read_data,ok,123,"/alice/personal/resume.doc",""

If you have a cluster that is moderately busy, it is possible for audit logging to generate over 2GB of data within 1 to 2 days. With this amount of data, it becomes exceedingly difficult to parse through the logs to find the one event that you are looking for. And while Qumulo Core generates the audit logs, it does not parse, analyze, index or visualize the data contained in the logs. This is where a third party search analytics engine like Splunk can assist you.

Splunk captures, indexes, and correlates real-time data in a searchable repository to generate graphs, reports, alerts, dashboards, and visualizations. It then takes this real-time data so that you can search, monitor and examine the results via a web-style interface.  

Set Up the Qumulo Source Type

  1. Log in to the Splunk Web UI as an Administrator.
  2. Select Settings -> Data -> Source Types.
  3. Click the New Source Type button.
  4. Set the name to Qumulo Audit Log.

    create_source_type.png

  5. Click Save.

Set up the Data Input for Syslog over TCP

  1. Select Settings -> Data -> Data inputs.
  2. In the Local inputs, TCP section, click Add new.
  3. Set the TCP port. We chose 514 in our example which is the default syslog port. You could choose a different port as well.

    Splunk_tcp.png

  4. Click Next.
  5. Select Qumulo Audit Log as the source type.
  6. Select Search and reporting (or the App context of your choosing).

    Splunk_search_reporting.png

  7. Click Review.

    Splunk_review.png

  8. Click Submit.

Set up the Field Extraction for Qumulo's Logs

  1. Click Settings -> Fields.
  2. Click Add new in the Field extractions section.
  3. Select Destination app Search.
  4. Name the extraction. We named it “Qumulo Field Extraction”.
  5. Apply to sourcetype named “Qumulo Audit Log”.
  6. Set Type to Inline.
  7. Paste this regular expression into the Extraction/Transform field (this should all be one line in the Splunk text box.
    <[0-9]+>[0-9] (?<timestamp>[^ ]+) (?<hostname>.*)?[-](?<node_id>[0-9]+) (?<app_name>[^ ]+) [-] [-] [-] (?<client_ip>[^,]+)[,]"(?<user>.*)?",(?<protocol>[^,]+),(?<op>[^,]+),(?<status>[^,]+),(?<id>[^,]+),"(?<object1>.*)?","(?<object2>.*)"
  8. Click Save.

    Splunk_save.png

Point the Qumulo Audit Log at the Splunk server

  1. Set up Audit to point at the Splunk server and port (514 in our case).

    QC_Audit_syslog.png

Review the Splunk Results

  1. Click Search & Reporting.
  2. Click Source types > Qumulo Audit Log.

    Splunk_sourcetypes.png

  3. Take a look at all that data about who is doing what, when, and where on your Qumulo cluster via Splunk.

    Splunk_cluster_data.png

RESOLUTION

You should now be able to successfully use Splunk with Qumulo Core audit logging

ADDITIONAL RESOURCES

Qumulo Core Audit Logging

Splunk

QQ CLI: Comprehensive List of Commands

 

Like what you see? Share this article with your network!

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Have more questions?
Open a Case
Share it, if you like it.