Configuring the Audit Log Function

This section describes how to set audit log parameters.

Prerequisites

The file, object, or HDFS service has been enabled.

Procedure

  1. Choose Settings > Data Security > Audit Log.
  2. Select a desired account from the Account drop-down list in the upper left corner.
  3. Enable Audit Log.
  4. Set audit log parameters. Table 1 describes the parameters.

    Table 1 Audit log parameters

    Audit CIFS Login and Logout
      After this function is enabled, the system logs CIFS login and logout events.

    Audit FTP Login and Logout
      After this function is enabled, the system logs FTP login and logout events.

    Audit File Access
      After this function is enabled, the system logs file access events.

    Output Format
      Format in which audit log files are generated. The value can be XML, EVTX, or TXT.

    Single Log File (MB)
      Size, in MB, of a single audit log file saved in the system.

    Audit Log Namespace
      Namespace for storing audit log files. Click Create and, on the displayed create namespace page, create a namespace for storing audit logs. For details, see step 5.

      NOTE:
      An account can create only one audit log namespace.

    Retention Policy
      Retention policy of audit log files. Possible options are:
      • Retention Period (Days): retention period of audit log files. The value ranges from 1 to 1200 days. The default value is 90 days. When log files in the audit log namespace reach the retention period, the system automatically deletes the expired log files.
      • Max. Retention Capacity (GB): maximum namespace capacity that audit log files may occupy. The value ranges from 5 GB to 10,240 GB. The default value is 500 GB. When the capacity occupied by log files in the audit log namespace exceeds the specified value, the system automatically deletes the earliest log files until the occupied capacity does not exceed 90% of the specified value.
      • Retained Log Files (K): maximum number of audit log files retained in the audit log namespace. The value ranges from 1 K to 1000 K. The default value is 50 K. When the number of log files in the audit log namespace exceeds the specified value, the system automatically deletes the earliest log files until the number does not exceed 90% of the specified value.

  5. Create an audit log namespace.

    1. In the Audit Log Namespace area, click Create.

      The Create Namespace dialog box is displayed.

    2. Set basic information related to the audit log namespace, as shown in Table 2.

      Table 2 Namespace parameters

      Name
        Name of the new namespace.

        NOTE:
        The naming rules of a namespace are as follows:
        • The name must be unique.
        • The name can consist only of letters, digits, underscores (_), hyphens (-), and periods (.), and must contain at least one letter or digit.
        • The name can contain 1 to 255 characters.

        To enable the object service for a namespace, the namespace name must also meet the following rules. Otherwise, domain name resolution fails and the bucket cannot be accessed in virtual hosting mode; it can then be accessed only in path mode.
        • The name can contain only lowercase letters, digits, periods (.), and hyphens (-), and must start and end with a letter or digit. In addition, the name cannot contain a period next to a hyphen (.- or -.) and cannot contain consecutive periods (..).
        • The name can contain 3 to 63 characters.
        • The name cannot be an IP address.

      Storage Pool
        Storage pool to which the new namespace belongs.

      Redundancy Ratio
        Redundancy ratio of the new namespace. It must be the same as that of the owning storage pool.

        NOTE:
        This parameter is available only for storage pools that use the EC redundancy policy.

      Security Style
        Select a security style based on service requirements. Possible options are:
        • Mixed: applies to the scenario where both CIFS clients (using SMB) and UNIX clients (using NFS/HDFS/DPC) access and control the namespace. In this style, the effective permissions are whichever were set last, by a CIFS client or by a UNIX client; CIFS permissions (NT ACL) and UNIX permissions (UNIX mode/POSIX ACL/NFSv4 ACL) do not coexist.
        • UNIX: applies to the scenario where UNIX mode bits, POSIX ACLs, or NFSv4 ACLs control user permissions.

        NOTE:
        In Mixed style (which supports NT ACLs), if you configure an NT ACL for a file or directory on a Windows client and then switch the style from Mixed to UNIX, that NT ACL becomes invalid.

      Application Type
        The following preset application types are provided for typical applications: GENERAL and PACS.

        NOTE:
        • The picture archiving and communication system (PACS) is applicable to medical imaging scenarios in hospital imaging departments. For details about PACS, see the Product Description of the corresponding version.
        • GENERAL is the default value and applies to all scenarios other than PACS.
        • For a namespace with the PACS application type, the semantic-layer distribution algorithm is Simplified mode, in which the number of directory fragments is 1. For a namespace with the GENERAL application type, the semantic-layer distribution algorithm is Balanced mode, in which the number of directory fragments is 8.

          Directory fragmentation divides a directory metadata object into multiple logical metadata objects; the number of directory fragments is the number of metadata objects a single directory is divided into. Before a directory is fragmented, the subfile data and metadata objects in the directory can belong to only one storage node, concentrating load on that node. After the directory is fragmented, they can be spread evenly across multiple storage nodes, improving namespace concurrency. Multiple directory fragments suit large directories or directories that contain multiple large files.

        • You can also run the create namespace general command on the CLI to create a namespace with a different number of directory fragments. For details, see the Command Reference of the corresponding version.
    3. Configure an NFS share.
      • The NFS share function is disabled by default. It is recommended that you configure the NFS share in a follow-up operation rather than in this one.
      • After the NFS share function is enabled, the object service cannot set the maximum and minimum WORM retention periods at the prefix level in the converged interworking scenario.
      • This step can be performed only when the file service is enabled for the storage pool.
      1. Enable NFS and click Configure.

        The Configure NFS Share page is displayed.

      2. Configure access permissions for the NFS share.
        Click Add to add a client. For details, see Adding an NFS Share Client.
        • You can click More on the right of a client and select Modify to modify its information.
        • You can select one or more clients and click Remove, or click More on the right of a client and select Remove, to remove clients.
      3. Click OK.
    4. Configure a CIFS share.
      • The CIFS share function is disabled by default. It is recommended that you configure the CIFS share in a follow-up operation rather than in this one.
      • After the CIFS share function is enabled, the object service cannot set the maximum and minimum WORM retention periods at the prefix level in the converged interworking scenario.
      • This step can be performed only when the file service is enabled for the storage pool.
      1. Enable CIFS and click Configure.

        The Configure CIFS Share page is displayed.

      2. Set the name of the CIFS share.
        • The name must be unique.
        • The share name cannot contain the characters " / \ [ ] : | < > + ; , ? * =, cannot start or end with a space, and cannot be one of the reserved names ipc$, autohome, ~, or print$.
        • The name can contain 1 to 80 characters.
      3. Configure access permissions for the CIFS share.
        Click Add to add a user or user group. For details, see Adding a User or User Group.
        • Click More on the right of a user or user group and select Modify to modify the user or user group.
        • Select one or more users or user groups and click Remove, or click More on the right of a user or user group and select Remove to remove added users or user groups.
      4. Click OK.
    5. Configure an FTP share.
      • The FTP share function is disabled by default. It is recommended that you configure the FTP share in a follow-up operation rather than in this one.
      • This operation is available only when the file, object, or HDFS service is enabled for the storage pool.
      • Before configuring an FTP share, enable the FTP service and set the FTP share authentication type. For details, see Managing the FTP Service and Setting an Authentication Type.
      1. Enable FTP and click Configure.

        The Configure FTP Share page is displayed.

      2. Set the name of the FTP share.
        • The name must be unique.
        • The share name cannot contain the characters "/\[]:|<>+;,?*=#, cannot start or end with a space, and cannot be one of the reserved names ipc$, autohome, ~, or print$.
        • The name can contain 1 to 80 characters.
      3. Configure access permissions for the FTP share.
        Click Add to add a user. For details, see Adding a User.
        • Click More on the right of a user and select Modify to modify the user's permissions.
        • Select a user and click Remove, or click More on the right of the user and select Remove to remove the user.
      4. Click OK.
    6. Configure the HDFS service.
      • This step can be performed only when the HDFS service is enabled for the storage pool.
      • When Service Type is set to Intelligent video and image or Backup and archiving, the HDFS service is not supported.
      1. In Protocol, enable HDFS.
      2. Select the zone associated with the namespace.
        1. In Associate with Zone, click Select.

          The Associate with Zone (HDFS) page is displayed on the right.

        2. Select the subnet to which the access zone to be associated belongs.
        3. Select the access zone to be associated.
          • If no subnet is configured, you can click Create to create one. For details, see Creating a Subnet.
          • If a subnet has been configured, you can click Modify in Subnet to modify the subnet parameters. For details, see Modifying a Subnet.
          • After creating a subnet, you can click Create to create an access zone. For details, see Creating an Access Zone.
        4. Click OK.
    7. Configure the object service.
      • The object protocol can be enabled only when the object service is enabled for the storage pool and POE authentication is used. If IAM authentication is used, the object protocol cannot be enabled.
      • The object service is supported only when Service Type is set to Intelligent video and image and a license that supports SmartInterworking is imported. The object service is not supported in IVS scenarios.
      1. In Protocol, enable Object.
      2. Configure bucket permissions for the namespace. The audit log namespace supports only private bucket permissions.

        Private: The owner of the bucket (the account that creates the bucket) has full control of the bucket. Other users cannot access the bucket without authorization.

    8. Click Advanced and set advanced information about the namespace.
      1. Select whether to enable Automatic Update of Atime. Atime indicates the time when the namespace is accessed. After this function is enabled, you need to set Update Frequency, and the system updates the Atime at that frequency. The value can be Hourly or Daily.

        Enabling Automatic Update of Atime compromises system performance.

      2. Set the display mode of the space occupied by directories or files when the ls -l command is executed. For details, see Table 3.
        Table 3 Directory and file space display

        Each entry below is a Directory Space Display Mode, followed by whether the space size is displayed for each object type.

        Space occupied by a directory
          Current Directory: √
          File in Current Directory: X
          Subdirectory in Current Directory: X
          Subdirectory File: X

        Space occupied by all files in the current directory
          Current Directory: √
          File in Current Directory: X
          Subdirectory in Current Directory: X
          Subdirectory File: X

        Space occupied by all files in the current directory and its subdirectories
          Current Directory: √
          File in Current Directory: X
          Subdirectory in Current Directory: √
          Subdirectory File: X

        √: The space size is displayed.
        X: The space size is not displayed.

      3. Set the data security and protection functions of the namespace.

        Table 4 describes related parameters.

        Table 4 Data security and protection parameters

        Snapshot Directory Visibility
          Whether the directory of namespace snapshots is visible. If this parameter is set to Visible, the system displays the .snapshot directory in the namespace.

        Data Encryption
          Whether to enable the data encryption function. After this function is enabled, the system generates a key and uses it to encrypt the data written to the namespace.

          NOTE:
          • Data encryption is supported only after an advanced license is imported.
          • Data encryption for a namespace can be configured only when the namespace is created, and cannot be disabled once enabled. Before enabling data encryption for a namespace, enable data encryption for the account.
          • After data encryption is enabled, the I/O performance of non-encrypted services will also be affected. Confirm that this function is needed before enabling it.
          • When the object protocol is enabled for the namespace, data encryption and SSE-C server-side encryption cannot be used at the same time, because double encryption severely affects performance. If the data encryption function is enabled, the object protocol no longer supports SSE-C server-side encryption for individual objects.

        Encryption Algorithm
          After Data Encryption is enabled, you need to select an encryption algorithm. The value can be XTS-AES-128, XTS-AES-256, or XTS-SM4.

          NOTE:
          • The encryption algorithm can be configured only during namespace creation and cannot be modified afterwards.
          • XTS-SM4 can be selected only after a license supporting the SM algorithm is imported.
          • XTS-SM4 is supported only in the Chinese mainland.
      4. Click OK.

  6. Click Save.
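The Retention Policy rows of Table 1 (step 4) describe three pruning rules: expired files are deleted once they reach the retention period, and when capacity or file count exceeds its limit the earliest files are deleted until usage is at or below 90% of that limit. The Python walk-through below is an added example and not the storage system's own code; the log file records are constructed, and the order in which the three rules are applied is an assumption of the example. It is useful for sizing the namespace, since the 90% low-water mark means a capacity-bound namespace loses roughly a tenth of its audit history in one pruning pass.

```python
"""Walk-through of the Retention Policy rules in Table 1.

Added example, not the storage system's own code. Audit log files are modelled as
constructed records (name, size in MB, age in days) and pruned the way Table 1
describes: expired files are deleted, then the earliest files are deleted while
capacity or file count exceeds its limit, stopping at 90% of the limit. The limit
ranges, defaults and the 90% low-water mark come from Table 1; the order in which
the three rules are applied is an assumption of this example.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

LOW_WATER = 0.90  # Table 1: delete the earliest files until usage does not exceed 90% of the limit


@dataclass(frozen=True)
class LogFile:
    name: str
    size_mb: int
    age_days: int  # days since the file was written; larger means earlier


@dataclass(frozen=True)
class RetentionPolicy:
    """Limits from Table 1 with their documented ranges and defaults."""
    retention_days: int = 90     # 1 to 1200 days
    max_capacity_gb: int = 500   # 5 to 10,240 GB
    max_files_k: int = 50        # 1 K to 1000 K files

    def __post_init__(self) -> None:
        if not 1 <= self.retention_days <= 1200:
            raise ValueError("Retention Period (Days) must be 1 to 1200")
        if not 5 <= self.max_capacity_gb <= 10240:
            raise ValueError("Max. Retention Capacity (GB) must be 5 to 10,240")
        if not 1 <= self.max_files_k <= 1000:
            raise ValueError("Retained Log Files (K) must be 1 to 1000")


def prune(files: Sequence[LogFile], policy: RetentionPolicy) -> Tuple[List[LogFile], List[LogFile]]:
    """Return (kept, deleted) after applying the policy to a snapshot of the namespace."""
    # Earliest files first, so popping from the front removes the "earliest log files".
    remaining = sorted(files, key=lambda f: f.age_days, reverse=True)

    # Rule 1: a file whose age has reached the retention period is expired.
    deleted = [f for f in remaining if f.age_days >= policy.retention_days]
    remaining = [f for f in remaining if f.age_days < policy.retention_days]

    # Rule 2: capacity. Triggers only when usage exceeds the limit, then drains to 90% of it.
    cap_mb = policy.max_capacity_gb * 1024
    used_mb = sum(f.size_mb for f in remaining)
    if used_mb > cap_mb:
        while remaining and used_mb > LOW_WATER * cap_mb:
            victim = remaining.pop(0)
            used_mb -= victim.size_mb
            deleted.append(victim)

    # Rule 3: file count, with the same trigger-at-limit / drain-to-90% shape.
    max_files = policy.max_files_k * 1000
    if len(remaining) > max_files:
        while len(remaining) > LOW_WATER * max_files:
            deleted.append(remaining.pop(0))

    return remaining, deleted


def build_sample_files() -> List[LogFile]:
    """Constructed inventory: 1,200 five-megabyte files spread over 30 days plus 3 stale ones."""
    recent = [LogFile(f"audit_{i:04d}.xml", 5, i // 40) for i in range(1200)]
    stale = [LogFile(f"audit_old_{i}.xml", 5, 45 + i) for i in range(3)]
    return stale + recent


def headroom_after_prune(kept: Sequence[LogFile], policy: RetentionPolicy) -> float:
    """Fraction of the capacity limit still free once pruning has drained to the low-water mark."""
    return 1 - sum(f.size_mb for f in kept) / (policy.max_capacity_gb * 1024)


if __name__ == "__main__":
    tight = RetentionPolicy(retention_days=30, max_capacity_gb=5, max_files_k=1)
    kept, deleted = prune(build_sample_files(), tight)
    print(f"kept {len(kept)} files, deleted {len(deleted)}, "
          f"{headroom_after_prune(kept, tight):.1%} of capacity free")
```

With the constructed inventory and a 5 GB limit, the capacity rule removes 279 recent files in a single pass on top of the 3 expired ones; with a 10 GB limit, capacity is no longer binding and the 1 K file-count rule removes 300 instead. Whichever rule binds first decides how much history survives, which is why all three limits should be checked against the expected audit volume rather than left at defaults.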
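The naming rules in Table 2 (the general namespace rules and the stricter rules a namespace needs for virtual hosting access over the object service) and the CIFS and FTP share name rules in steps 4 and 5 of namespace creation are easy to get wrong when creation is scripted, for example through the create namespace general CLI command mentioned in Table 2. The following Python validators are an added example and not the product's own code; the function names are the example's own, uniqueness is checked against a caller-supplied set because it cannot be decided offline, and comparing reserved share names case-insensitively is the example's conservative choice rather than something the page states.

```python
"""Offline pre-flight checks for the naming rules stated on this page.

Added example, not the storage system's own code. It encodes the namespace naming
rules from Table 2 (general rules, plus the stricter rules for virtual hosting access
over the object service) and the CIFS and FTP share name rules from the share steps,
so that a script can reject a bad name before calling the management interface.
Uniqueness cannot be decided offline, so callers pass the names already in use.
Comparing reserved share names case-insensitively is this example's choice.
"""
import ipaddress
import re
import string
from typing import Iterable, List

LOWER_ALNUM = set(string.ascii_lowercase + string.digits)
CIFS_FORBIDDEN = set('"/\\[]:|<>+;,?*=')   # characters listed for CIFS share names
FTP_FORBIDDEN = CIFS_FORBIDDEN | {"#"}      # FTP share names additionally forbid '#'
RESERVED_SHARE_NAMES = {"ipc$", "autohome", "~", "print$"}


def namespace_name_errors(name: str, existing: Iterable[str] = ()) -> List[str]:
    """Rules every namespace name must meet (Table 2, Name)."""
    errors = []
    if name in set(existing):
        errors.append("name must be unique")
    if not 1 <= len(name) <= 255:
        errors.append("name must contain 1 to 255 characters")
    if not re.fullmatch(r"[A-Za-z0-9_.-]*", name):
        errors.append("only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed")
    if not re.search(r"[A-Za-z0-9]", name):
        errors.append("name must contain at least one letter or digit")
    return errors


def _is_ip_address(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def object_service_name_errors(name: str) -> List[str]:
    """Additional rules for a namespace that is reached as a bucket in virtual hosting mode."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("name must contain 3 to 63 characters")
    if not re.fullmatch(r"[a-z0-9.-]*", name):
        errors.append("only lowercase letters, digits, periods (.), and hyphens (-) are allowed")
    if not (name[:1] in LOWER_ALNUM and name[-1:] in LOWER_ALNUM):
        errors.append("name must start and end with a letter or digit")
    if ".-" in name or "-." in name:
        errors.append("name cannot contain .- or -.")
    if ".." in name:
        errors.append("name cannot contain consecutive periods")
    if _is_ip_address(name):
        errors.append("name cannot be an IP address")
    return errors


def share_name_errors(name: str, protocol: str = "CIFS") -> List[str]:
    """Rules for CIFS and FTP share names (steps 4 and 5 of namespace creation)."""
    forbidden = FTP_FORBIDDEN if protocol.upper() == "FTP" else CIFS_FORBIDDEN
    errors = []
    if not 1 <= len(name) <= 80:
        errors.append("name must contain 1 to 80 characters")
    bad = sorted(set(name) & forbidden)
    if bad:
        errors.append("name contains forbidden characters: " + " ".join(bad))
    if name != name.strip(" "):
        errors.append("name cannot start or end with a space")
    if name.lower() in RESERVED_SHARE_NAMES:
        errors.append("name is reserved")
    return errors


def check_audit_namespace_plan(namespace: str, shares: dict, existing: Iterable[str] = (),
                               object_service: bool = False) -> dict:
    """Collect every violation for a planned namespace and its shares in one report."""
    report = {"namespace": namespace_name_errors(namespace, existing)}
    if object_service:
        report["namespace"] += object_service_name_errors(namespace)
    for protocol, share in shares.items():
        report[f"{protocol} share"] = share_name_errors(share, protocol)
    return report


if __name__ == "__main__":
    plan = check_audit_namespace_plan("audit-logs", {"CIFS": "audit", "FTP": "ipc$"}, object_service=True)
    for target, problems in plan.items():
        print(f"{target}: {'ok' if not problems else '; '.join(problems)}")
```

Each function returns the full list of violated rules rather than stopping at the first one, so a rejected name can be corrected in one round trip.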