Configuring the Audit Log Function

Precautions

• An audit log namespace shares the storage pool space with other namespaces.
• Only one audit log namespace can be created for an account.
• Quotas and dtrees cannot be created for an audit log namespace.
• Remote replication pairs cannot be created for an audit log namespace.
• The recycle bin function cannot be configured an audit log namespace.
• The WORM function cannot be configured for an audit log namespace.
• No tiered deletion policy can be configured for an audit log namespace.
• Snapshot rollback is not supported for an audit log namespace.
• The antivirus scanning function cannot be configured for an audit log namespace.
• DPC access cannot be configured for an audit log namespace.
• DPC access operations cannot be recorded for an audit log namespace.
• HDFS SmartTakeover cannot be configured for an audit log namespace.

Prerequisites

The file, object, or HDFS service has been enabled.

Procedure

1. Choose Settings > Data Security > Audit Log.
2. Select a desired account from the Account drop-down list in the upper left corner.
3. Enable Audit Log.
4. Set audit log parameters. Table 1 describes the parameters.

   Table 1 Audit log parameters

   Parameter	Description
   Audit CIFS Login and Logout	After this function is enabled, the system logs CIFS login and logout events.
   Audit FTP Login and Logout	After this function is enabled, the system logs FTP login and logout events.
   Audit File Access	After this function is enabled, the system logs file access events.
   Output Format	Format in which an audit log file is generated. The value can be XML, EVTX, or TXT. NOTE: If a third-party log system is connected, you are advised to select the XML format. To reduce the CPU usage for format conversion and the space usage, select the TXT format. If you want to use the Window event viewer to analyze logs, select the EVTX format.
   Single Log File (MB)	Size of a log file saved in the system. NOTE: Size of a single audit log file. The value ranges from 10 MB to 100 MB. If the size of a single log file is large, opening the log file using a browser or third-party tool may be slow or an exception may occur. You are advised to set the size of a single log file to 10 MB. However, this will increase the number of log files. If log file retrieval is not restricted by the file size, you are advised to set the size of a single log file to 100 MB. In this way, the number of log files can be effectively reduced.
   Audit Log Namespace	Namespace for storing audit log files. Click Create. On the displayed create namespace page, create a namespace for storing audit logs. For details, see 5. NOTE: An account can create only one audit log namespace.
   Retention Policy	Retention policy of audit log files. Possible options are: Retention Period (Days): retention period of audit log files. The value ranges from 1 to 1200 days. The default value is 90 days. When the retention period of log files in the audit log namespace reaches the threshold, the system will automatically delete expired log files. Max. Retention Capacity (GB): namespace capacity occupied by audit log files. The value ranges from 5 GB to 10,240 GB. The default value is 500 GB. When the occupied capacity of log files in the audit log namespace exceeds the specified value, the system automatically deletes the earliest log files until the capacity does not exceed 90% of the specified value. Retained Log Files (K): number of retained audit log files in the audit log file system. The value ranges from 1 K to 1000 K. The default value is 50 K. When the number of log files in the audit log namespace exceeds the specified value, the system automatically deletes the earliest log files until the number does not exceed 90% of the specified value. NOTE: If you have requirements on the retention period of audit logs, you are advised to select Retention Period (Days) and set the retention period as required. If you have requirements on the space occupied by audit logs, you are advised to select Max. Retention Capacity (GB). For logs recorded for the same operation object, the space occupied by the three formats is TXT < XML < EVTX. When the retention policy of audit log files is set to Max. Retention Capacity (GB) or Retained Log Files (K), the namespace quota may exceed the expected threshold under heavy service loads due to delayed deletion in the system. Assume that n is the number of nodes. The maximum capacity occupied by log files may exceed the preset value by 7n (GB) or the maximum number of log files may exceed the preset value by 0.7n (K), which will fall below the set value under the retention policy after the service loads decrease.

5. Create an audit log namespace.
   1. In the Audit Log Namespace area, click Create.

      The Create Namespace dialog box is displayed.

   2. Set basic information related to the audit log namespace, as shown in Table 2.

      Table 2 Namespace parameters

      Parameter	Description
      Name	Name of the new namespace. NOTE: The naming rules of a namespace are as follows: The name must be unique. The name can only consist of letters, digits, underscores (_), hyphens (-), and periods (.), and must contain letters or digits. The name can contain 1 to 255 characters. To enable the object service for a namespace, the namespace name must meet the following rules. Otherwise, the bucket cannot be accessed in virtual hosting mode, and the domain name resolution will fail. In this case, the bucket can be accessed only in path mode. The name can contain only lowercase letters, digits, periods (.), and hyphens (-), and must start and end with a letter or digit. In addition, the name cannot contain the combination of a period and a hyphen (.- or -.), nor contain consecutive periods (..). The name can contain 3 to 63 characters. The name cannot be an IP address.
      Storage Pool	Storage pool to which the new namespace belongs.
      Redundancy Ratio	Redundancy ratio of the new namespace. It must be the same as that of the owning storage pool. NOTE: This parameter is available only for storage pools that use the EC redundancy policy.
      Security Style	Security style to be selected based on service requirements. The options are: Mixed: applies to scenarios where users of CIFS clients (using the SMB protocol) and UNIX clients (using the NFS, HDFS, or DPC protocol) can access and control namespaces. In this style, CIFS permissions (NT ACLs) and UNIX permissions (UNIX mode bits, POSIX ACLs, or NFSv4 ACLs) cannot co-exist. Only the latest configured permissions on either CIFS or UNIX clients take effect. Native: applies to the same scenarios as the Mixed style. The difference between the Native style and the Mixed style is that CIFS permissions (NT ACLs) and UNIX permissions (UNIX mode bits, POSIX ACLs, or NFSv4 ACLs) can co-exist and will neither affect nor synchronize with each other in Native style. NTFS: applies to scenarios where Windows NT ACLs control users' permissions. UNIX: applies to scenarios where UNIX mode bits, POSIX ACLs, or NFSv4 ACLs control users' permissions. NOTE: In Mixed style (which supports NT ACLs), if you configure an NT ACL for a file or directory on a Windows client and switch Mixed to UNIX, the NT ACL in Mixed style will become invalid.
      Application Type	Preset application type provided for typical applications. The value can be GENERAL or PACS. NOTE: The picture archiving and communication system (PACS) is applicable to medical imaging scenarios in hospital imaging departments. For details about the PACS, see the Product Description of the corresponding version. GENERAL is the default value and applies to scenarios except those of PACS. For a namespace with the PACS application type, the semantic-layer distribution algorithm is Simplified mode. In this mode, the number of directory fragments is 1. For a namespace with the GENERAL application type, the semantic-layer distribution algorithm is Balanced mode. In this mode, the number of directory fragments is 8. Directory fragmentation is used to divide a directory metadata object into multiple logical metadata objects. The number of directory fragments refers to the number of copies of metadata objects divided from a single directory. Before a directory is fragmented, subfile data and metadata objects in the directory can be stored on only one storage node, leading to concentrated pressure on this node. After the directory is fragmented, subfile data and metadata objects in the directory can be evenly stored on multiple storage nodes, improving the namespace concurrency capability. Dividing a directory into multiple fragments is suitable for large directories or directories that contain multiple large files. You can also run the create namespace general command on the CLI to create a namespace with other directory fragments. For details, see the Command Reference of the corresponding version.

   3. Configure an NFS share.
      

      • The NFS share function is disabled by default. It is recommended that an NFS share be configured not in this operation but in follow-up operations.
      • After the NFS share function is enabled, the maximum and minimum WORM retention periods cannot be set for the object service at the prefix level in the converged interworking scenario.
      • This step can be performed only when the file service is enabled for the storage pool.
      1. Enable NFS and click Configure.

         The Configure NFS Share page is displayed.

      2. Configure access permissions for the NFS share.
         Click Add to add a client. For details, see Adding a Client.

         

         • You can click More on the right of a client and select Modify to modify its information.
         • You can select one or more clients and click Remove, or click More on the right of a client and select Remove, to remove clients.
      3. Click OK.
   4. Configure a CIFS share.
      

      • The CIFS share function is disabled by default. It is recommended that a CIFS share be configured not in this operation but in follow-up operations.
      • After the CIFS share function is enabled, the maximum and minimum WORM retention periods cannot be set for the object service at the prefix level in the converged interworking scenario.
      • This step can be performed only when the file service is enabled for the storage pool.
      1. Enable CIFS and click Configure.

         The Configure CIFS Share page is displayed.

      2. Set the name of the CIFS share.
         

         • The name must be unique.
         • The share name cannot contain characters " / \ [ ] : | < > + ; , ? * =, start or end with a space, or be reserved name ipc$, autohome, ~, or print$.
         • The name contains 1 to 80 characters.
      3. Configure access permissions for the CIFS share.
         Click Add to add a user or user group. For details, see Adding a User or User Group.

         

         • Click More on the right of a user or user group and select Modify to modify the user or user group.
         • Select one or more users or user groups and click Remove, or click More on the right of a user or user group and select Remove to remove added users or user groups.
      4. Click OK.
   5. Configure an FTP share.
      

      • The FTP share function is disabled by default. It is recommended that an FTP share be configured not in this operation but in follow-up operations.
      • This operation is available only when the file, object, or HDFS service is enabled for the storage pool.
      • Before configuring an FTP share, enable the FTP service and set the FTP share authentication type. For details, see Managing FTP Shares and Setting an Authentication Type.
      1. Enable FTP and click Configure.

         The Configure FTP Share page is displayed.

      2. Set the name of the FTP share.
         

         • The name must be unique.
         • The share name cannot contain characters "/\[]:|<>+;,?*=#, start or end with a space, or be reserved name ipc$, autohome, ~, or print$.
         • The name contains 1 to 80 characters.
      3. Configure access permissions for the FTP share.
         Click Add to add a user. For details, see Adding a User.

         

         • Click More on the right of a user and select Modify to modify the user's permissions.
         • Select a user and click Remove, or click More on the right of the user and select Remove to remove the user.
      4. Click OK.
   6. Configure the HDFS service.
      

      • This step can be performed only when the HDFS service is enabled for the storage pool.
      • When Service Type is set to Intelligent video and image or Backup and archiving, the HDFS service is not supported.
      1. In Protocol, enable HDFS.
      2. Select the zone associated with the namespace.
         1. In Associate with Zone, click Select.

            The Associate with Zone (HDFS) page is displayed.

         2. Select the subnet to which the access zone to be associated with belongs.
         3. Select the access zone to be associated.
            

            • If no subnet is configured, you can click Create to create one. For details, see Creating a Subnet.
            • If a subnet has been configured, you can click Modify in Subnet to modify the subnet parameters. For details, see Modifying a Subnet.
            • After creating a subnet, you can click Create to create an access zone. For details, see Creating an Access Zone.
         4. Click OK.
   7. Configure the object service.
      

      • The object protocol can be enabled only when the object service is enabled for the storage pool and POE authentication is used. If IAM authentication is used, the object protocol cannot be enabled.
      • The object service is supported only when Service Type is set to Intelligent video and image and a license that supports SmartInterworking is imported.
      1. In Protocol, enable Object.
      2. Configure bucket permissions for the namespace. The audit log namespace supports only private bucket permissions.

         Private: The owner of the bucket (the account that creates the bucket) has full control of the bucket. Other users cannot access the bucket without authorization.

   8. Click Advanced and set advanced information about the namespace.
      1. Select whether to enable Automatic Update of Atime. Atime indicates the time when the namespace is accessed. After this function is enabled, the system updates the atime based on the value of Update Frequency. After enabling Automatic Update of Atime, you need to set the update frequency of atime. The value can be Hourly or Daily.
         

         Enabling Automatic Update of Atime compromises system performance.

      2. Set the display mode of the space occupied by directories or files when the ls -l command is executed. For details, see Table 3.

         Table 3 Directory and file space display

         Directory Space Display Mode	Current Directory	File in Current Directory	Subdirectory in Current Directory	Subdirectory File
         Space occupied by a directory	√	X	X	X
         Space occupied by all files in the current directory	X	√	X	X
         Space occupied by all files in the current directory and its subdirectories	X	√	X	√
         √: The space size is displayed. X: The space size is not displayed.

      3. Set the data security and protection functions of the namespace.

         Table 4 describes related parameters.

         Table 4 Data security and protection parameters

         Parameter	Description
         Snapshot Directory Visibility	Whether the directory of namespace snapshots is visible. If this parameter is set to Visible, the system displays the .snapshot directory in the namespace.
         Data Encryption	Whether to enable the data encryption function. After this function is enabled, the system generates a key to encrypt the data written to the namespace. NOTE: Data encryption is supported only after an advanced license is imported. Data encryption for a namespace can be configured only when the namespace is created, and cannot be disabled once enabled. Before enabling data encryption for a namespace, enable data encryption for the account. After data encryption is enabled, the I/O performance of non-encrypted services will be affected. Confirm that this function needs to be enabled. When the object protocol is enabled for the namespace, data encryption and SSE-C server-side encryption cannot be used at the same time. Double encryption severely affects performance. If data encryption is enabled, the object protocol no longer supports SSE-C server-side encryption for individual objects.
         Encryption Algorithm	After Data Encryption is enabled, you need to select an encryption algorithm. The value can be XTS-AES-128, XTS-AES-256, or XTS-SM4. NOTE: The encryption algorithm can be configured only during namespace creation and cannot be modified after that. XTS-SM4 can be selected only after a license supporting the SM algorithm is imported. XTS-SM4 is supported only in the Chinese mainland.

      4. Click OK.

6. Click Save.