Veritas Data Insight Administrator's Guide
- Section I. Getting started
- Introduction to Veritas Data Insight administration
- Configuring Data Insight global settings
- Overview of Data Insight licensing
- About scanning and event monitoring
- About filtering certain accounts, IP addresses, and paths
- About archiving data
- About Data Insight integration with Symantec Data Loss Prevention (DLP)
- Configuring advanced analytics
- About open shares
- About bulk assignment of custodians
- Section II. Configuring Data Insight
- Configuring Data Insight product users
- Configuring Data Insight product servers
- About node templates
- About automated alerts for patches and upgrades
- Configuring saved credentials
- Configuring directory service domains
- Configuring containers
- Section III. Configuring native file systems in Data Insight
- Configuring NetApp file server monitoring
- Configuring clustered NetApp file server monitoring
- About configuring secure communication between Data Insight and cluster-mode NetApp devices
- Configuring EMC Celerra or VNX monitoring
- Configuring EMC Isilon monitoring
- Configuring EMC Unity VSA file servers
- Configuring Hitachi NAS file server monitoring
- Configuring Windows File Server monitoring
- Configuring Veritas File System (VxFS) file server monitoring
- Configuring monitoring of a generic device
- Managing file servers
- Adding filers
- Adding shares
- Renaming storage devices
- Configuring NetApp file server monitoring
- Section IV. Configuring SharePoint data sources
- Configuring monitoring of SharePoint web applications
- About the Data Insight web service for SharePoint
- Adding web applications
- Adding site collections
- Configuring monitoring of SharePoint Online accounts
- About SharePoint Online account monitoring
- Adding SharePoint Online accounts
- Adding site collections to SharePoint Online accounts
- Configuring monitoring of SharePoint web applications
- Section V. Configuring cloud data sources
- Section VI. Configuring ECM data sources
- Section VII. Health and monitoring
- Section VIII. Alerts and policies
- Section IX. Remediation
- Section X. Reference
- Appendix A. Backing up and restoring data
- Appendix B. Data Insight health checks
- Appendix C. Command File Reference
- Appendix D. Data Insight jobs
- Appendix E. Troubleshooting
- Troubleshooting FPolicy issues on NetApp devices
Enabling Windows event logging
Veritas Data Insight can publish events to the Windows Event log. Events are published on the same machine where they originate. Event logging is enabled by default.
To configure Windows event logging
- In the Management Console, click Settings > Global Settings > Event Notifications.
- Select the Enable Windows logging check box.
- Select the severity of events for which you want to enable Windows logging.
- Click Save.
The events published in DataInsightAlerts
log adhere to LEEF v 1.0 (Log Event Extended Format. LEEF is a customized event format for IBM QRadar. Here is a brief description of the event format.
Format:
{date} {hostname} LEEF:1.0|Veritas|DataInsight|{product_version}|{eventId}| attr1=val1\tattr2=val2…
Where,
date : Alert time formatted as MMM dd HH:mm:ss
eventID : <event ID>
The following attributes are populated for each event:
cat | Data Insight policy type (PT_USERCENTRIC / PT_DATACENTRIC / PT_DATACENTRICWL / PT_DATACENTRICBL / PT_RT_DATACENTRIC) |
policy | Data Insight policy name |
devTime | Format of devTime (MMM dd yyyy HH:mm:ss) |
sev | A number based on Data Insight policy severity (10: HIGH, 5: MEDIUM, 1: LOW). |
usrName | User who violated the policy (FirstName LastName / user@domain / SID) |
domain | Domain to which the violating user belongs. |
The following attributes are specific to the type of Data Insight policy for which the event is generated:
User Activity Deviation Policy
access_count_day | Today's access count |
access_count_week | This week's access count |
access_count_avg_week | Avg. weekly access count |
allowed_stddev | Allowed (standard) deviation |
allowed_count_day | Allowed daily access count |
Data Centric Policies (Data Activity, Real-time White List, Real-time Black List)
access_count | Today's access count. |
access_count_details | Detailed access count. |
allowed_count_day | Allowed daily access count. |
Real Time Sensitive Data Policy
dlp_policies | Data Loss Prevention (DLP) policies violated by the path that was accessed. |
access_types | Type of access made. |
access_count | Access count |
resource | Access path |
src | IP addresses |
If you do not want certain attributes to be reported into the Event log for privacy or security reasons, the following global attribute can be defined with comma separated list of attributes to be excluded:
leef.exclude.attrs=comma separated attr names Global attribute can be set using following command on MS: configdb.exe -O -J leef.exclude.attrs -j <attr1,attt2…>