How Does Data Insight Handle FPolicy Audit Events When Disconnected from the NetApp Cluster

book

Article ID: 100048277

calendar_today

Updated On:

Description

How is FPolicy audit information handled if there was an outage between the NetApp Cluster Mode filer and the FPolicy server (DI Collector)

Background

Data Insight utilizes NetApp's FPolicy framework to capture file system audit events from the NetApp Cluster Mode filer
FPolicy can be configured in one of two modes, synchronous or asynchronous
Data Insight supports asynchronous mode only

Asynchronous notifications:

With asynchronous notifications, the node does not wait for a response from the FPolicy server, which enhances overall throughput of the system. This type of notification is suitable for applications where the FPolicy server does not require that any action be taken as a result of notification evaluation. For example, asynchronous notifications are used when the storage virtual machine (SVM) administrator wants to monitor and audit file access activity

If an FPolicy server operating in asynchronous mode experiences a network outage, FPolicy notifications generated during the outage are stored on the storage node. When the FPolicy server comes back online, it is alerted of the stored notifications and can fetch them from the storage node. The length of time the notifications can be stored during an outage is configurable up to 10 minutes

Summary

In the event of a disconnect between the FPolicy server and the NetApp Cluster Mode filer, up to a maximum of 10 minutes of audits can be held on the storage node of the filer (if configured)

Data Insight will be able to retrieve any events that are stored during the outage. If the outage is less than 10 minutes, there will be no event loss. If the outage is longer than 10 minutes, Data Insight will be able to capture only the available audit events held on the filer and event loss would be assumed