Isilon Custom Event Handler


sc...@tacomadata.com

Jan 17, 2025, 4:34:49 PM
to Isilon Technical User Group
Hello Isilon People - I hope you'll enjoy this Friday afternoon question.

Our infosec people started a new way of poking at our Isilons to see if we've left any shares/exports unprotected.  This is making a fair amount of noise & notifications for me that I'd like to ignore.  

Is there a way I can create a custom event handler to ignore failures from a specific IP range?


These are some example events.
isiloncluster2-1# isi event events list|grep Mount|head

41.649190 12/10 11:06 I    40   747809         Mount request from 11.22.33.44 for /ifs/isiloncluster2/sysadmin/iiq_datastore_new failed with error: STATUS_ACCESS_DENIED

41.649189 12/10 11:06 I    40   747810         Mount request from 11.22.33.44 for /ifs/isiloncluster2 failed with error: STATUS_ACCESS_DENIED

41.649187 12/10 11:06 I    40   747811         Mount request from 11.22.33.44 for /ifs/isiloncluster2/imaging/pacs/mckesson/mbvpacsapp012_backup failed with error: STATUS_ACCESS_DENIED

41.649200 12/10 11:06 I    40   747812         Mount request from 11.22.33.44 for /ifs/isiloncluster2/sysadmin/qdcnim_mksysbdir failed with error: STATUS_ACCESS_DENIED

Thanks - I appreciate any help.

-Scott

sc...@tacomadata.com

Jan 17, 2025, 6:34:20 PM
to Isilon Technical User Group
I'm going to answer my own question here:

After digging into the event/eventgroup/channel/alert system for the past hour, it seems a bit over-engineered.  There might be a better way, but my easy answer for now is:

a) Locate the event type number associated with the troublesome events
# isi event events list -v |less
           ID: 35.673107
Eventgroup ID: 751469
   Event Type: 400130001
      Message: Mount request from 11.22.33.44 for /blah_blah_blah failed with error: STATUS_NOT_FOUND
        Devid: 35
          Lnn: 34
         Time: 2025-01-16T17:32:44
     Severity: information
        Value: 0.0

b) Suppress it
 isi event suppress modify 400130001 --suppress true

c) Check your work:

isi event suppress list
ID        Name
---------------------------------------
400050004 SW_CELOG_HEARTBEAT
400130001 SW_MOUNTD_CLIENT_MOUNT_FAILED
---------------------------------------


d) Undo the suppression if necessary

isi event suppress modify 400130001 --suppress false


e)  ... Profit!
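
A check worth running before step b, as an added example that is not part of the original post: the suppression is keyed on the event type rather than the client address, so this script splits the mount-failure lines from `isi event events list` by source address and reports any that come from outside the scanner range. The scanner CIDR, the second client address and the sample lines are constructed assumptions; the line format follows the output quoted in the question.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the range the infosec scanner runs from (constructed value).
SCANNER_NET = ipaddress.ip_network("11.22.33.0/24")

# Matches the message text shown in the `isi event events list` output above.
MOUNT_FAIL = re.compile(
    r"Mount request from (?P<ip>\S+) for .+? failed with error: (?P<status>\w+)"
)

def triage(lines, scanner_net=SCANNER_NET):
    """Split mount-failure events into scanner noise and everything else.

    Returns (scanner_count, others); others is a Counter keyed by
    (source, status) for clients outside the scanner range.
    """
    scanner_count = 0
    others = Counter()
    for line in lines:
        m = MOUNT_FAIL.search(line)
        if not m:
            continue  # not a mount-failure event
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            # Unparseable source (e.g. a hostname): never count it as scanner noise.
            others[(m.group("ip"), m.group("status"))] += 1
            continue
        if src in scanner_net:
            scanner_count += 1
        else:
            others[(str(src), m.group("status"))] += 1
    return scanner_count, others

# Constructed sample in the format of the events quoted in the question.
SAMPLE = """\
41.649190 12/10 11:06 I    40   747809         Mount request from 11.22.33.44 for /ifs/isiloncluster2/sysadmin failed with error: STATUS_ACCESS_DENIED
41.649189 12/10 11:06 I    40   747810         Mount request from 11.22.33.44 for /ifs/isiloncluster2 failed with error: STATUS_ACCESS_DENIED
41.649201 12/10 11:09 I    40   747813         Mount request from 10.9.8.7 for /ifs/isiloncluster2 failed with error: STATUS_ACCESS_DENIED
41.649202 12/10 11:10 I    40   747814         Mount request from 10.9.8.7 for /ifs/blah failed with error: STATUS_NOT_FOUND
41.649203 12/10 11:10 I    40   747815         Heartbeat event
""".splitlines()

if __name__ == "__main__":
    noise, others = triage(SAMPLE)
    print(f"scanner-range failures: {noise}")
    for (src, status), n in others.most_common():
        print(f"review: {src} {status} x{n}")
```

If the review list is non-empty, those clients are the failures that would no longer be visible once the event type is suppressed.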