Storage and Backups-Nutanix

Epoch Documentation

21-Nov-2018

For Epoch documentation, see https://docs.epoch.nutanix.com/


File Analytics Guide

Files 3.0

Last updated: 2022-06-14

File Analytics

File Analytics provides data and statistics on the operations and contents of a file server.

Once deployed, Nutanix Files adds a File Analytics VM (FAVM) to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. File Analytics protects data on the FAVM, which is kept in a separate volume group.

Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. Use the link to access File Analytics on any file server that has File Analytics enabled.

Figure. File Analytics VM

Display Features

The File Analytics web console includes the following display features:

Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:

  • Dashboard tab : View widgets that present data on file trends, distribution, and operations, see Dashboard.
  • Audit Trails tab : Search for a specific user or file and view various widgets to audit activity, see Audit Trails.
  • Anomalies tab : Create anomaly policies and view anomaly trends, see Anomalies.
  • Ransomware tab : Configure ransomware protection and self-service restore (SSR) snapshots, see Ransomware Protection.
    Warning: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.
  • Reports tab : Create custom reports or use pre-canned report templates, see Reports.
  • Status icon : Check the file system scan status.
  • File server drop-down : View the name of the file server for which data is displayed.
  • Settings drop-down : Manage File Analytics and configure settings, see Administration and File Analytics Options.
  • Health icon : Check the health of File Analytics, see Health.
  • Admin dropdown : Collect logs and view the current File Analytics version.

Deployment Requirements

Meet the following requirements prior to deploying File Analytics.

Ensure that you have performed the following tasks and your Files deployment meets the following specifications.

  • Assign the file server administrator role to an Active Directory (AD) user, see Managing Roles in the Nutanix Files Guide .
  • Log on as the Prism admin user to deploy the File Analytics server.
  • Configure a VLAN with one dedicated IP address for File Analytics, or you can use an IP address from an existing Files external network. This IP address must have connectivity to AD, the control VM (CVM), and Files. See "Configuring a Virtual Network For guest VM Interfaces" in the Prism Web Console Guide.
    Note: Do not install File Analytics on the Files internal network.
  • (optional) Assign the file server administrator role to an LDAP user, see Managing Roles in the Nutanix Files Guide .
  • Ensure that all software components meet the supported configurations and system limits, see the File Analytics Release Notes .

Network Requirements

Open the required ports, and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.

The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.

In addition to meeting the File Analytics network requirements, ensure that you meet the Nutanix Files port requirements described in the Port Reference .

Limitations

File Analytics has the following limitations.

Note: Depending on data set size, file count, and workload type, enabling File Analytics can affect the performance of Nutanix Files. High latency is more common with heavy file-metadata operations (directory and file creation, deletion, permission changes, and so on). To minimize the impact on performance, ensure that the host has enough CPU and memory resources to handle the File Analytics VM (FAVM), file servers, and guest VMs (if any).
  • Only Prism admin can deploy File Analytics.
  • File Analytics analyzes data from daily up to 1 year based on the configuration. File Analytics automatically deletes data beyond the defined configuration.
    Note: After surpassing the audit event threshold, as specified in File Analytics Release Notes , Analytics archives the oldest events. Archived audit events do not appear in the Analytics UI.
  • You cannot deploy or decommission File Analytics when a file server has high-availability (HA) mode enabled.
  • You cannot use network segmentation for Nutanix Volumes with File Analytics.
  • If file server DNS or IP changes, File Analytics does not automatically reconfigure.
  • File Analytics does not collect metadata for files on Kerberos authenticated NFS v4.0 shares.
  • File Analytics does not support hard links.
  • You cannot enable File Analytics on a file server clone.
  • You cannot move File Analytics to another storage container.
  • File Analytics creates an unprotected Prism and an unprotected file server user for integration purposes. Do not delete these users.
  • The legacy file blocking policy has an upper limit of 300 ransomware extensions.
    Note: For higher limits, it is recommended to use Nutanix Data Lens.
  • File Analytics does not support the following operations for graceful shutdown:
    • AHV: power cycle, power off
    • ESXi: power off, reset

Administration

Overview of administrative processes for File Analytics.

As an admin, you have the required permissions for performing File Analytics administrative tasks. To add a file server admin user, see Managing Roles in the Nutanix Files Guide . The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.

Deploying File Analytics

Follow this procedure to deploy the File Analytics server.

Before you begin

Ensure that your environment meets all requirements prior to deployment, see Deployment Requirements.

Procedure

Deploying the File Analytics server.
  1. Go to Support Portal > Downloads > File Analytics .
  2. Download the File Analytics QCOW2 and JSON files.
  3. Log on to Prism with the user name and password of the Prism administrator.
    Note: An Active Directory (AD) user or an AD user mapped to a Prism admin role cannot deploy File Analytics.
  4. In Prism, go to the File Server view and click the Deploy File Analytics action link.
    Figure. File Analytics

  5. Review the File Analytics requirements and best practices in the Pre-Check dialog box.
  6. In the Deploy File Analytics Server dialog box, do the following in the Image tab.
    • Under Available versions , select one of the available File Analytics versions (continue to step 8).
    • Install by uploading installation binary files (continue to next step).
  7. Upload installation files.
    1. In the Upload binary section, click upload the File Analytics binary to upload the File Analytics JSON and QCOW files.
      Figure. Upload Binary Link
    2. Under File Analytics Metadata File (.Json) , click Choose File to choose the downloaded JSON file.
    3. Under File Analytics Installation Binary (.Qcow2) click Choose File to choose the downloaded QCOW file.
      Figure. Upload Binary Files
    4. Click Upload Now after choosing the files.
  8. Click Next .
  9. In the VM Configuration tab, do the following in the indicated fields:
    1. Name : Enter a name for the File Analytics VM (FAVM).
    2. Server Size : Select either the small or large configuration. Large file servers require larger configurations for the FAVM. By default File Analytics selects the large configuration.
    3. Storage Container: select a storage container from the drop-down.
      The drop-down only displays file server storage containers.
    4. Network List : Select a VLAN.
      Note: If the selected network is unmanaged , enter more network details in the Subnet Mask , Default Gateway IP , and IP Address fields as indicated.
      Note: The FAVM must use the client-side network.
  10. Click Deploy .
    In the main menu drop-down, select the Tasks view to monitor the deployment progress.

Results

Once deployment is complete, File Analytics creates an FAVM, CVM, and a new Files user to make REST API calls. Do not delete the CVM, FAVM, or the REST API user.

Enabling File Analytics

Steps for enabling File Analytics after deployment or disablement.

About this task

Attention: Nutanix recommends enabling File Analytics during off-peak hours.

Follow these steps to enable File Analytics after disabling the application.

Note: File Analytics saves all previous configurations.

Procedure

  1. In the File Server view in Prism , select the target file server.
  2. (Skip to step 3 if you are re-enabling a file server.) Click Manage roles to add a file server admin user, see Managing Roles in the Nutanix Files Guide .
  3. In the File Server view, select the target file server and click File Analytics in the tabs bar.
  4. (Skip to step 5 if you are not re-enabling a disabled instance of File Analytics.) To re-enable File Analytics, click Enable File Analytics in the message bar.
    Figure. Enabling File Analytics Link
    The Enable File Analytics dialog-box appears. Skip the remaining steps.
  5. In the Data Retention field, select a data retention period. The data retention period refers to the length of time File Analytics retains audit events.
  6. In the Authentication section, enter the credentials as indicated:
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. (For SMB users only) In the SMB section, do the following in the indicated fields to provide SMB authentication details:
      • Active Directory Realm Name : Confirm the AD realm name for the file server.
      • Username : Enter the AD username for the file server administrator, see File Analytics Prerequisites .
      • Password : Enter the AD user password for the file server administrator.
    2. (For NFS users only) In the NFS Authentication section, do the following in the indicated fields to provide NFS authentication details:
      • LDAP Server URI : Enter the URI of the LDAP server.
      • Base DN : Enter the base DN for the LDAP server.
      • Password : Enter the LDAP user password for the file server administrator.

  7. Click Enable .

Results

After enablement, File Analytics performs a one-time file system scan to pull metadata information. The duration of the scan varies depending on the protocol of the share. There is no system downtime during the scan.

Example

Scanning 3–4 million NFS files or 1 million SMB files takes about 1 hour.

Disabling File Analytics

About this task

Follow the steps as indicated to disable File Analytics.

Procedure

  1. In File Analytics click the gear icon > Disable File Analytics .
  2. In the dialog-box, click Disable .
    Disabling File Analytics disables data collection. The following message banner appears.
     File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data. 

What to do next

To delete data, click the Delete File Analytics Data link in the banner described in Step 2.

Launching File Analytics

About this task

Do the following to launch File Analytics.

Procedure

  1. From the Prism views drop-down, select the File Server view.
  2. Select the target file server from the entity tab.
  3. Click the File Analytics action button below the entity table.
    Figure. Launch File Analytics. The File Analytics action button.

File Analytics VM Management

To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide .

Removing File Analytics VMs

Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.

About this task

Follow the steps as indicated to remove an FAVM.
Note: Do not delete an FAVM using the CLI, as this operation does not decommission the FAVM.

Procedure

  1. Disable File Analytics on all file servers in the cluster, see Disabling File Analytics.
  2. In the File Server view in Prism Element, do the following:
    1. In the top actions bar, click Manage File Analytics .
    2. Click Delete to remove the FAVM.
    When you delete an FAVM, you also delete all of your File Analytics configurations and audit data stored on the FAVM.

Updating Credentials

About this task

Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.

Procedure

  1. Click gear icon > Update AD/LDAP Configuration .
  2. To update Active Directory credentials, do the following in the indicated fields (otherwise move on to the next step).
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. Active Directory Realm Name: confirm or replace the realm name.
    2. Username: confirm or replace the username.
    3. Password: type in the new password.
  3. To update NFS configuration, do the following (otherwise move on to the next step).
    1. LDAP Server URI: confirm or replace the server URI.
    2. Base DN: confirm or replace the base distinguished name (DN).
    3. Bind DN (Optional): confirm or replace the bind distinguished name (DN).
    4. Password: type in the new password.
  4. Click Save .

Managing Deleted Share/Export Audits

Manage the audit data of deleted shares and exports.

About this task

By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears next to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.

Follow the directions as indicated to delete audit data for the deleted share or export.

Note: You cannot restore the deleted audit data of a deleted share or export.

Procedure

  1. Click the gear icon > Manage Deleted Share/Export Audit .
  2. Check the box next to the share or export name.
  3. Click Delete .
  4. In the confirmation window, click Delete to confirm the deletion of data.
    In the Manage Deleted Share/Export Audit , a progress bar displays the progress of the deletion process next to the share name. File Analytics considers data deletion of a deleted share a low-priority task, which can take several hours to finish.

Changing an FAVM Password

Steps for updating the password of a File Analytics VM (FAVM).

About this task

Procedure

  1. Log on to an FAVM with SSH.
  2. Change the nutanix password.
    nutanix@fsvm$ sudo passwd nutanix
  3. Respond to the prompts, providing the current and new nutanix user password.
    Changing password for user nutanix.
    Old Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Note:

    The password must meet the following complexity requirements:

    • At least 8 characters long
    • At least 1 lowercase letter
    • At least 1 uppercase letter
    • At least 1 number
    • At least 1 special character
    • At least 4 characters difference from the old password
    • Should not be among the last 10 passwords

Upgrades

Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.

Before you upgrade File Analytics, ensure that you are running a compatible version of AOS and Files. Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .

To upgrade File Analytics, perform inventory and updates using the Life-Cycle Manager (LCM), see the Life Cycle Manager Guide for instructions on performing inventory and updates. LCM cannot upgrade File Analytics when the protection domain (PD) for the File Analytics VM (FAVM) includes any other entities.

Note: The File Analytics UI is not accessible during upgrades.

During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes the snapshot after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.

Upgrade File Analytics at a Dark Site

Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).

About this task

Before you begin

You need a local web server reachable by your Nutanix clusters to host the LCM repository.

Procedure

  1. From a device that has public Internet access, go to Nutanix Portal > Downloads > Tools & Firmware .
    1. Download the tar file lcm_dark_site_version.tar.gz .
    2. Transfer lcm_dark_site_version.tar.gz to your local web server and untar into the release directory.
  2. From a device that has public Internet access, go to the Nutanix portal and select Downloads > File Analytics .
    1. Download the following files.
      • file_analytics_dark_site_version.tar.gz
      • nutanix_compatibility.tgz
      • nutanix_compatibility.tgz.sign
    2. Transfer file_analytics_dark_site_version.tar.gz to your local web server and untar into the release directory.
    3. Transfer the nutanix_compatibility.tgz and nutanix_compatibility.tgz.sign files to your local web server (overwrite existing files as needed).
  3. Log on to Prism Element.
  4. Click Home > LCM > > Settings .
    1. In the Fetch updates from field, enter the path to the directory where you extracted the tar file on your local server. Use the format http://webserver_IP_address/release .
    2. Click Save .
      You return to the Life Cycle Manager.
    3. In the LCM sidebar, click Inventory > Perform Inventory .
    4. Update the LCM framework before trying to update any other component.
      The LCM sidebar shows the LCM framework with the same version as the file you downloaded.

Dashboard

The Dashboard tab displays data on the operational trends of a file server.

Dashboard View

The Dashboard tab is the opening screen that appears after launching File Analytics from Prism. The dashboard displays widgets that present data on file trends, distribution, and operations.

Figure. File Analytics Dashboard. File Analytics data panes in the Dashboard view.

Table 1. Dashboard Widgets

| Tile Name | Description | Intervals |
|---|---|---|
| Capacity trend | Displays capacity trends for the file server including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view. | 7 days, the last 30 days, or the last 1 year. |
| Data age | Displays the percentage of data by age. Data age determines the data heat, including: hot, warm, and cold. | Default intervals are as follows: Hot data – accessed within the last week; Warm data – accessed within 2 to 4 weeks; Cold data – accessed 4 weeks ago or later. |
| Anomaly alerts | Displays alerts for configured anomalies and ransomware detection based on blocked file types, see Configuring Anomaly Detection. | [alert] |
| Permission denials | Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more. | [user id], [number of permission denials] |
| File distribution by size | Displays the number of files by file size. Provides trend details for top 5 files. | Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB. |
| File distribution by type | Displays the space taken up by various applications and file types. The file extension determines the file type. See the File types table for more details. | MB or GB |
| File distribution by type details view | Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. | Daily size trend for top 5 files (GB), file type (see the "File Type" table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB). |
| Top 5 active users | Lists the users who have accessed the most files and number of operations the user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more. | 24 hours, 7 days, 1 month, or 1 year. |
| Top 5 accessed files | Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more. | 24 hours, 7 days, 1 month, or 1 year. |
| Files operations | Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. | 24 hours, 7 days, 1 month, or 1 year. |

Capacity Trend Details

Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export , Folder , and Category . Each tab includes columns with entity details: name, net capacity change, capacity added, and capacity removed.

Figure. Capacity Trend Details View. Clicking on the Capacity Trend widget in the Dashboard tab displays the Capacity Trend Details view.

Table 2. Capacity Trend Details

| Category | Description |
|---|---|
| Name | Name of share/export, folder, or category. |
| Net capacity change | The total difference between capacity at the beginning and the end of the specified period. |
| Share name (for folders only) | The name of the share or export that the folder belongs to. |
| Capacity added | Total added capacity for the specified period. |
| Capacity removed | Total removed capacity for the specified period. |

File Distribution by Type Details

Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table for details.

Figure. File Distribution by Type. Clicking View Details on the File Distribution by Type widget displays the File Distribution by Type dashboard.

Table 3. Details of File Distribution Parameters

| Category | Description |
|---|---|
| File type | Name of file type |
| Current space used | Space capacity occupied by the file type |
| Current number of files | Number of files for the file type |
| Change (in last 30 days) | The increase in capacity over a 30-day period for the specified file type |

Table 4. File Types

| Category | Supported File Type |
|---|---|
| Archives | .cab, .gz, .rar, .tar, .z, .zip |
| Audio | .aiff, .au, .mp3, .mp4, .wav, .wma |
| Backups | .bak, .bkf, .bkp |
| CD/DVD images | .img, .iso, .nrg |
| Desktop publishing | .qxd |
| Email archives | .pst |
| Hard drive images | .tib, .gho, .ghs |
| Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff |
| Installers | .msi, .rpm |
| Log Files | .log |
| Lotus notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf |
| MS Office documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb |
| System files | .bin, .dll, .exe |
| Text files | .csv, .pdf, .txt |
| Video | .avi, .mpg, .mpeg, .mov, .m4v |
| Disk image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd |

File Operation Trend

Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.

Figure. Operation Trend. A graph displays the number of times the specified operation took place over time.

Table 5. File Operation Trend View Parameters

| Category | Description |
|---|---|
| Operation type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types. |
| Last (time period) | A drop-down option to specify the period for the file operation trend. |
| File operation trend graph | The x-axis displays shorter intervals for the specified period. The y-axis displays the number of operations trend over the extent of the intervals. |

Health

The Health dashboard displays dynamically updated health information about each File Analytics component.

The Health dashboard includes the following details:

  • Data Summary : Data summary of all file servers with File Analytics enabled.
  • Host Memory : Percent of used memory on the File Analytics VM (FAVM).
  • Host CPU Usage : Percent of CPU used by the FAVM.
  • Storage Summary : Amount of storage space used on the File Analytics data disk or FAVM disk.
  • Overall Health : Overall health of File Analytics components.
  • Data Server Summary : Data server usage by component.

Figure. Health Page. The Health page dashboard includes tiles that dynamically update to indicate the health of relevant entities.

Data Age

The Data Age widget in the Dashboard provides details on data heat.

Share-level data is displayed to provide details on share capacity trends. There are three levels of data heat.

  • Hot – frequently accessed data (last accessed within the last week).
  • Warm – infrequently accessed data (last accessed within the last 2 to 4 weeks).
  • Cold – rarely accessed data (last accessed longer than 4 weeks ago).

You can configure the definitions for each level of data heat rather than using the default values.

Configuring Data Heat Levels

Update the values that constitute different data heat levels.

Procedure

  1. In the Data Age widget, click Explore .
  2. Click Edit Data Age Configuration .
  3. Do the following in the Hot Data section:
    1. In the entry field next to Older Than , enter an integer.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  4. Do the following in the Warm Data section to configure two ranges :
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  5. Do the following in the Cold Data section to configure four ranges :
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    5. In the 3rd entry field, enter an integer to configure the 3rd range.
    6. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    7. (optional) In the 4th entry field, enter an integer to configure the 4th range.
    8. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  6. Click Apply .
    Note: The new values do not affect the already calculated heat statistics. File Analytics uses the updated values for future heat calculations.

Anomalies

Data panes in the Anomalies tab display data and trends for configured anomalies.

The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.
Note: Configure an SMTP server to send anomaly alerts, see Configuring an SMTP Server.

You can configure anomalies for the following operations:

  • Creating files and directories
  • Deleting files and directories
  • Permission changes
  • Permission denials
  • Renaming files and directories
  • Reading files and directories

Define anomaly rules by specifying the following conditions:

  • Users exceed an operation count threshold
  • Users exceed an operation percentage threshold

Meeting the lower operation threshold triggers an anomaly.

Consider a scenario where you have 1 thousand files, the operation count threshold defined as 10, and the operation percentage threshold defined as 10%. The count threshold takes precedence, as 10% of 1 thousand is 100, which is greater than the count threshold of 10.

Figure. Anomalies Dashboard. The Anomalies dashboard displays anomaly trends.

Table 1. Anomalies Data Pane Descriptions

| Pane Name | Description | Values |
|---|---|---|
| Anomaly Trend | Displays the number of anomalies per day or per month. | Last 7 days, Last 30 days, Last 1 year |
| Top Users | Displays the users with the most anomalies and the number of anomalies per user. | Last 7 days, Last 30 days, Last 1 year |
| Top Folders | Displays the folders with the most anomalies and the number of anomalies per folder. | Last 7 days, Last 30 days, Last 1 year |
| Operation Anomaly Types | Displays the percentage of occurrences per anomaly type. | Last 7 days, Last 30 days, Last 1 year |

Anomaly Details

Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.

Figure. Anomaly Details View

Table 2. Anomalies Details View Total Results Table

| Column | Description |
|---|---|
| Anomaly Type | The configured anomaly type. Anomaly types not configured do not show up in the table. |
| Total User Count | The number of users that have performed the operation causing the specified anomaly during the specified time range. |
| Total Folder Count | The number of folders in which the anomaly occurred during the specified time range. |
| Total Operation Count | Total number of anomalies for the specified anomaly type that occurred during the specified time range. |
| Time Range | The time range for which the total user count, total folder count, and total operation count are specified. |

Table 3. Anomalies Details View Users/Folders Table

| Column | Description |
|---|---|
| Username or Folders | Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders. |
| Operation count | The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph. |

Configuring Anomaly Detection

Steps for configuring anomaly rules.

About this task

Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server. To create an anomaly rule, do the following.

Procedure

  1. In the File Analytics web console, click the gear icon > Define Anomaly Rules.
  2. In the Anomaly Email Recipients field, enter a comma-separated list of email recipients for all anomaly alerts and data.
    Note: File Analytics sends anomaly alerts and data to recipients whenever File Analytics detects an anomaly.
  3. To configure a new anomaly, do the following in the indicated fields:
    1. Events : Select a rule for the anomaly from one of the following:
      • Permission changed
      • Permission denied
      • Delete
      • Create
      • Rename
      • Read
      The event defines the scenario type for the anomaly.
    2. Minimum Operations % : Enter a percentage value for the minimum threshold.
      File Analytics calculates the minimum operations percentage based on the number of files. For example, if there are 100 files, and you set the minimum operations percentage to 5, five operations within the scan interval would trigger an anomaly alert.
    3. Minimum Operation Count : Enter a value for a minimum operation threshold.
      File Analytics triggers an anomaly alert after meeting the threshold.
    4. User : Choose if the anomaly rule is applicable for All Users or an Individual user.
    5. Type: the type determines the interval.
      The interval determines how far back File Analytics monitors the anomaly.
    6. Interval : Enter a value for the detection interval.
    7. (optional) Actions : Click the pencil icon to update an anomaly rule. Click the x icon to delete an existing rule.
    Figure. Anomaly Configuration Fields. Fill out these fields to configure a new anomaly rule.

  4. Click Save .
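
To see how the two thresholds in steps 3.2 and 3.3 behave on shares of different sizes, the following added example (not Nutanix code) counts operations per user in a sliding window over constructed events. The per-user window, the name `evaluate_rule` and the event tuples are assumptions; this guide does not say how File Analytics combines the two thresholds, so each comparison is reported separately.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta


def evaluate_rule(events, event_type, total_files, min_ops_pct,
                  min_op_count, interval):
    """Per user, find the busiest `interval`-long window of `event_type`
    operations and compare it with the rule's two thresholds.

    events: iterable of (timestamp, user, operation) tuples (assumed shape).
    """
    # Minimum Operations %: a percentage of the file count, as in the
    # "100 files, 5 percent, five operations" example in the text.
    pct_threshold = math.ceil(total_files * min_ops_pct / 100)

    windows = defaultdict(deque)   # user -> timestamps inside current window
    peak = defaultdict(int)        # user -> largest window size seen so far
    for ts, user, op in sorted(events):
        if op != event_type:
            continue
        win = windows[user]
        win.append(ts)
        # Drop operations that fall outside the detection interval.
        while ts - win[0] >= interval:
            win.popleft()
        peak[user] = max(peak[user], len(win))

    return {
        user: {
            "peak_ops": n,
            "pct_threshold": pct_threshold,
            "meets_pct": n >= pct_threshold,
            "meets_count": n >= min_op_count,
        }
        for user, n in peak.items()
    }


def sample_events():
    """Constructed audit events, not real File Analytics output."""
    t0 = datetime(2022, 6, 1, 9, 0)
    # alice deletes six files within six minutes.
    burst = [(t0 + timedelta(minutes=m), "alice", "Delete") for m in range(6)]
    # bob deletes three files, 90 minutes apart.
    slow = [(t0 + timedelta(minutes=90 * i), "bob", "Delete") for i in range(3)]
    # A read that the Delete rule must ignore.
    noise = [(t0 + timedelta(minutes=1), "alice", "Read")]
    return burst + slow + noise


if __name__ == "__main__":
    for files in (100, 1_000_000):
        result = evaluate_rule(sample_events(), "Delete", files,
                               min_ops_pct=5, min_op_count=4,
                               interval=timedelta(hours=1))
        print(files, result)
```

With 100 files a 5 percent rule is met at five operations, but on a share of 1,000,000 files the same percentage corresponds to 50,000 operations, so in this sketch only the Minimum Operation Count comparison flags the burst.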

Configuring an SMTP Server

File Analytics uses a simple mail transport protocol (SMTP) server to send anomaly alerts.

About this task

To configure an SMTP server, do the following:

Procedure

  1. In the File Analytics web console, click the gear icon > SMTP Configuration .
  2. In the SMTP Configuration window, enter the indicated details in the following fields:
    1. Hostname Or IP Address : Enter a fully qualified domain name or IP address for the SMTP server.
    2. Port : Enter the port to use.
      The standard SMTP ports are 25 (unencrypted), 587 (TLS), and 465 (SSL).
    3. Security Mode : Select the desired security mode from the dropdown list.
      The options are:
      • NONE (unencrypted)
      • STARTTLS (TLS encryption)
      • SSL (SSL encryption)
    4. (If security mode is "NONE" go to step f.)
    5. User Name : Enter a user name for logging into the SMTP server. Depending on the authentication method, the user name may require a domain.
    6. Password : Enter the password.
    7. From Email Address : Enter the email address from which File Analytics will send the anomaly alerts.
    8. Recipient Email Address : Enter a recipient email address to test the SMTP configuration.
    Figure. SMTP Configuration. Fields for configuring an SMTP server.

  3. Click Save .

Audit Trails

Use audit trails to look up operation data for a specific user, file, folder, or client.

The Audit Trails tab includes Files , Folders , Users , and Client IP options for specifying the audit type. Use the search bar for specifying the specific entity for the audit (user, folder, file, or client IP).

The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.

View Audit Trails

Audit a user, file, client, or folder.

About this task

Procedure

  1. Click the Audit Trails tab.
  2. Select the Files , Folders , Users , or Client IP option.
  3. Enter the audit trails target into the search bar.
  4. Click Search .
  5. To display audit results in the Audit Trails window, click the entity name (or client IP number).

Audit Trails - Users

Details for client IP Audit Trails.

Audit Trails Search - Users

When you search by user in the Audit Trails tab, search results display the following information in a table.

  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. Users Search Results. A table displays user search results for the query.

Audit Details Page - Users

Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.

  • A User Events graph displays various operations the user performed during the selected period and the percentage of time each operation has occurred per total operations during the specified period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Remove Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • The filter bar , above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific information. See more details below.
  • The Reset Filters button removes all filters.
Figure. User Audit Details - Events. User Events table displays event rates for various operations performed by the user.

The Results table provides granular details of the audit results. The following data is displayed for every event.

  • User Name
  • User IP Address
  • Operation
  • Operation Date
  • Target File

Click the gear icon for options to download the data as an xls, csv, or JSON file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
Figure. Results Table. The results table displays a detailed view of the audit data.

Audit Trails - Folders

Dashboard details for folder audits.

The following information displays when you search by file in the Audit Trails tab.

  • Folder Name
  • Folder Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Folders Search Results

The Audit Details page shows the following audit information for the selected folder.

  • A Folder Events graph displays various operations performed on the file during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Select All
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Remove Directory
      • Rename
      • Set Attribute
    • A filter bar, above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.

Audit Trails - Files

Dashboards details for file audit.

Audit Trails for Files

When you search by file in the Audit Trails tab, the following information displays:

  • File Name
  • File Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Files Search Results. A table displays file search results for the query.

Note: File Analytics does not support regular-expression (RegEx) based search.

The Audit Details page shows the following audit information for the selected file.

  • A File Events graph displays various operations performed on the file during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Close File
      • Create File
      • Delete
      • Make Directory
      • Open
      • Read
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • A filter bar, above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events. File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • Username
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
Figure. Results Table. The results table displays a detailed view of the audit data.

Audit Trails - Client IP

Dashboard details for client IP Audit Trails.

Audit Trails Search - Client IP

When you search by client IP in the Audit Trails tab, search results display the following information in a table.

  • Client IP
  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. IP Search Results. A table displays IP search results for the query.

The Audit Details page shows the following audit information for the selected client.

  • A User Events graph displays various operations performed on the client during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Removed Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
      • Permission Denied (File Blocking)
    • A filter bar, above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events. File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Operation
  • Target File
  • Operation Date

Click the gear icon for an option to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.

Ransomware Protection

Ransomware protection for your file server.

Caution: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.

File Analytics scans files for ransomware in real time, and notifies you through email in the event of a ransomware attack. By using the Nutanix Files file blocking mechanism, File Analytics prevents files with signatures of potential ransomware from carrying out malicious operations. Ransomware protection automatically scans for ransomware based on a curated list of signatures that frequently appear in ransomware files. You can modify the list by manually adding other signatures.

Note: Nutanix does not recommend manipulating the blocked signatures through Nutanix Files.

File Analytics also monitors shares for self-service restore (SSR) policies and identifies shares that do not have SSR enabled in the ransomware dashboard. You can enable SSR through the ransomware dashboard by selecting shares identified by File Analytics.

Ransomware Protection Features

The ransomware dashboard includes panes for managing ransomware protection and self-service restore (SSR).

Ransomware Dashboard

The ransomware dashboard includes two main sections:

  • The SSR Status pane for viewing, enabling, and managing SSR, see Enabling SSR.
  • The Vulnerabilities (Infection Attempts) pane for viewing total vulnerabilities, vulnerable shares, malicious clients, and top recent ransomware attempts.
    • Clicking on the number of total vulnerabilities provides a detailed view of recent vulnerabilities.
    • Clicking on the number of vulnerable shares provides a detailed view of vulnerable shares.
    • Clicking on the number of malicious clients provides a detailed view of malicious clients.
  • Click Settings , to enable and configure ransomware protection, see Enabling Ransomware Protection and Configuring Ransomware Protection.
  • Click Download (.csv) to download a list of blocked ransomware signatures.
Figure. Ransomware Dashboard

Blocked Ransomware Extensions

File Analytics blocks the following ransomware signatures.

Table 1. Table
Extension Known Ransomware
*.micro TeslaCrypt 3.0
*.zepto Locky
*.cerber3 Cerber 3
*.locky Locky
*.cerber Cerber
*.loli LOLI
*.mole CryptoMix (variant)
*.cryp1 CryptXXX
*.axx AxCrypt
*.onion Dharma
*.crypt Scatter
*.osiris Locky (variant)
*.crypz CryptXXX
*.ccc TeslaCrypt or Cryptowall
*.locked Various ransomware
*.odin Locky
*.cerber2 Cerber 2
*.sage Sage
*.globe Globe
*.good Scatter
*.exx Alpha Crypt
*.encrypt Alpha
*.encrypted Various ransomware
*.1txt Enigma
*.ezz Alpha Crypt
*.r5a 7ev3n
*.wallet Globe 3 (variant)
*.decrypt2017 Globe 3
*.zzzzz Locky
*.MERRY Merry X-Mas
*.enigma Coverton
*.ecc Cryptolocker or TeslaCrypt
*.cryptowall Cryptowall
*.aesir Locky
*.cryptolocker CryptoLocker
*.coded Anubis
*.sexy PayDay
*.pubg PUBG
*.ha3 El-Polocker
*.breaking_bad Files1147@gmail(.)com
*.dharma CrySiS
*.wcry WannaCry
*.lol! GPCode
*.damage Damage
*.MRCR1 Merry X-Mas
*.fantom Fantom
*.legion Legion
*.kratos KratosCrypt
*.crjoker CryptoJoker
*.LeChiffre LeChiffre
*.maya HiddenTear (variant)
*.kraken Rakhni
*.keybtc@inbox_com KeyBTC
*.rrk Radamant v2
*.zcrypt ZCRYPT
*.crinf DecryptorMax or CryptInfinite
*.enc TorrentLocker / Cryptorium
*.surprise Surprise
*.windows10 Shade
*.serp Serpent (variant)
*.file0locked Evil
*.ytbl Troldesh (variant)
*.pdcr PadCrypt
*.venusf Venus Locker
*.dale Chip
*.potato Potato
*.lesli CryptoMix
*.angelamerkel Angela Merkel
*.PEGS1 Merry X-Mas
*.R16m01d05 Evil-JS (variant)
*.zzz TeslaCrypt
*.wflx WildFire
*.serpent Serpent
*.Dexter Troldesh (variant)
*.rnsmwr Gremit
*.thor Locky
*.nuclear55 Nuke
*.xyz TeslaCrypt
*.encr FileLocker
*.kernel_time KeRanger OS X
*.darkness Rakhni
*.evillock Evil-JS (variant)
*.locklock LockLock
*.rekt HiddenTear (variant) / RektLocker
*.coverton Coverton
*.VforVendetta Samsam (variant)
*.remk STOP
*.1cbu1 Princess Locker
*.purge Globe
*.cry CryLocker
*.zyklon ZYKLON
*.dCrypt DummyLocker
*.raid10 Globe [variant]
*.derp Derp
*.zorro Zorro
*.AngleWare HiddenTear/MafiaWare (variant)
*.shit Locky
*.btc Jigsaw
*.atlas Atlas
*.EnCiPhErEd Xorist
*.xxx TeslaCrypt 3.0
*.realfs0ciety@sigaint.org.fs0ciety Fsociety
*.vbransom VBRansom 7
*.exotic Exotic
*.crypted Nemucod
*.fucked Manifestus
*.vvv TeslaCrypt 3.0
*.padcrypt PadCrypt
*.cryeye DoubleLocker
*.hush Jigsaw
*.RMCM1 Merry X-Mas
*.unavailable Al-Namrood
*.paym Jigsaw
*.stn Satan
*.braincrypt Braincrypt
*.ttt TeslaCrypt 3.0
*._AiraCropEncrypted AiraCrop
*.spora Spora
*.alcatraz Alcatraz Locker
*.reco STOP/DJVU
*.crypte Jigsaw (variant)
*.aaa TeslaCrypt
*.pzdc Scatter
*.RARE1 Merry X-Mas
*.ruby Ruby
*.fun Jigsaw
*.73i87A Xorist
*.abc TeslaCrypt
*.odcodc ODCODC
*.crptrgr CryptoRoger
*.herbst Herbst
*.comrade Comrade
*.szf SZFLocker
*.pays Jigsaw
*.antihacker2017 Xorist (variant)
*.rip KillLocker
*.rdm Radamant
*.CCCRRRPPP Unlock92
*.bript BadEncriptor
*.hnumkhotep Globe 3
*.helpmeencedfiles Samas/SamSam
*.BarRax BarRax (HiddenTear variant)
*.magic Magic
*.noproblemwedecfiles Samas/SamSam
*.bitstak Bitstak
*.kkk Jigsaw
*.kyra Globe
*.a5zfn Alma Locker
*.powerfulldecrypt Samas/SamSam
*.vindows Vindows Locker
*.payms Jigsaw
*.lovewindows Globe (variant)
*.p5tkjw Xorist
*.madebyadam Roga
*.conficker Conficker
*.SecureCrypted Apocalypse
*.perl Bart
*.paymts Jigsaw
*.kernel_complete KeRanger OS X
*.payrms Jigsaw
*.paymst Jigsaw
*.lcked Jigsaw (variant)
*.covid19 Phishing
*.ifuckedyou SerbRansom
*.d4nk PyL33T
*.grt Karmen HiddenTear (variant)
*.kostya Kostya
*.gefickt Jigsaw (variant)
*.covid-19 Phishing
*.kernel_pid KeRanger OS X
*.wncry Wana Decrypt0r 2.0
*.PoAr2w Xorist
*.Whereisyourfiles Samas/SamSam
*.edgel EdgeLocker
*.adk Angry Duck
*.oops Marlboro
*.theworldisyours Samas/SamSam
*.czvxce Coverton
*.crab GandCrab
*.paymrss Jigsaw
*.kimcilware KimcilWare
*.rmd Zeta
*.dxxd DXXD
*.razy Razy
*.vxlock vxLock
*.krab GandCrab v4
*.rokku Rokku
*.lock93 Lock93
*.pec PEC 2017
*.mijnal Minjal
*.kobos Kobos
*.bbawasted Bbawasted
*.rlhwasted RLHWasted
*.52pojie 52Pojie
*.FastWind Fastwind
*.spare Spare
*.eduransom Eduransom
*.RE78P RE78P
*.pstKll pstKll
*.erif
*.kook
*.xienvkdoc
*.deadfiles
*.mnbzr
*.silvertor
*.MH24
*.nile
*.ZaCaPa
*.tcwwasted
*.Spade
*.pandemic
*.covid
*.xati
*.Zyr
*.spybuster
*.ehre
*.wannacry WannaCry
*.jigsaaw
*.boop
*.Back
*.CYRAT
*.bmd
*.Fappy
*.Valley
*.copa
*.horse
*.CryForMe
*.easyransom
*.nginxhole
*.lockedv1 Lockedv1
*.ziggy Ziggy
*.booa Booa
*.nobu Nobu
*.howareyou Howareyou
*.FLAMINGO Flamingo
*.FUSION Fusion
*.pay2key Pay2Key
*.zimba Zimba, Dharma
*.luckyday Luckyday
*.bondy Bondy
*.cring Cring
*.boom Boom
*.judge Judge
*.LIZARD LIZARD
*.bonsoir Bonsoir
*.moloch Moloch
*.14x 14x
*.cnh CNH
*.DeroHE DeroHE

Enabling Ransomware Protection

Enable ransomware protection on your file server.

About this task

Procedure

  1. Go to dropdown menu > Ransomware .
  2. In the message banner, click Enable Ransomware Protection .
  3. (optional) Click Configure SMTP to add recipients .
    Note: This option appears only if you have not configured a simple mail transfer protocol (SMTP) server, see Configuring an SMTP Server.
  4. Under Ransomware Email Recipients , add at least one email address. If there is a ransomware attack, File Analytics sends a notification to the specified email address.
    Figure. Enable Ransomware

  5. Click Enable .

Configuring Ransomware Protection

Configure ransomware protection on file servers.

About this task

Do the following to add a signature to the blocked extension list.

Procedure

  1. Go to dropdown menu > Ransomware > Settings .
  2. (optional) Under Search for blocked File Signatures , enter ransomware signatures in the *. (signature) format.
    1. To check that the signature has been blocked, click Search .
    2. If the signature has not been blocked, click Add to Block List .

  3. (optional) click Download (.csv) to download a list of blocked ransomware signatures.
  4. (optional) under Ransomware Email Recipients , add a comma separated list of email addresses. If there is a ransomware attack, File Analytics sends a notification to the specified email address.
  5. (optional) click Disable Ransomware Protection , to disable the ransomware protection feature.
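
The blocked-signature list can also be used to triage exported audit data. The following added example (not Nutanix code) matches file names from a constructed Events report export against a few signatures from the Blocked Ransomware Extensions table; the CSV header names are taken from the Events report columns listed under Reports and are an assumption about the export layout, and the function names are hypothetical.

```python
import csv
import io
from collections import Counter

# A few signatures copied from the Blocked Ransomware Extensions table,
# in the *.(signature) format used by the Settings page.
BLOCKED_SIGNATURES = [
    "*.locky", "*.wncry", "*.MERRY", "*.EnCiPhErEd", "*.enc",
    "*.realfs0ciety@sigaint.org.fs0ciety",
]

# Constructed sample of an Events report export (not real data). The header
# names follow the Events report columns and are an assumed CSV layout.
SAMPLE_EVENTS_CSV = """\
audit_path,audit_objectname,audit_operation,audit_machine_name,audit_event_date,audit_username
/share1/finance,q3.xlsx,file_read,192.0.2.21,2022-06-01T09:00:00Z,alice
/share1/finance,q3.xlsx.locky,rename,192.0.2.44,2022-06-01T09:14:02Z,bob
/share1/finance,notes.txt.WNCRY,rename,192.0.2.44,2022-06-01T09:14:03Z,bob
/share1/hr,plan.docx.realfs0ciety@sigaint.org.fs0ciety,file_create,192.0.2.44,2022-06-01T09:14:05Z,bob
/share2/backup,db.tar.enc,file_write,192.0.2.30,2022-06-01T10:00:00Z,carol
/share1/finance,locky_report.pdf,file_create,192.0.2.21,2022-06-01T10:05:00Z,alice
/share1/finance,holiday.MERRY,file_read,192.0.2.21,2022-06-01T10:06:00Z,alice
"""

# Operations that can leave a file with a new name on the share.
WRITE_OPERATIONS = ("rename", "file_create", "file_write")


def normalize(signature):
    """Turn '*.Ext' into the lower-case suffix '.ext'; reject other shapes."""
    if not signature.startswith("*.") or len(signature) < 3:
        raise ValueError(f"not in *.(signature) format: {signature!r}")
    return signature[1:].lower()


def matching_signature(filename, suffixes):
    """Return the first signature whose suffix ends `filename`, else None.

    Suffix matching (not os.path.splitext) is used because some signatures
    contain dots themselves, and case is ignored because the table mixes
    upper and lower case.
    """
    name = filename.lower()
    for suffix in suffixes:
        if name.endswith(suffix):
            return "*" + suffix
    return None


def triage(events_csv, signatures, operations=WRITE_OPERATIONS):
    """List write-type events whose object name matches a blocked signature."""
    # Longest suffix first, so the most specific signature is reported.
    suffixes = sorted({normalize(s) for s in signatures}, key=len, reverse=True)
    hits = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["audit_operation"] not in operations:
            continue
        signature = matching_signature(row["audit_objectname"], suffixes)
        if signature:
            hits.append({
                "file": row["audit_objectname"],
                "path": row["audit_path"],
                "signature": signature,
                "client": row["audit_machine_name"],
                "user": row["audit_username"],
                "when": row["audit_event_date"],
            })
    return hits


def clients_by_hits(hits):
    """Rank source clients by number of matching events, highest first."""
    return Counter(hit["client"] for hit in hits).most_common()


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS_CSV, BLOCKED_SIGNATURES)
    for hit in found:
        print(hit["when"], hit["client"], hit["user"], hit["file"], hit["signature"])
    print(clients_by_hits(found))
```

Broad signatures such as *.enc also match benign files, so treat each hit as a lead to follow up in the Audit Trails view for that client or user.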

Enabling SSR

Enable self-service restore on shares identified by File Analytics.

About this task

File Analytics scans shares for SSR policies.

Procedure

  1. Go to dropdown menu > Ransomware .
  2. Click Enable SSR on Prism .
  3. Check the box next to the shares for which to enable SSR.

  4. Click Enable SSR .

Reports

Generate a report for entities on the file server.

Create a report with custom attribute values or use one of the File Analytics pre-configured report templates. To create a custom report, you must specify the entity, attributes, operators for some attributes, attribute values, column headings, and the number of columns.

The reports page displays a table of previously generated reports. You can rerun existing reports rather than creating a template. After creating a report, download it as a JSON or CSV file.

Reports Dashboard

The reports dashboard includes options to create, view, and download reports.

The Reports dashboard includes options to create a report, download reports as a JSON, download reports as a CSV, rerun reports, and delete reports.

The reports table includes columns for the report name, status, last run, and actions.

Figure. Reports Dashboard

Clicking Create a new report takes you to the report creation screen, which includes the Report Builder and Pre-Canned Reports Templates tabs. The tabs include report options and filters for report configuration.

Both tabs include the following elements:

  • The Define Report Type section includes an Entity drop-down menu to select an entity.
  • The Define Filters section includes an Attribute drop-down menu and an option to add more attributes by clicking + Add filter .
  • The Add/remove columns in this report section displays default columns. Clicking the columns field lets you add additional columns to the report. Clicking the x next to the column name removes it from the report.
  • The Define number of maximum rows in this report section includes a Count section to specify the number of rows in the report.
Table 1. Report Builder – Filter Options
Entity Attributes (filters) Operator Value Column
Events event_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
  • audit_path (object path)
  • audit_objectname (object name)
  • audit_operation (operation)
  • audit_machine_name (source of operation)
  • audit_event_date (event date in UTC)
  • audit_username (user name)
Event_operation N/A
  • file_write
  • file_read
  • file_create
  • file_delete
  • rename
  • directory_create
  • directory_delete
  • SecurityChange (permission change)
  • set_attr
  • sym_link
Files Category
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
  • object_name (file name)
  • share_UUID (share name)
  • object_owner_name (owner name)
  • object_size_logical (size)
  • file_type (extension)
  • object_creation_date (creation date in UTC)
  • last_event_date (access date in UTC)
  • share_UUID (share name)
  • fileserver_protocol
  • object_ID (file id)
  • object_last_operation_name (last operation)
  • audit_username (last operation user)
  • object_last_operation_name (last operation)
  • file_path (file path)
Extensions N/A (type in value)
Deleted N/A Last (number of days from 1 to 30) days
creation_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
access_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
Size
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(number) (file size)

File size options:

  • B
  • KB
  • MB
  • GB
  • TB
Folders Deleted N/A Last (number of days from 1 to 30) days
  • object_name (Dir name)
  • object_owner_name (owner name)
  • object_creation_date (creation date in UTC)
  • last_event_date (access date in UTC)
  • share_UUID (share name)
  • object_last_operation_name (last operation)
  • audit_username (last operation user)
  • File server protocol
  • object_ID (file id)
  • file_path (Dir path)
creation_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
Users last_event_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
  • user_login_name (user name)
  • Last operation
  • last_event_date (access date in UTC)
  • last_operation_audit_path
Table 2. Pre-Canned Reports – Filters
Entity Pre-canned report template Columns
Events
  • PermissionDenied events
  • Permission Denied (file blocking) events
  • audit_path (object path)
  • audit_objectname (object name)
  • audit_operation (operation)
  • audit_machine_name (source of operation)
  • audit_event_date (event date in UTC)
  • audit_username (user name)
Files
  • Largest Files
  • Oldest Files
  • Files not accessed for last 1 year
  • Files accessed in last 30 days
  • object_name (file name)
  • share_UUID (share name)
  • object_owner_name (owner name)
  • object_size_logical (size)
  • file_type (extension)
  • object_creation_date (creation date in UTC)
  • last_event_date (access date in UTC)
  • share_UUID (share name)
  • fileserver_protocol
  • object_ID (file id)
  • object_last_operation_name (last operation)
  • audit_username (last operation user)
  • object_last_operation_name (last operation)
  • file_path (file path)
Users
  • Top owners with space consumed
  • Top active users
  • All users
  • user_login_name (user name)
  • Last operation
  • last_event_date (access date in UTC)
  • last_operation_audit_path

Creating a Custom Report

Create a custom report by defining the entity, attribute, filters, and columns.

About this task

Procedure

  1. Go to dropdown menu > Reports .
  2. Click Create a new report .
  3. In the Report Builder tab, do the following.
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. Under Value , specify the values for the attribute (some attributes also require you to specify an operator in the Operator field).
    4. (optional) click + Add filter to add more attributes.
    5. In the Add/Remove column in this report section, click x for the columns you want to remove.
    6. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview .
    The Report Preview section populates.
  5. Click Generate report .
    1. Select either the CSV or JSON option.

Create a Pre-Canned Report

Use one of the pre-canned File Analytics templates for your report.

Procedure

  1. Go to dropdown menu > Reports .
  2. Click Create a new report .
  3. In the Pre-Canned Reports Templates tab, do the following.
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. In the Add/Remove column in this report section, click x for the columns you want to remove.
    4. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview .
    The Report Preview section populates.
  5. Click Generate report .
    1. Select either the CSV or JSON option.

File Analytics Options

You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.

Updating Data Retention

The data retention period determines how long File Analytics retains event data.

About this task

Follow the steps as indicated to configure data retention.

Procedure

  1. In File Analytics, click gear icon > Update Data Retention .
  2. In the Data Retention Period drop-down, select the period for data retention.
  3. Click Update .

Scanning the File System

Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.

About this task

To scan shares, perform the following task:

Procedure

  1. In File Analytics, click the gear icon .
  2. In the drop-down list, click Scan File System .
    Figure. Scan File System Option

  3. In the list of shares, select the target shares for the scan.
    Figure. Select Scan Targets

  4. Click Scan .
    The status of the share is In Progress . Once the scan is complete, the status changes to Completed .

Blacklisting

Blacklist users, file extensions, and client IPs.

About this task

Use the blacklisting feature to block audit events from being performed on specified file extensions or by specified users and clients.

Procedure

  1. Click the gear icon > Define Blacklisting Rules .
  2. Click the pencil icon in the user, file extension, or client IP row.
  3. Add a comma separated list of entities that you want blocked.
  4. Click save in the updated row.

Managing File Categories

File Analytics uses the file category configuration to classify file extensions.

About this task

The capacity widget in the dashboard uses the category configuration to calculate capacity details.

Procedure

  1. Click gear icon > Manage File Category .
  2. To create a category, click + New Category . (Otherwise, move on to step 3).
    1. In the Category column, name the category.
    2. In the Extensions column, specify file extensions for the category.
  3. To delete an existing category, click the x icon next to the category. (Otherwise, move on to step 4)
  4. To modify an existing category, click the pencil icon next to the category and modify the specified file extensions.
  5. Click save .

Data Protection

Configure File Analytics disaster recovery (DR) using Prism Element.

File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.

Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).

The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.

Configuring Disaster Recovery

To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.

About this task

By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.

Procedure

  1. If you have not done so already, configure a remote site for the local cluster.
    See the Configuring a Remote Site (Physical Cluster) topic in the Prism Web Console Guide for this procedure.
  2. Create an async DR protection domain for the File Analytics volume group as the entity. The volume group name is File_Analytics_VG .
    See Configuring a Protection Domain (Async DR) in the Prism Web Console Guide .
  3. In the Schedule tab, click the New Schedule button to add a schedule.
    Add a schedule, as File Analytics does not provide a default schedule. See Creating a Protection Domain Schedule (Files) Nutanix Files Guide.
  4. Configure local and remote container mapping.
    See the Configuring Disaster Recovery (Files) section in the Nutanix Files Guide for steps to configure mapping between local and remote containers.
  5. Create a protection domain schedule.
    See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide .

Activating Disaster Recovery

Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.

About this task

Perform the following tasks on the remote site.

Procedure

  1. Fail over to the protection domain for disaster recovery activation.
    See the Failing Over a Protection Domain topic in the Prism Web Console Guide.
  2. Fail back the protection domain to the primary site.
    See the Failing Back a Protection Domain topic in the Prism Web Console Guide.

Deploying File Analytics on a Remote Site (AHV)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions match the versions on the remote and primary sites.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG and deletes it in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG.
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element. For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix-File_Analytics_VG.
  3. To configure the FAVM on the remote site, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$ sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$ sudo systemctl stop monitoring
      nutanix@favm$ docker stop $(docker ps -q)
      nutanix@favm$ sudo systemctl stop docker
    5. Unmount the volume group.
      nutanix@favm$ sudo umount /mnt
    6. Detach the volume group File_Analytics_VG from the FAVM.
      See the "Managing a VM (AHV)" topic in the Prism Web Console Guide.
    7. Attach the cloned volume group prefix-File_Analytics_VG to the FAVM.
      See "Managing a VM (AHV)" in the Prism Web Console Guide.
    8. Restart the FAVM to discover the attached volume group.
      nutanix@favm$ sudo reboot

    9. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    10. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The FAVM discovers the attached volume group and assigns it to the /dev/sdb device.
    11. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    12. Rename the restored volume group prefix-File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    13. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    14. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    15. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase for new password. File Analytics uses the password only for internal communication between Prism and the FAVM. You must issue the command twice, first with --local_update and then with the Prism admin credentials.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --local_update
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    16. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."

Deploying File Analytics on a Remote Site (ESXi)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions match the versions on the remote and primary sites.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG and deletes it in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG.
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element. For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix-File_Analytics_VG.
  3. In the Storage Table view, go to the Volumes tab.
    1. Copy the target IQN prefix from the Volume Group Details column.
      Tip: Click the tooltip to see the entire IQN prefix.
  4. To configure the FAVM on the remote site, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$ sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$ sudo systemctl stop monitoring
      nutanix@favm$ docker stop $(docker ps -q)
      nutanix@favm$ sudo systemctl stop docker
    5. Unmount and log off from all iSCSI targets.
      nutanix@favm$ sudo umount /mnt
      nutanix@favm$ sudo /sbin/iscsiadm -m node -u
    6. Remove the disconnected target records from the discoverydb mode of the FAVM.
      nutanix@favm$ sudo /sbin/iscsiadm -m node -o delete
    7. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The output does not show the /dev/sdb device.
    8. Get the File Analytics Linux client iSCSI initiator name.
      nutanix@favm$  sudo cat /etc/iscsi/initiatorname.iscsi
      The output displays the initiator name.
      InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
    9. Copy the iSCSI initiator name.
    10. Remove the iSCSI initiator name from the client whitelist of the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    11. Whitelist the FAVM client on the cloned volume group prefix-File_Analytics_VG using the iSCSI initiator name of the FAVM client.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    12. Let the Analytics initiator discover the cluster and its volume groups.
      nutanix@favm$ sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal data_services_IP_address:3260
      Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
    13. Connect to the volume target by specifying the IQN prefix.
      nutanix@favm$ sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
    14. Restart the FAVM to restart the iSCSI host adapters, which allows the discovery of the attached volume group.
      nutanix@favm$  sudo reboot
    15. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    16. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      The FAVM discovers the attached iSCSI volume group and assigns it to the /dev/sdb device.
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      /dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
    17. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    18. Rename the restored volume group prefix-File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    19. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    20. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    21. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase for new password. File Analytics uses the password only for internal communication between Prism and the FAVM. You must issue the command twice, first with --local_update and then with the Prism admin credentials.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --local_update
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    22. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."
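
Both remote-site procedures above (AHV and ESXi) run sudo blkid before the volume group swap and again after the reboot, and the deployed File_Analytics_VG is deleted only afterwards. The following is an added example, not Nutanix code, that compares two saved blkid captures before that deletion. It assumes the restored volume group carries a different filesystem UUID than the freshly deployed one; the function names and the "before" /dev/sdb UUID are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Nutanix code): compare `sudo blkid` captures taken
# before the volume-group swap and after the reboot.

# Captures. The /dev/sr0, /dev/sda1 and "after" /dev/sdb lines are the sample
# output shown in the procedure; the "before" /dev/sdb UUID is constructed.
BEFORE='/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
/dev/sdb: UUID="00000000-0000-4000-8000-000000000001" TYPE="ext4"'

LOGGED_OUT='/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"'

AFTER='/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"'

# Print the filesystem UUID that blkid reported for device $1 (blkid text on
# stdin). Returns 1 when the device is not listed.
blkid_uuid() {
    awk -v dev="$1:" '
        $1 == dev && match($0, / UUID="[^"]+"/) {
            # Skip the leading space and UUID=" (7 chars), drop the closing quote.
            print substr($0, RSTART + 7, RLENGTH - 8)
            found = 1
        }
        END { exit !found }
    '
}

# Compare the data device across two captures and print a verdict:
#   restored  - device present and its UUID differs from the "before" capture
#   unchanged - same UUID as before: the FAVM still sees the old volume group
#   missing   - device absent (expected right after the iSCSI logout on ESXi)
check_vg_swap() {
    local before="$1" after="$2" dev="${3:-/dev/sdb}" old new
    old=$(printf '%s\n' "$before" | blkid_uuid "$dev") || old=""
    if ! new=$(printf '%s\n' "$after" | blkid_uuid "$dev"); then
        echo missing
        return 2
    fi
    if [ -n "$old" ] && [ "$old" = "$new" ]; then
        echo unchanged
        return 1
    fi
    echo restored
}

# With two file arguments, compare those captures; otherwise run the demo.
if [ "$#" -eq 2 ]; then
    check_vg_swap "$(cat "$1")" "$(cat "$2")"
else
    echo "swap result: $(check_vg_swap "$BEFORE" "$AFTER")"
fi
```

A verdict of unchanged or missing after the reboot means the restored volume group is not the one mounted, so the deployed File_Analytics_VG should not be deleted yet.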

File Analytics Guide

Files 2.2

Last updated: 2022-06-14

File Analytics

File Analytics provides data and statistics on the operations and contents of a file server.

Once deployed, Files adds a File Analytics VM to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. Data on the File Analytics VM is protected, and is kept in a separate volume group.

Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. You can access File Analytics through this link for any file server where it is enabled.

Figure. File Analytics VM

Display Features

The File Analytics web console consists of display features:

Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:

  • Dashboard tab : View widgets that present data on file trends, distribution, and operations.
  • Audit Trails tab : Search for a specific user or file and view various widgets to audit activity.
  • Anomalies tab : Create anomaly policies and view anomaly trends.
  • Status icon : Check the file system scan status.
  • File server drop-down : View the name of the file server for which data is displayed.
  • Settings drop-down : Manage File Analytics and configure settings.
  • Health icon : Check the health of File Analytics.
  • Admin dropdown : Collect logs and view the current File Analytics version.

Deployment Requirements

Meet the following requirements prior to deploying File Analytics.

Ensure that you have performed the following tasks and your Files deployment meets the following specifications.

  • Assign the file server administrator role to an Active Directory (AD) user, see Managing Roles in the Nutanix Files Guide.
  • Log on as the Prism admin user to deploy the File Analytics server.
  • Configure a VLAN with one dedicated IP address for File Analytics, or you can use an IP address from an existing Files external network. This IP address must have connectivity to AD, the control VM (CVM), and Files. See "Configuring a Virtual Network For Guest VM Interfaces" in the Prism Web Console Guide.
    Note: Do not install File Analytics on the Files internal network.
  • (Optional) Assign the file server administrator role to an LDAP user, see Managing Roles in the Nutanix Files Guide.
  • Ensure that all software components meet the supported configurations and system limits, see the File Analytics Release Notes.

Network Requirements

Open the required ports and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.

The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.

In addition to meeting the File Analytics network requirements, ensure that you meet the Nutanix Files port requirements as described in the Port Reference.

Limitations

File Analytics has the following limitations.

Note: Depending on data set size, file count, and workload type, enabling File Analytics can affect the performance of Nutanix Files. High latency is more common with heavy file-metadata operations (directory and file creation, deletion, permission changes, and so on). To minimize the impact on performance, ensure that the host has enough CPU and memory resources to handle the File Analytics VM (FAVM), file servers, and guest VMs (if any).
  • Only Prism admin users can deploy Analytics. Active Directory (AD) users and AD users mapped to Prism admin roles cannot deploy File Analytics.
  • Analytics analyzes data from 1 month up to 1 year based on the configuration. Analytics automatically deletes data beyond the defined configuration.
    Note: After surpassing the 750 million audit event threshold, Analytics archives the oldest events. Archived audit events do not appear in the Analytics UI.
  • You cannot deploy or decommission Analytics when a file server has high-availability (HA) mode enabled.
  • You cannot use network segmentation for Nutanix Volumes with File Analytics.
  • If file server DNS or IP changes, File Analytics does not automatically reconfigure.
  • File Analytics does not collect metadata for files on Kerberos authenticated NFS v4.0 shares.
  • If File Analytics is running on a one-node file server, you cannot upgrade using the Life Cycle Manager (LCM).
  • File Analytics does not support hard links.
  • You cannot enable File Analytics on a file server clone.
  • You cannot move File Analytics to another storage container.
  • File Analytics creates an unprotected Prism and an unprotected file server user for integration purposes. Do not delete these users.
  • The legacy file blocking policy has an upper limit of 300 ransomware extensions.
    Note: For higher limits, it is recommended to use Nutanix Data Lens.

Administration

Overview of administrative processes for File Analytics.

As an admin, you have the privileges to perform administrative tasks for File Analytics. To add a file server admin user, see Managing Roles in the Nutanix Files Guide. The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.

Deploying File Analytics

Follow this procedure to deploy the File Analytics server.

Before you begin

Ensure that your environment meets all requirements prior to deployment, see Deployment Requirements.

Procedure

Deploying the File Analytics server.
  1. Go to Support Portal > Downloads > File Analytics .
  2. Download the File Analytics QCOW2 and JSON files.
  3. Log on to Prism with the user name and password of the Prism administrator.
    Note: An Active Directory (AD) user or an AD user mapped to a Prism admin role cannot deploy File Analytics.
  4. In Prism, go to the File Server view and click the Deploy File Analytics action link.
    Figure. File Analytics

  5. Review the File Analytics requirements and best practices in the Pre-Check dialog box.
  6. In the Deploy File Analytics Server dialog box, do the following in the Image tab.
    • Under Available versions, select one of the available File Analytics versions (continue to step 8).
    • Install by uploading installation binary files (continue to next step).
  7. Upload installation files.
    1. In the Upload binary section, click upload the File Analytics binary to upload the File Analytics JSON and QCOW files.
      Figure. Upload Binary Link
    2. Under File Analytics Metadata File (.Json), click Choose File to choose the downloaded JSON file.
    3. Under File Analytics Installation Binary (.Qcow2), click Choose File to choose the downloaded QCOW file.
      Figure. Upload Binary Files
    4. Click Upload Now after choosing the files.
  8. Click Next .
  9. In the VM Configuration tab, do the following in the indicated fields:
    1. Name : Enter a name for the File Analytics VM (FAVM).
    2. Server Size : Select either the small or large configuration. Large file servers require larger configurations for the FAVM. By default File Analytics selects the large configuration.
    3. Storage Container: Select a storage container from the drop-down.
      The drop-down only displays file server storage containers.
    4. Network List : Select a VLAN.
      Note: If the selected network is unmanaged , enter more network details in the Subnet Mask , Default Gateway IP , and IP Address fields as indicated.
      Note: The FAVM must use the client-side network.
  10. Click Deploy .
    In the main menu drop-down, select the Tasks view to monitor the deployment progress.

Results

Once deployment is complete, File Analytics creates an FAVM, CVM, and a new Files user to make REST API calls. Do not delete the CVM, FAVM, or the REST API user. A new Manage File Analytics link appears in the Prism Element File Server view.

Enabling File Analytics

Steps for enabling File Analytics after deployment or disablement.

About this task

Attention: Nutanix recommends enabling File Analytics during off-peak hours.

Follow these steps to enable File Analytics after disabling the application.

Note: File Analytics saves all previous configurations.

Procedure

  1. In the File Server view in Prism , select the target file server.
  2. (Skip to step 3 if you are re-enabling a file server.) Click Manage roles to add a file server admin user, see Managing Roles in the Nutanix Files Guide.
  3. In the File Server view, select the target file server and click File Analytics in the tabs bar.
  4. (Skip to step 5 if you are not re-enabling a disabled instance of File Analytics.) To re-enable File Analytics, click Enable File Analytics in the message bar.
    Figure. Enabling File Analytics Link
    The Enable File Analytics dialog box appears. Skip the remaining steps.
  5. In the Data Retention field, select a data retention period. The data retention period refers to the length of time File Analytics retains audit events.
  6. In the Authentication section, enter the credentials as indicated:
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. (For SMB users only) In the SMB section, do the following in the indicated fields to provide SMB authentication details:
      • Active Directory Realm Name : Confirm the AD realm name for the file server.
      • Username : Enter the AD username for the file server administrator, see File Analytics Prerequisites .
      • Password : Enter the AD user password for the file server administrator.
    2. (For NFS users only) In the NFS Authentication section, do the following in the indicated fields to provide NFS authentication details:
      • LDAP Server URI : Enter the URI of the LDAP server.
      • Base DN : Enter the base DN for the LDAP server.
      • Password : Enter the LDAP user password for the file server administrator.


  7. Click Enable .

Results

After enablement, File Analytics performs a one-time file system scan to pull metadata information. The duration of the scan varies depending on the protocol of the share. There is no system downtime during the scan.

Example

Scanning 3–4 million NFS files or 1 million SMB files takes about 1 hour.

Disabling File Analytics

About this task

Follow the steps as indicated to disable File Analytics.

Procedure

  1. In File Analytics click the gear icon > Disable File Analytics .
  2. In the dialog-box, click Disable .
    Disabling File Analytics disables data collection. The following message banner appears.
     File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data. 

What to do next

To delete data, click the Delete File Analytics Data link in the banner described in Step 2.

Launching File Analytics

About this task

Do the following to launch File Analytics.

Procedure

  1. From the Prism views drop-down, select the File Server view.
  2. Select the target file server from the entity tab.
  3. Click the File Analytics action button below the entity table.
    Figure. Launch File Analytics. The File Analytics action button.

File Analytics VM Management

To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide.

Removing File Analytics VMs

Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.

About this task

Follow the steps as indicated to remove an FAVM.
Note: Do not delete an FAVM using the CLI, as this operation does not decommission the FAVM.

Procedure

  1. Disable File Analytics on all file servers in the cluster, see Disabling File Analytics.
  2. In the File Server view in Prism Element, do the following:
    1. In the top actions bar, click Manage File Analytics .
    2. Click Delete to remove the FAVM.
    When you delete an FAVM, you also delete all of your File Analytics configurations and audit data stored on the FAVM.

Updating Credentials

About this task

Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.

Procedure

  1. Click gear icon > Update AD/LDAP Configuration .
  2. To update Active Directory credentials, do the following in the indicated fields (otherwise move on to the next step).
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. Active Directory Realm Name: confirm or replace the realm name.
    2. Username: confirm or replace the username.
    3. Password: type in the new password.
  3. To update NFS configuration, do the following (otherwise move on to the next step).
    1. LDAP Server URI: confirm or replace the server URI.
    2. Base DN: confirm or replace the base distinguished name (DN).
    3. Bind DN (Optional): confirm or replace the bind distinguished name (DN).
    4. Password: type in the new password.
  4. Click Save .

Managing Deleted Share/Export Audits

Manage the audit data of deleted shares and exports.

About this task

By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears adjacent to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.

Follow the directions as indicated to delete audit data for the deleted share or export.

Note: You cannot restore the deleted audit data of a deleted share or export.

Procedure

  1. Click the gear icon > Manage Deleted Share/Export Audit .
  2. Check the box adjacent to the share or export name.
  3. Click Delete .
  4. In the confirmation window, click Delete to confirm the deletion of data.
    In the Manage Deleted Share/Export Audit window, a progress bar displays the progress of the deletion process next to the share name. File Analytics considers data deletion of a deleted share a low-priority task, which may take several hours to finish.

Upgrades

Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.

Before you upgrade File Analytics, ensure that you are running a compatible version of AOS and Files. Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .

To upgrade File Analytics, perform inventory and updates using the Life-Cycle Manager (LCM), see the Life Cycle Manager Guide for instructions on performing inventory and updates. LCM cannot upgrade File Analytics when the protection domain (PD) for the File Analytics VM (FAVM) includes any other entities.

Note: The File Analytics UI is not accessible during upgrades.

During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes the snapshot after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.

Upgrade File Analytics at a Dark Site

Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).

About this task

Before you begin

You need a local web server reachable by your Nutanix clusters to host the LCM repository.

Procedure

  1. From a device that has public Internet access, go to Nutanix Portal > Downloads > Tools & Firmware .
    1. Download the tar file lcm_dark_site_version.tar.gz .
    2. Transfer lcm_dark_site_version.tar.gz to your local web server and untar into the release directory.
  2. From a device that has public Internet access, go to the Nutanix portal and select Downloads > File Analytics .
    1. Download the following files.
      • file_analytics_dark_site_version.tar.gz
      • nutanix_compatibility.tgz
      • nutanix_compatibility.tgz.sign
    2. Transfer file_analytics_dark_site_version.tar.gz to your local web server and untar into the release directory.
    3. Transfer the nutanix_compatibility.tgz and nutanix_compatibility.tgz.sign files to your local web server (overwrite existing files as needed).
  3. Log on to Prism Element.
  4. Click Home > LCM > > Settings .
    1. In the Fetch updates from field, enter the path to the directory where you extracted the tar file on your local server. Use the format http://webserver_IP_address/release .
    2. Click Save .
      You return to the Life Cycle Manager.
    3. In the LCM sidebar, click Inventory > Perform Inventory .
    4. Update the LCM framework before trying to update any other component.
      The LCM sidebar shows the LCM framework with the same version as the file you downloaded.

Dashboard

The Dashboard tab displays data on the operational trends of a file server.

Dashboard View

The Dashboard tab is the opening screen that appears after launching File Analytics from Prism. The dashboard displays widgets that present data on file trends, distribution, and operations.

Figure. File Analytics Dashboard. File Analytics data panes in the Dashboard view.

Table 1. Dashboard Widgets
Tile Name | Description | Intervals
Capacity Trend | Displays capacity trends for the file server including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view. | Seven days, the last 30 days, or the last 1 year.
Data Age | Displays the percentage of data by age. | Less than 3 months, 3–6 months, 6–12 months, and > 12 months.
Anomaly Alerts | Displays alerts for configured anomalies, see Configuring Anomaly Detection. |
Permission Denials | Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more. | [user id], [number of permission denials]
File Distribution by Size | Displays the number of files by file size. Provides trend details for top 5 files. | Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB.
File Distribution by Type | Displays the space taken up by various applications and file types. The file type is determined by the file extension. See the File Types table for more details. | MB or GB
File Distribution by Type Details view | Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. | Daily size trend for top 5 files (GB), file type (see File Type table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB).
Top 5 active users | Lists the users who have accessed the most files and number of operations the user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more. | 24 hours, 7 days, 1 month, or 1 year.
Top 5 accessed files | Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more. | Twenty-four hours, 7 days, 1 month, or 1 year.
Files Operations | Displays the distribution of operation types for the specified period including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. | Twenty-four hours, 7 days, 1 month, or 1 year.

Capacity Trend Details

Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes columns with entity details: Name, Net Capacity Change, Capacity Added, and Capacity Removed.

Figure. Capacity Trend Details View. Clicking on the Capacity Trend widget in the Dashboard tab displays the Capacity Trend Details view.

Table 2. Capacity Trend Details
Column | Description
Name | Name of share/export, folder, or category.
Net Capacity Change | The total difference between capacity at the beginning and the end of the specified period.
Share Name (for folders only) | The name of the share or export that the folder belongs to.
Capacity Added | Total added capacity for the specified period.
Capacity Removed | Total removed capacity for the specified period.

File Distribution by Type Details

Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table below for details.

Figure. File Distribution by Type. Clicking View Details on the File Distribution by Type widget displays the File Distribution by Type dashboard.

Table 3. Details of File Distribution Parameters

| Parameter | Description |
| --- | --- |
| File Type | Name of file type |
| Current Space Used | Space capacity occupied by the file type |
| Current Number of Files | Number of files for the file type |
| Change (In Last 30 Days) | The increase in capacity over a 30 day period of time for the specified file type. |

Table 4. File Types

| Category | Supported File Type |
| --- | --- |
| Archives | .cab, .gz, .rar, .tar, .z, .zip |
| Audio | .aiff, .au, .mp3, .mp4, .wav, .wma |
| Backups | .bak, .bkf, .bkp |
| CD/DVD Images | .img, .iso, .nrg |
| Desktop Publishing | .qxd |
| Email Archives | .pst |
| Hard Drive images | .tib, .gho, .ghs |
| Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff |
| Installers | .msi, .rpm |
| Log Files | .log |
| Lotus Notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf |
| MS Office Documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb |
| System Files | .bin, .dll, .exe |
| Text Files | .csv, .pdf, .txt |
| Video | .avi, .mpg, .mpeg, .mov, .m4v |
| Disk Image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd |

File Operation Trend

Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.

Figure. Operation Trend. A graph displays the number of times the specified operation took place over time.

Table 5. File Operation Trend View Parameters

| Category | Description |
| --- | --- |
| Operation Type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types. |
| Last (time period) | A drop-down option to specify the period for the file operation trend. |
| File operation trend graph | The x-axis displays shorter intervals for the specified period. The y-axis displays the trend in the number of operations across the intervals. |

Managing File Categories

File Analytics uses the file category configuration to classify file extensions.

About this task

The capacity widget in the dashboard uses the category configuration to calculate capacity details.

Procedure

  1. Click gear icon > Manage File Category.
  2. To create a new category, click + New Category. (Otherwise, move on to step 3.)
    1. In the Category column, name the category.
    2. In the Extensions column, specify file extensions for the category.
  3. To delete an existing category, click the x icon next to the category. (Otherwise, move on to step 4.)
  4. To modify an existing category, click the pencil icon next to the category and modify the specified file extensions.
  5. Click Save.

Health

The Health dashboard displays dynamically updated health information about each File Analytics component.

The Health dashboard includes the following details:

  • Data Summary: Data summary of all file servers with File Analytics enabled.
  • Host Memory: Percent of used memory on the File Analytics VM (FAVM).
  • Host CPU Usage: Percent of CPU used by the FAVM.
  • Storage Summary: Amount of storage space used on the File Analytics data disk or FAVM disk.
  • Overall Health: Overall health of File Analytics components.
  • Data Server Summary: Data server usage by component.

Figure. Health Page. The Health page dashboard includes tiles that dynamically update to indicate the health of relevant entities.

Anomalies

Data panes in the Anomalies tab display data and trends for configured anomalies.

The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.

Note: Configure an SMTP server to send anomaly alerts, see Configuring an SMTP Server.

You can configure anomalies for the following operations:

  • Creating files and directories
  • Deleting files and directories
  • Permission changes
  • Permission denials
  • Renaming files and directories
  • Reading files and directories

Define anomaly rules by specifying the following conditions:

  • Users exceed an operation count threshold
  • Users exceed an operation percentage threshold

Meeting the lower operation threshold triggers an anomaly.

Consider a scenario where you have 1 thousand files, the operation count threshold defined as 10, and the operation percentage threshold defined as 10%. The count threshold takes precedence, as 10% of 1 thousand is 100, which is greater than the count threshold of 10.

Figure. Anomalies Dashboard. The Anomalies dashboard displays anomaly trends.

Table 1. Anomalies Data Pane Descriptions

| Pane Name | Description | Values |
| --- | --- | --- |
| Anomaly Trend | Displays the number of anomalies per day or per month. | Last 7 days, Last 30 days, Last 1 year |
| Top Users | Displays the users with the most anomalies and the number of anomalies per user. | Last 7 days, Last 30 days, Last 1 year |
| Top Folders | Displays the folders with the most anomalies and the number of anomalies per folder. | Last 7 days, Last 30 days, Last 1 year |
| Operation Anomaly Types | Displays the percentage of occurrences per anomaly type. | Last 7 days, Last 30 days, Last 1 year |

Anomaly Details

Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.

Figure. Anomaly Details View

Table 2. Anomalies Details View Total Results Table

| Column | Description |
| --- | --- |
| Anomaly Type | The configured anomaly type. Anomaly types not configured do not show up in the table. |
| Total User Count | The number of users that have performed the operation causing the specified anomaly during the specified time range. |
| Total Folder Count | The number of folders in which the anomaly occurred during the specified time range. |
| Total Operation Count | Total number of anomalies for the specified anomaly type that occurred during the specified time range. |
| Time Range | The time range for which the total user count, total folder count, and total operation count are specified. |

Table 3. Anomalies Details View Users/Folders Table

| Column | Description |
| --- | --- |
| Username or Folders | Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders. |
| Operation count | The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph. |

Configuring Anomaly Detection

Steps for configuring anomaly rules.

About this task

Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server. To create an anomaly rule, do the following.

Procedure

  1. In the File Analytics web console, click the gear icon > Define Anomaly Rules.
  2. In the Anomaly Email Recipients field, enter a comma-separated list of email recipients for all anomaly alerts and data.
    Note: File Analytics sends anomaly alerts and data to recipients whenever File Analytics detects an anomaly.
  3. To configure a new anomaly, do the following in the indicated fields:
    1. Events : Select a rule for the anomaly from one of the following:
      • Permission changed
      • Permission denied
      • Delete
      • Create
      • Rename
      • Read
      The event defines the scenario type for the anomaly.
    2. Minimum Operations % : Enter a percentage value for the minimum threshold.
      File Analytics calculates the minimum operations percentage based on the number of files. For example, if there are 100 files, and you set the minimum operations percentage to 5, five operations within the scan interval would trigger an anomaly alert.
    3. Minimum Operation Count : Enter a value for a minimum operation threshold.
      File Analytics triggers an anomaly alert after meeting the threshold.
    4. User : Choose if the anomaly rule is applicable for All Users or an Individual user.
    5. Type: the type determines the interval.
      The interval determines how far back File Analytics monitors the anomaly.
    6. Interval : Enter a value for the detection interval.
    7. (optional) Actions : Click the pencil icon to update an anomaly rule. Click the x icon to delete an existing rule.
    Figure. Anomaly Configuration Fields. Fill out these fields to configure a new anomaly rule.

  4. Click Save .
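
The threshold rule described under Anomalies, together with the Minimum Operations % and Minimum Operation Count fields in this procedure, modeled as an added example (not Nutanix code). The rounding of the percentage, the event tuple layout, and the names AnomalyRule, effective_threshold, detect, and sample_events are assumptions; the audit events are constructed.

```python
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AnomalyRule:
    event: str                    # e.g. "Delete", "Permission denied"
    min_operations_pct: float     # "Minimum Operations %"
    min_operation_count: int      # "Minimum Operation Count"
    interval: timedelta           # detection interval
    user: Optional[str] = None    # None models "All Users"


def effective_threshold(rule, total_files):
    """Return the lower of the count threshold and the percentage threshold."""
    # Assumption: the percentage is rounded up to a whole number of operations.
    pct_as_count = math.ceil(total_files * rule.min_operations_pct / 100)
    # Never let a tiny share drive the threshold to zero operations.
    return max(1, min(rule.min_operation_count, pct_as_count))


def detect(rule, events, total_files, now):
    """Return {user: operation count} for users at or above the threshold."""
    start = now - rule.interval
    per_user = Counter(
        user
        for ts, user, op in events
        if op == rule.event and start <= ts <= now
        and (rule.user is None or user == rule.user)
    )
    limit = effective_threshold(rule, total_files)
    return {u: n for u, n in per_user.items() if n >= limit}


def sample_events(now):
    """Constructed audit events as (timestamp, user, operation) tuples."""
    events = [(now - timedelta(minutes=i), "svc-backup", "Delete") for i in range(12)]
    events += [(now - timedelta(minutes=i), "alice", "Delete") for i in range(3)]
    events += [(now - timedelta(minutes=i), "alice", "Read") for i in range(40)]
    # Older than the one-hour interval used below, so never counted.
    events += [(now - timedelta(hours=5, minutes=i), "bob", "Delete") for i in range(20)]
    return events


if __name__ == "__main__":
    now = datetime(2022, 6, 14, 12, 0)
    rule = AnomalyRule("Delete", 10, 10, timedelta(hours=1))
    print("effective threshold:", effective_threshold(rule, 1000))
    print("anomalous users:", detect(rule, sample_events(now), 1000, now))
```

On a large share the count threshold governs, while on a small share the percentage can resolve to only a few operations, so size both values against the number of files each rule covers.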

Configuring an SMTP Server

File Analytics uses a Simple Mail Transfer Protocol (SMTP) server to send anomaly alerts.

About this task

To configure an SMTP server, do the following:

Procedure

  1. In the File Analytics web console, click the gear icon > SMTP Configuration .
  2. In the SMTP Configuration window, enter the indicated details in the following fields:
    1. Hostname Or IP Address : Enter a fully qualified domain name or IP address for the SMTP server.
    2. Port : Enter the port to use.
      The standard SMTP ports are 25 (encrypted), 587 (TLS), and 465 (SSL).
    3. Security Mode : Enter the desired security mode from the dropdown list.
      The options are:
      • NONE (unencrypted)
      • STARTTLS (TLS encryption)
      • SSL (SSL encryption)
    4. (If security mode is "NONE" go to step f.)
    5. User Name : Enter a user name for logging into the SMTP server. Depending on the authentication method, the user name may require a domain.
    6. Password : Enter the password.
    7. From Email Address : Enter the email address from which File Analytics will send the anomaly alerts.
    8. Recipient Email Address : Enter a recipient email address to test the SMTP configuration.
    Figure. SMTP Configuration. Fields for configuring an SMTP server.

  3. Click Save .

Audit Trails

Use audit trails to look up operation data for a specific user, file, folder, or client.

The Audit Trails tab includes Files, Folders, Users, and Client IP options for specifying the audit type. Use the search bar to specify the entity for the audit (user, folder, file, or client IP).

The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.

View Audit Trails

Audit a user, file, client, or folder.

About this task

Procedure

  1. Click the Audit Trails tab.
  2. Select the Files, Folders, Users, or Client IP option.
  3. Enter the audit trails target into the search bar.
  4. Click Search.
  5. To display audit results in the Audit Trails window, click the entity name (or client IP number).

Audit Trails - Users

Details for client IP Audit Trails.

Audit Trails Search - Users

When you search by user in the Audit Trails tab, search results display the following information in a table.

  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action

Figure. Users Search Results. A table displays user search results for the query.

Audit Details Page - Users

Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.

  • A User Events graph displays various operations the user performed during the selected period and the percentage of time each operation has occurred per total operations during the specified period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Remove Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • The filter bar , above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific information. See more details below.
  • The Reset Filters button removes all filters.

Figure. User Audit Details - Events. User Events table displays event rates for various operations performed by the user.

The Results table provides granular details of the audit results. The following data is displayed for every event.

  • User Name
  • User IP Address
  • Operation
  • Operation Date
  • Target File

Click the gear icon for options to download the data as an xls, csv, or JSON file.

Note: You can download a maximum of 10,000 events in CSV and JSON format.

Figure. Results Table. The results table displays a detailed view of the audit data.

Audit Trails - Folders

Dashboard details for folder audits.

The following information displays when you search by file in the Audit Trails tab.

  • Folder Name
  • Folder Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action

Figure. Folders Search Results

The Audit Details page shows the following audit information for the selected folder.

  • A Folder Events graph displays various operations performed on the file during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Select All
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Remove Directory
      • Rename
      • Set Attribute
    • A filter bar , above the File Events graph displays the filters in use.
    • Use the From and to fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV and JSON format.

Audit Trails - Files

Dashboards details for file audit.

Audit Trails for Files

When you search by file in the Audit Trails tab, the following information displays:

  • File Name
  • File Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action

Figure. Files Search Results. A table displays file search results for the query.

Note: File Analytics does not support regular-expression (RegEx) based search.

The Audit Details page shows the following audit information for the selected file.

  • A File Events graph displays various operations performed on the file during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Close File
      • Create File
      • Delete
      • Make Directory
      • Open
      • Read
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • A filter bar , above the File Events graph displays the filters in use.
    • Use the From and to fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.

Figure. Files Audit Details - Events. File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • Username
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV and JSON format.

Figure. Results Table. The results table displays a detailed view of the audit data.

Audit Trails - Client IP

Dashboard details for client IP Audit Trails.

Audit Trails Search - Client IP

When you search by client IP in the Audit Trails tab, search results display the following information in a table.

  • Client IP
  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action

Figure. IP Search Results. A table displays IP search results for the query.

The Audit Details page shows the following audit information for the selected client.

  • A User Events graph displays various operations performed on the client during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Removed Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
      • Permission Denied (File Blocking)
    • A filter bar , above the File Events graph displays the filters in use.
    • Use the From and to fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.

Figure. Files Audit Details - Events. File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Operation
  • Target File
  • Operation Date

Click the gear icon for an option to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV and JSON format.

File Analytics Options

You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.

Updating Data Retention

The data retention period determines how long File Analytics retains event data.

About this task

Follow the steps as indicated to configure data retention.

Procedure

  1. In File Analytics, click gear icon > Update Data Retention .
  2. In the Data Retention Period drop-down, select the period for data retention.
  3. Click Update .

Scanning the File System

Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.

About this task

To scan shares, perform the following task:

Procedure

  1. In File Analytics, click the gear icon .
  2. In the drop-down list, click Scan File System .
    Figure. Scan File System Option

  3. In the list of shares, select the target shares for the scan.
    Figure. Select Scan Targets

  4. Click Scan .
    The status of the share is In Progress . Once the scan is complete, the status changes to Completed .

Blacklisting

Blacklist users, file extensions, and client IPs.

About this task

Use the blacklisting feature to block audit events from being performed on specified file extensions or by specified users and clients.

Procedure

  1. Click the gear icon > Define Blacklisting Rules .
  2. Click the pencil icon in the user, file extension, or client IP row.
  3. Add a comma separated list of entities that you want blocked.
  4. Click save in the updated row.

Data Protection

Configure File Analytics disaster recovery (DR) using Prism Element.

File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.

Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).

The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.

Configuring Disaster Recovery

To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.

About this task

By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.

Procedure

  1. If you have not done so already, configure a remote site for the local cluster.
    See the Configuring a Remote Site (Physical Cluster) topic in the Prism Web Console Guide for this procedure.
  2. Create an async DR protection domain for the File Analytics volume group as the entity. The volume group name is File_Analytics_VG .
    See Configuring a Protection Domain (Async DR) in the Prism Web Console Guide .
  3. In the Schedule tab, click the New Schedule button to add a schedule.
    Add a schedule, as File Analytics does not provide a default schedule. See Creating a Protection Domain Schedule (Files) Nutanix Files Guide.
  4. Configure local and remote container mapping.
    See the Configuring Disaster Recovery (Files) section in the Nutanix Files Guide for steps to configure mapping between local and remote containers.
  5. Create a protection domain schedule.
    See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide .

Activating Disaster Recovery

Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.

About this task

Perform the following tasks on the remote site.

Procedure

  1. Fail over to the protection domain for disaster recovery activation.
    See the Failing Over a Protection Domain topic in the Prism Web Console Guide .
  2. Fail back the protection domain to the primary site.
    See the Failing Back a Protection Domain topic in the Prism Web Console Guide .

Deploying File Analytics on a Remote Site

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions match the versions on the remote and primary sites.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG and deletes it in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG .
    See Restoring an Entity from a Protection Domain in the Prism Web Console Guide . For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix -File_Analytics_VG.
  3. In the Storage Table view, go to the Volumes tab.
    1. Copy the target IQN prefix from the Volume Group Details column.
      Tip: Click the tooltip to see the entire IQN prefix.
  4. To configure the FAVM on the remote, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$ sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cd /mnt/containers/config/common_config/
      nutanix@favm$ sudo cp cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$ sudo systemctl stop monitoring
      nutanix@favm$ docker stop $(docker ps -q)
      nutanix@favm$ sudo systemctl stop docker
    5. Unmount and log off from all iSCSI targets.
      nutanix@favm$ sudo umount /mnt
      nutanix@favm$ sudo /sbin/iscsiadm -m node -u
    6. Remove the disconnected target records from the discoverydb mode of the FAVM.
      nutanix@favm$ sudo /sbin/iscsiadm -m node -o delete
    7. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The output does not show the /dev/sdb device.
    8. Get the File Analytics Linux client iSCSI initiator name.
      nutanix@favm$  sudo cat /etc/iscsi/initiatorname.iscsi
      The output displays the initiator name.
      InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
    9. Copy the iSCSI initiator name.
    10. Remove the iSCSI initiator name from the client whitelist of the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    11. Whitelist the AVM client on the cloned volume group prefix -File_Analytics_VG using the iSCSI initiator name of the AVM client.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    12. Let the Analytics initiator discover the cluster and its volume groups.
      nutanix@favm$  sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal  data_services_IP_address:3260
      Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
    13. Connect to the volume target by specifying IQN prefix.
      nutanix@favm$  sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
    14. Restart the FAVM to restart the iSCSI host adapters, which allows the discovery of the attached volume group.
      nutanix@favm$  sudo reboot
    15. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    16. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      The FAVM discovers the attached iSCSI volume group and assigns it to the /dev/sdb device.
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      /dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
    17. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    18. Rename the restored volume group prefix -File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    19. Create a backup of the cvm.config file.
      nutanix@favm$ cd /mnt/containers/config/common_config/
      nutanix@favm$ mv cvm.config cvm_bck.config
    20. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ cd /tmp
      nutanix@favm$ mv cvm.config /mnt/containers/config/common_config/
    21. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase for new password . File Analytics uses the password only for internal communication between Prism and the FAVM. You must issue the same command twice.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    22. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."

File Analytics Guide

Files 3.1

Product Release Date: 2022-04-05

Last updated: 2022-11-04

File Analytics

File Analytics provides data and statistics on the operations and contents of a file server.

Once deployed, Nutanix Files adds a File Analytics VM (FAVM) to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. File Analytics protects data on the FAVM, which is kept in a separate volume group.

Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. Use the link to access File Analytics on any file server that has File Analytics enabled.
Note: File Analytics supports dual NIC configuration for segmented networks. Contact Nutanix Support for assistance.

Figure. File Analytics VM

Display Features

The File Analytics web console consists of display features:

Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:

  • Dashboard tab : View widgets that present data on file trends, distribution, and operations, see Dashboard.
  • Audit Trails tab : Search for a specific user or file and view various widgets to audit activity, see Audit Trails.
  • Anomalies tab : Create anomaly policies and view anomaly trends, see Anomalies.
  • Ransomware tab : Configure ransomware protection and self-service restore (SSR) snapshots, see Ransomware Protection.
    Warning: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.
  • Reports tab : Create custom reports or use pre-canned report templates, see Reports.
  • Status icon : Check the file system scan status.
  • File server drop-down : View the name of the file server for which data is displayed.
  • Settings drop-down : Manage File Analytics and configure settings, see Administration and File Analytics Options.
  • Health icon : Check the health of File Analytics, see Health.
  • Admin dropdown : Collect logs and view the current File Analytics version.

Deployment Requirements

Meet the following requirements prior to deploying File Analytics.

Ensure that you have performed the following tasks and your Files deployment meets the following specifications.

  • Assign the file server administrator role to an Active Directory (AD) user, see Managing Roles in the Nutanix Files Guide .
  • Log on as the Prism admin user to deploy the File Analytics server.
  • Configure a VLAN with one dedicated IP address for File Analytics, or you can use an IP address from an existing Files external network. This IP address must have connectivity to AD, the control VM (CVM), and Files. See "Configuring a Virtual Network For guest VM Interfaces" in the Prism Web Console Guide.
    Note: Do not install File Analytics on the Files internal network.
  • (optional) Assign the file server administrator role to an LDAP user, see Managing Roles in the Nutanix Files Guide .
  • Ensure that all software components meet the supported configurations and system limits, see the File Analytics Release Notes .

Network Requirements

Open the required ports, and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.

The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.

In addition to meeting the File Analytics network requirements, ensure that you meet the Nutanix Files port requirements as described in the Port Reference.

Limitations

File Analytics has the following limitations.

Note: Depending on data set size, file count, and workload type, enabling File Analytics can affect the performance of Nutanix Files. High latency is more common with heavy file-metadata operations (directory and file creation, deletion, permission changes, and so on). To minimize the impact on performance, ensure that the host has enough CPU and memory resources to handle the File Analytics VM (FAVM), file servers, and guest VMs (if any).
  • Only Prism admin can deploy File Analytics.
  • File Analytics analyzes data from daily up to 1 year based on the configuration. File Analytics automatically deletes data beyond the defined configuration.
    Note: After surpassing the audit event threshold, as specified in File Analytics Release Notes , Analytics archives the oldest events. Archived audit events do not appear in the Analytics UI.
  • You cannot deploy or decommission File Analytics when a file server has high-availability (HA) mode enabled.
  • You cannot use network segmentation for Nutanix Volumes with File Analytics.
  • If file server DNS or IP changes, File Analytics does not automatically reconfigure.
  • File Analytics does not collect metadata for files on Kerberos authenticated NFS v4.0 shares.
  • File Analytics does not support hard links.
  • You cannot enable File Analytics on a file server clone.
  • You cannot move File Analytics to another storage container.
  • File Analytics creates an unprotected Prism and an unprotected file server user for integration purposes. Do not delete these users.
  • The legacy file blocking policy has an upper limit of 300 ransomware extensions.
    Note: For higher limits, it is recommended to use Nutanix Data Lens.
  • File Analytics does not support the following operations for graceful shutdown:
    • AHV: power cycle, power off
    • ESXi: power off, reset
  • File Analytics log collection from CVM fails with dual NIC setup.
  • File Analytics does not collect metadata information on shares, offline shares, and encrypted shares.
  • Teardown of File Analytics fails in case of dual NIC setup.

Administration

Overview of administrative processes for File Analytics.

As an admin, you have the required permissions for performing File Analytics administrative tasks. To add a file server admin user, see Managing Roles in the Nutanix Files Guide . The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.

Role-based Access Control for File Analytics

Prism Element supports role-based access control (RBAC) that allows you to configure and provide customized access to the users based on their assigned roles.

Note: Logging in to File Analytics with a local user created on Prism Central is not supported.

From the Prism Element dashboard, you can assign a set of predefined built-in roles (system roles) to users or user groups. File Analytics supports the following built-in roles (system roles) that are defined by default:

Note: Only administrators (Super Admin or a Prism Admin in Prism Element) can create roles for File Analytics.
    • Viewer : Gives users view-only access to the information. Viewers cannot perform any administrative (create or modify) tasks.
    • Cluster and User Admin : Allows users to view information, perform administrative tasks, and perform create and modify operations.
    For more information on Role Based Access Control, refer to the Controlling User Access (RBAC) , Built-in Role Management , Configuring Role Mapping , and Managing Local User Accounts sections in the Security Guide .

Deploying File Analytics

Follow this procedure to deploy the File Analytics server.

Before you begin

Ensure that your environment meets all requirements prior to deployment, see Deployment Requirements.

Procedure

Deploying the File Analytics server.
  1. Go to Support Portal > Downloads > File Analytics .
  2. Download the File Analytics QCOW2 and JSON files.
  3. Log on to Prism with the user name and password of the Prism administrator.
    Note: An Active Directory (AD) user or an AD user mapped to a Prism admin role cannot deploy File Analytics.
  4. In Prism, go to the File Server view and click the Deploy File Analytics action link.
    Figure. File Analytics

  5. Review the File Analytics requirements and best practices in the Pre-Check dialog box.
  6. In the Deploy File Analytics Server dialog box, do the following in the Image tab.
    • Under Available versions , select one of the available File Analytics versions (continue to step 8).
    • Install by uploading installation binary files (continue to next step).
  7. Upload installation files.
    1. In the Upload binary section, click upload the File Analytics binary to upload the File Analytics JSON and QCOW files.
      Figure. Upload Binary Link
    2. Under File Analytics Metadata File (.Json) , click Choose File to choose the downloaded JSON file.
    3. Under File Analytics Installation Binary (.Qcow2) click Choose File to choose the downloaded QCOW file.
      Figure. Upload Binary Files
    4. Click Upload Now after choosing the files.
  8. Click Next .
  9. In the VM Configuration tab, do the following in the indicated fields:
    1. Name : Enter a name for the File Analytics VM (FAVM).
    2. Server Size : Select either the small or large configuration. Large file servers require larger configurations for the FAVM. By default File Analytics selects the large configuration.
    3. Storage Container: select a storage container from the drop-down.
      The drop-down displays the storage containers.
      Note: From AOS 5.15.3 version onward, the drop-down displays all storage containers. For earlier AOS versions, the drop-down only displays file server storage containers.
    4. Network List : Select a VLAN.
      Note: If the selected network is unmanaged , enter more network details in the Subnet Mask , Default Gateway IP , and IP Address fields as indicated.
      Note: The FAVM must use the client-side network.
      Note: For ESXi, do not use the Controller VM (CVM) backplane network. The CVM backplane network is not supported and any later upgrade operations might fail.
  10. Click Deploy .
    In the main menu drop-down, select the Tasks view to monitor the deployment progress.

Results

Once deployment is complete, File Analytics creates an FAVM, CVM, and a new Files user to make REST API calls. Do not delete the CVM, FAVM, or the REST API user.

Enabling File Analytics

Steps for enabling File Analytics after deployment or disablement.

About this task

Attention: Nutanix recommends enabling File Analytics during off-peak hours.

Follow these steps to enable File Analytics after disabling the application.

Note: File Analytics saves all previous configurations.

Procedure

  1. In the File Server view in Prism , select the target file server.
  2. (Skip to step 3 if you are re-enabling a file server.) Click Manage roles to add a file server admin user, see Managing Roles in the Nutanix Files Guide.
  3. In the File Server view, select the target file server and click File Analytics in the tabs bar.
  4. (Skip to step 5 if you are not re-enabling a disabled instance of File Analytics.) To re-enable File Analytics, click Enable File Analytics in the message bar.
    Figure. Enabling File Analytics Link
    The Enable File Analytics dialog-box appears. Skip the remaining steps.
  5. In the Data Retention field, select a data retention period. The data retention period refers to the length of time File Analytics retains audit events.
  6. In the Authentication section, enter the credentials as indicated:
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. (For SMB users only) In the SMB section, do the following in the indicated fields to provide SMB authentication details:
      • Active Directory Realm Name : Confirm the AD realm name for the file server.
      • Username : Enter the AD username for the file server administrator, see File Analytics Prerequisites .
      • Password : Enter the AD user password for the file server administrator.
    2. (For NFS users only) In the NFS Authentication section, do the following in the indicated fields to provide NFS authentication details:
      • LDAP Server URI : Enter the URI of the LDAP server.
      • Base DN : Enter the base DN for the LDAP server.
      • Password : Enter the LDAP user password for the file server administrator.


  7. Click Enable .

Results

After enablement, File Analytics performs a one-time file system scan to pull metadata information. The duration of the scan varies depending on the protocol of the share. There is no system downtime during the scan.

Example

Scanning 3–4 million NFS files or 1 million SMB files takes about 1 hour.

Disabling File Analytics

About this task

Follow the steps as indicated to disable File Analytics.

Procedure

  1. In File Analytics click the gear icon > Disable File Analytics .
  2. In the dialog-box, click Disable .
    Disabling File Analytics disables data collection. The following message banner appears.
     File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data. 

What to do next

To delete data, click the Delete File Analytics Data link in the banner described in Step 2.

Launching File Analytics

About this task

Do the following to launch File Analytics.

Procedure

  1. From the Prism views drop-down, select the File Server view.
  2. Select the target file server from the entity tab.
  3. Click the File Analytics action button below the entity table.
    Figure. Launch File Analytics. The File Analytics action button.

File Analytics VM Management

To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide .

Removing File Analytics VMs

Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.

About this task

Follow the steps as indicated to remove an FAVM.
Note: Do not delete an FAVM using the CLI, as this operation does not decommission the FAVM.

Procedure

  1. Disable File Analytics on all file servers in the cluster, see Disabling File Analytics.
  2. In the File Server view in Prism Element, do the following:
    1. In the top actions bar, click Manage File Analytics .
    2. Click Delete to remove the FAVM.
    When you delete an FAVM, you also delete all of your File Analytics configurations and audit data stored on the FAVM.

Updating Credentials

About this task

Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.

Procedure

  1. Click gear icon > Update AD/LDAP Configuration .
  2. To update Active Directory credentials, do the following in the indicated fields (otherwise move on to the next step).
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. Active Directory Realm Name: confirm or replace the realm name.
    2. Username: confirm or replace the username.
    3. Password: type in the new password.
  3. To update NFS configuration, do the following (otherwise move on to the next step).
    1. LDAP Server URI: confirm or replace the server URI.
    2. Base DN: confirm or replace the base distinguished name (DN).
    3. Bind DN (Optional): confirm or replace the bind distinguished name (DN).
    4. Password: type in the new password.
  4. Click Save .

Managing Deleted Share/Export Audits

Manage the audit data of deleted shares and exports.

About this task

By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears next to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.

Follow the directions as indicated to delete audit data for the deleted share or export.

Note: You cannot restore the deleted audit data of a deleted share or export.

Procedure

  1. Click the gear icon > Manage Deleted Share/Export Audit .
  2. Check the box next to the share or export name.
  3. Click Delete .
  4. In the confirmation window, click Delete to confirm the deletion of data.
    In the Manage Deleted Share/Export Audit , a progress bar displays the progress of the deletion process next to the share name. File Analytics considers data deletion of a deleted share a low-priority task, which can take several hours to finish.

Changing an FAVM Password

Steps for updating the password of a File Analytics VM (FAVM).


Procedure

  1. Log on to an FAVM with SSH.
  2. Change the nutanix password.
    nutanix@fsvm$ sudo passwd nutanix
  3. Respond to the prompts, providing the current and new nutanix user password.
    Changing password for user nutanix.
    Old Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Note:

    The password must meet the following complexity requirements:

    • At least 8 characters long
    • At least 1 lowercase letter
    • At least 1 uppercase letter
    • At least 1 number
    • At least 1 special character
    • At least 4 characters difference from the old password
    • Should not be among the last 10 passwords

Upgrades

Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.

Before you proceed with the FA upgrade, ensure you meet the following:

  • Have a compatible version of AOS and Files.

    Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .

  • Check the health page of File Analytics to confirm if the overall health is green. See Health.
  • The protection domain (PD) for the File Analytics VM (FAVM) should not include any other entities.

To upgrade File Analytics, perform inventory and updates using the Life-Cycle Manager (LCM), see the Life Cycle Manager Guide for instructions on performing inventory and updates.

Note: The File Analytics UI is not accessible during upgrades.

During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes the snapshot after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.

Upgrade File Analytics at a Dark Site

Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).

About this task

Before you begin

You need a local web server reachable by your Nutanix clusters to host the LCM repository.

Procedure

  1. From a device that has public Internet access, go to Nutanix Portal > Downloads > Tools & Firmware .
    1. Download the tar file lcm_dark_site_version.tar.gz .
    2. Transfer lcm_dark_site_version.tar.gz to your local web server and untar into the release directory.
  2. From a device that has public Internet access, go to the Nutanix portal and select Downloads > File Analytics .
    1. Download the following files.
      • file_analytics_dark_site_version.tar.gz
      • nutanix_compatibility.tgz
      • nutanix_compatibility.tgz.sign
    2. Transfer file_analytics_dark_site_version.tar.gz to your local web server and untar into the release directory.
    3. Transfer the nutanix_compatibility.tgz and nutanix_compatibility.tgz.sign files to your local web server (overwrite existing files as needed).
  3. Log on to Prism Element.
  4. Click Home > LCM > > Settings .
    1. In the Fetch updates from field, enter the path to the directory where you extracted the tar file on your local server. Use the format http://webserver_IP_address/release .
    2. Click Save .
      You return to the Life Cycle Manager.
    3. In the LCM sidebar, click Inventory > Perform Inventory .
    4. Update the LCM framework before trying to update any other component.
      The LCM sidebar shows the LCM framework with the same version as the file you downloaded.

Dashboard

The Dashboard tab displays data on the operational trends of a file server.

Dashboard View

The Dashboard tab is the opening screen that appears after launching File Analytics for a specific file server. The dashboard displays widgets that present data on file trends, distribution, and operations.

Note: Widgets refresh hourly.
Figure. Analytics Dashboard. Widgets in the dashboard view.

Table 1. Dashboard Widgets
| Tile Name | Description | Intervals |
|---|---|---|
| Capacity trend | Displays capacity trends for the file server including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view. | 7 days, the last 30 days, or the last 1 year. |
| Data age | Displays the percentage of data by age. Data age determines the data heat, including: hot, warm, and cold. | Default intervals are as follows: Hot data – accessed within the last week; Warm data – accessed within 2 to 4 weeks; Cold data – accessed 4 weeks ago or later. |
| Permission denials | Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more. | [user id], [number of permission denials] |
| File distribution by size | Displays the number of files by file size. Provides trend details for top 5 files. | Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB. |
| File distribution by type | Displays the space taken up by various applications and file types. The file extension determines the file type. See the File types table for more details. | MB or GB |
| File distribution by type details view | Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. | Daily size trend for top 5 files (GB), file type (see the "File Type" table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB). |
| Top 5 active users | Lists the users who have accessed the most files and number of operations the user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more. | 24 hours, 7 days, 1 month, or 1 year. |
| Top 5 accessed files | Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more. | 24 hours, 7 days, 1 month, or 1 year. |
| Files operations | Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. | 24 hours, 7 days, 1 month, or 1 year. |

Capacity Trend Details

Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes columns with entity details: name, net capacity change, capacity added, and capacity removed.

Figure. Capacity Trend Details View. Clicking on the Capacity Trend widget in the Dashboard tab displays the Capacity Trend Details view.

Table 2. Capacity Trend Details
| Column | Description |
|---|---|
| Name | Name of share/export, folder, or category. |
| Net capacity change | The total difference between capacity at the beginning and the end of the specified period. |
| Share name (for folders only) | The name of the share or export that the folder belongs to. |
| Capacity added | Total added capacity for the specified period. |
| Capacity removed | Total removed capacity for the specified period. |

File Distribution by Type Details

Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table for details.

Figure. File Distribution by Type. Clicking View Details on the File Distribution by Type widget displays the File Distribution by Type dashboard.

Table 3. Details of File Distribution Parameters
| Column | Description |
|---|---|
| File type | Name of file type |
| Current space used | Space capacity occupied by the file type |
| Current number of files | Number of files for the file type |
| Change (in last 30 days) | The increase in capacity over a 30-day period for the specified file type |

Table 4. File Types
| Category | Supported File Type |
|---|---|
| Archives | .cab, .gz, .rar, .tar, .z, .zip |
| Audio | .aiff, .au, .mp3, .mp4, .wav, .wma |
| Backups | .bak, .bkf, .bkp |
| CD/DVD images | .img, .iso, .nrg |
| Desktop publishing | .qxd |
| Email archives | .pst |
| Hard drive images | .tib, .gho, .ghs |
| Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff |
| Installers | .msi, .rpm |
| Log Files | .log |
| Lotus notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf |
| MS Office documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb |
| System files | .bin, .dll, .exe |
| Text files | .csv, .pdf, .txt |
| Video | .avi, .mpg, .mpeg, .mov, .m4v |
| Disk image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd |

File Operation Trend

Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.

Figure. Operation Trend. A graph displays the number of times the specified operation took place over time.

Table 5. File Operation Trend View Parameters
| Category | Description |
|---|---|
| Operation type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types. |
| Last (time period) | A drop-down option to specify the period for the file operation trend. |
| File operation trend graph | The x-axis displays shorter intervals for the specified period. The y-axis displays the number of operations over the extent of the intervals. |

Health

The Health dashboard displays dynamically updated health information about each file server component.

The Health dashboard includes the following details:

  • Data Summary : Data summary of all file servers with File Analytics enabled.
  • Host Memory : Percent of used memory on the File Analytics VM (FAVM).
  • Host CPU Usage : Percent of CPU used by the FAVM.
  • Storage Summary : Amount of storage space used on the File Analytics data disk or FAVM disk.
  • Overall Health : Overall health of File Analytics components.
  • Data Server Summary : Data server usage by component.
Figure. Health Page. The Health page dashboard includes tiles that dynamically update to indicate the health of relevant entities.

Data Age

The Data Age widget in the dashboard provides details on data heat.

Share-level data is displayed to provide details on share capacity trends. There are three levels of data heat:

  • Hot – frequently accessed data (last accessed within the last week).
  • Warm – infrequently accessed data (last accessed within the last 2 to 4 weeks).
  • Cold – rarely accessed data (last accessed longer than 4 weeks ago).

You can configure the definitions for each level of data heat rather than using the default values. See Configuring Data Heat Levels.

Configuring Data Heat Levels

Update the values that constitute different data heat levels.

Procedure

  1. In the Data Age widget, click Explore .
  2. Click Edit Data Age Configuration .
  3. Do the following in the Hot Data section:
    1. In the entry field next to Older Than , enter an integer.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  4. Do the following in the Warm Data section to configure two ranges :
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  5. Do the following in the Cold Data section to configure four ranges :
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    5. In the 3rd entry field, enter an integer to configure the 3rd range.
    6. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    7. (optional) In the 4th entry field, enter an integer to configure the 4th range.
    8. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  6. Click Apply .
    Note: The new values do not affect the already calculated heat statistics. File Analytics uses the updated values for future heat calculations.

Anomalies

Data panes in the Anomalies tab display data and trends for configured anomalies.

The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.

You can configure anomalies for the following operations:

  • Creating files and directories
  • Deleting files and directories
  • Permission changes
  • Permission denials
  • Renaming files and directories
  • Reading files and directories

Define anomaly rules by specifying the following conditions:

  • Users exceed an operation count threshold
  • Users exceed an operation percentage threshold

Meeting the lower operation threshold triggers an anomaly.

Consider a scenario where you have 1 thousand files, the operation count threshold defined as 10, and the operation percentage threshold defined as 10%. The count threshold takes precedence, as 10% of 1 thousand is 100, which is greater than the count threshold of 10.

Figure. Anomalies Dashboard. The Anomalies dashboard displays anomaly trends.

Table 1. Anomalies Data Pane Descriptions
| Pane Name | Description | Values |
|---|---|---|
| Anomaly Trend | Displays the number of anomalies per day or per month. | Last 7 days, Last 30 days, Last 1 year |
| Top Users | Displays the users with the most anomalies and the number of anomalies per user. | Last 7 days, Last 30 days, Last 1 year |
| Top Folders | Displays the folders with the most anomalies and the number of anomalies per folder. | Last 7 days, Last 30 days, Last 1 year |
| Operation Anomaly Types | Displays the percentage of occurrences per anomaly type. | Last 7 days, Last 30 days, Last 1 year |

Anomaly Details

Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.

Figure. Anomaly Details View

Table 2. Anomalies Details View Total Results Table
| Column | Description |
|---|---|
| Anomaly Type | The configured anomaly type. Anomaly types not configured do not show up in the table. |
| Total User Count | The number of users that have performed the operation causing the specified anomaly during the specified time range. |
| Total Folder Count | The number of folders in which the anomaly occurred during the specified time range. |
| Total Operation Count | Total number of anomalies for the specified anomaly type that occurred during the specified time range. |
| Time Range | The time range for which the total user count, total folder count, and total operation count are specified. |

Table 3. Anomalies Details View Users/Folders Table
| Column | Description |
|---|---|
| Username or Folders | Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders. |
| Operation count | The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph. |

Configuring Anomaly Detection

Steps for configuring anomaly rules.

About this task

To create an anomaly rule, do the following.

Note: Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server.

Procedure

  1. In the File Analytics web console, click the gear icon > Define Anomaly Rules.
  2. In the Anomaly Email Recipients field, enter a comma-separated list of email recipients for all anomaly alerts and data.
    Note: File Analytics sends anomaly alerts and data to recipients whenever File Analytics detects an anomaly.
  3. To configure a new anomaly, do the following in the indicated fields:
    1. Events : Select a rule for the anomaly from one of the following:
      • Permission changed
      • Permission denied
      • Delete
      • Create
      • Rename
      • Read
      The event defines the scenario type for the anomaly.
    2. Minimum Operations % : Enter a percentage value for the minimum threshold.
      File Analytics calculates the minimum operations percentage based on the number of files. For example, if there are 100 files, and you set the minimum operations percentage to 5, five operations within the scan interval would trigger an anomaly alert.
    3. Minimum Operation Count : Enter a value for a minimum operation threshold.
      File Analytics triggers an anomaly alert after meeting the threshold.
    4. User : Choose if the anomaly rule is applicable for All Users or an Individual user.
    5. Type: the type determines the interval.
      The interval determines how far back File Analytics monitors the anomaly.
    6. Interval : Enter a value for the detection interval.
    7. (optional) Actions : Click the pencil icon to update an anomaly rule. Click the x icon to delete an existing rule.
    Figure. Anomaly Configuration Fields. Fill out these fields to configure a new anomaly rule.

  4. Click Save .
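The threshold rule from the Anomalies overview (the lower of the count and percentage thresholds triggers) and the rule fields in this procedure can be worked through over audit events. The following is an added example, not Nutanix code: the tab-separated record layout, the sample events, the function and class names, per-user counting, and rounding a fractional percentage up are all assumptions made for illustration.

```python
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AnomalyRule:
    """Hypothetical model of the rule fields described on this page."""
    event: str                  # Events, e.g. "Delete" or "Permission denied"
    min_ops_percent: float      # Minimum Operations %
    min_ops_count: int          # Minimum Operation Count
    interval: timedelta         # Interval: how far back the rule looks
    user: Optional[str] = None  # None = All Users, otherwise one individual user


def effective_threshold(rule: AnomalyRule, total_files: int) -> int:
    """Return the lower of the two thresholds as an operation count."""
    # Assumption: a fractional percentage result rounds up to a whole operation.
    pct_as_ops = math.ceil(total_files * rule.min_ops_percent / 100)
    return max(1, min(rule.min_ops_count, pct_as_ops))


def parse_event(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse 'timestamp<TAB>user<TAB>operation<TAB>path' (constructed layout)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None  # skip malformed records rather than abort the scan
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def detect_anomalies(lines: Iterable[str], rule: AnomalyRule,
                     total_files: int, window_end: datetime) -> Dict[str, int]:
    """Return {user: operation count} for users that meet the threshold."""
    window_start = window_end - rule.interval
    threshold = effective_threshold(rule, total_files)
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, user, operation, _path = parsed
        if operation != rule.event or not (window_start <= ts <= window_end):
            continue
        if rule.user is not None and user != rule.user:
            continue
        counts[user] += 1
    # Meeting the threshold is enough to trigger, so compare with >=.
    return {u: n for u, n in counts.items() if n >= threshold}


def constructed_audit_lines() -> List[str]:
    """Constructed sample events, not real File Analytics output."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)

    def rec(ts: datetime, user: str, op: str, path: str) -> str:
        return "\t".join((ts.isoformat(), user, op, path))

    lines = []
    for i in range(12):  # user_a: 12 deletes inside the one-hour window
        lines.append(rec(t0 + timedelta(minutes=i), "user_a", "Delete", f"/share1/a{i}.docx"))
    for i in range(3):   # user_b: 3 deletes inside the window
        lines.append(rec(t0 + timedelta(minutes=10 + 5 * i), "user_b", "Delete", f"/share1/b{i}.txt"))
    for i in range(20):  # user_b: reads, which a Delete rule must ignore
        lines.append(rec(t0 + timedelta(minutes=i), "user_b", "Read", f"/share1/r{i}.txt"))
    for i in range(6):   # user_c: 6 deletes inside the window
        lines.append(rec(t0 + timedelta(minutes=30 + i), "user_c", "Delete", f"/share2/c{i}.log"))
    for i in range(8):   # user_c: 8 deletes a day earlier, outside the window
        lines.append(rec(t0 - timedelta(days=1) + timedelta(minutes=i), "user_c", "Delete", f"/share2/old{i}.log"))
    lines.append("corrupted record without tab separators")
    return lines


if __name__ == "__main__":
    end = datetime(2024, 1, 15, 10, 0, 0)
    hour = timedelta(hours=1)
    events = constructed_audit_lines()
    # Page scenario: 1 thousand files, count 10, percentage 10% -> count wins.
    print(detect_anomalies(events, AnomalyRule("Delete", 10, 10, hour), 1000, end))
    # Page scenario: 100 files at 5% -> five operations trigger.
    print(detect_anomalies(events, AnomalyRule("Delete", 5, 50, hour), 100, end))
```

On small shares the percentage threshold is usually the one in effect, so a low Minimum Operations % can flag routine cleanup; review both values against the file count of the share being monitored.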

Configuring an SMTP Server

File Analytics uses a Simple Mail Transfer Protocol (SMTP) server to send anomaly alerts.

About this task

To configure an SMTP server, do the following:

Procedure

  1. In the File Analytics web console, click the gear icon > SMTP Configuration .
  2. In the SMTP Configuration window, enter the indicated details in the following fields:
    1. Hostname Or IP Address : Enter a fully qualified domain name or IP address for the SMTP server.
    2. Port : Enter the port to use.
      The standard SMTP ports are 25 (unencrypted), 587 (TLS), and 465 (SSL).
    3. Security Mode : Enter the desired security mode from the dropdown list.
      The options are:
      • NONE (unencrypted)
      • STARTTLS (TLS encryption)
      • SSL (SSL encryption)
    4. (If security mode is "NONE" go to step f.)
    5. User Name : Enter a user name for logging into the SMTP server. Depending on the authentication method, the user name may require a domain.
    6. Password : Enter the password.
    7. From Email Address : Enter the email address from which File Analytics will send the anomaly alerts.
    8. Recipient Email Address : Enter a recipient email address to test the SMTP configuration.
    Figure. SMTP Configuration. Fields for configuring an SMTP server.

  3. Click Save .

Audit Trails

Use audit trails to look up operation data for a specific user, file, folder, or client.

The Audit Trails tab includes Files , Folders , Users , and Client IP options for specifying the audit type. Use the search bar for specifying the specific entity for the audit (user, folder, file, or client IP).

The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.

View Audit Trails

Audit a user, file, client, or folder.

About this task

Follow the steps as indicated.

Procedure

  1. Click the Audit Trails tab.
  2. Select the Files , Folders , Users , or Client IP option.
  3. Enter the audit trails target into the search bar.
  4. Click Search .
  5. To display audit results in the Audit Trails window, click the entity name (or client IP number).

Audit Trails - Users

Details for user Audit Trails.

Audit Trails Search - Users

When you search by user in the Audit Trails tab, search results display the following information in a table.

  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. Users Search Results. A table displays user search results for the query.

Audit Details Page - Users

Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.

  • A User Events graph displays various operations the user performed during the selected period and the percentage of time each operation has occurred per total operations during the specified period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Remove Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • The filter bar , above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific information. See more details below.
  • The Reset Filters button removes all filters.
Figure. User Audit Details - Events. User Events table displays event rates for various operations performed by the user.

The Results table provides granular details of the audit results. The following data is displayed for every event.

  • User Name
  • User IP Address
  • Operation
  • Operation Date
  • Target File

Click the gear icon for options to download the data as an xls, csv, or JSON file.

Note: You can download a maximum of 10,000 events in CSV and JSON format.
Figure. Results Table. The results table displays a detailed view of the audit data.

Audit Trails - Folders

Dashboard details for folder audits.

The following information displays when you search by folder in the Audit Trails tab.

  • Folder Name
  • Folder Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Folders Search Results

The Audit Details page shows the following audit information for the selected folder.

  • A Folder Events graph displays various operations performed on the folder during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Select All
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Remove Directory
      • Rename
        Note: Rename operation shows both change of name and change of path for specific file or folder.
      • Set Attribute
    • A filter bar, above the Folder Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV and JSON format.

Audit Trails - Files

Dashboard details for file audits.

Audit Trails for Files

When you search by file in the Audit Trails tab, the following information displays:

  • File Name
  • File Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Files Search Results. A table displays file search results for the query.

Note:
  • File Analytics does not support regular expression (RegEx) based search.
  • File Analytics supports up to 500 million files with the latest 3 months of audit data for a file server.

The Audit Details page shows the following audit information for the selected file.

  • A File Events graph displays various operations performed on the file during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Close File
      • Create File
      • Delete
      • Make Directory
      • Open
      • Read
      • Rename
        Note: Rename operation shows both change of name and change of path for specific file or folder.
      • Set Attribute
      • Write
      • Symlink
    • A filter bar, above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events. File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • Username
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV and JSON format.
Figure. Results Table. The results table displays a detailed view of the audit data.

Audit Trails - Client IP

Dashboard details for client IP Audit Trails.

Audit Trails Search - Client IP

When you search by client IP in the Audit Trails tab, search results display the following information in a table.

  • Client IP
  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. IP Search Results. A table displays IP search results for the query.

The Audit Details page shows the following audit information for the selected client.

  • A User Events graph displays various operations performed on the client during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Removed Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
      • Permission Denied (File Blocking)
    • A filter bar, above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events. File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Operation
  • Target File
  • Operation Date

Click the gear icon for an option to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV and JSON format.

Ransomware Protection

Ransomware protection for your file server.

Caution: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.

File Analytics scans files for ransomware in real time and notifies you in the event of a ransomware attack once you configure email notifications.

Using a curated list of over 250 signatures that frequently appear in ransomware files, the Nutanix Files file blocking mechanism identifies and blocks files with ransomware extensions from carrying out malicious operations. You can modify the list by manually adding or removing signatures.

Note: Removing curated blocked signatures can prevent File Analytics from blocking some ransomware files.

File Analytics also monitors shares for self-service restore (SSR) policies and identifies shares that do not have SSR enabled in the ransomware dashboard. You can enable SSR through the ransomware dashboard.

Ransomware Protection Features

The ransomware dashboard includes panes for managing ransomware protection and self-service restore (SSR).

Ransomware Dashboard

The ransomware dashboard includes two main sections:

  • The SSR Status pane for viewing, enabling, and managing SSR, see Enabling SSR.
  • The Vulnerabilities (Infection Attempts) pane for viewing total vulnerabilities, vulnerable shares, malicious clients, and top recent ransomware attempts.
    • Clicking on the number of total vulnerabilities provides a detailed view of recent vulnerabilities.
    • Clicking on the number of vulnerable shares provides a detailed view of vulnerable shares.
    • Clicking on the number of malicious clients provides a detailed view of malicious clients.
  • Click Settings , to enable and configure ransomware protection, see Enabling Ransomware Protection and Configuring Ransomware Protection.
  • Click Download (.csv) to download a list of blocked ransomware signatures.
Figure. Ransomware Dashboard

Enabling Ransomware Protection

Enable ransomware protection on your file server.

About this task

Procedure

  1. Go to dropdown menu > Ransomware .
  2. In the message banner, click Enable Ransomware Protection .
  3. (optional) Click Configure SMTP to Add Recipients.
    Note: This option appears only if you have not configured a simple mail transfer protocol (SMTP) server, see Configuring an SMTP Server.
  4. Under Ransomware Email Recipients , add at least one email address. If there is a ransomware attack, File Analytics sends a notification to the specified email address.
    Figure. Enable Ransomware

  5. Click Enable .
    See Configuring Ransomware Protection for configuration steps.

Configuring Ransomware Protection

Configure ransomware protection on file servers.

About this task

Do the following to add a signature to the blocked extension list.

Procedure

  1. Go to dropdown menu > Ransomware > Settings .
  2. (optional) Under Search for blocked File Signatures , enter ransomware signatures in the *. (signature) format.
    Note: You can also remove ransomware signatures.
    1. To check that the signature has been blocked, click Search .
    2. If the signature has not been blocked, click Add to Block List .

  3. (optional) To download a list of blocked ransomware signatures, click Download (.csv) .
  4. (optional) Under Ransomware Email Recipients , add a comma separated list of email addresses. If there is a ransomware attack, File Analytics sends a notification to the specified email addresses.
  5. (optional) To disable the ransomware protection feature, click Disable Ransomware Protection .
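
The blocked-signature list and the Permission Denied (File Blocking) audit operation can be cross-checked offline. The following Python sketch is an added example, not Nutanix code: it counts blocked attempts per client and share, and flags write-type operations that succeeded on a file name matching a blocked signature (for example, because the signature was added later or removed earlier). The CSV column name, the event keys, and all sample values are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter
from fnmatch import fnmatchcase

BLOCKED_OP = "Permission Denied (File Blocking)"   # operation name from the audit filters
WRITE_OPS = {"Create File", "Rename", "Write"}     # operations that place a name on disk

# Constructed block list; the single "signature" column is an assumption
# about the layout of the Download (.csv) export.
BLOCKLIST_CSV = """signature
*.locked
*.CRYPT
invoice.pdf
"""

# Constructed audit events; the key names are hypothetical.
EVENTS = [
    {"client_ip": "192.0.2.10", "share": "finance", "operation": BLOCKED_OP,
     "target_file": "/finance/q1.xlsx.locked"},
    {"client_ip": "192.0.2.10", "share": "finance", "operation": BLOCKED_OP,
     "target_file": "/finance/q2.xlsx.locked"},
    {"client_ip": "192.0.2.10", "share": "hr", "operation": BLOCKED_OP,
     "target_file": "/hr/staff.docx.crypt"},
    {"client_ip": "192.0.2.22", "share": "hr", "operation": "Rename",
     "target_file": "/hr/Plan.DOCX.Crypt"},
    {"client_ip": "192.0.2.22", "share": "hr", "operation": "Write",
     "target_file": "/hr/notes.txt"},
    {"client_ip": "192.0.2.30", "share": "finance", "operation": "Read",
     "target_file": "/finance/old.locked"},
]


def load_signatures(csv_text):
    """Return lower-cased '*.ext' patterns, skipping rows that are not in that format."""
    patterns = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sig = (row.get("signature") or "").strip().lower()
        if sig.startswith("*.") and len(sig) > 2:
            patterns.append(sig)
    return patterns


def matching_signature(target_file, patterns):
    """Return the first pattern matching the file name (case-insensitive), or None."""
    name = re.split(r"[\\/]", target_file)[-1].lower()   # base name for / or \ paths
    for pattern in patterns:
        if fnmatchcase(name, pattern):
            return pattern
    return None


def triage(events, patterns):
    """Summarise blocked attempts and list matching files that were not blocked."""
    by_client, by_share, unblocked = Counter(), Counter(), []
    for ev in events:
        if ev["operation"] == BLOCKED_OP:
            by_client[ev["client_ip"]] += 1
            by_share[ev["share"]] += 1
        elif ev["operation"] in WRITE_OPS:
            sig = matching_signature(ev["target_file"], patterns)
            if sig:
                unblocked.append((ev["client_ip"], ev["target_file"], sig))
    return {
        "total_blocked": sum(by_client.values()),
        "blocked_by_client": dict(by_client),
        "blocked_by_share": dict(by_share),
        "unblocked_matches": unblocked,
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS, load_signatures(BLOCKLIST_CSV)).items():
        print(f"{key}: {value}")
```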

Enabling SSR

Enable self-service restore on shares identified by File Analytics.

About this task

File Analytics scans shares for SSR policies.

Procedure

  1. Go to dropdown menu > Ransomware .
  2. Click Enable SSR on Prism .
  3. Check the box next to the shares for which to enable SSR.
    Figure. Enable SSR on Shares

  4. Click Enable SSR .

Reports

Generate a report for entities on the file server.

Create a report with custom attribute values or use one of the File Analytics pre-canned report templates. To create a custom report, specify the entity, attributes (and operators for some attributes), attribute values, column headings, and the number of columns. Pre-canned reports define most of the attributes and headings based on the entity and template that you choose.

The Reports dashboard displays a table of previously generated reports. You can rerun existing reports rather than creating a template. After creating a report, you can download it as a JSON or CSV file.

Reports Dashboard

The reports dashboard includes options to create, view, and download reports.

The Reports dashboard includes options to create a report, download reports as a JSON, download reports as a CSV, rerun reports, and delete reports.

The reports table includes columns for the report name, status, last run, and actions.

Figure. Reports Dashboard

Clicking Create a new report takes you to the report creation screen, which includes the Report Builder and Pre-Canned Reports Templates tabs. The tabs include report options and filters for report configuration.

Both tabs include the following elements:

  • The Define Report Type section includes an Entity drop-down menu to select an entity.
  • The Define Filters section includes an Attribute drop-down menu and an option to add more attributes by clicking + Add filter .
  • The Add/remove columns in this report section displays default columns. Clicking the columns field lets you add additional columns to the report. Clicking the x next to the column name removes it from the report.
  • The Define number of maximum rows in this report section includes a Count section to specify the number of rows in the report.

Table 1. Report Builder – Filter Options

  • Entity: Events
    • Attributes (filters):
      • event_date
        Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
        Value: (date)
      • Event_operation
        Operator: N/A
        Value: file_write, file_read, file_create, file_delete, rename, directory_create, directory_delete, SecurityChange (permission change), set_attr, sym_link
    • Columns:
      • audit_path (object path)
      • audit_objectname (object name)
      • audit_operation (operation)
      • audit_machine_name (source of operation)
      • audit_event_date (event date in UTC)
      • audit_username (user name)
  • Entity: Files
    • Attributes (filters):
      • Category
        Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
        Value: (date)
      • Extensions
        Operator: N/A
        Value: (type in value)
      • Deleted
        Operator: N/A
        Value: Last (number of days from 1 to 30) days
      • creation_date
        Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
        Value: (date)
      • access_date
        Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
        Value: (date)
      • Size
        Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
        Value: (number) (file size)
        File size options: B, KB, MB, GB, TB
    • Columns:
      • object_name (file name)
      • share_UUID (share name)
      • object_owner_name (owner name)
      • object_size_logical (size)
      • file_type (extension)
      • object_creation_date (creation date in UTC)
      • last_event_date (access date in UTC)
      • share_UUID (share name)
      • fileserver_protocol
      • object_ID (file id)
      • object_last_operation_name (last operation)
      • audit_username (last operation user)
      • object_last_operation_name (last operation)
      • file_path (file path)
  • Entity: Folders
    • Attributes (filters):
      • Deleted
        Operator: N/A
        Value: Last (number of days from 1 to 30) days
      • creation_date
        Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
        Value: (date)
    • Columns:
      • object_name (Dir name)
      • object_owner_name (owner name)
      • object_creation_date (creation date in UTC)
      • last_event_date (access date in UTC)
      • share_UUID (share name)
      • object_last_operation_name (last operation)
      • audit_username (last operation user)
      • File server protocol
      • object_ID (file id)
      • file_path (Dir path)
  • Entity: Users
    • Attributes (filters):
      • last_event_date
        Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
        Value: (date)
    • Columns:
      • user_login_name (user name)
      • Last operation
      • last_event_date (access date in UTC)
      • last_operation_audit_path

Table 2. Pre-Canned Reports – Filters

  • Entity: Events
    • Pre-canned report templates:
      • PermissionDenied events
      • Permission Denied (file blocking) events
    • Columns:
      • audit_path (object path)
      • audit_objectname (object name)
      • audit_operation (operation)
      • audit_machine_name (source of operation)
      • audit_event_date (event date in UTC)
      • audit_username (user name)
  • Entity: Files
    • Pre-canned report templates:
      • Largest Files
      • Oldest Files
      • Files not accessed for last 1 year
      • Files accessed in last 30 days
    • Columns:
      • object_name (file name)
      • share_UUID (share name)
      • object_owner_name (owner name)
      • object_size_logical (size)
      • file_type (extension)
      • object_creation_date (creation date in UTC)
      • last_event_date (access date in UTC)
      • share_UUID (share name)
      • fileserver_protocol
      • object_ID (file id)
      • object_last_operation_name (last operation)
      • audit_username (last operation user)
      • object_last_operation_name (last operation)
      • file_path (file path)
  • Entity: Users
    • Pre-canned report templates:
      • Top owners with space consumed
      • Top active users
      • All users
    • Columns:
      • user_login_name (user name)
      • Last operation
      • last_event_date (access date in UTC)
      • last_operation_audit_path

Creating a Custom Report

Create a custom report by defining the entity, attribute, filters, and columns.

About this task

Follow the steps as indicated.

Procedure

  1. Go to dropdown menu > Reports .
  2. Click Create a new report .
  3. In the Report Builder tab, do the following:
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. Under Value , specify the values for the attribute (some attributes also require you to specify an operator in the Operator field).
    4. (optional) Click + Add filter to add more attributes.
    5. In the Add/Remove column in this report section, click x for the columns you want to remove.
    6. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview .
    The Report Preview section populates.
  5. Click Generate report .
    1. Select either the CSV or JSON option.

Create a Pre-Canned Report

Use one of the pre-canned File Analytics templates for your report.

Procedure

  1. Go to dropdown menu > Reports .
  2. Click Create a new report .
  3. In the Pre-Canned Reports Templates tab, do the following:
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. In the Add/Remove column in this report section, click x for the columns you want to remove.
    4. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview .
    The Report Preview section populates.
  5. Click Generate report .
    1. Select either the CSV or JSON option.

File Analytics Options

You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.

Updating Data Retention

The data retention period determines how long File Analytics retains event data.

About this task

Follow the steps as indicated to configure data retention.

Procedure

  1. In File Analytics, click gear icon > Update Data Retention .
  2. In the Data Retention Period drop-down, select the period for data retention.
  3. Click Update .

Scanning the File System

Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.

About this task

To scan shares, perform the following task.

Procedure

  1. In File Analytics, click the gear icon .
  2. In the drop-down list, click Scan File System .
  3. In the list of shares, select the target shares for the scan.
    Figure. Select Scan Targets

  4. Click Scan .
    The status of the share is In Progress . Once the scan is complete, the status changes to Completed .

Deny List

Deny users, file extensions, and client IP addresses.

About this task

Use the Deny feature to block audit events from being performed on specified file extensions or by specified users and clients.
Note: Files with no extension cannot be denied.

Procedure

  1. Click the gear icon > Define Rules for Deny List .
  2. Click the pencil icon in the Client IPs , File Extensions , or Users row.
  3. Add a comma separated list of entities that you want blocked.
  4. Click the done icon in the updated row, and then click Close .

Managing File Categories

File Analytics uses the file category configuration to classify file extensions.

About this task

The capacity widget in the dashboard uses the category configuration to calculate capacity details.

Procedure

  1. Click gear icon > Manage File Category .
  2. To create a category, click + New Category . (Otherwise, move on to step 3).
    1. In the Category column, name the category.
    2. In the Extensions column, specify file extensions for the category.
  3. To delete an existing category, click the x icon next to the category. (Otherwise, move on to step 4)
  4. To modify an existing category, click the pencil icon next to the category and modify the specified file extensions.
  5. Click Save .

Data Protection

Configure File Analytics disaster recovery (DR) using Prism Element.

File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.

Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).

The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.

Configuring Disaster Recovery

To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.

About this task

By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.

Procedure

  1. If you have not done so already, configure a remote site for the local cluster.
    See the Configuring a Remote Site (Physical Cluster) topic in the Prism Web Console Guide for this procedure.
  2. Create an async DR protection domain for the File Analytics volume group as the entity. The volume group name is File_Analytics_VG .
    See Configuring a Protection Domain (Async DR) in the Prism Web Console Guide .
  3. In the Schedule tab, click the New Schedule button to add a schedule.
    Add a schedule, as File Analytics does not provide a default schedule. See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide .
  4. Configure local and remote container mapping.
    See the Configuring Disaster Recovery (Files) section in the Nutanix Files Guide for steps to configure mapping between local and remote containers.
  5. Create a protection domain schedule.
    See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide .

Activating Disaster Recovery

Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.

About this task

Perform the following tasks on the remote site.

Procedure

  1. Fail over to the protection domain for disaster recovery activation.
    See the Failing Over a Protection Domain topic in the Prism Web Console Guide .
  2. Fail back the protection domain to the primary site.
    See the Failing Back a Protection Domain topic in the Prism Web Console Guide .

Deploying File Analytics on a Remote Site (AHV)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions match the versions on the remote and primary sites.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG and deletes it in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG .
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element . For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix -File_Analytics_VG.
  3. To configure the FAVM on the remote site, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following commands.
      nutanix@favm$  sudo blkid 
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$  sudo systemctl stop monitoring
      nutanix@favm$  docker stop $(docker ps -q)
      nutanix@favm$  sudo systemctl stop docker
    5. Unmount the volume group.
      nutanix@favm$ sudo umount /mnt
    6. Detach the volume group File_Analytics_VG from the FAVM.
      See the "Managing a VM (AHV)" topic in the Prism Web Console Guide .
    7. Attach the cloned volume group prefix -File_Analytics_VG to the FAVM.
      See "Managing a VM (AHV)" in the Prism Web Console Guide .
    8. Restart the FAVM to discover the attached volume group.
      nutanix@favm$ sudo reboot

    9. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    10. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The FAVM discovers the attached volume group and assigns it to the /dev/sdb device.
    11. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    12. Rename the restored volume group prefix -File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    13. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    14. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    15. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase for new password . File Analytics uses the password only for internal communication between Prism and the FAVM. You must issue the same command twice.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    16. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."

Deploying File Analytics on a Remote Site (ESXi)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions match the versions on the remote and primary sites.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG and deletes it in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG .
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element . For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix -File_Analytics_VG.
  3. In the Storage Table view, go to the Volumes tab.
    1. Copy the target IQN prefix from the Volume Group Details column.
      Tip: Click the tooltip to see the entire IQN prefix.
  4. To configure the FAVM on the remote site, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$  sudo blkid 
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$  sudo systemctl stop monitoring
      nutanix@favm$  docker stop $(docker ps -q)
      nutanix@favm$  sudo systemctl stop docker
    5. Unmount and log off from all iSCSI targets.
      nutanix@favm$ sudo umount /mnt
      nutanix@favm$ sudo /sbin/iscsiadm -m node -u
    6. Remove the disconnected target records from the discoverydb mode of the FAVM.
      nutanix@favm$  sudo /sbin/iscsiadm -m node -o delete
    7. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The output does not show the /dev/sdb device.
    8. Get the File Analytics Linux client iSCSI initiator name.
      nutanix@favm$  sudo cat /etc/iscsi/initiatorname.iscsi
      The output displays the initiator name.
      InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
    9. Copy the iSCSI initiator name.
    10. Remove the iSCSI initiator name from the client whitelist of the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    11. Whitelist the AVM client on the cloned volume group prefix -File_Analytics_VG using the iSCSI initiator name of the AVM client.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    12. Let the Analytics initiator discover the cluster and its volume groups.
      nutanix@favm$  sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal  data_services_IP_address:3260
      Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
    13. Connect to the volume target by specifying IQN prefix.
      nutanix@favm$  sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
    14. Restart the FAVM to restart the iSCSI host adapters, which allows the discovery of the attached volume group.
      nutanix@favm$  sudo reboot
    15. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    16. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      The FAVM discovers the attached iSCSI volume group and assigns it to the /dev/sdb device.
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      /dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
    17. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    18. Rename the restored volume group prefix -File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    19. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    20. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    21. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase for new password . File Analytics uses the password only for internal communication between Prism and the FAVM. You must issue the same command twice.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    22. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."
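
The blkid and initiator-name outputs in sub-steps 2, 7, 8 and 16 of step 4 are what show that the FAVM has released the freshly deployed File_Analytics_VG and attached the restored one before sub-step 17 deletes a volume group. The shell functions below are an added example, not Nutanix tooling: the function names are hypothetical, the /dev/sdb UUID in the sub-step 2 sample is constructed, and the check assumes the deployed and restored volumes carry different filesystem UUIDs.

```shell
#!/bin/sh
# Added example (not Nutanix tooling): state checks around the volume group swap.

# Print the value of KEY (UUID, TYPE, LABEL) for DEV from blkid output on stdin.
# Exit status 1 if DEV is not listed or carries no such key.
blkid_field() (
    awk -v dev="$1:" -v key="$2" '
        $1 == dev {
            for (i = 2; i <= NF; i++)
                if (index($i, key "=\"") == 1) {
                    val = substr($i, length(key) + 3)
                    sub(/"$/, "", val)
                    print val
                    ok = 1
                }
        }
        END { exit ok ? 0 : 1 }'
)

# Succeed if blkid output on stdin lists DEV (exact match, so /dev/sdb1 != /dev/sdb).
blkid_has_device() (
    awk -v dev="$1:" '$1 == dev { found = 1 } END { exit found ? 0 : 1 }'
)

# Print the IQN from initiatorname.iscsi content on stdin. Fails unless there is
# exactly one InitiatorName line and it has the iqn.YYYY-MM.<name>[:<id>] shape,
# so a mangled copy is caught before it is pasted into the client whitelist.
initiator_iqn() (
    lines=$(grep '^InitiatorName=' || true)
    [ -n "$lines" ] || exit 1
    [ "$(printf '%s\n' "$lines" | grep -c '')" -eq 1 ] || exit 1
    iqn=${lines#InitiatorName=}
    printf '%s\n' "$iqn" |
        grep -Eq '^iqn\.[0-9]{4}-[0-9]{2}\.[A-Za-z0-9.-]+(:[^[:space:]]+)?$' || exit 1
    printf '%s\n' "$iqn"
)

# verify_reattach DEV BEFORE DETACHED AFTER
#   BEFORE   blkid output from sub-step 2 (deployed File_Analytics_VG attached)
#   DETACHED blkid output from sub-step 7 (after iSCSI logout)
#   AFTER    blkid output from sub-step 16 (after login and reboot)
# Prints the filesystem UUID of the newly attached volume on success.
verify_reattach() (
    dev=$1 before=$2 detached=$3 after=$4
    old=$(printf '%s\n' "$before" | blkid_field "$dev" UUID) || {
        echo "$dev not present before the swap; wrong device name?" >&2; exit 2; }
    if printf '%s\n' "$detached" | blkid_has_device "$dev"; then
        echo "$dev still listed after logout; a mount or iSCSI session remains" >&2
        exit 3
    fi
    new=$(printf '%s\n' "$after" | blkid_field "$dev" UUID) || {
        echo "$dev missing after reboot; check the whitelist and the login" >&2; exit 4; }
    if [ "$new" = "$old" ]; then
        echo "$dev has the deployed volume's UUID; do not delete File_Analytics_VG" >&2
        exit 5
    fi
    printf '%s\n' "$new"
)

# Constructed sample for sub-step 2; the /dev/sdb UUID here is made up.
SAMPLE_BEFORE='/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
/dev/sdb: UUID="00000000-1111-2222-3333-444444444444" TYPE="ext4"'
# Outputs as printed in sub-steps 7, 16 and 8 of the procedure.
SAMPLE_DETACHED='/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"'
SAMPLE_AFTER='/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"'
SAMPLE_INITIATOR='InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f'

if uuid=$(verify_reattach /dev/sdb "$SAMPLE_BEFORE" "$SAMPLE_DETACHED" "$SAMPLE_AFTER"); then
    echo "restored volume attached, filesystem UUID $uuid"
    echo "initiator to whitelist: $(printf '%s\n' "$SAMPLE_INITIATOR" | initiator_iqn)"
fi
```

On a live FAVM, save the output of each `sudo blkid` run to a file and pass the three captures to `verify_reattach` before deleting the deployed volume group.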

File Analytics Guide

Files 3.2

Product Release Date: 2022-09-07

Last updated: 2022-11-04

File Analytics

File Analytics provides data and statistics on the operations and contents of a file server.

Once deployed, Nutanix Files adds a File Analytics VM (FAVM) to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. File Analytics protects data on the FAVM, which is kept in a separate volume group.

Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. Use the link to access File Analytics on any file server that has File Analytics enabled.
Note: File Analytics supports dual NIC configuration for segmented networks. Contact Nutanix Support for assistance.
Figure. File Analytics VM

Display Features

The File Analytics web console consists of display features:

Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:

  • Dashboard tab : View widgets that present data on file trends, distribution, and operations, see Dashboard.
  • Audit Trails tab : Search for a specific user or file and view various widgets to audit activity, see Audit Trails.
  • Anomalies tab : Create anomaly policies and view anomaly trends, see Anomalies.
  • Ransomware tab : Configure ransomware protection and self-service restore (SSR) snapshots, see Ransomware Protection.
    Warning: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.
  • Reports tab : Create custom reports or use pre-canned report templates, see Reports.
  • Status icon : Check the file system scan status.
  • File server drop-down : View the name of the file server for which data is displayed.
  • Settings drop-down : Manage File Analytics and configure settings, see Administration and File Analytics Options.
  • Health icon : Check the health of File Analytics, see Health.
  • Admin dropdown : Collect logs and view the current File Analytics version.

Deployment Requirements

Meet the following requirements prior to deploying File Analytics.

Ensure that you have performed the following tasks and your Files deployment meets the following specifications.

  • Assign the file server administrator role to an Active Directory (AD) user, see Managing Roles in the Nutanix Files Guide .
  • Log on as the Prism admin user to deploy the File Analytics server.
  • Configure a VLAN with one dedicated IP address for File Analytics, or you can use an IP address from an existing Files external network. This IP address must have connectivity to AD, the control VM (CVM), and Files. See "Configuring a Virtual Network For guest VM Interfaces" in the Prism Web Console Guide.
    Note: Do not install File Analytics on the Files internal network.
  • (optional) Assign the file server administrator role to an LDAP user, see Managing Roles in the Nutanix Files Guide .
  • Ensure that all software components meet the supported configurations and system limits, see the File Analytics Release Notes .

Network Requirements

Open the required ports, and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.

The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.

In addition to meeting the File Analytics network requirements, ensure that you meet the Nutanix Files port requirements as described in the Port Reference.

Limitations

File Analytics has the following limitations.

Note: Depending on data set size, file count, and workload type, enabling File Analytics can affect the performance of Nutanix Files. High latency is more common with heavy file-metadata operations (directory and file creation, deletion, permission changes, and so on). To minimize the impact on performance, ensure that the host has enough CPU and memory resources to handle the File Analytics VM (FAVM), file servers, and guest VMs (if any).
  • Only Prism admin can deploy File Analytics.
  • File Analytics analyzes data from daily up to 1 year based on the configuration. File Analytics automatically deletes data beyond the defined configuration.
    Note: After surpassing the audit event threshold, as specified in File Analytics Release Notes , Analytics archives the oldest events. Archived audit events do not appear in the Analytics UI.
  • You cannot deploy or decommission File Analytics when a file server has high-availability (HA) mode enabled.
  • You cannot use network segmentation for Nutanix Volumes with File Analytics.
  • If file server DNS or IP changes, File Analytics does not automatically reconfigure.
  • File Analytics does not collect metadata for files on Kerberos authenticated NFS v4.0 shares.
  • File Analytics does not support hard links.
  • You cannot enable File Analytics on a file server clone.
  • You cannot move File Analytics to another storage container.
  • File Analytics creates an unprotected Prism and an unprotected file server user for integration purposes. Do not delete these users.
  • The legacy file blocking policy has an upper limit of 300 ransomware extensions.
    Note: For higher limits, it is recommended to use Nutanix Data Lens.
  • File Analytics does not support the following operations for graceful shutdown:
    • AHV: power cycle, power off
    • ESXi: power off, reset
  • File Analytics log collection from CVM fails with dual NIC setup.
  • File Analytics does not collect metadata information on shares, offline shares, and encrypted shares.
  • Teardown of File Analytics fails in case of dual NIC setup.

Administration

Overview of administrative processes for File Analytics.

As an admin, you have the required permissions for performing File Analytics administrative tasks. To add a file server admin user, see Managing Roles in the Nutanix Files Guide . The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.

Role-based Access Control for File Analytics

Prism Element supports role-based access control (RBAC) that allows you to configure and provide customized access to the users based on their assigned roles.

Note: Logging in to File Analytics with a local user created on Prism Central is not supported.

From the Prism Element dashboard, you can assign a set of predefined built-in roles (system roles) to users or user groups. File Analytics supports the following built-in roles (system roles) that are defined by default:

Note: Only administrators (Super Admin or a Prism Admin in Prism Element) can create roles for File Analytics.
    • Viewer : Gives users view-only access to the information. Viewers cannot perform any administrative (create or modify) tasks.
    • Cluster and User Admin : Allows users to view information, perform administrative tasks, and perform create and modify operations.
    For more information on Role Based Access Control, refer to the Controlling User Access (RBAC) , Built-in Role Management , Configuring Role Mapping , and Managing Local User Accounts sections in the Security Guide .

Deploying File Analytics

Follow this procedure to deploy the File Analytics server.

Before you begin

Ensure that your environment meets all requirements prior to deployment, see Deployment Requirements.

Procedure

Deploying the File Analytics server.
  1. Go to Support Portal > Downloads > File Analytics .
  2. Download the File Analytics QCOW2 and JSON files.
  3. Log on to Prism with the user name and password of the Prism administrator.
    Note: An Active Directory (AD) user or an AD user mapped to a Prism admin role cannot deploy File Analytics.
  4. In Prism, go to the File Server view and click the Deploy File Analytics action link.
    Figure. File Analytics

  5. Review the File Analytics requirements and best practices in the Pre-Check dialog box.
  6. In the Deploy File Analytics Server dialog box, do the following in the Image tab.
    • Under Available versions, select one of the available File Analytics versions (continue to step 8).
    • Install by uploading installation binary files (continue to next step).
  7. Upload installation files.
    1. In the Upload binary section, click upload the File Analytics binary to upload the File Analytics JSON and QCOW files.
      Figure. Upload Binary Link
    2. Under File Analytics Metadata File (.Json) , click Choose File to choose the downloaded JSON file.
    3. Under File Analytics Installation Binary (.Qcow2) click Choose File to choose the downloaded QCOW file.
      Figure. Upload Binary Files
    4. Click Upload Now after choosing the files.
  8. Click Next .
  9. In the VM Configuration tab, do the following in the indicated fields:
    1. Name : Enter a name for the File Analytics VM (FAVM).
    2. Server Size : Select either the small or large configuration. Large file servers require larger configurations for the FAVM. By default File Analytics selects the large configuration.
    3. Storage Container: select a storage container from the drop-down.
      The drop-down displays the storage containers.
      Note: From AOS 5.15.3 version onward, the drop-down displays all storage containers. For earlier AOS versions, the drop-down only displays file server storage containers.
    4. Network List : Select a VLAN.
      Note: If the selected network is unmanaged , enter more network details in the Subnet Mask , Default Gateway IP , and IP Address fields as indicated.
      Note: The FAVM must use the client-side network.
      Note: For ESXi, do not use the Controller VM (CVM) backplane network. The CVM backplane network is not supported and any later upgrade operations might fail.
  10. Click Deploy .
    In the main menu drop-down, select the Tasks view to monitor the deployment progress.

Results

Once deployment is complete, File Analytics creates an FAVM, CVM, and a new Files user to make REST API calls. Do not delete the CVM, FAVM, or the REST API user.

Enabling File Analytics

Steps for enabling File Analytics after deployment or disablement.

About this task

Attention: Nutanix recommends enabling File Analytics during off-peak hours.

Follow these steps to enable File Analytics after disabling the application.

Note: File Analytics saves all previous configurations.

Procedure

  1. In the File Server view in Prism , select the target file server.
  2. (Skip to step 3 if you are re-enabling a file server.) Click Manage roles to add a file server admin user, see Managing Roles in the Nutanix Files Guide.
  3. In the File Server view, select the target file server and click File Analytics in the tabs bar.
  4. (Skip to step 5 if you are not re-enabling a disabled instance of File Analytics.) To re-enable File Analytics, click Enable File Analytics in the message bar.
    Figure. Enabling File Analytics Link
    The Enable File Analytics dialog-box appears. Skip the remaining steps.
  5. In the Data Retention field, select a data retention period. The data retention period refers to the length of time File Analytics retains audit events.
  6. In the Authentication section, enter the credentials as indicated:
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. (For SMB users only) In the SMB section, do the following in the indicated fields to provide SMB authentication details:
      • Active Directory Realm Name : Confirm the AD realm name for the file server.
      • Username : Enter the AD username for the file server administrator, see File Analytics Prerequisites .
      • Password : Enter the AD user password for the file server administrator.
    2. (For NFS users only) In the NFS Authentication section, do the following in the indicated fields to provide NFS authentication details:
      • LDAP Server URI : Enter the URI of the LDAP server.
      • Base DN : Enter the base DN for the LDAP server.
      • Password : Enter the LDAP user password for the file server administrator.

  7. Click Enable .

Results

After enablement, File Analytics performs a one-time file system scan to pull metadata information. The duration of the scan varies depending on the protocol of the share. There is no system downtime during the scan.

Example

Scanning 3–4 million NFS files or 1 million SMB files takes about 1 hour.

Disabling File Analytics

About this task

Follow the steps as indicated to disable File Analytics.

Procedure

  1. In File Analytics click the gear icon > Disable File Analytics .
  2. In the dialog-box, click Disable .
    Disabling File Analytics disables data collection. The following message banner appears.
     File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data. 

What to do next

To delete data, click the Delete File Analytics Data link in the banner described in Step 2.

Launching File Analytics

About this task

Do the following to launch File Analytics.

Procedure

  1. From the Prism views drop-down, select the File Server view.
  2. Select the target file server from the entity tab.
  3. Click the File Analytics action button below the entity table.
    Figure. Launch File Analytics. The File Analytics action button.

File Analytics VM Management

To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide .

Removing File Analytics VMs

Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.

About this task

Follow the steps as indicated to remove an FAVM.
Note: Do not delete an FAVM using the CLI, as this operation does not decommission the FAVM.

Procedure

  1. Disable File Analytics on all file servers in the cluster, see Disabling File Analytics.
  2. In the File Server view in Prism Element, do the following:
    1. In the top actions bar, click Manage File Analytics .
    2. Click Delete to remove the FAVM.
    When you delete an FAVM, you also delete all of your File Analytics configurations and audit data stored on the FAVM.

Updating Credentials

About this task

Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.

Procedure

  1. Click gear icon > Update AD/LDAP Configuration .
  2. To update Active Directory credentials, do the following in the indicated fields (otherwise move on to the next step).
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. Active Directory Realm Name: confirm or replace the realm name.
    2. Username: confirm or replace the username.
    3. Password: type in the new password.
  3. To update NFS configuration, do the following (otherwise move on to the next step).
    1. LDAP Server URI: confirm or replace the server URI.
    2. Base DN: confirm or replace the base distinguished name (DN).
    3. Bind DN (Optional): confirm or replace the bind distinguished name (DN).
    4. Password: type in the new password.
  4. Click Save .

Managing Deleted Share/Export Audits

Manage the audit data of deleted shares and exports.

About this task

By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears next to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.

Follow the directions as indicated to delete audit data for the deleted share or export.

Note: You cannot restore the deleted audit data of a deleted share or export.

Procedure

  1. Click the gear icon > Manage Deleted Share/Export Audit .
  2. Check the box next to the share or export name.
  3. Click Delete .
  4. In the confirmation window, click Delete to confirm the deletion of data.
    In the Manage Deleted Share/Export Audit , a progress bar displays the progress of the deletion process next to the share name. File Analytics considers data deletion of a deleted share a low-priority task, which can take several hours to finish.

Changing an FAVM Password

Steps for updating the password of a File Analytics VM (FAVM).

Procedure

  1. Log on to an FAVM with SSH.
  2. Change the nutanix password.
    nutanix@favm$ sudo passwd nutanix
  3. Respond to the prompts, providing the current and new nutanix user password.
    Changing password for user nutanix.
    Old Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Note:

    The password must meet the following complexity requirements:

    • At least 8 characters long
    • At least 1 lowercase letter
    • At least 1 uppercase letter
    • At least 1 number
    • At least 1 special character
    • At least 4 characters difference from the old password
    • Should not be among the last 10 passwords
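
The two password constraints this guide states, the characters that an AD file server admin password must not contain (see Enabling File Analytics and Updating Credentials) and the complexity list above for the FAVM nutanix user, can be checked before a password is submitted. The shell functions below are an added example, not part of the Nutanix documentation: the function names are hypothetical, a "special character" is assumed to be any non-alphanumeric character, and the "4 characters difference" rule is assumed to count characters of the new password that do not occur in the old one.

```shell
#!/bin/sh
# Added example (not Nutanix tooling): pre-checks for the password rules in this guide.

# count_new_chars NEW OLD: number of characters in NEW that occur nowhere in OLD.
# Assumption: this is how the "4 characters difference" rule is interpreted here.
count_new_chars() (
    rest=$1 old=$2 n=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of what is left
        rest=${rest#?}
        case $old in
            *"$c"*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
)

# favm_password_problems NEW OLD: print one line per violated rule of the FAVM
# nutanix user policy; exit status 0 only if nothing is violated.
# The "last 10 passwords" rule depends on the system's history and is not checked.
favm_password_problems() (
    new=$1 old=$2 bad=0
    fail() { echo "$1"; bad=1; }
    [ "${#new}" -ge 8 ] || fail "shorter than 8 characters"
    case $new in *[[:lower:]]*) ;; *) fail "no lowercase letter" ;; esac
    case $new in *[[:upper:]]*) ;; *) fail "no uppercase letter" ;; esac
    case $new in *[[:digit:]]*) ;; *) fail "no number" ;; esac
    # Assumption: any non-alphanumeric character counts as special.
    case $new in *[![:alnum:]]*) ;; *) fail "no special character" ;; esac
    [ "$(count_new_chars "$new" "$old")" -ge 4 ] ||
        fail "fewer than 4 characters differ from the old password"
    exit "$bad"
)

# ad_scan_password_ok PW: succeeds only if PW contains none of the characters
# (comma, single quote, double quote) that the guide says prevent file system
# scans when used in the file server admin's AD password.
ad_scan_password_ok() {
    case $1 in
        *,*|*\'*|*\"*) return 1 ;;
    esac
    return 0
}

# Constructed sample values, for demonstration only.
SAMPLE_OLD='Old-Sample-1'
SAMPLE_NEW='Fresh#Vault9'

if favm_password_problems "$SAMPLE_NEW" "$SAMPLE_OLD"; then
    echo "sample FAVM password passes the listed complexity rules"
fi
if ad_scan_password_ok "$SAMPLE_NEW"; then
    echo "sample password is free of the characters that break file system scans"
fi
```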

Upgrades

Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.

Before you proceed with the FA upgrade, ensure you meet the following:

  • Have a compatible version of AOS and Files.

    Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .

  • Check the health page of File Analytics to confirm if the overall health is green. See Health.
  • The protection domain (PD) for the File Analytics VM (FAVM) should not include any other entities.

To upgrade File Analytics, perform inventory and updates using the Life-Cycle Manager (LCM), see the Life Cycle Manager Guide for instructions on performing inventory and updates.

Note: The File Analytics UI is not accessible during upgrades.

During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes the snapshot after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.

Upgrade File Analytics at a Dark Site

Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).

About this task

Before you begin

You need a local web server reachable by your Nutanix clusters to host the LCM repository.

Procedure

  1. From a device that has public Internet access, go to Nutanix Portal > Downloads > Tools & Firmware .
    1. Download the tar file lcm_dark_site_version.tar.gz .
    2. Transfer lcm_dark_site_version.tar.gz to your local web server and untar into the release directory.
  2. From a device that has public Internet access, go to the Nutanix portal and select Downloads > File Analytics .
    1. Download the following files.
      • file_analytics_dark_site_version.tar.gz
      • nutanix_compatibility.tgz
      • nutanix_compatibility.tgz.sign
    2. Transfer file_analytics_dark_site_version.tar.gz to your local web server and untar into the release directory.
    3. Transfer the nutanix_compatibility.tgz and nutanix_compatibility.tgz.sign files to your local web server (overwrite existing files as needed).
  3. Log on to Prism Element.
  4. Click Home > LCM > > Settings .
    1. In the Fetch updates from field, enter the path to the directory where you extracted the tar file on your local server. Use the format http://webserver_IP_address/release .
    2. Click Save .
      You return to the Life Cycle Manager.
    3. In the LCM sidebar, click Inventory > Perform Inventory .
    4. Update the LCM framework before trying to update any other component.
      The LCM sidebar shows the LCM framework with the same version as the file you downloaded.

Dashboard

The Dashboard tab displays data on the operational trends of a file server.

Dashboard View

The Dashboard tab is the opening screen that appears after launching File Analytics for a specific file server. The dashboard displays widgets that present data on file trends, distribution, and operations.

Note: Widgets refresh hourly.
Figure. Analytics Dashboard. Widgets in the dashboard view.

Table 1. Dashboard Widgets

  • Capacity trend
    Description: Displays capacity trends for the file server including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view.
    Intervals: 7 days, the last 30 days, or the last 1 year.
  • Data age
    Description: Displays the percentage of data by age. Data age determines the data heat, including: hot, warm, and cold.
    Intervals: Default intervals are as follows:
      • Hot data – accessed within the last week.
      • Warm data – accessed within 2 to 4 weeks.
      • Cold data – accessed 4 weeks ago or later.
  • Permission denials
    Description: Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more.
    Intervals: [user id], [number of permission denials]
  • File distribution by size
    Description: Displays the number of files by file size. Provides trend details for top 5 files.
    Intervals: Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB.
  • File distribution by type
    Description: Displays the space taken up by various applications and file types. The file extension determines the file type. See the File types table for more details.
    Intervals: MB or GB
  • File distribution by type details view
    Description: Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view.
    Intervals: Daily size trend for top 5 files (GB), file type (see the "File Type" table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB).
  • Top 5 active users
    Description: Lists the users who have accessed the most files and number of operations the user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more.
    Intervals: 24 hours, 7 days, 1 month, or 1 year.
  • Top 5 accessed files
    Description: Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more.
    Intervals: 24 hours, 7 days, 1 month, or 1 year.
  • Files operations
    Description: Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view.
    Intervals: 24 hours, 7 days, 1 month, or 1 year.

Capacity Trend Details

Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes columns with entity details: name, net capacity change, capacity added, and capacity removed.

Figure. Capacity Trend Details View. Clicking on the Capacity Trend widget in the Dashboard tab displays the Capacity Trend Details view.

Table 2. Capacity Trend Details
Category | Supported File Type
Name | Name of share/export, folder, or category.
Net capacity change | The total difference between capacity at the beginning and the end of the specified period.
Share name (for folders only) | The name of the share or export that the folder belongs to.
Capacity added | Total added capacity for the specified period.
Capacity removed | Total removed capacity for the specified period.

File Distribution by Type Details

Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table for details.

Figure. File Distribution by Type. Clicking View Details on the File Distribution by Type widget displays the File Distribution by Type dashboard.

Table 3. Details of File Distribution Parameters
Category | Supported File Type
File type | Name of file type
Current space used | Space capacity occupied by the file type
Current number of files | Number of files for the file type
Change (in last 30 days) | The increase in capacity over a 30-day period for the specified file type

Table 4. File Types
Category | Supported File Type
Archives | .cab, .gz, .rar, .tar, .z, .zip
Audio | .aiff, .au, .mp3, .mp4, .wav, .wma
Backups | .bak, .bkf, .bkp
CD/DVD images | .img, .iso, .nrg
Desktop publishing | .qxd
Email archives | .pst
Hard drive images | .tib, .gho, .ghs
Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff
Installers | .msi, .rpm
Log Files | .log
Lotus notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf
MS Office documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb
System files | .bin, .dll, .exe
Text files | .csv, .pdf, .txt
Video | .avi, .mpg, .mpeg, .mov, .m4v
Disk image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd

File Operation Trend

Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.

Figure. Operation Trend. A graph displays the number of times the specified operation took place over time.

Table 5. File Operation Trend View Parameters
Category | Description
Operation type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types.
Last (time period) | A drop-down option to specify the period for the file operation trend.
File operation trend graph | The x-axis displays shorter intervals for the specified period. The y-axis displays the number of operations trend over the extent of the intervals.

Health

The Health dashboard displays dynamically updated health information about each file server component.

The Health dashboard includes the following details:

  • Data Summary : Data summary of all file servers with File Analytics enabled.
  • Host Memory : Percent of used memory on the File Analytics VM (FAVM).
  • Host CPU Usage : Percent of CPU used by the FAVM.
  • Storage Summary : Amount of storage space used on the File Analytics data disk or FAVM disk.
  • Overall Health : Overall health of File Analytics components.
  • Data Server Summary : Data server usage by component.

Figure. Health Page. The Health page dashboard includes tiles that dynamically update to indicate the health of relevant entities.

Data Age

The Data Age widget in the dashboard provides details on data heat.

Share-level data is displayed to provide details on share capacity trends. There are three levels of data heat:

  • Hot – frequently accessed data (last accessed within the last week).
  • Warm – infrequently accessed data (last accessed within the last 2 to 4 weeks).
  • Cold – rarely accessed data (last accessed longer than 4 weeks ago).

You can configure the definitions for each level of data heat rather than using the default values. See Configuring Data Heat Levels.

Configuring Data Heat Levels

Update the values that constitute different data heat levels.

Procedure

  1. In the Data Age widget, click Explore .
  2. Click Edit Data Age Configuration .
  3. Do the following in the Hot Data section:
    1. In the entry field next to Older Than , enter an integer.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  4. Do the following in the Warm Data section to configure two ranges :
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  5. Do the following in the Cold Data section to configure four ranges :
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    5. In the 3rd entry field, enter an integer to configure the 3rd range.
    6. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    7. (optional) In the 4th entry field, enter an integer to configure the 4th range.
    8. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  6. Click Apply .
    Note: The new values do not affect the already calculated heat statistics. File Analytics uses the updated values for future heat calculations.

Anomalies

Data panes in the Anomalies tab display data and trends for configured anomalies.

The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.

You can configure anomalies for the following operations:

  • Creating files and directories
  • Deleting files and directories
  • Permission changes
  • Permission denials
  • Renaming files and directories
  • Reading files and directories

Define anomaly rules by specifying the following conditions:

  • Users exceed an operation count threshold
  • Users exceed an operation percentage threshold

Meeting the lower operation threshold triggers an anomaly.

Consider a scenario where you have 1 thousand files, the operation count threshold defined as 10, and the operation percentage threshold defined as 10%. The count threshold takes precedence, as 10% of 1 thousand is 100, which is greater than the count threshold of 10.

Figure. Anomalies Dashboard. The Anomalies dashboard displays anomaly trends.

Table 1. Anomalies Data Pane Descriptions
Pane Name Description Values
Anomaly Trend Displays the number of anomalies per day or per month. Last 7 days, Last 30 days, Last 1 year
Top Users Displays the users with the most anomalies and the number of anomalies per user. Last 7 days, Last 30 days, Last 1 year
Top Folders Displays the folders with the most anomalies and the number of anomalies per folder. Last 7 days, Last 30 days, Last 1 year
Operation Anomaly Types Displays the percentage of occurrences per anomaly type. Last 7 days, Last 30 days, Last 1 year

Anomaly Details

Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.

Figure. Anomaly Details View

Table 2. Anomalies Details View Total Results Table
Column Description
Anomaly Type The configured anomaly type. Anomaly types not configured do not show up in the table.
Total User Count The number of users that have performed the operation causing the specified anomaly during the specified time range.
Total Folder Count The number of folders in which the anomaly occurred during the specified time range.
Total Operation Count Total number of anomalies for the specified anomaly type that occurred during the specified time range.
Time Range The time range for which the total user count, total folder count, and total operation count are specified.
Table 3. Anomalies Details View Users/Folders Table
Column Description
Username or Folders Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders.
Operation count The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph.

Configuring Anomaly Detection

Steps for configuring anomaly rules.

About this task

To create an anomaly rule, do the following.

Note: Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server.

Procedure

  1. In the File Analytics web console, click the gear icon > Define Anomaly Rules.
  2. In the Anomaly Email Recipients field, enter a comma-separated list of email recipients for all anomaly alerts and data.
    Note: File Analytics sends anomaly alerts and data to recipients whenever File Analytics detects an anomaly.
  3. To configure a new anomaly, do the following in the indicated fields:
    1. Events : Select a rule for the anomaly from one of the following:
      • Permission changed
      • Permission denied
      • Delete
      • Create
      • Rename
      • Read
      The event defines the scenario type for the anomaly.
    2. Minimum Operations % : Enter a percentage value for the minimum threshold.
      File Analytics calculates the minimum operations percentage based on the number of files. For example, if there are 100 files, and you set the minimum operations percentage to 5, five operations within the scan interval would trigger an anomaly alert.
    3. Minimum Operation Count : Enter a value for a minimum operation threshold.
      File Analytics triggers an anomaly alert after meeting the threshold.
    4. User : Choose if the anomaly rule is applicable for All Users or an Individual user.
    5. Type: the type determines the interval.
      The interval determines how far back File Analytics monitors the anomaly.
    6. Interval : Enter a value for the detection interval.
    7. (optional) Actions : Click the pencil icon to update an anomaly rule. Click the x icon to delete an existing rule.
    Figure. Anomaly Configuration Fields. Fill out these fields to configure a new anomaly rule.

  4. Click Save .
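
The threshold logic described above (the lower of the count and percentage thresholds triggers the anomaly), applied offline to an exported Events report; this is an added example, not Nutanix code. The column and operation names are the ones this guide lists for the Events entity; the CSV layout, ISO 8601 timestamps, rounding up of the percentage threshold, the AnomalyRule class, and all sample rows are assumptions.

```python
import csv
import io
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Column names listed for the Events entity in the Report Builder table.
COLUMNS = ["audit_path", "audit_objectname", "audit_operation",
           "audit_machine_name", "audit_event_date", "audit_username"]


@dataclass
class AnomalyRule:                 # hypothetical container for the rule fields
    event: str                     # operation name, e.g. "file_delete"
    min_operations_pct: float      # Minimum Operations %
    min_operation_count: int       # Minimum Operation Count
    interval: timedelta            # how far back to look
    user: str = "*"                # "*" = All Users, otherwise one user name


def effective_threshold(rule, total_files):
    """Return the lower of the count threshold and the percentage threshold."""
    by_pct = math.ceil(total_files * rule.min_operations_pct / 100)
    # Assumption: the threshold never drops below one operation.
    return max(1, min(rule.min_operation_count, by_pct))


def load_events(csv_text):
    """Parse the exported CSV and attach a timezone-aware timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["when"] = datetime.fromisoformat(row["audit_event_date"])
        events.append(row)
    return events


def find_anomalies(rule, events, total_files, now):
    """Return {user: operation count} for users at or above the threshold."""
    start = now - rule.interval
    counts = Counter(
        e["audit_username"] for e in events
        if e["audit_operation"] == rule.event
        and start <= e["when"] <= now
        and rule.user in ("*", e["audit_username"])
    )
    limit = effective_threshold(rule, total_files)
    return {user: n for user, n in counts.items() if n >= limit}


def build_sample_csv():
    """Constructed sample data, not taken from a real file server."""
    base = datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc)
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(COLUMNS)

    def add(user, client, operation, name, when):
        writer.writerow([f"/share1/finance/{name}", name, operation, client,
                         when.isoformat(), user])

    for i in range(12):            # burst of deletes by one user
        add("corp\\alice", "192.0.2.21", "file_delete", f"q{i}.xlsx",
            base + timedelta(minutes=i))
    for i in range(3):             # a few deletes by another user
        add("corp\\bob", "192.0.2.34", "file_delete", f"tmp{i}.txt",
            base + timedelta(minutes=5 * i))
    add("corp\\bob", "192.0.2.34", "file_delete", "old.txt",
        base - timedelta(days=1))  # outside the one-hour interval
    add("corp\\alice", "192.0.2.21", "file_read", "budget.xlsx", base)
    return out.getvalue()


SAMPLE_NOW = datetime(2022, 6, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE_RULE = AnomalyRule("file_delete", 10, 10, timedelta(hours=1))

if __name__ == "__main__":
    sample_events = load_events(build_sample_csv())
    for files in (1000, 20):       # large share vs. very small share
        print(files, "files -> threshold",
              effective_threshold(SAMPLE_RULE, files),
              find_anomalies(SAMPLE_RULE, sample_events, files, SAMPLE_NOW))
```

On a share with few files the percentage threshold becomes the lower one, so the same rule flags far smaller bursts; check both thresholds against the size of the smallest share the rule covers.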

Configuring an SMTP Server

File Analytics uses a Simple Mail Transfer Protocol (SMTP) server to send anomaly alerts.

About this task

To configure an SMTP server, do the following:

Procedure

  1. In the File Analytics web console, click the gear icon > SMTP Configuration .
  2. In the SMTP Configuration window, enter the indicated details in the following fields:
    1. Hostname Or IP Address : Enter a fully qualified domain name or IP address for the SMTP server.
    2. Port : Enter the port to use.
      The standard SMTP ports are 25 (unencrypted), 587 (TLS), and 465 (SSL).
    3. Security Mode : Enter the desired security mode from the dropdown list.
      The options are:
      • NONE (unencrypted)
      • STARTTLS (TLS encryption)
      • SSL (SSL encryption)
    4. (If the security mode is "NONE", go to step 6.)
    5. User Name : Enter a user name for logging into the SMTP server. Depending on the authentication method, the user name may require a domain.
    6. Password : Enter the password.
    7. From Email Address : Enter the email address from which File Analytics will send the anomaly alerts.
    8. Recipient Email Address : Enter a recipient email address to test the SMTP configuration.
    Figure. SMTP Configuration. Fields for configuring an SMTP server.

  3. Click Save .

Audit Trails

Use audit trails to look up operation data for a specific user, file, folder, or client.

The Audit Trails tab includes Files, Folders, Users, and Client IP options for specifying the audit type. Use the search bar to specify the entity to audit (user, folder, file, or client IP).

The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.

View Audit Trails

Audit a user, file, client, or folder.

About this task

Follow the steps as indicated.

Procedure

  1. Click the Audit Trails tab.
  2. Select the Files , Folders , Users , or Client IP option.
  3. Enter the audit trails target into the search bar.
  4. Click Search .
  5. To display audit results in the Audit Trails window, click the entity name (or client IP number).

Audit Trails - Users

Details for user audit trails.

Audit Trails Search - Users

When you search by user in the Audit Trails tab, search results display the following information in a table.

  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. Users Search Results. A table displays user search results for the query.

Audit Details Page - Users

Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.

  • A User Events graph displays the operations the user performed during the selected period and each operation's percentage of the total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Remove Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • The filter bar , above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific information. See more details below.
  • The Reset Filters button removes all filters.
Figure. User Audit Details - Events. User Events table displays event rates for various operations performed by the user.

The Results table provides granular details of the audit results. The following data is displayed for every event.

  • User Name
  • User IP Address
  • Operation
  • Operation Date
  • Target File

Click the gear icon for options to download the data as an xls, csv, or JSON file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
Figure. Results Table. The results table displays a detailed view of the audit data.

Audit Trails - Folders

Dashboard details for folder audits.

The following information displays when you search by folder in the Audit Trails tab.

  • Folder Name
  • Folder Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Folders Search Results

The Audit Details page shows the following audit information for the selected folder.

  • A Folder Events graph displays the operations performed on the folder during the selected period and each operation's percentage of the total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Select All
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Remove Directory
      • Rename
        Note: Rename operation shows both change of name and change of path for specific file or folder.
      • Set Attribute
    • A filter bar, above the Folder Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.

Audit Trails - Files

Dashboard details for file audits.

Audit Trails for Files

When you search by file in the Audit Trails tab, the following information displays:

  • File Name
  • File Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Files Search Results. A table displays file search results for the query.

Note:
  • File Analytics does not support regular expression (RegEx) based search.
  • File Analytics supports up to 500 million files with the latest 3 months of audit data per file server.

The Audit Details page shows the following audit information for the selected file.

  • A File Events graph displays the operations performed on the file during the selected period and each operation's percentage of the total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Close File
      • Create File
      • Delete
      • Make Directory
      • Open
      • Read
      • Rename
        Note: Rename operation shows both change of name and change of path for specific file or folder.
      • Set Attribute
      • Write
      • Symlink
    • A filter bar, above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events. File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • Username
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
Figure. Results Table. The results table displays a detailed view of the audit data.

Audit Trails - Client IP

Dashboard details for client IP Audit Trails.

Audit Trails Search - Client IP

When you search by client IP in the Audit Trails tab, search results display the following information in a table.

  • Client IP
  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. IP Search Results. A table displays IP search results for the query.

The Audit Details page shows the following audit information for the selected client.

  • A User Events graph displays the operations performed on the client during the selected period and each operation's percentage of the total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Removed Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
      • Permission Denied (File Blocking)
    • A filter bar, above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events. File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Operation
  • Target File
  • Operation Date

Click the gear icon for an option to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.

Ransomware Protection

Ransomware protection for your file server.

Caution: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.

File Analytics scans files for ransomware in real time and notifies you in the event of a ransomware attack once you configure email notifications.

Using a curated list of over 250 signatures that frequently appear in ransomware files, the Nutanix Files file blocking mechanism identifies and blocks files with ransomware extensions from carrying out malicious operations. You can modify the list by manually adding or removing signatures in Nutanix Files, see "File Blocking" in the Nutanix Files User Guide.

Caution: Removing curated blocked signatures may prevent File Analytics from blocking some ransomware files.

File Analytics also monitors shares for self-service restore (SSR) policies and identifies shares that do not have SSR enabled in the ransomware dashboard. You can enable SSR through the ransomware dashboard.

Ransomware Protection Features

The ransomware dashboard includes panes for managing ransomware protection and self-service restore (SSR).

Ransomware Dashboard

The ransomware dashboard includes two main sections:

  • The SSR Status pane for viewing, enabling, and managing SSR, see Enabling SSR.
  • The Vulnerabilities (Infection Attempts) pane for viewing total vulnerabilities, vulnerable shares, malicious clients, and top recent ransomware attempts.
    • Clicking on the number of total vulnerabilities provides a detailed view of recent vulnerabilities.
    • Clicking on the number of vulnerable shares provides a detailed view of vulnerable shares.
    • Clicking on the number of malicious clients provides a detailed view of malicious clients.
  • Click Settings to enable and configure ransomware protection, see Enabling Ransomware Protection and Configuring Ransomware Protection.
  • Click Download (.csv) to download a list of blocked ransomware signatures.
Figure. Ransomware Dashboard

Enabling Ransomware Protection

Enable ransomware protection on your file server.

About this task

Procedure

  1. Go to dropdown menu > Ransomware .
  2. In the message banner, click Enable Ransomware Protection .
  3. (optional) Click Configure SMTP to Add Recipients.
    Note: This option appears only if you have not configured a simple mail transfer protocol (SMTP) server, see Configuring an SMTP Server.
  4. Under Ransomware Email Recipients , add at least one email address. If there is a ransomware attack, File Analytics sends a notification to the specified email address.
    Figure. Enable Ransomware

  5. Click Enable .
    See Configuring Ransomware Protection for configuration steps.

Configuring Ransomware Protection

Configure ransomware protection on file servers.

About this task

Do the following to add a signature to the blocked extension list.

Procedure

  1. Go to dropdown menu > Ransomware > Settings.
  2. (optional) Under Search for blocked File Signatures , enter ransomware signatures in the *. (signature) format.
    1. To check that the signature has been blocked, click Search.
      Note: You can also remove ransomware signatures.
    2. If the signature has not been blocked, click Add to Block List.

  3. (optional) To download a list of blocked ransomware signatures, click Download (.csv) .
  4. (optional) Under Ransomware Email Recipients , add a comma separated list of email addresses. If there is a ransomware attack, File Analytics sends a notification to the specified email addresses.
  5. (optional) To disable the ransomware protection feature, click Disable Ransomware Protection .

Enabling SSR

Enable self-service restore on shares identified by File Analytics.

About this task

File Analytics scans shares for SSR policies.

Procedure

  1. Go to dropdown menu > Ransomware .
  2. Click Enable SSR on Prism .
  3. Check the box next to the shares for which to enable SSR.
    Figure. Enable SSR on Shares

  4. Click Enable SSR .

Reports

Generate a report for entities on the file server.

Create a report with custom attribute values or use one of the File Analytics pre-canned report templates. To create a custom report, specify the entity, attributes (and operators for some attributes), attribute values, column headings, and the number of columns. Pre-canned reports define most of the attributes and headings based on the entity and template that you choose.

The Reports dashboard displays a table of previously generated reports. You can rerun existing reports rather than creating a template. After creating a report, you can download it as a JSON or CSV file.

Reports Dashboard

The reports dashboard includes options to create, view, and download reports.

The Reports dashboard includes options to create a report, download reports as a JSON, download reports as a CSV, rerun reports, and delete reports.

The reports table includes columns for the report name, status, last run, and actions.

Figure. Reports Dashboard

Clicking Create a new report takes you to the report creation screen, which includes the Report Builder and Pre-Canned Reports Templates tabs. The tabs include report options and filters for report configuration.

Both tabs include the following elements:

  • The Define Report Type section includes an Entity drop-down menu to select an entity.
  • The Define Filters section includes an Attribute drop-down menu and an option to add more attributes by clicking + Add filter .
  • The Add/remove columns in this report section displays default columns. Clicking the columns field lets you add additional columns to the report. Clicking the x next to the column name removes it from the report.
  • The Define number of maximum rows in this report section includes a Count section to specify the number of rows in the report.
Table 1. Report Builder – Filter Options
Entity Attributes (filters) Operator Value Column
Events event_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
  • audit_path (object path)
  • audit_objectname (object name)
  • audit_operation (operation)
  • audit_machine_name (source of operation)
  • audit_event_date (event date in UTC)
  • audit_username (user name)
Event_operation N/A
  • file_write
  • file_read
  • file_create
  • file_delete
  • rename
  • directory_create
  • directory_delete
  • SecurityChange (permission change)
  • set_attr
  • sym_link
Files Category
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
  • object_name (file name)
  • share_UUID (share name)
  • object_owner_name (owner name)
  • object_size_logical (size)
  • file_type (extension)
  • object_creation_date (creation date in UTC)
  • last_event_date (access date in UTC)
  • share_UUID (share name)
  • fileserver_protocol
  • object_ID (file id)
  • object_last_operation_name (last operation)
  • audit_username (last operation user)
  • object_last_operation_name (last operation)
  • file_path (file path)
Extensions N/A (type in value)
Deleted N/A Last (number of days from 1 to 30) days
creation_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
access_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
Size
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(number) (file size)

File size options:

  • B
  • KB
  • MB
  • GB
  • TB
Folders Deleted N/A Last (number of days from 1 to 30) days
  • object_name (Dir name)
  • object_owner_name (owner name)
  • object_creation_date (creation date in UTC)
  • last_event_date (access date in UTC)
  • share_UUID (share name)
  • object_last_operation_name (last operation)
  • audit_username (last operation user)
  • File server protocol
  • object_ID (file id)
  • file_path (Dir path)
creation_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
Users last_event_date
  • equal_to
  • greater_than
  • greater_than_equal_to
  • less_than
  • less_than_equal_to
(date)
  • user_login_name (user name)
  • Last operation
  • last_event_date (access date in UTC)
  • last_operation_audit_path
Table 2. Pre-Canned Reports – Filters
Entity Pre-canned report template Columns
Events
  • PermissionDenied events
  • Permission Denied (file blocking) events
  • audit_path (object path)
  • audit_objectname (object name)
  • audit_operation (operation)
  • audit_machine_name (source of operation)
  • audit_event_date (event date in UTC)
  • audit_username (user name)
Files
  • Largest Files
  • Oldest Files
  • Files not accessed for last 1 year
  • Files accessed in last 30 days
  • object_name (file name)
  • share_UUID (share name)
  • object_owner_name (owner name)
  • object_size_logical (size)
  • file_type (extension)
  • object_creation_date (creation date in UTC)
  • last_event_date (access date in UTC)
  • share_UUID (share name)
  • fileserver_protocol
  • object_ID (file id)
  • object_last_operation_name (last operation)
  • audit_username (last operation user)
  • object_last_operation_name (last operation)
  • file_path (file path)
Users
  • Top owners with space consumed
  • Top active users
  • All users
  • user_login_name (user name)
  • Last operation
  • last_event_date (access date in UTC)
  • last_operation_audit_path

Creating a Custom Report

Create a custom report by defining the entity, attribute, filters, and columns.

About this task

Follow the steps as indicated.

Procedure

  1. Go to dropdown menu > Reports .
  2. Click Create a new report .
  3. In the Report Builder tab, do the following:
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. Under Value, specify the values for the attribute (some attributes also require you to specify an operator in the Operator field).
    4. (optional) click + Add filter to add more attributes.
    5. In the Add/Remove column in this report section, click x for the columns you want to remove.
    6. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview .
    The Report Preview section populates.
  5. Click Generate report .
    1. Select either the CSV or JSON option.

Create a Pre-Canned Report

Use one of the pre-canned File Analytics templates for your report.

Procedure

  1. Go to dropdown menu > Reports .
  2. Click Create a new report .
  3. In the Pre-Canned Reports Templates tab, do the following:
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. In the Add/Remove column in this report section, click x for the columns you want to remove.
    4. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview .
    The Report Preview section populates.
  5. Click Generate report .
    1. Select either the CSV or JSON option.

File Analytics Options

You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.

Updating Data Retention

The data retention period determines how long File Analytics retains event data.

About this task

Follow the steps as indicated to configure data retention.

Procedure

  1. In File Analytics, click gear icon > Update Data Retention .
  2. In the Data Retention Period drop-down, select the period for data retention.
  3. Click Update .

Scanning the File System

Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.

About this task

To scan shares, perform the following task.

Procedure

  1. In File Analytics, click the gear icon .
  2. In the drop-down list, click Scan File System .
  3. In the list of shares, select the target shares for the scan.
    Figure. Select Scan Targets

  4. Click Scan .
    The status of the share is In Progress . Once the scan is complete, the status changes to Completed .

Deny List

Deny users, file extensions, and client IP addresses.

About this task

Use the Deny feature to block audit events from being performed on specified file extensions or by specified users and clients.
Note: Files with no extension cannot be denied.

Procedure

  1. Click the gear icon > Define Rules for Deny List .
  2. Click the pencil icon in the Client IPs, File Extensions, or Users row.
  3. Add a comma separated list of entities that you want blocked.
  4. Click the done icon in the updated row, and then click Close .

Managing File Categories

File Analytics uses the file category configuration to classify file extensions.

About this task

The capacity widget in the dashboard uses the category configuration to calculate capacity details.

Procedure

  1. Click gear icon > Manage File Category .
  2. To create a category, click + New Category . (Otherwise, move on to step 3).
    1. In the Category column, name the category.
    2. In the Extensions column, specify file extensions for the category.
  3. To delete an existing category, click the x icon next to the category. (Otherwise, move on to step 4)
  4. To modify an existing category, click the pencil icon next to the category and modify the specified file extensions.
  5. Click Save .

Data Protection

Configure File Analytics disaster recovery (DR) using Prism Element.

File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.

Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).

The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.

Configuring Disaster Recovery

To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.

About this task

By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.

Procedure

  1. If you have not done so already, configure a remote site for the local cluster.
    See the Configuring a Remote Site (Physical Cluster) topic in the Prism Web Console Guide for this procedure.
  2. Create an async DR protection domain for the File Analytics volume group as the entity. The volume group name is File_Analytics_VG.
    See Configuring a Protection Domain (Async DR) in the Prism Web Console Guide.
  3. In the Schedule tab, click the New Schedule button to add a schedule.
    Add a schedule, as File Analytics does not provide a default schedule. See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide.
  4. Configure local and remote container mapping.
    See the Configuring Disaster Recovery (Files) section in the Nutanix Files Guide for steps to configure mapping between local and remote containers.
  5. Create a protection domain schedule.
    See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide.

Activating Disaster Recovery

Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.

About this task

Perform the following tasks on the remote site.

Procedure

  1. Fail over to the protection domain for disaster recovery activation.
    See the Failing Over a Protection Domain topic in the Prism Web Console Guide.
  2. Fail back the protection domain to the primary site.
    See the Failing Back a Protection Domain topic in the Prism Web Console Guide.

Deploying File Analytics on a Remote Site (AHV)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions on the remote site match the versions on the primary site.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG, which you delete in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG.
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element. For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix-File_Analytics_VG.
  3. To configure the FAVM on the remote, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$ sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$  sudo systemctl stop monitoring
      nutanix@favm$  docker stop $(docker ps -q)
      nutanix@favm$  sudo systemctl stop docker
    5. Unmount the volume group.
      nutanix@favm$ sudo umount /mnt
    6. Detach the volume group File_Analytics_VG from the FAVM.
      See the "Managing a VM (AHV)" topic in the Prism Web Console Guide.
    7. Attach the cloned volume group prefix-File_Analytics_VG to the FAVM.
      See "Managing a VM (AHV)" in the Prism Web Console Guide.
    8. Restart the FAVM to discover the attached volume group.
      nutanix@favm$ sudo reboot

    9. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    10. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The FAVM discovers the attached volume group and assigns it to the /dev/sdb device.
    11. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    12. Rename the restored volume group prefix-File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    13. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    14. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    15. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase for new password. File Analytics uses the password only for internal communication between Prism and the FAVM. You must issue the same command twice.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    16. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."

Deploying File Analytics on a Remote Site (ESXi)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions on the remote site match the versions on the primary site.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG, which you delete in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG.
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element. For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix-File_Analytics_VG.
  3. In the Storage Table view, go to the Volumes tab.
    1. Copy the target IQN prefix from the Volume Group Details column.
      Tip: Click the tooltip to see the entire IQN prefix.
  4. To configure the FAVM on the remote, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$ sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$  sudo systemctl stop monitoring
      nutanix@favm$  docker stop $(docker ps -q)
      nutanix@favm$  sudo systemctl stop docker
    5. Unmount and log off from all iSCSI targets.
      nutanix@favm$ sudo umount /mnt
      nutanix@favm$ sudo /sbin/iscsiadm -m node -u
    6. Remove the disconnected target records from the discoverydb mode of the FAVM.
      nutanix@favm$ sudo /sbin/iscsiadm -m node -o delete
    7. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The output does not show the /dev/sdb device.
    8. Get the File Analytics Linux client iSCSI initiator name.
      nutanix@favm$  sudo cat /etc/iscsi/initiatorname.iscsi
      The output displays the initiator name.
      InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
    9. Copy the iSCSI initiator name.
    10. Remove the iSCSI initiator name from the client whitelist of the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    11. Whitelist the FAVM client on the cloned volume group prefix-File_Analytics_VG using the iSCSI initiator name of the FAVM client.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    12. Let the Analytics initiator discover the cluster and its volume groups.
      nutanix@favm$  sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal  data_services_IP_address:3260
      Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
    13. Connect to the volume target by specifying IQN prefix.
      nutanix@favm$  sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
    14. Restart the FAVM to restart the iSCSI host adapters, which allows the discovery of the attached volume group.
      nutanix@favm$  sudo reboot
    15. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    16. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      /dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
      The FAVM discovers the attached iSCSI volume group and assigns it to the /dev/sdb device.
    17. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    18. Rename the restored volume group prefix-File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    19. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    20. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    21. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase for new password. File Analytics uses the password only for internal communication between Prism and the FAVM. You must issue the same command twice.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    22. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."

Flow Microsegmentation Guide

Flow Microsegmentation 5.20

Product Release Date: 2021-05-17

Last updated: 2022-12-13

Security Policies

Traditional data centers use firewalls to implement security checks at the perimeter—the points at which traffic enters and leaves the data center network. Such perimeter firewalls are effective at protecting the network from external threats. However, they offer no protection against threats that originate from within the data center and spread laterally, from one compromised machine to another.

The problem is compounded by virtualized workloads changing their network configurations and hosts as they start, stop, and migrate frequently. For example, IP addresses and MAC addresses can change as applications are shut down on one host and started on another. Manual enforcement of security policies through traditional firewalls, which rely on network configurations to inspect traffic, cannot keep up with these frequent changes and is error-prone.

Network-centric security policies also require the involvement of network security teams that have intimate knowledge of network configuration in terms of VLANs, subnets, and other network entities.

Nutanix Flow includes a policy-driven security framework that inspects traffic within the data center. The framework works as follows:

  • Security policies inspect traffic that originates and terminates within a data center and help eliminate the need for additional firewalls within the data center.
  • The framework uses a workload-centric approach instead of a network-centric approach. Therefore, it can scrutinize traffic to and from VMs no matter how their network configurations change and where they reside in the data center. The workload-centric, network-agnostic approach also enables the virtualization team to implement these security policies without having to rely on network security teams.
  • Security policies are applied to categories (a logical grouping of VMs) and not to the VMs themselves. Therefore, it does not matter how many VMs are started up in a given category. Traffic associated with the VMs in a category is secured without administrative intervention, at any scale.
  • Prism Central offers a visualization-based approach to configuring policies and monitoring the traffic to which a given policy applies.
  • Using Prism Central, you can configure syslog monitoring by forwarding Flow logs to an external syslog server. See Configuring Syslog Monitoring in the Prism Central Guide for details.
Note: Nutanix Flow supports only the AHV hypervisor; security policies cannot be applied to VMs running on other hypervisors.

Types of Policies

The types of policies in Prism Central and their use cases are described here.

Table 1. Types of Policies
Policy Type Use Case
Application Security Policy
Use an application security policy when you want to secure an application by specifying allowed traffic sources and destinations. This method of securing an application is typically called application ring fencing.

For example, use an application security policy when you want to allow only those VMs in the categories department: engineering and department: customersupport (the allowed sources) to communicate with an issue tracking tool in the category AppType: IssueTracker (the secured application), and you want the issue tracking tool to be able to send traffic only to an integrated customer relationship management application in the category AppType: CRM.

The secured application itself can be divided into tiers by the use of categories (the built-in AppTier category). For example, you can divide the issue tracking tool into web, application, and database tiers and configure tier-to-tier rules.

For more information, see Application Security Policy Configuration.

Isolation Environment Policy
Use an isolation environment policy when you want to block all traffic, regardless of direction, between two groups of VMs identified by their category. VMs within a group can communicate with each other.

For example, use an isolation environment policy when you want to block all traffic between VMs in the category Environment: sandbox and VMs in the category Environment: production, and you want to allow all the VMs within each of those categories to communicate with each other.

For more information, see Isolation Environment Policy Configuration.

Quarantine Policy
Use a quarantine policy when you want to isolate a compromised or infected VM and optionally want to subject it to forensics.

For more information, see Quarantine Policy Configuration.

VDI Policy
Use a VDI policy when you want to secure your VDI environment.

For more information, see VDI Policy Configuration.

Security Policy Model

Application-centricity

The security policy model uses an application-centric policy language instead of the more complex, traditional network-centric policy language. Configuring an application security policy involves specifying which VMs belong to the application you want to protect and then identifying the entities or networks, in the inbound and outbound directions, with which you want to allow communication.

All the entities in an application security policy are identified by the categories to which they belong and not by their IP address, VLAN, or other network attributes. After a VM is associated with a category and the category is specified in a security policy, traffic associated with the VM is monitored even if it migrates to another network or changes its IP address.

The default options for allowing traffic on the inbound and outbound directions are also inherently application centric. For application security policies, the default option for inbound traffic is Allowed List, which means that Allowed List is usually the recommended option for inbound traffic. The default option can be changed to Allow All traffic. The default option in the outbound direction allows the application to send traffic to all destinations, but you can configure a destination Allowed List if desired.

For forensic quarantine policies, the default option in both directions is Allowed List, but you can Allow All traffic in both directions. For strict quarantine policies, no traffic is allowed in either direction.

All the VMs within a category can communicate with each other. For example, in a tiered application, regardless of how you configure tier-to-tier rules, the VMs within a given tier can communicate with each other.

Whitelist-Based Policy Expression

An application security policy is expressed in terms of the categories and subnets with which you want the application to communicate and therefore, by extension, the traffic you want to allow. A more granular policy expression can be achieved by specifying which protocols and ports can be used for communication.

Any category or subnet that is not in the allowed list is blocked. You cannot specify the categories and subnets you want to block because the number of such entities is typically much larger and grows at a much higher rate than the number of categories and subnets with which an application should be allowed to communicate. Expressing a policy in terms of allowed traffic results in a smaller, tighter policy configuration that can be modified, monitored, and controlled more easily.

Enforcement Modes

All policies, whether associated with securing an application, isolating environments, or quarantining VMs, can be run in the following modes:

Monitor Mode
Allows all traffic, including traffic that is not allowed by the policy. This mode enables you to visualize both allowed and disallowed traffic and fine-tune the policy before applying it.
Enforce Mode
Blocks all traffic that is not allowed by the policy.

You can switch a policy between these two modes as many times as you want.

Automated Enforcement

A policy uses categories to identify the VMs to which it must apply. This model allows the automatic enforcement of a policy to VMs regardless of their number and network attributes. Connectivity between Prism Central and a registered AHV cluster is required only when creating and modifying policies, or when changing the mode of operation (applied or monitoring) of a policy. Policies are applied to the VMs in a cluster even if the cluster temporarily loses network connectivity with the Prism Central instance with which it is registered. New policies and changes are applied to the cluster when connectivity is restored.

Priorities Between Policies

Prism Central does not provide a way for you to specify priorities between policies of a single type. For example, you cannot prioritize one security policy over another. There is no limit to the number of inbound and outbound rules that you can add to a security policy, allowing you to define all of an application's security requirements in a single policy. This makes priorities between policies unnecessary.

However, priorities exist between the different policy types. Quarantine policies have the highest priority, followed by isolation environment policies and application security policies, in that order. The VDI policy has the lowest precedence. For example, if an application security policy is protecting a VM, the VM cannot simultaneously be protected by the VDI policy.

Isolation environment rules take precedence over application security rules, so make sure that isolation environment policies and application security policies are not in conflict. An isolation environment rule and an application security rule are said to be in conflict if they apply to the same traffic (a scenario that is encountered when VMs in one of the categories in the isolation environment send traffic to an application in the other category, and some or all of that traffic is either allowed or disallowed by the application security policy). The effect that an isolation environment policy has on a conflicting application security policy depends on the mode in which the isolation environment policy is deployed, and is as follows:

  • If the isolation environment policy is in the applied mode, it blocks all traffic to the application, including the traffic that is allowed by the application security policy.
  • If the isolation environment policy is in the monitoring mode, it allows all traffic to the application, including any traffic that is disallowed by the application security policy.
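
The precedence, allowed-list, and mode rules described above, worked through as a small Python model. This is an added example, not Nutanix code: it assumes the highest-priority policy type that applies to a flow decides it, VDI policies are not modeled, and the VM names and the department:hr category are constructed.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional

# Precedence between policy types, highest first, as stated in the text above.
PRIORITY = ("quarantine", "isolation", "application", "vdi")


class VM(NamedTuple):
    name: str
    categories: frozenset


class Verdict(NamedTuple):
    action: str                # "allow" or "block"
    decided_by: Optional[str]  # policy type that decided; None if none applied
    would_block: bool          # True when only monitor mode let the flow pass


@dataclass
class QuarantinePolicy:
    value: str                               # "Strict" or "Forensic"
    forensic_tools: frozenset = frozenset()  # categories holding forensic tools
    mode: str = "enforce"
    kind = "quarantine"

    def applies(self, src, dst):
        tag = "Quarantine:" + self.value
        return tag in src.categories or tag in dst.categories

    def permits(self, src, dst):
        if self.value == "Strict":
            return False                     # nothing in either direction
        peer = dst if "Quarantine:Forensic" in src.categories else src
        return bool(self.forensic_tools & peer.categories)


@dataclass
class IsolationPolicy:
    group_a: str
    group_b: str
    mode: str = "enforce"
    kind = "isolation"

    def applies(self, src, dst):
        s, d = src.categories, dst.categories
        return ((self.group_a in s and self.group_b in d)
                or (self.group_b in s and self.group_a in d))

    def permits(self, src, dst):
        return False                         # cross-group traffic is never allowed


@dataclass
class AppSecurityPolicy:
    secured: str                             # AppType value of the secured app
    inbound: frozenset                       # allowed list of source categories
    outbound: Optional[frozenset] = None     # None = default: all destinations
    mode: str = "enforce"
    kind = "application"

    def applies(self, src, dst):
        return self.secured in src.categories or self.secured in dst.categories

    def permits(self, src, dst):
        if self.secured in src.categories and self.secured in dst.categories:
            return True                      # VMs in one category may talk
        if self.secured in dst.categories:   # inbound to the secured app
            return bool(self.inbound & src.categories)
        return self.outbound is None or bool(self.outbound & dst.categories)


def evaluate(src, dst, policies):
    """Verdict of the highest-priority policy type that applies to the flow."""
    for kind in PRIORITY:
        for p in policies:
            if p.kind == kind and p.applies(src, dst):
                ok = p.permits(src, dst)
                if p.mode == "monitor":      # monitor mode never drops traffic
                    return Verdict("allow", kind, not ok)
                return Verdict("allow" if ok else "block", kind, False)
    return Verdict("allow", None, False)     # assumption: unprotected flow passes


# Constructed sample VMs and policies, using the category examples from the text.
ENG = VM("eng-01", frozenset({"department:engineering", "Environment:sandbox"}))
GUEST = VM("guest-01", frozenset({"department:hr", "Environment:sandbox"}))
TRACKER = VM("tracker-01", frozenset({"AppType:IssueTracker", "Environment:production"}))
APP = AppSecurityPolicy(
    "AppType:IssueTracker",
    inbound=frozenset({"department:engineering", "department:customersupport"}),
    outbound=frozenset({"AppType:CRM"}))

if __name__ == "__main__":
    for mode in ("enforce", "monitor"):
        iso = IsolationPolicy("Environment:sandbox", "Environment:production", mode)
        for vm in (ENG, GUEST):
            print(mode, vm.name, evaluate(vm, TRACKER, [APP, iso]))
    print("no isolation", evaluate(GUEST, TRACKER, [APP]))
```

The would_block flag corresponds to what monitor mode is for: it marks flows that pass today but would be dropped once the deciding policy is switched to enforce mode.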

Requirements

The Security Policies feature has the following requirements:

  • The feature is supported only on AHV clusters running AOS 5.6 or later and AHV version 20170830.115 or later.
  • The Prism Central instance must be hosted on one of the AHV clusters registered with it. The AHV cluster that hosts the Prism Central instance must be running AOS 5.6 or later.
  • The host must have at least 1 GB of additional memory for each Prism Central VM hosted on it.
  • If you are running a Prism Central scale-out instance, all the VMs in the Prism Central cluster must be powered on.
  • The AHV hosts must be allowed to communicate with the Prism Central VMs over TCP port 9446. Keeping the port open enables the hosts to send the Prism Central VMs connection tracking data. Prism Central uses that data to show network flows.
  • Flow supports only TCP, UDP, or ICMP traffic.
Caution:
  • When Flow is enabled, a Kafka container is automatically created on the cluster where Prism Central is hosted. The container is used to store data that is required for flow visualization to work and must not be deleted.
  • Cross-cluster live migration of guest VMs that are part of a Flow security policy is not supported.
  • Security Policies are not supported for VMs that are on the advanced networking stack. An alert is raised for VMs that are part of both VPC and Flow policy, and Flow policies are not enforced for VMs on VPCs.
  • Overlapping or conflicting policy configuration is not supported and might cause unintended interruption of network services.

Enabling Microsegmentation

Microsegmentation is disabled by default. Before you can configure and use application security policies, isolation environment policies, and quarantine policies, you must enable the feature. The feature requires a Flow license. If you have not installed a Flow license, you can try the feature for a period of 60 days. After this period expires, you will be required to install the license to continue using the feature.

About this task

To enable microsegmentation, do the following:

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and then select Prism Central Settings to display the Settings page.
  3. Click Microsegmentation from the Settings menu (on the left).
    The Enable Microsegmentation dialog box is displayed.
  4. To determine whether the registered clusters are capable of supporting microsegmentation, do the following:
    1. Click View Cluster Capability, and then review the results of the capability checks that Prism Central performed on the registered clusters.
    2. Click Back.
  5. Select the Enable Microsegmentation check box.
  6. Click OK.

Disabling Microsegmentation

The Prism Central web console lets you disable the microsegmentation feature.

About this task

To disable microsegmentation, do the following:

Procedure

  1. Log on to the Prism Central web console.
  2. Click the gear icon in the main menu and then select Microsegmentation in the Settings page.
    Figure. Settings Page - Disabling Microsegmentation
  3. Click Disable Microsegmentation.
    A confirmation message appears.
    Figure. Microsegmentation - Confirmation message
  4. Click Disable to confirm disabling the microsegmentation feature.

Built-In Categories for Security Policies

Prism Central includes built-in categories that you can use in application security policies and isolation policies. It also includes a built-in category for quarantining VMs.

Table 1. Built-In Categories
Category Description
AppTier
Add values for the tiers in your application (such as web, application_logic, and database) to this category and use the values to divide the application into tiers when configuring a security policy.
AppType
Associate the VMs in your application with the appropriate built-in application type such as Exchange and Apache_Spark. You can also update the category to add values for applications not listed in this category.
Environment
Add values for environments that you want to isolate from each other and then associate VMs with the values.
Quarantine
Add a VM to this category when you want to quarantine the VM. You cannot modify this category. The category has the following values:
  Strict
  Use this value when you want to block all inbound and outbound traffic.
  Forensic
  Use this value when you want to block all inbound and outbound traffic except the traffic to and from categories that contain forensic tools.
ADGroup
This category is managed by ID Based Security (ID Firewall). Each ADGroup value represents an imported group from Active Directory. To add or remove values to use in Flow policies, use the ID Based Security configuration page (Prism Central Settings > Flow > ID Based Security). The category values may be used in VDI policies; see VDI Policy Configuration for details.
ADGroup:Default
This category is applied to the VDI VMs of the AD group when the VM inclusion criteria is set and allows you to apply a default set of rules for the VDI VMs (without the requirement of user logons).

Service

A service is a group of protocol-port combinations. You can use any of the default services or create a custom service. Using service entities in the policy creation workflow reduces manual configuration errors and lets you reuse available entities.

  • To create or update a custom service, see Creating a Service.
  • To view the list of available services (built-in and custom services), go to Policies > Security > Services.

Creating a Service

About this task

To create a custom service, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security > Services.
  3. Click Create Service.
    Figure. Create Service Tab

  4. Enter a name and description for the service.
  5. Select the Protocol from the drop-down menu and enter the port number or port range in the Port field.
    You can add multiple protocol-port combinations in a single service. To add more protocol-port combinations, click Add Row and specify the required values.
  6. Click Save to save the service.

Address

An address is a way to group one or many IP addresses or ranges. You can create an address entity and use that address entity while creating policies. Using addresses in the policy creation workflow reduces manual configuration errors and lets you reuse available entities.

  • To create or update an Address, see Creating an Address.
  • To view the list of available services (built-in and custom services), go to Policies > Security > Address.

Creating an Address

About this task

To create an Address, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security > Addresses.
  3. Click Create Address.
    Figure. Create Address Tab

  4. Enter a name and description for the address.
  5. Enter the IP address or an IP range in the Subnet field.
    You can add multiple subnets in a single address entity. To add more subnets, click Add Row and specify the required values.
  6. Click Save to save the address.

Application Security Policy Configuration

Creating an Application Security Policy

Before you begin

  • Create the categories you need and associate the VMs that you want to protect with those categories. You might be required to create categories for the following purposes. Some categories or category values are required while others are optional:
    • Every security policy must be associated with a value in the AppType category, so make sure that you update the AppType category with appropriate values if the built-in values do not work for you. For information about this category and its values, see Category Management in the Prism Central Guide.
    • If you need to apply the policy to an application in a specific environment (for example, development, test, or production) or an application at a specific location, create the category you need and apply it to the application. Prism Central includes a built-in Environment category that you can use or update with values of your own. You can also create your own categories.
    • If you want to specify categories for traffic sources and destinations instead of allowing all inbound and outbound traffic, create those categories and apply them to the traffic sources and destinations.
    • If you want to divide the application into tiers in a security policy, add tiers to the AppTier category. The AppTier category has a built-in default value, but you can update the category to add values of your choice.

    For information about categories and their values, see Category Management in the Prism Central Guide.

  • Security policy configuration might require more time than the default session timeout allows you. You might want to increase the session timeout so that you do not lose a configuration that is left unattended while you perform associated tasks such as referring to this documentation. For more information, see Modifying UI Settings in the Prism Web Console Guide.

About this task

To secure an application, do the following:

Procedure

  1. In the Security Policies dashboard, click Create Security Policy, and then click Secure an Application.
    The Create App Security Policy page is displayed.
  2. On the Define Policy tab, do the following in the indicated fields, and then click Next:
    Figure. Define Policy Tab. The Create App Security Policy page comprises tabs for defining a policy, securing an application, and then reviewing the policy. This image shows the Define Policy tab, with fields for entering a name and purpose and a drop-down list from which you can select the application that you want to secure. The Define Policy tab also has an Advanced Configuration section for allowing or blocking IPv6 traffic and enabling the policy hit log.
    1. Name: Enter a name for the security policy.
    2. Purpose: Describe the purpose of the security policy.
    3. Secure This App: Select the type of application that you want to secure.
      The Secure This App list displays available values in the AppType category. It uses the format AppType: value, where value represents a type of application. Every application that you want Prism Central to secure must be associated with a value from the built-in AppType category. The AppType category includes values for frequently encountered applications, such as Exchange and Hadoop. The AppType category also includes a built-in default value that you can use if your application cannot be associated with one of the other built-in values. You can also update the AppType category to add a value of your choice. For information about categories and their values, see Category Management.
    4. If you want to filter the VMs by an additional category, select Filter the app type by category, and then enter the name of the category in the text box that is displayed.
      This option enables you to apply the policy to an additional category. For example, if you are configuring a policy for an application in the category AppType: Exchange, this option enables you to further restrict the policy to specific locations (such as Location: US and Location: EU) or environments (such as Environment: Production, Environment: Development, and Environment: Test).
    5. Optionally, in the Advanced Configuration section, select the Allow radio button to allow IPv6 traffic. The policy rules apply to IPv4 traffic only, and all IPv6 traffic is blocked by default.
      Note: If you choose to block IPv6 traffic, the IPv6 traffic remains blocked even in the monitoring mode.
    6. Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules.
      You can configure syslog monitoring for the policy hit logs for Flow. For details, see Configuring Syslog Monitoring in the Prism Central Guide.
      Note: Policy hit logs are not generated if both the source and the destination are in an inbound or outbound category.
  3. In the Securing an App dialog box, review the schematic that illustrates the flow of traffic through a secured app, and then click OK, Got it!
    The Secure Application tab is displayed. The schematic on this tab can be divided into three areas of configuration: the Inbound side (for adding the traffic source allowlist), the application at the center (for configuring inbound, outbound, and tier-to-tier rules), and the Outbound side (for adding the traffic destination allowlist).
    Figure. Secure Application Tab
  4. On the Secure Application tab, do the following, and then click Next:
    1. On the application at the center of the tab, do the following in the indicated fields:
      • If you want to divide the application into tiers (such as a web tier, an application tier, and a database tier) and configure tier-to-tier rules, first configure the application as described in this step, and then configure inbound and outbound rules. This approach ensures that the individual tiers are available when you want to configure inbound and outbound rules at the tier level. Skip this step if you want to treat the application as a single entity in the security policy.

        To divide your application into tiers and create tier-to-tier rules, do the following:

        1. On the application, click Set Rules on App Tiers, Instead.
          Note: After you click Set Rules on App Tiers, Instead, the link text, Set rules on the whole app, instead, is displayed in its place. Click Set rules on the whole app, instead if you want to discard the tiered configuration and return to configuring rules on the application as a whole.
        2. Click Add Tier, and then select a tier.

          Repeat this step to add as many tiers as you require. The following figure shows an application with a web tier, an application tier, and a database tier:

          Figure. Tiered Application
        3. To delete a tier, pause over the tier you want to delete and click the delete button that is displayed.
        4. Click Set Rules Within App.
          Note: When configuring tier-to-tier rules, two modes are made available to you through the buttons Set Rules to & from App and Set Rules Within App. The Set Rules to & from App option enables you to add application tiers and to specify allowed inbound and outbound traffic. The Set Rules Within App option enables you to specify tier-to-tier rules within the application. These buttons enable you to switch between the two modes.
        5. Click each tier in the application and click Yes or No to specify whether or not you want to allow the VMs in the tier to communicate with each other.
        6. Configure a tier-to-tier rule as follows:
          1. Click the source tier (for example, if the tiers are WebTier and AppTier and you want to configure a tier-to-tier rule from WebTier to AppTier, click the source tier, WebTier).
          2. Click the plus sign that is displayed on the destination tier (in this example, click the destination tier, AppTier). The Create Tier to Tier Rule dialog box
          3. Enter a description for the rule.
            Note: The policy rule description is captured in the policy hitlog data.
            • Policy hitlog must be enabled
            • Rule description is added to the hitlog only for allowed traffic
          4. In Service Details, click Allow all traffic to allow all types of traffic or click Select a service to choose any default or custom service.
          5. Click Save.

          Configure tier-to-tier rules for as many source and destination tiers as you want.
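
The settings chosen in the steps above (AppType and filter category, IPv6 handling, policy hit logs, intra-tier Yes/No, and tier-to-tier rules) can be written down and checked as a small model before you click through the UI. This is an added illustration, not Nutanix code or a Prism Central API: the class, field, and VM names are hypothetical, and it assumes that unmatched traffic is denied, that rules match only from source tier to destination tier, that intra-tier traffic is denied when unset, and that monitoring mode lets IPv4 violations pass.

```python
from dataclasses import dataclass, field

@dataclass
class AppPolicy:
    app_type: str                    # value of the AppType category
    filter_cat: tuple = None         # optional extra category, e.g. ("Environment", "Production")
    allow_ipv6: bool = False         # Advanced Configuration: IPv6 is blocked by default
    hit_logs: bool = False           # Policy Hit Logs toggle
    monitor: bool = False            # monitoring mode (assumed: IPv4 violations are not dropped)
    intra_tier: dict = field(default_factory=dict)  # tier -> Yes/No inside the tier (assumed No if unset)
    rules: list = field(default_factory=list)       # (src_tier, dst_tier, service or None, description)
    log: list = field(default_factory=list)

    def covers(self, vm):
        cats = vm["categories"]
        if cats.get("AppType") != self.app_type:
            return False
        return self.filter_cat is None or cats.get(self.filter_cat[0]) == self.filter_cat[1]

    def check(self, src, dst, proto, port, ipv6=False):
        """True if a new flow between two VMs of the secured app passes."""
        if not (self.covers(src) and self.covers(dst)):
            raise ValueError("flow is not between VMs secured by this policy")
        if ipv6:                     # rules are IPv4-only, so only the IPv6 setting decides;
            return self.allow_ipv6   # a block holds even in monitoring mode
        s, d = src["categories"]["AppTier"], dst["categories"]["AppTier"]
        if s == d:
            allowed, desc = self.intra_tier.get(s, False), None
        else:                        # rules are matched source tier -> destination tier only
            rule = next((r for r in self.rules if r[:2] == (s, d)
                         and r[2] in (None, (proto, port))), None)
            allowed, desc = rule is not None, rule[3] if rule else None
        if self.hit_logs:            # the description is logged for allowed traffic only
            self.log.append({"src": src["name"], "dst": dst["name"], "port": port,
                             "allowed": allowed, "rule": desc})
        return allowed or self.monitor

def vm(name, tier, env="Production"):  # constructed sample VM record
    return {"name": name, "categories": {"AppType": "Exchange", "AppTier": tier, "Environment": env}}

def demo(**settings):
    web, app, db = vm("web1", "WebTier"), vm("app1", "AppTier"), vm("db1", "DBTier")
    policy = AppPolicy("Exchange", ("Environment", "Production"), hit_logs=True,
                       intra_tier={"WebTier": False, "AppTier": True},
                       rules=[("WebTier", "AppTier", ("tcp", 8443), "web to app API"),
                              ("AppTier", "DBTier", None, "app to db, all traffic")], **settings)
    flows = [(web, app, "tcp", 8443), (web, db, "tcp", 5432), (app, web, "tcp", 8443),
             (app, db, "udp", 53), (web, vm("web2", "WebTier"), "tcp", 22)]
    return policy, [policy.check(*flow) for flow in flows]
```

Calling demo() returns the policy and one verdict per constructed flow; policy.log then shows which entries carry a rule description, which is useful when deciding what to expect in syslog once Policy Hit Logs is enabled.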

    2. To add traffic sources, on the Inbound side of the Secure Application tab, do the following:
      • From the drop-down list, select one of the following options:
        • Allow All: Allows traffic from all sources.
        • Whitelist Only: Allows traffic only if the traffic originates from entities on the security policy's source allowlist. This option is the default option. If this option is selected, you must also configure the source allowlist by clicking Add Source.
      • Click Add Source, and then do the following:
        1. Select one of the following options from the drop-down list:
          • Category: Allows traffic only if that traffic originates from entities that are in the selected category.
          • Subnet/IP: Allows traffic only if that traffic originates from entities that are in the selected subnet.
          • Addresses : Allows t