Creating a Monitoring Policy for Ransomware Detection

Ransomware detection events are written to the /var/log/audit/audit.log file. To monitor that file for access denials recorded against the protected disk libraries and to receive email alert notifications, create a monitoring policy.

Note

If you use a disk library that is associated with the MediaAgent as subclient content for backup, you might notice denials in the audit.log file because the disk library is already protected.

Before You Begin

  • Collect the details that you require to create the policy. For more information, see Planning for Your Monitoring Policy.

  • To view the data that you collect in the log monitoring application, you must set up the Web Console and configure the Index Server. For more information, see Setting Up the Log Monitoring Application.

  • Determine whether you want to save the policy configuration as a script that you can run later from the command line interface. If you accidentally delete the policy, the script preserves the monitoring policy configuration so that you can re-create the policy.

Procedure

  1. From the CommCell Browser, go to Policies.

  2. Right-click Monitoring Policies, and then click New Monitoring Policy.

    The New Monitoring Policy wizard appears.

  3. Follow the instructions in the wizard.

    • On the Please select the type of monitoring policy you would like to create page, select Text Log Files.

      From the Please select the template list, select Simple Text Template.

    • On the Select associations page, select the MediaAgents that you have configured the ransomware protection for.

    • On the Please select content page, add the /var/log/audit/audit.log file.

    • On the Please specify criteria page, add a criterion with the criteria option Regular Expression, the filtering attribute Contains, and the following description:

      denied.*cvstorage.*tclass=file.|denied.*cvbackup.*tclass=file.|denied.*cvstorage.*tclass=dir.|denied.*cvbackup.*tclass=dir.

    • On the Specify the data capturing options page, from the list of Select data capturing type, select Event Raiser.

    For information about the options in the wizard, see Monitoring Policy Online Help.

  4. On the Summary page, choose whether to save the configuration as a script for future use:

    • To create the policy immediately, click Finish.

    • To save the policy configuration as a script, click Save as Script.

      For instructions about saving your policy as a script, see Save as Script Overview.

      To create the policy using the script, run the script from the command line interface.
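The following Python script is an added example, not part of this documentation or of the Commvault software. It applies the criteria expression from the wizard (the Contains attribute behaves like a substring regex search) to a few constructed audit.log lines, so that you can see which denials the policy raises events for before enabling the alert. The SELinux label names containing "cvstorage" and "cvbackup" in the sample lines are placeholders, not the product's actual labels, and the compact alternative pattern is an equivalent rewrite added here for comparison; it goes beyond the page by showing that the four alternatives collapse into one alternation group.

```python
import re

# The criteria expression exactly as entered on the Please specify criteria page.
AUDIT_PATTERN = (
    r"denied.*cvstorage.*tclass=file.|denied.*cvbackup.*tclass=file.|"
    r"denied.*cvstorage.*tclass=dir.|denied.*cvbackup.*tclass=dir."
)

# Compact equivalent of the same four alternatives (assumption: the wizard's
# Regular Expression option accepts standard alternation groups, as Python's re does).
# Note the trailing "." in both patterns is a regex wildcard, so it requires one more
# character after "file"/"dir"; in audit.log that character is the space before permissive=.
COMPACT_PATTERN = r"denied.*(cvstorage|cvbackup).*tclass=(file|dir)."

# Constructed sample audit.log lines in SELinux AVC style. Only the first two are
# denials against the protected library labels; the rest must not raise an event.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=4321 comm="badproc" '
    'name="V_12345.dat" dev="sdb1" ino=9001 scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:cvstorage_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.102:202): avc:  denied  { add_name } for  pid=4321 comm="badproc" '
    'name="newdir" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:cvbackup_t:s0 tclass=dir permissive=0',
    # Legitimate backup access: granted, so no event.
    'type=AVC msg=audit(1700000000.103:203): avc:  granted  { read } for  pid=1234 comm="cvd" '
    'name="V_12345.dat" scontext=system_u:system_r:cvbackup_t:s0 '
    'tcontext=system_u:object_r:cvstorage_t:s0 tclass=file permissive=0',
    # Unrelated denial on a different label: no event.
    'type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=5678 comm="httpd" '
    'name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0',
    # Companion SYSCALL record without the word "denied": no event.
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 '
    'pid=4321 comm="badproc" exe="/tmp/badproc"',
]


def matching_lines(lines, pattern=AUDIT_PATTERN):
    """Return the lines the monitoring policy criteria would select.

    Contains + Regular Expression corresponds to an unanchored search.
    """
    regex = re.compile(pattern)
    return [line for line in lines if regex.search(line)]


def patterns_agree(lines):
    """True when the page's expression and the compact rewrite select the same lines."""
    return matching_lines(lines, AUDIT_PATTERN) == matching_lines(lines, COMPACT_PATTERN)


def summarize(line):
    """Pull the key=value fields an operator wants first when triaging a raised event."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {key: fields.get(key, "").strip('"') for key in ("pid", "comm", "name", "tclass")}


if __name__ == "__main__":
    for hit in matching_lines(SAMPLE_AUDIT_LINES):
        print(summarize(hit))
```

Run the script against a copy of a real audit.log (one line per list element) to confirm that only denials on the protected library labels are selected; if legitimate backup traffic shows up, check whether the disk library is also being backed up as subclient content, as the note above describes.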

What to Do Next

  • The software automatically creates an alert with the name Event Raiser Alert for Monitoring Policy [MonitoringPolicyName]. To receive email alert notifications, you must enable the alert. For instructions, see Enabling or Disabling Alerts.

  • To avoid repeat alert notifications, clear the /var/log/audit/audit.log file.
