Welcome to the third blog in my three-part series reviewing the analytics features of Nutanix Files version 3.5. What’s another 10 minutes of your life to put a nice bow on everything? 🎺Queue the sad music 🎺
In Part II, we caught a glimpse of Files’ audit functionality and got a pretty decent idea of what it does. What may not have been immediately apparent is that the Audit Trails feature is available not only for users, but for individual files, too.
Selecting the “Files” radio button lets an administrator search for audit details on individual files. Initial results show some basic file information while clicking “View Audit” gives more visibility into the history of the file, including users that read, modified or otherwise touched it.
Administrators have some powerful built-in features at their fingertips with file-based auditing:
- If the file in question has a lot of events against it, an admin can filter out specific events to drill down for more information regarding who, what, when and from where;
- An admin has the ability to perform wildcard searches (i.e.: *.iso);
- Importantly, an admin can search deleted files to figure out who deleted the file and where it was deleted from; and
- An admin can see duplicate file names that appear in different folder locations.
This brings us back to user-based auditing, which we touched on in Part II when our admin was assessing the activity of a top user. Clicking the “Users” radio button to search lets an administrator see all files a particular user has touched. Functionality-wise, there’s really no difference between the file-based and user-based auditing search types.
One nice feature I’d like to see implemented in the future is the ability to click on a file that may have been modified by a user (or vice versa, the ability to click on the user who modified a file) and be taken straight to the Audit Trail for that file (or user).
As a society, we’re very reactive to security situations. But at the same time, we tend to react too late.
With that in mind, Anomalies is a nice in-depth feature offered as part of this Tech Preview release of Files. While it’s a bit restrictive in its current form, I expect Nutanix will put some significant engineering effort behind this feature as it can be quite powerful if done properly.
The main Anomalies dashboard succinctly alerts you to what it considers to be an anomaly.
Unfortunately, while it looks like you should be able to click on each of the events to drill down for more information, that’s not the case. To get additional details or to configure an anomaly, you must click on “Anomalies” in the top navigation bar.
While the main Anomalies dashboard above contains some decent high-level info, it doesn’t really present users with any useful correlated or clickable links. Telling us there were six anomalies on a certain day doesn’t help us figure out any more about what exactly they were, who they were caused by, or when or where they occurred.
Even if this is just a Tech Preview version of Files (as shown in the upper left corner of the dashboard screenshot), I still want useful data.
Digging deeper into the “Top Folders” box on the main dashboard shows that the Lab-1 folder had 14 anomalies in the last 30 days. A mouse-over shows the location of that folder, but that’s it. As a user, I would expect that clicking on the folder would allow me to see what the anomalies were, when they occurred, by whom, etc. This is absolutely needed if customers are to adopt and find value in Files.
Crawl, walk, run? I hope so! Offering an Anomalies feature is itself a step in the right direction. Again, the data is there. It’s just a matter of correlating and presenting it in an easily consumable format.
So, what kind of granularity does an end user have to configure anomalies? Well, not too much right now. Users have three options at the moment:
- Permission Changed
Users can configure different triggers for each option. In the screenshot above, you’ll notice a blue link in the top right reading “+ Define Anomaly Rules.”
Clicking through brings up a screen where anomalies can be defined.
I’d love to see Nutanix add a mouse-over “quick tip” that defines what each column in this view actually means. The “Events” column is self-explanatory, but the “Minimum Operation %” column means nothing to me. Hence why a quick tip section would be great. Even referring to Nutanix’s definition from the Files guide doesn’t help:
Minimum Operations %: Enter a percentage value for the minimum threshold. When this value is surpassed, Analytics will trigger an anomaly alert.
Operations percentage of what based on what with what? Hopefully we get more clarity as this moves to GA.
A few other columns in the Define Anomaly Rules view are worth quickly mentioning:
- Minimum Operations Count: Want to know when files are either deleted or created in a number greater than ##? Easy peasy.
- User: Contains “All Users” and “Individual Users” drop-down options. Unless I’m misunderstanding something, only the “All Users” option is useful. Selecting “Individual Users” (maybe to monitor someone or a service account that keeps getting locked out) doesn’t actually give you the option to specify the user. However, it does tell you if a specific user does something that meets a defined anomaly threshold.
In its current form, the only way to alert someone of an anomaly is via email.
My prediction is that Nutanix will eventually allow admins to run custom scripts for alerts. For example, something like “Disable user in AD if they delete more than XX number of files.” Reactive? Sure. But this would offer much faster response times in cases where users delete thousands or even millions of files. If something like this does come to fruition, please use caution and test your scripts!
I’d also love to see Anomaly definitions added for Read, Modify and Permission Denied. Nutanix already tracks this information as we can see through the files audit section.
On top of that, I’d welcome the ability to define anomalies on specific folders within the share.
There is certainly room for improvement with the Anomalies feature of Files. Keeping in mind that this is a Tech Preview, though, and wrapping everything we’ve talked about to this point, the path forward comes down to building correlation of the data to help users quickly identify abnormal activity.
In the end, Anomalies has the potential to be a powerful tool for end users.
The question always asked, especially after being enlightened by an epic product review blog trilogy, is “How much does this awesomeness full of rainbows and unicorns cost me?”
I debated including this section, mostly because these things constantly change, regardless of OEM, so keep that in mind as you’re reading this. Reaching out to your WWT account team is the best way to get today’s most accurate pricing information.
First, I won’t get into specific pricing for Nutanix Files. Why? Every opportunity is different, every customer is different, and, quite honestly, if I wrote something here it’d be inaccurate within an hour.
Second, the information below applies to certain hardware models. As of this writing, details have not been released for instances where a customer purchases an OEM-based solution (such as Dell XC or Lenovo HX).
Nutanix is currently licensing Files on a capacity-based model. It’s important to understand this means Nutanix is selling space the end user sees. So, if you need 10TiB of licensing but the data dedupes or compresses down to 1TiB, you still have to purchase a 10TiB license. Cost savings will come from needing less hardware.
There are essentially two slightly different purchasing models to consider: dedicated clusters and mixed deployments.
Dedicated clusters are exactly what they sound like — minimum compute resources and a lot of storage. The compute resources should be enough to run the CVMs, FSVMs and, of course, the Analytics VMs. No other VMs are allowed to run on the cluster. This is important to note if you’re looking to use this for ROBO sites where small VMs may also need to run.
In a dedicated cluster, you’ll be running Files Pro licensing edition, which includes Analytics at no additional cost. You still might need to consider additional add-on licensing options outside of capacity that can affect price, such as encryption (SW or HW) and multi-site DR (many to many).
Nutanix’s “mixed mode” deployment model also employs capacity-based licensing. The level of your AOS licensing will dictate some of your feature functionality (Starter, Pro, Ultimate). Analytics is currently an add-on license in this model.
Alas, we are at the end of the series. Thanks for sticking it out. Personally, I’m quite excited for Nutanix Files. I do believe it will be differentiator and I see a lot of upside for customer adoption, especially as the platform evolves.
I learned a lot writing this trilogy (see Part I, Part II) and hope you learned a lot reading it. I also hope I’ve captured enough of your imagination to dig further into this technology — not just the analytics portion, but the rest of the Files architecture.
If you’re a WWT customer, reach out to your account team to schedule a more in-depth view of Files.
If you’re not yet a customer, you can still access the latest hyper-converged labs, featuring many Nutanix solutions, by connecting with us online and exploring the Advanced Technology Center (ATC). Files is released and waiting for you as a capability. Dig in! And feel free to reach out to me directly if you have any questions.