When auditing is enabled, audit records are written to files that are stored in the auditing directory. Authorized users can access the files from client hosts by mounting a view on the directory.
To enable client users to access audit files, do both of the following:
- Give users read access permission to the audit directory. This is done by specifying users and groups in the Read-access Users and Read-access Groups fields in the global auditing settings.
- Make sure there is a view on the auditing directory or on the root directory. Users need to mount the view on their client operating system in order to access the files.
The auditing directory is located directly under the root directory of the Element Store. Audit records are written to files in different subdirectories for different CNodes. There are multiple active audit files for each CNode, identified by silo ID, which represent internal handlers. Each file may contain multiple audit records.
Each subdirectory is named audit_env_#, where # is a data environment ID.
The maximum size of audit files is set by the Max audit file size field in the global auditing settings. Audit records are written to new files when needed to avoid exceeding the limit.
Files are named audit_log_<siloID>_<time and date stamp in UTC>. For example: audit_log_13_2022-07-25_10.06.22.971753164.
The audit files are structured in JSON format with a line per audit record. For example:
{"ClusterName": "vast5000", "CnodeName": "cnode-5-18", "Time": "2022-07-25 10:06:22.971", "ClientIP": "192.0.2.15", "ClientHostname": "", "ClusterVip": "172.23.28.16", "Protocol": "NFSv3", "RPCType": "MKDIR", "Path": {"Path": "/view-x/b6ff462c", "EHandle": "0xc6577958b7f2b36", "CloneID": "0x0"}, "LoginName": "user1", "uid": 2000, "sid": "S-1-111-1406723212-3193829621-986136987-861556413-2", "S3AccessKeys": ["", "", "", ""], "Status": "NFS3_OK"}
{"ClusterName": "vast5000", "CnodeName": "cnode-5-18", "Time": "2022-07-25 10:06:22.972", "ClientIP": "192.0.2.15", "ClientHostname": "", "ClusterVip": "172.23.28.16", "Protocol": "NFSv3", "RPCType": "GETACL", "Path": {"Path": "/view-x/", "EHandle": "0x164edaee83a1c70c", "CloneID": "0x0"}, "LoginName": "user1", "uid": 2000, "sid": "S-1-111-1406723212-3193829621-986136987-861556413-2", "S3AccessKeys": ["", "", "", ""], "Status": "NFS3_OK"}
{"ClusterName": "vast5000", "CnodeName": "cnode-5-18", "Time": "2022-07-25 10:06:22.973", "ClientIP": "192.0.2.15", "ClientHostname": "", "ClusterVip": "172.23.28.16", "Protocol": "NFSv3", "RPCType": "MKDIR", "Path": {"Path": "/view-x/b/bffgg", "EHandle": "0x18342bd24edc44f1", "CloneID": "0x0"}, "LoginName": "user1", "uid": 2000, "sid": "S-1-111-1406723212-3193829621-986136987-861556413-2", "S3AccessKeys": ["", "", "", ""], "Status": "NFS3_OK"}
The following data are logged per audit record. Some additional data are recorded for some RPCs.
| Field | Description |
|---|---|
| ClusterName | Name of the cluster |
| CnodeName | Cnode name |
| Time | RPC time |
| ClientIP | IP from which RPC was received |
| ClientHostname | Blank field reserved for the name of the host that sent the RPC. |
| ClusterVip | VIP on which RPC was received |
| Protocol | Client protocol that sent the RPC |
| RPCType | The type of operation |
| Path | The requested path. If Log full path is enabled, the full Element Store path is logged. If Log full path is disabled, the path relative to the view is recorded. |
| EHandle | Affected handles. Each file and directory has a handle. |
| CloneID | |
| LoginName | The user name. Appears only if Log username is enabled. |
| uid | The user's NFS UID. |
| sid | The user's SMB user SID. |
| S3AccessKeys | The user's S3 access keys, if applicable |
| Status | Status of the operation. Indicates if it was successful or not. |
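As an added example (not part of the original article and not VAST's own code), the following Python reads the file name and record format described above and counts unsuccessful operations per user, client IP and RPC type. The function names, the reading of the last file name component as fractional seconds, the rule that success statuses end in `_OK`, the `NFS3ERR_ACCES` value and the sample records are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Name format from the page; treating the last component as fractional seconds is an assumption.
NAME_RE = re.compile(r"^audit_log_(\d+)_(\d{4}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}\.\d{1,6})\d*$")

def parse_audit_filename(name):
    """Return (silo_id, UTC datetime) for an audit file name, or None if it does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%Y-%m-%d_%H.%M.%S.%f")
    return int(m.group(1)), ts.replace(tzinfo=timezone.utc)

def iter_records(text):
    """Yield each JSON audit record; tolerates several records on one line."""
    dec = json.JSONDecoder()
    for line in map(str.strip, text.splitlines()):
        while line:
            try:
                rec, end = dec.raw_decode(line)
            except json.JSONDecodeError:
                break  # partial record, e.g. a file that is still being written
            yield rec
            line = line[end:].lstrip()

def failed_ops(records):
    """Count non-successful operations per (user, ClientIP, RPCType)."""
    counts = Counter()
    for r in records:
        # Assumption: success statuses end in "_OK", as NFS3_OK does on the page.
        if not str(r.get("Status", "")).endswith("_OK"):
            # LoginName is present only if Log username is enabled; fall back to uid.
            who = r.get("LoginName") or r.get("uid")
            counts[(who, r.get("ClientIP"), r.get("RPCType"))] += 1
    return counts

SAMPLE = (  # constructed, trimmed records; the last one is deliberately truncated
    '{"ClientIP": "192.0.2.15", "RPCType": "MKDIR", "LoginName": "user1", "uid": 2000, "Status": "NFS3_OK"}\n'
    '{"ClientIP": "192.0.2.44", "RPCType": "REMOVE", "uid": 2001, "Status": "NFS3ERR_ACCES"} '
    '{"ClientIP": "192.0.2.44", "RPCType": "REMOVE", "uid": 2001, "Status": "NFS3ERR_ACCES"}\n'
    '{"ClientIP": "192.0.2.44", "RPCType": "MK'
)

if __name__ == "__main__":
    print(parse_audit_filename("audit_log_13_2022-07-25_10.06.22.971753164"))
    print(failed_ops(iter_records(SAMPLE)).most_common())
```

Because each CNode has several active files, one per silo, collect records from every file under the audit_env_# subdirectories before drawing conclusions about a user or client.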