When protocol auditing is enabled, audit records are written to files stored in the audit directory. Authorized users can read these files from client hosts, but they must mount a view on the directory in order to access them.
To enable client users to access audit files, do both of the following:
- Give users read access permission to the audit directory. This is done by specifying users and groups in the Read-access Users and Read-access Groups fields in the global auditing settings (Settings -> Auditing).
- Make sure there is a view on the audit directory or on the root directory. Users need to mount the view on their client operating system in order to access the files.
The audit directory is located directly under the root directory of the Element Store. Audit records are written to files in a separate subdirectory for each CNode. Each CNode has multiple active audit files, each identified by a silo ID (the ID of an internal handler). Each file may contain multiple audit records.
Each subdirectory is named audit_env_#, where # is a data environment ID.
The maximum size of an audit file is set by the Max audit file size field in the global auditing settings (Settings -> Auditing). Audit records roll over to a new file when the file reaches this size.
Files are named audit_log_<silo ID>_<time and date stamp in UTC>. For example: audit_log_13_2022-07-25_10.06.22.971753164.
The audit files are structured in JSON format with a line per audit record. For example:
{"ClusterName": "vast5000", "CnodeName": "cnode-3-161", "Time": "2023-03-07T13:27:04.703Z", "ClientIP": "192.0.2.15", "ClientHostname": "", "ClusterVip": "172.23.28.16", "Tenant": "default", "Protocol": "S3", "RPCType": "PUT_BUCKET", "Path": {"Path": "", "EHandle": "0x5234d00615d8752a", "CloneID": "0x0"}, "LoginName": "test", "uid": 123123213, "sid": "", "S3AccessKeys": ["Z7BA7NV7QP2946RAU7QM", "", "", ""], "UsedS3AccessKey": "Z7BA7NV7QP2946RAU7QM", "RequestId": "0x60d100005376", "ConnectionType": "HTTP", "BucketName": "testbucket", "Status": "Success"}
{"ClusterName": "vast5000", "CnodeName": "cnode-3-161", "Time": "2023-03-07T13:28:05.113Z", "ClientIP": "192.0.2.15", "ClientHostname": "", "ClusterVip": "172.23.28.16", "Tenant": "default", "Protocol": "S3", "RPCType": "PUT_BUCKET_VERSIONING", "Path": {"Path": "/testbucket/", "EHandle": "0x5234d00615d8752a", "CloneID": "0x0"}, "LoginName": "user1", "uid": 123123213, "sid": "", "S3AccessKeys": ["**********************", "", "", ""], "UsedS3AccessKey": "Z7BA7NV7QP2946RAU7QM", "RequestId": "0x60d100005377", "ConnectionType": "HTTP", "BucketName": "testbucket", "Status": "Success"}
{"ClusterName": "vast5000", "CnodeName": "cnode-3-161", "Time": "2023-03-07T13:28:12.902Z", "ClientIP": "192.0.2.15", "ClientHostname": "", "ClusterVip": "172.23.28.16", "Tenant": "default", "Protocol": "S3", "RPCType": "PUT_OBJECT", "Path": {"Path": "/testbucket/my-obj-vers", "EHandle": "0x4205b41ae75c758f", "CloneID": "0x0"}, "LoginName": "user1", "uid": 123123213, "sid": "", "S3AccessKeys": ["**********************", "", "", ""], "UsedS3AccessKey": "Z7BA7NV7QP2946RAU7QM", "RequestId": "0x60d100005378", "ConnectionType": "HTTP", "BucketName": "testbucket", "VersionId": "0xfffffffffffffffd", "VersionEHandle": "0xa5419ccec6d9f47", "VersionCloneID": "0x0", "Status": "Success"}
{"ClusterName": "vast5000", "CnodeName": "cnode-3-161", "Time": "2023-03-07T13:28:19.391Z", "ClientIP": "192.0.2.15", "ClientHostname": "", "ClusterVip": "172.23.28.16", "Tenant": "default", "Protocol": "S3", "RPCType": "PUT_OBJECT", "Path": {"Path": "/testbucket/my-obj-vers", "EHandle": "0x4205b41ae75c758f", "CloneID": "0x0"}, "LoginName": "user1", "uid": 123123213, "sid": "", "S3AccessKeys": ["**********************", "", "", ""], "UsedS3AccessKey": "Z7BA7NV7QP2946RAU7QM", "RequestId": "0x60d10000537a", "ConnectionType": "HTTP", "BucketName": "testbucket", "VersionId": "0xfffffffffffffffc", "VersionEHandle": "0x2c88c79f154710fb", "VersionCloneID": "0x0", "Status": "Success"}
The following data are typically logged per audit record (field names as they appear in the JSON record):
| Field | Description |
| --- | --- |
| ClusterName | The name of the cluster. |
| CnodeName | The CNode name. |
| Time | The RPC time. |
| ClientIP | The IP from which the RPC was received. |
| ClientHostname | A blank field reserved for the name of the host that sent the RPC. |
| ClusterVip | The virtual IP on which the RPC was received. |
| Tenant | The tenant to which access was requested. |
| Protocol | The client protocol that sent the RPC. |
| RPCType | The type of protocol operation. |
| Path.Path | The requested path. If Log full path is enabled, the full Element Store path is logged. Otherwise, the path relative to the view is recorded. |
| Path.EHandle | Affected handles. Each file and directory has a handle. |
| Path.CloneID | The clone ID. |
| LoginName | The user name. Appears only if Log username is enabled. |
| uid | The user's NFS UID. |
| sid | The user's SMB user SID. |
| S3AccessKeys | The user's S3 access keys, if applicable. |
| UsedS3AccessKey | The S3 access key that was used in the request. |
| Status | Indicates if the operation was successful or not. |
Some additional data can be recorded for some RPCs. For example, for an object copy request, the SourceObject is logged as follows:
SourceObject: {'BucketName': 'bucket-for-put-object-copy-src-audit870305282', 'Name': {'ObjectName': 'src_obj', 'VersionId': '0xfffffffffffffffd', 'VersionEHandle': '0xac0894e96c5e8f40', 'VersionCloneID': '0x0', 'EHandle': '0x7056ca68968d0a65', 'CloneID': '0x0'}},
In some cases, only a subset of data is recorded; for example, when there is an issue with the request, such as InvalidAccessKeyId or InvalidBucketName.
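Added example (not code from the page or from VAST): a Python script that checks an audit file path against the audit_env_#/audit_log_<silo ID>_<stamp> naming scheme described above, then parses the one-JSON-record-per-line format, counting operations per user, tallying which UsedS3AccessKey each request carried, and listing records whose Status is not Success. The sample records, the NFS WRITE operation name and the non-Success status string are constructed assumptions; the parser tolerates missing fields because failed requests may log only a subset.

```python
import json
import re
from collections import Counter
from pathlib import PurePosixPath

# Naming from the page: audit_env_<#>/audit_log_<silo ID>_<UTC time and date stamp>
AUDIT_FILE_RE = re.compile(r"^audit_log_(?P<silo>\d+)_(?P<stamp>\d{4}-\d{2}-\d{2}_[\d.]+)$")


def parse_audit_path(path):
    """Return (data environment ID, silo ID, timestamp) for an audit file path,
    or None if the path does not follow the documented naming scheme."""
    p = PurePosixPath(path)
    m = AUDIT_FILE_RE.match(p.name)
    env = p.parent.name
    if not m or not env.startswith("audit_env_") or not env[10:].isdigit():
        return None
    return int(env[10:]), int(m.group("silo")), m.group("stamp")


def summarize_records(lines):
    """Parse one JSON audit record per line. Returns operation counts per
    (user, Protocol, RPCType), a count per UsedS3AccessKey, and the list of
    records whose Status is not "Success". Uses .get() throughout because a
    failed request may carry only a subset of the fields."""
    ops, keys, failures = Counter(), Counter(), []
    for raw in lines:
        if not raw.strip():
            continue
        rec = json.loads(raw)
        # LoginName is only present when "Log username" is enabled; fall back to the NFS UID.
        user = rec.get("LoginName") or f"uid:{rec.get('uid')}"
        ops[(user, rec.get("Protocol"), rec.get("RPCType"))] += 1
        if rec.get("UsedS3AccessKey"):
            keys[rec["UsedS3AccessKey"]] += 1
        if rec.get("Status") != "Success":
            failures.append((rec.get("Time"), rec.get("ClientIP"), rec.get("RPCType"), rec.get("Status")))
    return {"ops": ops, "keys": keys, "failures": failures}


# Constructed sample lines modelled on the page's record layout; all values are made up.
# The third line is a partial record with an assumed non-Success status; the fourth has
# no LoginName and an assumed NFS operation name.
SAMPLE_LINES = [
    '{"ClusterName": "vast5000", "CnodeName": "cnode-3-161", "Time": "2023-03-07T13:27:04.703Z", "ClientIP": "192.0.2.15", "Tenant": "default", "Protocol": "S3", "RPCType": "PUT_BUCKET", "Path": {"Path": "", "EHandle": "0x5234d00615d8752a", "CloneID": "0x0"}, "LoginName": "test", "uid": 123123213, "sid": "", "UsedS3AccessKey": "EXAMPLEKEY0000000001", "BucketName": "testbucket", "Status": "Success"}',
    '{"ClusterName": "vast5000", "CnodeName": "cnode-3-161", "Time": "2023-03-07T13:28:12.902Z", "ClientIP": "192.0.2.15", "Tenant": "default", "Protocol": "S3", "RPCType": "PUT_OBJECT", "Path": {"Path": "/testbucket/my-obj-vers", "EHandle": "0x4205b41ae75c758f", "CloneID": "0x0"}, "LoginName": "user1", "uid": 123123213, "sid": "", "UsedS3AccessKey": "EXAMPLEKEY0000000001", "BucketName": "testbucket", "Status": "Success"}',
    '{"ClusterName": "vast5000", "CnodeName": "cnode-3-161", "Time": "2023-03-07T13:29:00.000Z", "ClientIP": "198.51.100.7", "Tenant": "default", "Protocol": "S3", "RPCType": "PUT_OBJECT", "Status": "Failure"}',
    '{"ClusterName": "vast5000", "CnodeName": "cnode-3-161", "Time": "2023-03-07T13:30:00.000Z", "ClientIP": "192.0.2.20", "Tenant": "default", "Protocol": "NFS", "RPCType": "WRITE", "Path": {"Path": "/data/report.txt", "EHandle": "0x1111111111111111", "CloneID": "0x0"}, "uid": 1001, "sid": "", "Status": "Success"}',
]

if __name__ == "__main__":
    print(parse_audit_path("audit_env_1/audit_log_13_2022-07-25_10.06.22.971753164"))
    print(summarize_records(SAMPLE_LINES))
```

To run it against a real mounted audit view, replace SAMPLE_LINES with the lines read from each file that parse_audit_path accepts.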