55 Posts


March 16th, 2015 14:00

CEE Isilon Audit logging to Splunk - got it to work but what do the codes mean?

What do the codes and events in RED mean?

This is the CEE audit output in Splunk

<CheckEventRequest>
  <EventList count="1">
    <Event event="0x80" path="\\test1\onefs$\ifs\home\user1-smb\test2\random-file.5259" flag="0x2" protocol="0" server="wbtest1" clientIP="xxx.xxx.xxx.xxx" serverIP="xxx.xxx.xxx.xxx" timeStamp="0x55073C93000F328F" userSid="S-1-5-21-1317685450-932939914-1801392649-121692" numberOfReads="0" bytesRead="0" bytesWritten="1928192" ntStatus="0x0"/>
  </EventList>
</CheckEventRequest>

This is the syslog audit output in Splunk

2015-03-16T16:06:41-05:00 x-xxx-xxx-xxx-xxx.our.domain.com audit_protocol[7235]: S-1-5-21-1317685450-932939914-1801392649-121692|1|160.94.205.35|OPEN|SUCCESS|128|000000080ce22038|FILE|OPENED|/ifs/home/smb/test2/random-file.731

The CEE audit output is MONUMENTAL, millions of events a day for the traffic created by 4 hosts.  We have thousands of CIFS users accessing our cluster at any one time; a production setup of this would require another Isilon cluster to hold the logs for the production cluster.  The syslog audit output is very manageable (hundreds of events a day per host).  Unless those codes mean something to someone and we should be capturing that, I don't see the reason to have the CEE audit logging going on.  I have all audit options on, which is probably not reasonable, but I know our security people: if we ask them 'what should we be auditing?' they will ask 'can we audit everything?'  And this doesn't even get us into what NFS auditing will look like when User Space NFS comes along.

60 Posts

March 18th, 2015 09:00

For the Protocol:

0 = CIFS/SMB
1 = NFS
2 = FTP

The Event ID corresponds to the CEPP_EVENTTYPE, which are:

OPEN_FILE_NOACCESS    0x00000001
OPEN_FILE_READ        0x00000002
OPEN_FILE_WRITE       0x00000004
CREATE_FILE           0x00000008
CREATE_DIRECTORY      0x00000010
DELETE_FILE           0x00000020
DELETE_DIRECTORY      0x00000040
CLOSE_MODIFIED        0x00000080
CLOSE_UNMODIFIED      0x00000100
RENAME_FILE           0x00000200
RENAME_DIRECTORY      0x00000400
SETACL_FILE           0x00000800
SETACL_DIRECTORY      0x00001000
OPEN_DIRECTORY        0x00002000
CLOSE_DIRECTORY       0x00004000
FILE_READ             0x00008000
FILE_WRITE            0x00010000
SETSEC_FILE           0x00020000
SETSEC_DIRECTORY      0x00040000
ALL                   0xFFFFFFFF

An NT status of 0 = STATUS_SUCCESS.

Let me see if I can locate the information for Flags.


55 Posts

March 19th, 2015 09:00

Awesome!! That's exactly what I was looking for.  Yes the flags information would be good to have too. Is this on EMC's website because I couldn't find it anywhere?

2 Posts

November 24th, 2015 02:00

For me the lookup is the following:

event,eventDescription
0x1,ReadSec
0x2,ReadFile
0x4,WriteFileRequest
0x8,CreateFile
0x10,RenameFile
0x20,DeleteFile
0x200,NewFileName
0x400,WriteFile
0x10000,CreateDir
0x20000,RenameDir
0x40000,DeleteDir
0x100000,ReadDirSec

But this is only my best interpretation; I'd rather use an official EMC reference.

Anyone aware of where the official table might be hidden?

Rgds

60 Posts

November 24th, 2015 08:00

What version of OneFS are you looking for? It varies slightly between 7.1.x and 7.2.x. The table will be published in the Isilon Audit CEE White Paper.

2 Posts

January 20th, 2016 08:00

Hi,

We use 7.2.x.

Could you tell me where you have published the white paper?

Regards


55 Posts

May 16th, 2016 08:00

Isilon OneFS v7.2.1.1 would be a good starting point for us.
