Unsolved
17 Posts
1
2058
How to audit Isilon file creation
Hi
I need to log / audit the creation of files on the Isilon (OneFS 7.1.0.3).
I enabled the audit for protocol:
isilon1-1# isi audit settings view
Protocol Auditing Enabled: Yes
Audited Zones: System
CEE Server URIs: -
Hostname:
I enabled logging of all successful events:
isilon1-1# isi zone zones view --zone=system
Name: System
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: -
Local Provider: Yes
NetBIOS Name:
All SMB Shares: Yes
All Auth Providers: Yes
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Audit Success: close, create, delete, get_security, logoff, logon, read, rename, set_security, tree_connect, write
Audit Failure: create, delete, rename, set_security
Zone ID: 1
Config Auditing Enabled: No
And the system logs a lot.
With #isi_audit_viewer -t protocol
the system shows a lot of information, but not the filename:
[...]
[25169: Fri Aug 29 11:51:32 2014] {"id":"0ea70907-2f62-11e4-929f-00074308ed3e","timestamp":1409305892708587,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":4,"ntStatus":0,"handle":""}}
[...]
How can I log the filename of a created file?
Chris
Peter_Sero
1.2K Posts
0
August 29th, 2014 04:00
That "close" event refers to an earlier "open" event which has the file name & path.
Seems you are not logging the "open" events, though
In general, file names are included for those events where
they are explicitly specified by the client,
like open(filename, ...), or create (filename, ...)
Happy logging
-- Peter
Peter_Sero
1.2K Posts
0
August 29th, 2014 05:00
So open and create are now showing, but also with an empty filename?
chwin
17 Posts
0
August 29th, 2014 05:00
Hi
thank you for the answer, but I think it's something else.
The close event which refers to an open was in the old logging in /var/log/audit...
Because I log all events for testing now, I can't believe that I miss something:
#isi zone zones modify --zone=system --audit-success=all
#isi zone zones modify --zone=system --audit-failure=all
Chris
chwin
17 Posts
0
August 29th, 2014 06:00
Hi,
sorry, there is a filename now. It's in line 2328.
But it's marked as a rename, not create......
chwin
17 Posts
0
August 29th, 2014 06:00
Hi
logging of "all" is enabled, but no open is logged.
This is the output of creating one file in the share:
[2310: Fri Aug 29 15:17:08 2014] {"id":"c74cb6e7-2f7e-11e4-929f-00074308ed3e","timestamp":1409318228403589,"clusterNode":"000001","payloadType":"4b66b1eb-6e1a-416d-b80c-5a642a603a0b","payload":{"zoneID":1,"zoneName":"System","eventType":"tree-connect","clientIPAddr":"192.168.178.145","userSID":"S-1-22-1-0","ntStatus":0}}
[2311: Fri Aug 29 15:17:08 2014] {"id":"c74d2ea5-2f7e-11e4-929f-00074308ed3e","timestamp":1409318228406652,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2312: Fri Aug 29 15:17:09 2014] {"id":"c7f45f6a-2f7e-11e4-929f-00074308ed3e","timestamp":1409318229502352,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2313: Fri Aug 29 15:17:09 2014] {"id":"c7f7b5ca-2f7e-11e4-929f-00074308ed3e","timestamp":1409318229524223,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2314: Fri Aug 29 15:17:09 2014] {"id":"c7f8d63c-2f7e-11e4-929f-00074308ed3e","timestamp":1409318229531607,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2315: Fri Aug 29 15:17:11 2014] {"id":"c93cfa0d-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231655892,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2316: Fri Aug 29 15:17:11 2014] {"id":"c93d2425-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231656969,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2317: Fri Aug 29 15:17:11 2014] {"id":"c93d77c0-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231659108,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2318: Fri Aug 29 15:17:11 2014] {"id":"c93e5a25-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231664905,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2319: Fri Aug 29 15:17:11 2014] {"id":"c93f458e-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231670931,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2320: Fri Aug 29 15:17:11 2014] {"id":"c93f6350-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231671692,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2321: Fri Aug 29 15:17:11 2014] {"id":"c940dbc5-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231681329,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2322: Fri Aug 29 15:17:11 2014] {"id":"c94b2e49-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231748979,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2323: Fri Aug 29 15:17:11 2014] {"id":"c94b4ab8-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231749705,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2324: Fri Aug 29 15:17:11 2014] {"id":"c94c8809-2f7e-11e4-929f-00074308ed3e","timestamp":1409318231757830,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2325: Fri Aug 29 15:17:22 2014] {"id":"cf682bf6-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242005304,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2326: Fri Aug 29 15:17:22 2014] {"id":"cf68acaf-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242008598,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2327: Fri Aug 29 15:17:22 2014] {"id":"cf68d326-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242009582,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2328: Fri Aug 29 15:17:22 2014] {"id":"cf697bf7-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242013904,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"rename","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","newFileName":"\\home\\user\\test_xyz","userSID":"S-1-22-1-0","ntStatus":0,"handle":""}}
[2329: Fri Aug 29 15:17:22 2014] {"id":"cf69965e-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242014580,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2330: Fri Aug 29 15:17:22 2014] {"id":"cf69b02c-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242015241,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2331: Fri Aug 29 15:17:22 2014] {"id":"cf69f1e8-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242016924,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2332: Fri Aug 29 15:17:22 2014] {"id":"cf6a625a-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242019802,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2333: Fri Aug 29 15:17:22 2014] {"id":"cf6af15e-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242023462,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2334: Fri Aug 29 15:17:22 2014] {"id":"cf6b334d-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242025152,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2335: Fri Aug 29 15:17:22 2014] {"id":"cf6bf119-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242030010,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2336: Fri Aug 29 15:17:22 2014] {"id":"cf706136-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242059095,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
I think that's a bug.
Chris
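The exchange above hinges on which audit records carry a path at all: Peter's point is that a name is only present where the client supplied one (open, create, rename), while Chris's output shows a stream of "close" records with an empty fileName and a single "rename" whose only path is in newFileName. The following parser, written for this page and not part of the thread or of OneFS, pulls exactly those records out of `isi_audit_viewer -t protocol` output. It assumes the line layout shown above (`[<sequence>: <ctime>] <JSON>`); the sample input is constructed, and the "create" record in it is an assumed example of a named event, since the thread never shows one.

```python
"""Extract file-naming events from `isi_audit_viewer -t protocol` output (OneFS 7.1.x format).

Added example for this thread, not OneFS or EMC code. Line format assumed from the
posted output: "[<sequence>: <ctime>] <JSON record>".
"""
import json
import re
import sys
from collections import Counter

LINE_RE = re.compile(r"^\[(\d+): ([^\]]+)\] (\{.*\})\s*$")

# Constructed sample, not real cluster output. The first three records mirror the
# tree-connect / empty close / rename lines posted in the thread; the "create" record
# is an assumed illustration of what a named event looks like. The last line shows
# that non-record lines (banners, "[...]" markers) are skipped.
SAMPLE = r'''
[2310: Fri Aug 29 15:17:08 2014] {"id":"c74cb6e7-2f7e-11e4-929f-00074308ed3e","timestamp":1409318228403589,"clusterNode":"000001","payloadType":"4b66b1eb-6e1a-416d-b80c-5a642a603a0b","payload":{"zoneID":1,"zoneName":"System","eventType":"tree-connect","clientIPAddr":"192.168.178.145","userSID":"S-1-22-1-0","ntStatus":0}}
[2311: Fri Aug 29 15:17:08 2014] {"id":"c74d2ea5-2f7e-11e4-929f-00074308ed3e","timestamp":1409318228406652,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"close","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","userSID":"S-1-22-1-0","numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"handle":""}}
[2328: Fri Aug 29 15:17:22 2014] {"id":"cf697bf7-2f7e-11e4-929f-00074308ed3e","timestamp":1409318242013904,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"rename","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"","newFileName":"\\home\\user\\test_xyz","userSID":"S-1-22-1-0","ntStatus":0,"handle":""}}
[2340: Fri Aug 29 15:18:01 2014] {"id":"00000000-0000-4000-8000-000000000001","timestamp":1409318281000000,"clusterNode":"000001","payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"zoneID":1,"zoneName":"System","eventType":"create","isDirectory":false,"clientIPAddr":"192.168.178.145","fileName":"\\home\\user\\report.docx","userSID":"S-1-22-1-0","ntStatus":0,"handle":""}}
not a log line
'''


def parse_line(line):
    """Split the sequence prefix from the JSON record; None for lines that are not records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seq, ctime, body = m.groups()
    rec = json.loads(body)
    rec["seq"] = int(seq)
    rec["ctime"] = ctime
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def event_counts(records):
    """How many records of each eventType; shows the 'all closes' pattern at a glance."""
    return Counter(r["payload"]["eventType"] for r in records)


def empty_name_events(records):
    """Sequence numbers of records that have a fileName field but no value (the gap in the thread)."""
    return [r["seq"] for r in records
            if "fileName" in r["payload"] and not r["payload"]["fileName"]]


def named_events(records):
    """Records carrying a client-supplied path: fileName, or newFileName for a rename."""
    out = []
    for r in records:
        p = r["payload"]
        path = p.get("newFileName") or p.get("fileName")
        if not path:
            continue
        out.append({"seq": r["seq"], "when": r["ctime"], "event": p["eventType"],
                    "path": path, "src": p.get("fileName", ""),
                    "client": p["clientIPAddr"], "sid": p["userSID"],
                    "ok": p.get("ntStatus") == 0})
    return out


def new_file_candidates(records):
    """Creations plus renames whose source name was not logged.

    In the posted output a file created through the share surfaces only as a rename
    with an empty fileName and the final path in newFileName, so that shape is
    treated as a creation candidate (a heuristic for this log version, not an
    OneFS guarantee)."""
    return [e for e in named_events(records)
            if e["event"] == "create" or (e["event"] == "rename" and not e["src"])]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    recs = parse_log(text)
    print("event counts:", dict(event_counts(recs)))
    print("records with empty fileName:", empty_name_events(recs))
    for e in new_file_candidates(recs):
        print(f"{e['seq']} {e['when']} {e['event']:7} {e['client']} {e['sid']} {e['path']}")
```

Run it as `isi_audit_viewer -t protocol | python3 audit_names.py` on a node, or with no stdin to see the constructed sample. On the 7.1.0.3 output in the thread it reports one candidate (sequence 2328, from the rename) and lists every close as an empty-name record, which is the evidence to hand to Support; once a release logs open/create with a populated fileName, the same script picks those up without changes.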
Peter_Sero
1.2K Posts
1
September 1st, 2014 03:00
That's all 'closes' and one 'rename'... still pretty useless I'd say.
There have been fixes for auditing in most 7.1.0.x releases, including the most recent 7.1.0.4(!)
Have you tried auditing with a dedicated, non-System zone?
Just being aware that 7.1.1 finally kicks SMB out of the System zone, after all.
Anyway, you might also be investigating with Support; let us know what you find.
Cheers
-- Peter
dynamox
2 Intern
20.4K Posts
0
September 1st, 2014 05:00
what do you mean ?
Peter_Sero
1.2K Posts
0
September 1st, 2014 07:00
Well, trivially not if you only have just a single zone, the System zone. But with multiple access zones for SMB, which must have non-overlapping paths in 7.1.1, wouldn't a System zone (for NFS) rooted at /ifs break the "non-overlapping" rule for SMB access?
chwin
17 Posts
1
September 10th, 2014 01:00
Hi
I tested it again with 7.1.1 and a beta version and it's getting better. The newer the version the more information is in the logfile.
I think it's just a bug in the current versions.
Chris