
July 22nd, 2016 06:00

Isilon Event logs only for Create file | folder or rename file | folder

Hi,

We have a requirement where the client needs to check the last couple of days of logs to verify who renamed or created a new file or folder. We have already enabled audit logs on the Isilon storage device.

But when we verify with the command: isi_audit_viewer -t protocol -s "2016-01-01 12:00:00" -e "2016-07-08 00:00:00"

it gives us a huge list of all the events, which makes us load the file for hours; after loading the file we see lots of events on the particular share.

So is there any way to customize the above command to a specific event with: "eventType":"create","createResult":"OPENED",

Please help...!!!


July 22nd, 2016 09:00

Hello Dhaneswar,

Unfortunately the isi_audit_viewer command leaves something to be desired. It is in place as a means but really shouldn't be the end goal. If you are looking to simplify this I would highly recommend getting a Varonis endpoint server to help you parse the output into something more manageable, as that is the intended functionality of protocol auditing. That being said, the only way I am aware of to make this happen is sharpening up those grep-fu commands.

I can tell you based on your output that you are not checking the last few days, more like months, from January to July, so I would expect that output to be very large if you have daily users working for 6+ months in those directories.

Here are some examples of me grepping on my test cluster that did return output using the same dates as you. You should also be aware that each node has its own audit logs, so you may have to run these on each node or use the -n flag to check a specific node.

grepping for opened on a single node:

isi_audit_viewer -t protocol -s "2016-01-01 12:00:00" -e "2016-07-08 00:00:00" |grep "open"

grepping, from node 3, node 1's audit logs for open:

isi_audit_viewer -n 1 -t protocol -s "2016-01-01 12:00:00" -e "2016-07-08 00:00:00" |grep "open"

this is my command for both create and opened (it returned many more results so it may help to keep your focus narrow fyi)

isi_audit_viewer -n 1 -t protocol -s "2016-01-01 12:00:00" -e "2016-07-08 00:00:00" |grep -E "create|open"

I hope that helps you out a bit, and remember, if you plan or foresee that you will be doing this often, either sharpen those grep skills up or plan on getting a Varonis license to assist you in parsing this output.

Cheers,

D_Tracy
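Added example (not from the original thread, and not Isilon's own tooling): the same grep-based narrowing the answer describes, packaged as small shell functions so the filter can be tested on a constructed sample before being fed from isi_audit_viewer on a node. Two things worth seeing in code rather than prose: the alternation must be grep's own (-E 'create|open'), because a shell || between two words is a shell OR and never reaches grep; and on SMB a file open and a file create are the same CREATE request, so "eventType":"create" alone matches every open, and the createResult field is what separates a genuinely new file from an existing one being opened. The sample lines below are constructed for this example; the "eventType" and "createResult" keys match the snippet in the question, while the timestamp prefix, the other keys (fileName, userSID, newFileName, clientIPAddr) and the one-record-per-line layout are assumptions about the viewer's output.

```shell
#!/bin/sh
# Added example: narrowing isi_audit_viewer -t protocol output with grep.
# Not Isilon/OneFS code. Run per node (-n), since each node keeps its own log.

# Constructed sample audit lines (NOT captured from a real cluster).
# Key names other than eventType/createResult are assumed for illustration.
SAMPLE_AUDIT='[2016-07-07T09:12:01Z] {"protocol":"SMB2","eventType":"create","createResult":"CREATED","isDirectory":false,"fileName":"\\ifs\\data\\share1\\new.docx","userSID":"S-1-5-21-1-2-3-1001","clientIPAddr":"10.0.0.15"}
[2016-07-07T09:12:05Z] {"protocol":"SMB2","eventType":"read","fileName":"\\ifs\\data\\share1\\new.docx","userSID":"S-1-5-21-1-2-3-1001","clientIPAddr":"10.0.0.15"}
[2016-07-07T09:13:10Z] {"protocol":"SMB2","eventType":"create","createResult":"OPENED","isDirectory":false,"fileName":"\\ifs\\data\\share1\\old.xlsx","userSID":"S-1-5-21-1-2-3-1002","clientIPAddr":"10.0.0.22"}
[2016-07-07T09:14:00Z] {"protocol":"SMB2","eventType":"rename","fileName":"\\ifs\\data\\share1\\old.xlsx","newFileName":"\\ifs\\data\\share1\\archive.xlsx","userSID":"S-1-5-21-1-2-3-1002","clientIPAddr":"10.0.0.22"}
[2016-07-07T09:15:30Z] {"protocol":"SMB2","eventType":"delete","fileName":"\\ifs\\data\\share1\\tmp.txt","userSID":"S-1-5-21-1-2-3-1003","clientIPAddr":"10.0.0.31"}
[2016-07-07T09:16:45Z] {"protocol":"SMB2","eventType":"create","createResult":"OPENED","isDirectory":true,"fileName":"\\ifs\\data\\share1\\projects","userSID":"S-1-5-21-1-2-3-1001","clientIPAddr":"10.0.0.15"}'

# Keep only records whose eventType is one of the given alternatives.
# $1 is an extended-regex alternation, e.g. 'create|rename'. Anchoring on the
# quoted key avoids matching "create" inside a path or a user name.
filter_event_types() {
    grep -E "\"eventType\":\"($1)\""
}

# Keep only create events with the given createResult (e.g. OPENED, CREATED),
# so an open of an existing file can be told apart from a new file.
filter_create_result() {
    grep -E "\"eventType\":\"create\"" | grep -E "\"createResult\":\"$1\""
}

# Reduce a record to: timestamp eventType userSID fileName. Answers the
# "who created or renamed what" question without reading whole JSON lines.
# Assumes the key order used in the constructed sample.
summarize() {
    sed -E 's/^\[([^]]+)\].*"eventType":"([^"]+)".*"fileName":"([^"]+)".*"userSID":"([^"]+)".*$/\1 \2 \4 \3/'
}

# Count lines; prints 0 instead of failing when nothing matched.
count_lines() {
    grep -c . || true
}

# Stand-alone demo on the constructed sample: creates and renames, summarized.
printf '%s\n' "$SAMPLE_AUDIT" | filter_event_types 'create|rename' | summarize

# On a node, feed the real viewer instead of the sample (narrow the window
# to the days actually under investigation, per the answer above):
# isi_audit_viewer -n 1 -t protocol -s "2016-07-05 00:00:00" -e "2016-07-08 00:00:00" \
#     | filter_event_types 'create|rename' | summarize
```

The key-anchored pattern matters in practice: a bare grep "create" also fires on any path or account containing that word, and grep "open" misses records where the result is spelled OPENED but no lowercase "open" appears elsewhere on the line. If the viewer on your OneFS version emits a different key order, adjust the sed in summarize; the grep filters do not depend on order.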


July 26th, 2016 08:00

Thanks a lot Tracy, it worked! Many thanks for your explanation!
