Unsolved

1 Rookie

30 Posts

November 23rd, 2023 10:40

isilon audit write events only in system zone but not in others

When checking audit with isi_audit_viewer:

In the System zone, when creating or modifying a file, I see a write event that indicates the file was modified and a create event that indicates a new file was created.

[859: Thu Nov 23 10:23:47 2023] {"id":"015cd019-89e2-11ee-900a-00505698cfdb","timestamp":1700731427353812,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":1,"zoneName":"System","eventType":"create","detailType":"create-file","createResult":"CREATED","isDirectory":false,"desiredAccess":1180054,"clientIPAddr":"10.99.0.10","createDispo":5,"userSID":"S-1-5-21-1426247521-2838669014-2602748498-1110","userID":1000000,"fileName":"\\ifs\\data\\qa_share\\qa\\agonzalez\\file1","ntStatus":0,"fsId":1,"partialPath":"qa\\agonzalez\\file1","rootInode":4295098717,"inode":4295036872}}

[860: Thu Nov 23 10:23:47 2023] {"id":"015ec91c-89e2-11ee-900a-00505698cfdb","timestamp":1700731427366741,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":1,"zoneName":"System","eventType":"write","detailType":"write-file","isDirectory":false,"clientIPAddr":"10.99.0.10","fileName":"\\ifs\\data\\qa_share\\qa\\agonzalez\\file1","userSID":"S-1-5-21-1426247521-2838669014-2602748498-1110","userID":1000000,"bytesWritten":8,"ntStatus":0,"fsId":1,"partialPath":"qa\\agonzalez\\file1","rootInode":4295098717,"inode":4295036872}}

But in other zones that are not System, when creating a new file or modifying one, I see only a create - create-file audit event but no write event. When a file is just edited and modified, it logs as created and no write event is triggered. Why? How can I configure write events for other zones?

[935: Thu Nov 23 11:34:04 2023] {"id":"d30b32e8-89eb-11ee-900a-00505698cfdb","timestamp":1700735644611048,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":7,"zoneName":"test","eventType":"create","detailType":"create-file","createResult":"CREATED","isDirectory":false,"desiredAccess":1180054,"clientIPAddr":"10.0.0.49","createDispo":3,"userSID":"S-1-5-21-1426247521-2838669014-2602748498-1110","userID":1000001,"fileName":"\\ifs\\test\\qasharetest\\qa\\test\\test1.txt","ntStatus":0,"fsId":1,"partialPath":"test1.txt","rootInode":4295627557,"inode":4295232390}}

Moderator

8.7K Posts

November 27th, 2023 14:24

Hi,

Thanks for your question.

Check out this article, it should help you test why it isn’t working. You will need to log in. https://dell.to/46xhoBx

Let us know if you have any additional questions.

3 Apprentice

593 Posts

December 4th, 2023 02:24

@alx123,

What does "isi audit settings global view" say?

Example:
isilon3-2% isi audit settings global view
Protocol Auditing Enabled: Yes
            Audited Zones: System
          CEE Server URIs: -
                 Hostname:
  Config Auditing Enabled: No
    Config Syslog Enabled: Yes
    Config Syslog Servers: -
  Protocol Syslog Servers: 1.1.1.1
     Auto Purging Enabled: Yes
         Retention Period: 180
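
To confirm over a longer capture which zones log create events but never write events, the isi_audit_viewer output quoted in the question can be tallied per zone. This is an added example, not part of the thread or of Dell's tooling; the sample lines are constructed and shortened, and the function names are hypothetical.

```python
import json
import re
from collections import Counter, defaultdict

# isi_audit_viewer prints one "[<seq>: <date>] <JSON event>" record per line.
LINE_RE = re.compile(r"^\[(\d+): ([^\]]+)\]\s+(\{.*\})\s*$")

# Constructed sample modelled on the lines quoted in the thread
# (ids and paths are made up; the last record is deliberately truncated).
SAMPLE = r'''
[1: Thu Nov 23 10:00:00 2023] {"id":"a1","payload":{"protocol":"SMB2","zoneID":1,"zoneName":"System","eventType":"create","detailType":"create-file","fileName":"\\ifs\\data\\f1"}}
[2: Thu Nov 23 10:00:01 2023] {"id":"a2","payload":{"protocol":"SMB2","zoneID":1,"zoneName":"System","eventType":"write","detailType":"write-file","fileName":"\\ifs\\data\\f1"}}
[3: Thu Nov 23 11:00:00 2023] {"id":"a3","payload":{"protocol":"SMB2","zoneID":7,"zoneName":"test","eventType":"create","detailType":"create-file","fileName":"\\ifs\\test\\t1"}}
[4: Thu Nov 23 11:05:00 2023] {"id":"a4","payload":{"protocol":"SMB2","zoneID":7,"zoneName":"test","eventType":"create","detailType":"create-file","fileName":"\\ifs\\test\\t1"}}
[5: Thu Nov 23 11:06:00 2023] {"id":"a5","payload":{"zoneName":"test","eventType":"write"}
'''

def parse_events(text):
    """Yield (seq, payload) for each well-formed record; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            event = json.loads(m.group(3))
        except json.JSONDecodeError:
            continue  # truncated or corrupted record
        payload = event.get("payload")
        if isinstance(payload, dict):
            yield int(m.group(1)), payload

def tally_by_zone(text):
    """Return {zoneName: Counter({eventType: count})}."""
    counts = defaultdict(Counter)
    for _, p in parse_events(text):
        counts[p.get("zoneName", "?")][p.get("eventType", "?")] += 1
    return counts

def zones_missing(text, expected="write", seen="create"):
    """Zones that logged `seen` events but no `expected` events."""
    tally = tally_by_zone(text)
    return sorted(z for z, c in tally.items() if c[seen] and not c[expected])

if __name__ == "__main__":
    for zone, c in sorted(tally_by_zone(SAMPLE).items()):
        print(zone, dict(c))
    print("create but no write:", zones_missing(SAMPLE))
```

On a cluster, pass the saved viewer output to these functions in place of SAMPLE.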
