October 20th, 2015 04:00
Isilon SMB audit : SID to UserID conversion
I have a customer using Splunk as a SIEM to keep all the audit logs. We proposed Isilon with CEE as the log forwarder to Splunk. However, the Isilon SMB audit log stores the SID for each event; it does not contain the UserID in the audit log.
Customer is looking for the way to convert SID like this:
S-1-5-21-3623811015-3361044348-30300820-1013
To Windows domain userID like this:
DOMAIN\useraccount
Is there any solution to convert the SID to a UserID for the Isilon audit log before we forward it to Splunk, or is there any solution to map the SID to the UserID?
Thanks,
johnsonka
October 20th, 2015 08:00
Hello sengjira,
I am not aware of a SID translation prior to moving to your audit server, but in investigating events, the customer can always run the following from a cluster node:
# isi auth users view --sid=
You can also look in to a translation from the audit vendor (i.e. can it connect to AD and make the translation for you.) Please let me know if there is anything else I can do for you.
scott_owens
October 20th, 2015 14:00
The only thing that I would add is that you also want to be sure to specify the access zone, with the command provided by Katie.
# isi auth users view --sid= --zone
Samedoo
December 26th, 2019 02:00
Hello All,
If the zone is configured for audit, you could find who has changed, deleted or created the files with a command like the one below.
First, you need to search the auditing time (changing, creating, deleting), maybe in a custom time range:
# isi_audit_viewer -t protocol -s "2019-12-17 00:00:01" -e "2019-12-19 23:59:00" | grep "xxxxxx"
After finding the SID, you could find out the person:
# isi auth users view --sid=..........
regards,
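Added example (not code from the thread, from Dell, or from Isilon): a small Python enricher that does on the forwarding side what the replies do by hand with `isi auth users view`. It extracts every SID from an event line, resolves it through a cached lookup, and appends a `user="DOMAIN\name"` field for Splunk while keeping the original SID as evidence. The directory table and the sample event lines are constructed for the example; the real Isilon/CEE record format and the output format of `isi auth users view --sid=<sid> --zone <zone>` are not shown in the thread, so the `offline_resolver` function is a stand-in that a deployment would replace with a wrapper around that command (or the OneFS API) for the right access zone.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Generic Windows SID syntax: S-1-<identifier authority>-<sub-authorities>.
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+){1,14}\b")
# Domain account SIDs: S-1-5-21-<d1>-<d2>-<d3>-<RID>; the first four parts identify the domain.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_domain_rid(sid: str) -> Optional[Tuple[str, int]]:
    """Split a domain account SID into (domain identifier, RID); None for other SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    if m is None:
        return None
    d1, d2, d3, rid = m.groups()
    return f"S-1-5-21-{d1}-{d2}-{d3}", int(rid)


# Constructed directory (hypothetical). In production the resolver would run
# `isi auth users view --sid=<sid> --zone <zone>` on the cluster and parse its
# output; that output format is not shown in the thread, so it is not assumed here.
CONSTRUCTED_DIRECTORY: Dict[str, str] = {
    "S-1-5-21-3623811015-3361044348-30300820-1013": "DOMAIN\\useraccount",
    "S-1-5-21-3623811015-3361044348-30300820-500": "DOMAIN\\Administrator",
}
RESOLVER_CALLS: List[str] = []  # records every lookup so the caching can be observed


def offline_resolver(sid: str) -> Optional[str]:
    """Stand-in for the cluster lookup: returns DOMAIN\\name, or None if unknown."""
    RESOLVER_CALLS.append(sid)
    return CONSTRUCTED_DIRECTORY.get(sid)


class SidEnricher:
    """Appends user="DOMAIN\\name" after each resolvable SID in a log line."""

    def __init__(self, resolver: Callable[[str], Optional[str]]) -> None:
        self.resolver = resolver
        self.cache: Dict[str, Optional[str]] = {}  # misses are cached too (negative cache)
        self.unresolved: Dict[str, int] = {}  # SID -> number of events left unmapped

    def resolve(self, sid: str) -> Optional[str]:
        if sid not in self.cache:
            self.cache[sid] = self.resolver(sid)
        name = self.cache[sid]
        if name is None:
            self.unresolved[sid] = self.unresolved.get(sid, 0) + 1
        return name

    def enrich_line(self, line: str) -> str:
        def replace(m: "re.Match[str]") -> str:
            sid = m.group(0)
            name = self.resolve(sid)
            # Keep the SID so the original evidence is preserved; add the name as a
            # key=value field that Splunk extracts automatically.
            return sid if name is None else f'{sid} user="{name}"'
        return SID_RE.sub(replace, line)

    def enrich(self, lines: Iterable[str]) -> List[str]:
        return [self.enrich_line(line) for line in lines]


# Constructed sample events (not the real Isilon/CEE record format).
SAMPLE_LINES = [
    'time="2019-12-17 10:14:02" protocol=smb op=create path="/ifs/data/q4.xlsx" sid=S-1-5-21-3623811015-3361044348-30300820-1013',
    'time="2019-12-17 10:15:40" protocol=smb op=delete path="/ifs/data/old.doc" sid=S-1-5-21-3623811015-3361044348-30300820-500',
    'time="2019-12-17 10:16:11" protocol=smb op=rename path="/ifs/data/a.txt" sid=S-1-5-21-3623811015-3361044348-30300820-1106',
    'time="2019-12-17 10:17:03" protocol=smb op=write path="/ifs/data/q4.xlsx" sid=S-1-5-21-3623811015-3361044348-30300820-1013',
    'time="2019-12-17 10:18:30" protocol=smb op=delete path="/ifs/data/b.txt" sid=S-1-5-21-3623811015-3361044348-30300820-1106',
]


def enrich_sample() -> Tuple[List[str], Dict[str, int]]:
    """Run the enricher over the constructed sample; returns (lines, unresolved SIDs)."""
    enricher = SidEnricher(offline_resolver)
    return enricher.enrich(SAMPLE_LINES), dict(enricher.unresolved)


if __name__ == "__main__":
    lines, unresolved = enrich_sample()
    for line in lines:
        print(line)
    for sid, count in unresolved.items():
        domain = split_domain_rid(sid)
        print(f"unresolved {sid} x{count} (domain {domain[0] if domain else '?'}): check the access zone")
```

Two design points matter for a SIEM feed. The cache stores misses as well as hits, because shelling out to the cluster for every event does not scale and an unknown SID would otherwise be re-queried on each occurrence. Unresolved SIDs are counted rather than dropped: in practice they usually mean the lookup was run against the wrong access zone (the point made about `--zone` in the thread) or the account has since been deleted, and the domain identifier from `split_domain_rid` tells you which domain, and therefore which zone, to check.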