Start a Conversation


Go to Solution


2 Posts


May 11th, 2023 02:00

SMB Log Formatting

We started ingesting Isilon SMB audit events in our SIEM and we're working on developing parsers for it, but need to understand what every piece in the event represents.


<30>1 2023-05-10T22:44:47.000000-04:00 USXX-ISI-C021-5(id2) audit_protocol 5185 - - S-1-5-21-3108209963-2641128813-111641110-799630|1000008|Zone-XXXXX|36||SMB|CLOSE|SUCCESS|FILE|0:0|0:0|5912317292|/ifs/XXX0161/FNP/FNP8_5/fs18/system/InboundLock_1683771138145

The ones I'm trying to understand are:

- 5185

- S-1-5-21-3108209963-2641128813-111641110-799630

- 1000008

- 36

- 0:0

- 5912317292

If anyone could help, it would be really appreciated.

117 Posts

May 11th, 2023 05:00

In your example, 5185 is the PID of the isi_audit_syslog process on the node that generated the audit event.  The audit payload starts with S-1-5-21-3108209963-2641128813-111641110-799630 which is the user SID.  Details of all fields is documented at this link:



2 Posts

May 15th, 2023 04:00

Thanks Yan.   That answers 95% of the questions.  I still don't see where the [0:0][0:0] mean in the logs, I see it's under the CLOSE options and falls on fields 10 and 11 which are bytes read and bytes write, but if one of the 0's is the bytes, what's the other 0 after the colon?

117 Posts

May 15th, 2023 06:00

bytesRead: Format is x:y where x = total_bytes y = number of reads
bytesWritten: Format is x:y where x = total_bytes y = number of writes

No Events found!