2 Posts
0
418
SMB Log Formatting
We started ingesting Isilon SMB audit events in our SIEM and we're working on developing parsers for it, but need to understand what every piece in the event represents.
Sample:
<30>1 2023-05-10T22:44:47.000000-04:00 USXX-ISI-C021-5(id2) audit_protocol 5185 - - S-1-5-21-3108209963-2641128813-111641110-799630|1000008|Zone-XXXXX|36|10.1.1.1|SMB|CLOSE|SUCCESS|FILE|0:0|0:0|5912317292|/ifs/XXX0161/FNP/FNP8_5/fs18/system/InboundLock_1683771138145
The ones I'm trying to understand are:
- 5185
- S-1-5-21-3108209963-2641128813-111641110-799630
- 1000008
- 36
- 0:0
- 5912317292
If anyone could help, it would be really appreciated.
Yan_Faubert
117 Posts
0
May 11th, 2023 05:00
In your example, 5185 is the PID of the isi_audit_syslog process on the node that generated the audit event. The audit payload starts with S-1-5-21-3108209963-2641128813-111641110-799630 which is the user SID. Details of all fields is documented at this link:
https://infohub.delltechnologies.com/p/understanding-the-protocol-syslog-format-in-powerscale-onefs/
MDRadmin
2 Posts
0
May 15th, 2023 04:00
Thanks Yan. That answers 95% of the questions. I still don't see where the [0:0][0:0] mean in the logs, I see it's under the CLOSE options and falls on fields 10 and 11 which are bytes read and bytes write, but if one of the 0's is the bytes, what's the other 0 after the colon?
Yan_Faubert
117 Posts
0
May 15th, 2023 06:00
bytesRead: Format is x:y where x = total_bytes y = number of reads
bytesWritten: Format is x:y where x = total_bytes y = number of writes