PowerScale: How to View Audit Logs for OneFS
Summary: This article is useful for customers who have auditing enabled on their cluster and want to view audit logs directly on OneFS instead of relying on a third-party auditing tool.
Instructions
OneFS can audit system configuration events, Server Message Block (SMB), Network File System (NFS), and Hadoop Distributed File System (HDFS) protocol access events on the PowerScale cluster.
All audit data is stored in files called audit topics, which collect log information that can be further processed by auditing tools. If protocol auditing is enabled, file access events through the SMB, NFS, and HDFS are recorded in the protocol audit topic. If configuration auditing is enabled, the application programming interface (API) tracks and records all configuration events in the configuration audit topic.
Auditing is not configured by default, to enable auditing on your system, refer to the product guide File System Auditing With Dell PowerScale
Once auditing is configured on OneFS, all audit logs are recorded on the cluster in a centralized location under /ifs/.ifsvar/audit/logs. Audit logs are recorded in a binary format but OneFS provides the isi_audit_viewer tool to view the binary audit logs stored on the cluster. The isi_audit_viewer tool can provide a view of either the protocol or configuration logs.
By default, the isi_audit_viewer tool only views the audit logs from the local node and only logs from the past 24 hours. There are several options with isi_audit_viewer tool that can be used to narrow down the search to a certain timestamp or node:
Usage: isi_audit_viewer [ -n <nodeid> | -t <topic> | -s <starttime>| -e <endtime> | -v ] -n <nodeid> : Specify node id to browse (default: local node) -t <topic> : Choose topic to browse. Topics are "config" and "protocol" (default: "config") -s <start> : Browse audit logs starting at <starttime> -e <end> : Browse audit logs ending at <endtime> -v verbose : Prints out start / end time range before printing records Note: Start and End times are expressable as a date format "YYYY-MM-DD HH:MM:SS", where fields represent year/month/day/hours/minutes/seconds. If time is not specified, end time defaults to now and start time to 24 hours before end time. For example, the below command shows the protocol audit logs from node 3 for the month of June 2020: # isi_audit_viewer -n 3 -t protocol -s "2020-06-01 00:00:00" -e "2020-07-01 00:00:00"
For more information about the audit payload values, refer to the following article Isilon: List of Isilon audit payload values.