Isilon: List of Isilon audit payload values

Summary: A list of possible Isilon values that can be seen in the raw outputs of isi_audit results.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

The following is a list of possible Isilon values that can be seen in the raw outputs of isi_audit results.

This listing is not version specific: some of these will be only on certain versions of OneFS, with later versions having expanded options. This list is intended to be a reference in reviewing individual audit events in general.

When you use the Isilon protocol auditing system, you can monitor and track the actions of users within the OneFS filesystem on protocols such as SMB and NFS.

The actions recorded, in their raw form, will look like this (some variance will be expected between versions and eras of OneFS):

 

{"id":"8f0ae523-1741-12ea-8d1f-010e1ea7b298","timestamp":1575538065995502,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"delete","isDirectory":false,"clientIPAddr":"10.51.221.92","fileName":"\\ifs\\home\\user00001\\staging\\datareview\\infa\\client\\Temp\\datapoint_file.txt","userSID":"S-1-22-2000","userID":2000,"ntStatus":0,"fsId":1,"partialPath":"datapoint_file.txt","rootInode":4512436961,"inode":5128815920}}     
 
{"id":"87b8bbh5-181c-71ea-8d1f-000g1ia7j295","timestamp":1575522001272734,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload ":"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"create","createResult":"OPENED","isDirectory":true,"desiredAccess":0,"clientIPAddr":"10.14.73.184","createDispo":1,"userSID":"S-1-22-1-2000","userID":2000,"fileName":"\\ifs\\data\\project00004\\dev\\logs\\ABC\\that-one-project-data","ntStatus":0,"fsId":1,"inode":4725492968}}


Within that, the terms are defined as:
  • clientIPAddr: String of the IP of the user performing the action.
  • clientIp: The IP address of the client which initiated the request (causing the event).
  • createDispo: Creation disposition specified by user at create/open time.
  • desiredAccess: Desired access specified by user at create/open time.
  • encodedNewName: The encoded new name in case of a rename.
  • encodedPath: The encoded UNC Path of the file.
  • encodedRelativePath: The encoded relative path.
  • encodingType: The encoding used for values, if the value contains characters that cannot be included in XML.
  • event: The event that caused the check.
  • fileName: String of the absolute path of the file or "UNKNOWN" if audit cannot get the path. The path uses UNC style of path separators ("\\").
  • fileSize: Size of the file at the time of manipulation.
  • flag: One of the CEPP_FLAG_XXX defined above.
  • fsId: File system Id of parent directory. This integer is the ID value of the file system in question (default  1 ).
  • id: A value based on the cluster GUID and the audited Zone ID, unique for the audited event. This is a UUID for that event.
  • inode: Integer of the inode of the file or directory.
  • isDirectory: Boolean for whether the event is for a file or a directory.
  • newFSId: new file system Id (if different from fsId) of target parent directory (rename).
  • newName: The new name (on a rename operation).
  • newParentInode: The inode of the target parent directory (rename).
  • ntStatus: The NTSTATUS code of the action. 0 is STATUS_SUCCESS.
  • ownerId: The id of the owner of the file.
  • ownerSid: Sid of the file owner.
  • parentInode: The inode of the containing directory.
  • partialPath: String of the relative path of the file or directory. The path uses UNC style of path separators ("\\").
  • partialPathParentInode: parent inode of the partial path above.
  • path: UNC name of the file (or dir) - absolute path.
  • payload: The complete delivered audit event, encapsulating most of these values.
  • payloadType: String of "4b66b1eb-6e1a-416d-b80c-5a642a603a0b: For Protocol Activity Events.
  • payloadType: String of "7afb8d54-0aa7-4ed4-9691-341313ee37e3: For Audit Driver Loaded Audit Events.
  • payloadType: String of "bbce6a72-a92d-4330-a1f3-e9fd5aed8152: For Audit Driver Unload Audit Events.
  • payloadType: String of "c411a642-c139-4c7a-be58-93680bc20b41: For Protocol Data Events.
  • protocol: String of the protocol the action occurred under. Usually one of the following in OneFS 7.2 and later: "CIFS" (for SMB1); "SMB2"; "NFS" (for NFSv3); "NFS4"; "HDFS".
  • relativePath: UNC name of the file (or dir) as accessed by the client.
  • rootInode: Integer of the inode of the directory where the partialPath is.
  • serverIp: The IP address of the server at which the event was recorded.
  • server: The Server name where the event occurred. Server IP for NFS.
  • share: The Share on the server. The Export name for NFS.
  • timeStamp: The time at which the event occurred on the server. It is a 64 bit value, where the high 32 bits represent the time and lower 32 bits represent the microseconds. format: 0x1234abcd1234abcd
  • type: File, Directory etc.
  • userID: Integer of the UID of the user performing the action. (OneFS 7.2 and later)
  • userSID: String of the SID of the user performing the action.  ("userSID" is not available in "logon" failure events.)
  • zoneID: Integer of the OneFS access zone ID the action is being performed on/through.
  • zoneName: String of the OneFS access zone name at the time of the event that the action is being performed on/through.




Additionally, there are a few other values and fields that may have a few possible variables. 

For the "eventType" object, some event types have extra payload fields listed under the types below:
 
eventType = create: For creating or opening a file or directory.

eventType = close: For closing a file or directory.
Extra payload fields: (Only meaningful when "isDirectory is false / for files.)
  • bytesRead: Integer of the total number of bytes read since the open / create.
  • bytesWritten: Integer of the total number of bytes written since the opening.
  • numberOfReads: Integer of the total number of reads made to the file since opening.
  • numberOfWrites: Integer of the total number of writes made to the file.
eventType = read: The first read to a file since opening it.
Extra payload fields:
  • bytesRead: Integer of the number of bytes read in the first read.
eventType = write: The first write to a file since opening it.
Extra payload fields:
  • bytesWritten: Integer of the number of bytes written in the first write.
eventType = rename: Rename of a file or directory.
Extra payload fields:
  • newFileName: String of the absolute path of the new file name or "UNKNOWN". The path uses UNC style of path separators ("\\").
  • newPartialPath: String of the relative path of the new file name. The path uses UNC style of path separators ("\\").
  • newRootInode: Integer of the new parent directory's inode that contains "newPartialPath".
eventType = get-security: Get security information / permissions from the file or directory.
                              (no extra fields)

eventType = set-security: Set security information / permissions on the file or directory.
(no extra fields)
 
eventType = delete: Delete a file or directory.
(no extra fields)
 
eventType = logon: Logging on.
(no extra fields)
 
eventType = logoff: Logging off.
(no extra fields)
 
eventType = tree-connect: Performing an SMB tree connect.
(no extra fields)



For audit events with payloadType = "7afb8d54-0aa7-4ed4-9691-341313ee37e3" (Audit Driver Loaded Audit Events).

These are audit events signaling when the audit filter driver was loaded.

These audit events contain a "payload" which contains a JSON string specifying which audit driver loaded.

  • Audit Driver: flt_audit Loaded: SMB audit driver loaded.
  • Audit Driver: flt_audit_nfs Loaded: NFS audit driver loaded.
  • Audit Driver: flt_audit_hdfs Loaded: HDFS audit driver loaded.



For audit events with payloadType = "bbce6a72-a92d-4330-a1f3-e9fd5aed8152" (Audit Driver Unload Audit Events).

These are audit events signaling when the audit filter driver was unloaded.

These audit events contain a "payload" which contains a JSON string specifying which audit driver stopped.

  • Shutting down audit driver: flt_audit: SMB audit driver stopped.
  • Shutting down audit driver: flt_audit_nfs: NFS audit driver loaded.
  • Shutting down audit driver: flt_audit_hdfs: HDFS audit driver loaded.


eventType: String of the audit event type / type of action. One of:
  • create: Create or open a file or directory.
  • close: Close a file or directory.
  • read: First read on a file since opening it.
  • write: First write on a file since opening it.
  • rename: Rename a file or directory.
  • delete: Delete a file or directory.
  • set-security: Set security information / permissions on a file or directory.
  • get-security: Get security information / permissions on a file or directory.


createDispo: Integer of the create/open disposition. This is the request of how the file / directory should be opened or created:
  • 0 - FILE_SUPERSEDE - Replace an existing file or create it.
  • 1 - FILE_OPEN - Open an existing file or fail.
  • 2 - FILE_CREATE - Create a non-existing file or fail.
  • 3 - FILE_OPEN_IF - Open an existing file or create it.
  • 4 - FILE_OVERWRITE - Open and overwrite an existing file or fail.
  • 5 - FILE_OVERWRITE_IF - Open and overwrite an existing file or create it.


createResult: String of the create/open result. One of:
  • SUPERSEDED: File existed and was replaced.
  • OPENED: File existed and was opened.
  • CREATED: File did not exist and was created.
  • EXISTS: File exists and was not created.
  • DOES_NOT_EXIST: File did not exist and was not opened.
  • UNKNOWN: Unknown.


desiredAccess: Integer of the bitwise combined desired access of the following:

Affected Products

Isilon

Products

Isilon
Article Properties
Article Number: 000019850
Article Type: How To
Last Modified: 18 Dec 2022
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.