PowerScale: Find User Information in the Audit Log for Whoever Continuously Sends the Wrong Password
Summary: How to find, in the audit log, the user information for whoever continuously sends the wrong password.
Instructions
A badly configured application or a cyber attack may continuously attempt to access the cluster with the wrong password. This can cause the account to be locked, depending on the user's security policy. OneFS protocol auditing can help locate the user information for these requests.
The Audit service and the Protocol Auditing feature must be enabled on the cluster.
You must configure auditing for the access zone that you want to monitor and for the log-in failure event. Avoid auditing too many events, as that can impact performance on some clusters.
Enable Audit service:
isi services isi_audit_d enable
Enable Protocol Auditing:
isi audit settings global modify --protocol-auditing-enabled=true
Add the relevant access zone for monitoring:
isi audit settings global modify --audited-zones=Production
Add the log-in failure event in the access zone:
isi audit settings modify --zone=Production --add-audit-failure=logon
After auditing is properly configured, when the login issue happens, you can use the "isi_audit_viewer" command to search the audit log.
The ntstatus error code in hexadecimal format:
STATUS_WRONG_PASSWORD = 0xC000006A
In the audit log, the ntstatus code is in decimal format. You must convert 0xC000006A to 3221225578.
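One way to apply this filter to saved isi_audit_viewer output is the following Python sketch. It is an added example, not Dell's code: it keeps only logon events whose decimal ntStatus equals STATUS_WRONG_PASSWORD and counts them per zone, client IP and user. The `userName` field and the sample lines are assumptions constructed for illustration; the line layout follows the example audit event in this article.

```python
import json
import re
from collections import Counter

# NTSTATUS from the article; the audit log stores it as a decimal integer.
STATUS_WRONG_PASSWORD = 0xC000006A  # decimal 3221225578

# Viewer lines look like "[5: Fri Oct 24 02:15:47 2025] {json}".
LINE_RE = re.compile(r"^\[\d+: [^\]]*\]\s*(\{.*\})\s*$")

def wrong_password_sources(lines, zone=None):
    """Count wrong-password logon failures per (zone, client IP, user)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or anything that is not an audit record
        try:
            event = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # damaged record, skip rather than abort the scan
        payload = event.get("payload")
        if not isinstance(payload, dict) or payload.get("eventType") != "logon":
            continue
        if payload.get("ntStatus") != STATUS_WRONG_PASSWORD:
            continue  # some other logon failure
        if zone and payload.get("zoneName") != zone:
            continue
        # "userName" is an assumed field; the article's sample event has none.
        user = payload.get("userName", "<not recorded>")
        counts[(payload.get("zoneName"), payload.get("clientIPAddr"), user)] += 1
    return counts

def _line(n, ip, status, extra=""):
    """Build one constructed viewer line (sample data, not real audit output)."""
    return ('[%d: Fri Oct 24 02:15:47 2025] {"id":"constructed-%d","payload":{"zoneID":1,'
            '"zoneName":"Production","eventType":"logon","clientIPAddr":"%s",%s"ntStatus":%d}}'
            % (n, n, ip, extra, status))

SAMPLE = [
    _line(1, "192.0.2.10", 3221225578),
    _line(2, "192.0.2.10", 3221225578),
    _line(3, "192.0.2.20", 3221225581),  # a different NTSTATUS, ignored
    _line(4, "192.0.2.30", 3221225578, '"userName":"svc_backup",'),
    "[5: Fri Oct 24 02:15:49 2025] {not json}",  # damaged record, skipped
]

if __name__ == "__main__":
    for (zone, ip, user), n in wrong_password_sources(SAMPLE).most_common():
        print(f"{n:5d}  zone={zone}  client={ip}  user={user}")
```

A client IP or user with a high count is the likely source of the lockouts.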
Example audit event for the log-in failure with the wrong password:
[5: Fri Oct 24 02:15:47 2025] {"id":"354f003e-97f7-11ef-9d81-0050569b863c","timestamp":1730427347886092,"payloadType":"4b66b1eb-6e1a-416d-b80c-5a642a603a0b","payload":{"zoneID":1,"zoneName":"Production","eventType":"logon","clientIPAddr":"192.1xx.1.1x0","ntStatus":3221zzz578}}
Additional Information
Related content:
- Dell article Isilon: How to view audit logs for OneFS? (You may need to log in as a registered Dell Support user to view this article.)
- Microsoft article [MS-ERREF]: NTSTATUS Values