Isilon: Protocol Audit logs showing wrong client IP “audit events not showing correct client IP “
概要: Protocol Audit logs showing wrong client IP “audit events not showing correct client IP “
この記事は次に適用されます:
この記事は次には適用されません:
この記事は、特定の製品に関連付けられていません。
すべての製品パージョンがこの記事に記載されているわけではありません。
現象
Protocol Audit logs showing wrong client IP “audit events not showing correct client IP “
Operation from Windows(SMB), NFS show wrong client IP.
Example:
Operation from Windows(SMB), NFS show wrong client IP.
Example:
Deletion of file from Windows Client 10.226.14.14x
File Delete operation on - /ifs/logs/Logs_ESXi/test-l4-013170_BAK/test-13170-vmkwarning.6
Audit logs the IP shown is different - 10.228.234.19x
[1019: Fri Jun 9 08:32:51 2023] {"id":"bfd202ad-06c1-11ee-ad51-0060486e3a9c","timestamp":1686313971173038,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":4,"zoneName":"xxx","eventType":"close","detailType":"close-file-unmodified","isDirectory":false,"clientIPAddr":"10.228.234.19x","fileName":\\ifs\\logs\\Logs_ESXi\\test-l4-013170_BAK\\test-13170-vmkwarning.6 ,"userSID":"S-1-22-1-0","userID":0,"bytesRead":0,"bytesWritten":0,"numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"fsId":1,"partialPath":"Logs_ESXi\\test-l4-013170_BAK\\vmkwarning.1_040621","rootInode":4454154241,"inode":4457763462}}原因
After setup/config audit setting, the configuration are not correctly refresh and the events from zone do not forward as they should.
解決方法
Made audit settings changes as below:
Changing the following setting as example (or other audited event):
Similar issue as reported on
Isilon: Non-System access zones configured for syslog forwarding of protocol audit events do not forward events as they should
Changing the following setting as example (or other audited event):
# isi audit settings modify --remove-audit-success open_file # isi audit settings modify --add-audit-success open_fileChange the list of events being audited, then after change, change it back to the original list. In some cases this can refresh the configuration and get the events from the zone to start sending correctly.
Similar issue as reported on
Isilon: Non-System access zones configured for syslog forwarding of protocol audit events do not forward events as they should
対象製品
Isilon, PowerScale OneFS文書のプロパティ
文書番号: 000215225
文書の種類: Solution
最終更新: 16 11月 2023
バージョン: 1
質問に対する他のDellユーザーからの回答を見つける
サポート サービス
お使いのデバイスがサポート サービスの対象かどうかを確認してください。