Isilon: Protocol Audit logs showing wrong client IP “audit events not showing correct client IP “
Сводка: Protocol Audit logs showing wrong client IP “audit events not showing correct client IP “
Данная статья применяется к
Данная статья не применяется к
Эта статья не привязана к какому-либо конкретному продукту.
В этой статье указаны не все версии продуктов.
Симптомы
Protocol Audit logs showing wrong client IP “audit events not showing correct client IP “
Operation from Windows(SMB), NFS show wrong client IP.
Example:
Operation from Windows(SMB), NFS show wrong client IP.
Example:
Deletion of file from Windows Client 10.226.14.14x
File Delete operation on - /ifs/logs/Logs_ESXi/test-l4-013170_BAK/test-13170-vmkwarning.6
Audit logs the IP shown is different - 10.228.234.19x
[1019: Fri Jun 9 08:32:51 2023] {"id":"bfd202ad-06c1-11ee-ad51-0060486e3a9c","timestamp":1686313971173038,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":4,"zoneName":"xxx","eventType":"close","detailType":"close-file-unmodified","isDirectory":false,"clientIPAddr":"10.228.234.19x","fileName":\\ifs\\logs\\Logs_ESXi\\test-l4-013170_BAK\\test-13170-vmkwarning.6 ,"userSID":"S-1-22-1-0","userID":0,"bytesRead":0,"bytesWritten":0,"numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"fsId":1,"partialPath":"Logs_ESXi\\test-l4-013170_BAK\\vmkwarning.1_040621","rootInode":4454154241,"inode":4457763462}}Причина
After setup/config audit setting, the configuration are not correctly refresh and the events from zone do not forward as they should.
Разрешение
Made audit settings changes as below:
Changing the following setting as example (or other audited event):
Similar issue as reported on
Isilon: Non-System access zones configured for syslog forwarding of protocol audit events do not forward events as they should
Changing the following setting as example (or other audited event):
# isi audit settings modify --remove-audit-success open_file # isi audit settings modify --add-audit-success open_fileChange the list of events being audited, then after change, change it back to the original list. In some cases this can refresh the configuration and get the events from the zone to start sending correctly.
Similar issue as reported on
Isilon: Non-System access zones configured for syslog forwarding of protocol audit events do not forward events as they should
Затронутые продукты
Isilon, PowerScale OneFSСвойства статьи
Номер статьи: 000215225
Тип статьи: Solution
Последнее изменение: 16 Nov 2023
Версия: 1
Получите ответы на свои вопросы от других пользователей Dell
Услуги технической поддержки
Проверьте, распространяются ли на ваше устройство услуги технической поддержки.