JSON reporting issues in file audit logging
This topic describes limitations that the user might observe in the file audit logging JSON logs.
- SMB
  - For a created file, there can be many OPEN and CLOSE events.
  - For a deleted file, a DESTROY event might never get logged. Instead, the JSON might show an UNLINK event only.
- NFS
  - For NFSv3, upon file creation, audit logs only get an OPEN event without a corresponding CLOSE event. The CLOSE event only occurs when a subsequent operation is done on the file (for example, RENAME).
  - The file path name and the NFS IP for kNFS might not always be available.
- Object
  - Object is not supported for file audit logging in IBM Storage Scale.
    Note: In addition, file activity in the primary object fileset does not generate events.
- Unified file
  - Unified file is not supported for file audit logging in IBM Storage Scale.
- Access denied event
  - When access to a file might be overridden to allow a user to operate on a file, an ACCESS_DENIED event might be generated even if the operation went through. For example, if a user without write permission on a file tries to delete the file, but has read, write, and execute permissions on the parent directory, there might be an ACCESS_DENIED event generated even though the delete operation goes through.
  - Access to files through protocols might be denied at the protocol level (NFS and SMB). In these scenarios, file audit logging does not generate an event for ACCESS_DENIED because IBM Storage Scale is not made aware that access to the file was denied.
  - No ACCESS_DENIED event is generated for failed attempts to write to immutable files or for attempts to, for example, truncate appendOnly files.
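The following is an added example, not IBM code: one way a log consumer can fold raw events into per-file findings that tolerate the limitations listed above. The JSON field names (event, inode, path, clientUserId), the sample records, and the FOLLOW_UP heuristic are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample; field names are assumptions, map them to your logs.
SAMPLE = """\
{"event": "OPEN", "inode": 101, "path": "/gpfs/fs1/a.txt", "clientUserId": 1000}
{"event": "CLOSE", "inode": 101, "path": "/gpfs/fs1/a.txt", "clientUserId": 1000}
{"event": "OPEN", "inode": 101, "path": "/gpfs/fs1/a.txt", "clientUserId": 1000}
{"event": "CLOSE", "inode": 101, "path": "/gpfs/fs1/a.txt", "clientUserId": 1000}
{"event": "OPEN", "inode": 202, "clientUserId": 1001}
{"event": "ACCESS_DENIED", "inode": 303, "path": "/gpfs/fs1/c.txt", "clientUserId": 1002}
{"event": "UNLINK", "inode": 303, "path": "/gpfs/fs1/c.txt", "clientUserId": 1002}
{"event": "ACCESS_DENIED", "inode": 404, "path": "/gpfs/fs1/d.txt", "clientUserId": 1003}
"""
FOLLOW_UP = {"UNLINK", "DESTROY", "RENAME"}  # signs a denied op went through

def summarize(lines):
    """Fold raw audit events into per-inode findings that tolerate the gaps."""
    by_inode = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            by_inode[rec["inode"]].append(rec)
    report = {}
    for inode, recs in by_inode.items():
        names = [r["event"] for r in recs]
        overridden = blocked = 0
        for i, r in enumerate(recs):
            if r["event"] == "ACCESS_DENIED":
                user = r.get("clientUserId")
                if any(n["event"] in FOLLOW_UP and n.get("clientUserId") == user
                       for n in recs[i + 1:]):
                    overridden += 1  # denial logged, operation succeeded anyway
                else:
                    blocked += 1
        report[inode] = {
            # Path can be missing (kNFS); the inode still identifies the file.
            "path": next((r["path"] for r in recs if r.get("path")), None),
            # DESTROY may never be logged, so UNLINK alone counts as a delete.
            "deleted": bool({"DESTROY", "UNLINK"} & set(names)),
            # NFSv3 create: OPEN without CLOSE is expected, not an anomaly.
            "unclosed_opens": max(names.count("OPEN") - names.count("CLOSE"), 0),
            "denied_overridden": overridden,
            "denied_blocked": blocked,
        }
    return report

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE.splitlines()), indent=2))
```

Because protocol-level denials and failed writes to immutable or appendOnly files never produce ACCESS_DENIED, a zero in `denied_blocked` does not show that no access attempt was refused.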