Monitoring the file audit logging fileset for events
To verify that a node is getting events in the file audit logging fileset after file audit logging is enabled, use the tail command and write IO to the audited device.
If fileset auditing or skip fileset auditing is enabled, ensure that you write IO to the correct directory path. The audit log files that contain the events are in the same location for all types.
tail -f /<path>/<to>/<audit>/<fileset>/auditLogFile.latest*
for i in {1..10};do touch /<path>/<to>/<audited_device>/file$i;done
The output should look similar to the following example:
==> auditLogFile.latest_node1.ibm.com <==
{"LWE_JSON": "0.0.2", "path": "/gpfs/gpfs5040/file2", "clusterName": "cluster.ibm.com", "nodeName": "node1", "nfsClientIp": "",
"fsName": "gpfs5040", "event": "CREATE", "inode": "167938", "linkCount": "1", "openFlags": "0", "poolName": "system", "fileSize": "0",
"ownerUserId": "0", "ownerGroupId": "0", "atime": "2020-04-06_05:23:41-0700", "ctime": "2020-04-06_05:23:41-0700",
"mtime": "2020-04-06_05:23:41-0700", "eventTime": "2020-04-06_05:23:41-0700", "clientUserId": "0", "clientGroupId": "0", "processId": "29909",
"permissions": "200100644", "acls": null, "xattrs": null, "subEvent": "NONE"}
{"LWE_JSON": "0.0.2", "path": "/gpfs/gpfs5040/file2", "clusterName": "cluster", "nodeName": "node1", "nfsClientIp": "",
"fsName": "gpfs5040", "event": "OPEN", "inode": "167938", "linkCount": "1", "openFlags": "35138", "poolName": "system", "fileSize": "0",
"ownerUserId": "0", "ownerGroupId": "0", "atime": "2020-04-06_05:23:41-0700", "ctime": "2020-04-06_05:23:41-0700",
"mtime": "2020-04-06_05:23:41-0700", "eventTime": "2020-04-06_05:23:41-0700", "clientUserId": "0", "clientGroupId": "0", "processId": "29909",
"permissions": "200100644", "acls": null, "xattrs": null, "subEvent": "NONE"}
{"LWE_JSON": "0.0.2", "path": "/gpfs/gpfs5040/file2", "clusterName": "cluster", "nodeName": "node1", "nfsClientIp": "",
"fsName": "gpfs5040", "event": "CLOSE",
"inode": "167938", "linkCount": "1", "openFlags": "35138", "poolName": "system", "fileSize": "0",
"ownerUserId": "0", "ownerGroupId": "0", "atime": "2020-04-06_05:23:41-0700", "ctime": "2020-04-06_05:23:41-0700",
"mtime": "2020-04-06_05:23:41-0700", "eventTime": "2020-04-06_05:23:41-0700", "clientUserId": "0", "clientGroupId": "0", "processId": "29909",
"permissions": "200100644", "acls": null, "xattrs": null, "subEvent": "NONE"}