JSON attributes in file audit logging
Use this information to learn more about the JSON attributes that are associated with the 11 events in file audit logging.
- LWE_JSON
- The version of the record.
- path
- The path name of the file that is involved in the event.
- oldPath
- The previous path name of the file during the RENAME event. For all other events, it is not displayed.
- clusterName
- The name of the cluster where the event took place.
- nodeName
- The name of the node where the event took place.
- nfsClientIp
- The IP address of the remote client that is involved in the event.
- fsName
- The name of the file system that is involved in the event.
- event
- This is one of the following events: OPEN, CREATE, CLOSE, CLOSEWRITE, RENAME, UNLINK, XATTRCHANGE, ACLCHANGE, RMDIR, GPFSATTRCHANGE, or ACCESS_DENIED.
- inode
- The inode number of the file that is involved in the event.
- linkCount
- The Unix link count of the file that is involved in the event.
- openFlags
- The open flags that are specified during the event. For example: fcntl.h (O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, ...)
For example: "openFlags": "32962" = 0x80C2 = o100302 translates to (O_RDWR | O_CREAT | O_EXCL | O_LARGEFILE)
- poolName
- The pool name where the file resides.
- fileSize
- The current size of the file in bytes.
- ownerUserId
- The owner ID of the file that is involved in the event.
- ownerGroupId
- The group ID of the file that is involved in the event.
- atime
- The time in UTC format of the last access of the file that is involved in the event.
- ctime
- The time in UTC format of the last status change of the file that is involved in the event.
- mtime
- The time in UTC format of the last modification to the file that is involved in the event.
- eventTime
- The time in UTC format of the event.
- clientUserId
- The user ID of the process that is involved in the event.
- clientGroupId
- The group ID of the process that is involved in the event.
- accessMode
- The access type for which the operation was denied for the ACCESS_DENIED event.
- processId
- The process ID that is involved in the event.
- bytesRead
- The bytes read from a file.
- bytesWritten
- The bytes written to a file.
- minReadOffset
- The starting position of bytes read from a file.
- maxReadOffset
- The ending position of bytes read from a file.
- minWriteOffset
- The starting position of bytes written to a file.
- maxWriteOffset
- The ending position of bytes written to a file.
- permissions
- The permissions on the file that is involved in the event.
- acls
- The access control lists that are involved in the event.
- xattrs
- The extended attributes that are involved in the event.
- subEvent
- The type of IBM Storage Scale attribute change. Only applies to the immutability and appendOnly flags.
The following table describes the JSON attributes that are provided for the 10 events in file audit logging:
Attribute | OPEN | CREATE | CLOSE | CLOSEWRITE | RENAME | XATTRCHANGE | ACLCHANGE | UNLINK | RMDIR | GPFSATTRCHANGE | ACCESS_DENIED |
---|---|---|---|---|---|---|---|---|---|---|---|
LWE_JSON | X | X | X | X | X | X | X | X | X | X | X |
path | X | X | X | X | X | X | X | X | X | X | X |
oldPath | | | | | X | | | | | | |
clusterName | X | X | X | X | X | X | X | X | X | X | X |
nodeName | X | X | X | X | X | X | X | X | X | X | X |
nfsClientIp | X1 | X1 | X1 | X1 | X1 | X1,2 | X1 | X1 | X1 | X1 | |
fsName | X | X | X | X | X | X | X | X | X | X | X |
event | X | X | X | X | X | X | X | X | X | X | X |
inode | X | X | X | X | X | X | X | X | X | X | X |
linkCount | X | X | X | X | X | X | X | X | X | X | |
openFlags | X | 0 | X | X | 0 | 0 | 0 | 0 | 0 | 0 | X |
poolName | X | X | X | X | X | X | X | X | X | X | X |
fileSize | X | X | X | X | X | X | X | X | X | X | X |
ownerUserId | X | X | X | X | X | X | X | X | X | X | X |
ownerGroupId | X | X | X | X | X | X | X | X | X | X | X |
atime | X | X | X | X | X | X | X | X | X | X | X |
ctime | X | X | X | X | X | X | X | X | X | X | X |
mtime | X | X | X | X | X | X | X | X | X | X | X |
eventTime | X | X | X | X | X | X | X | X | X | X | X |
clientUserId | X | X | X | X | X | X | X | X | X | X | X |
clientGroupId | X | X | X | X | X | X | X | X | X | X | X |
processId | X | X | X | X | X | X | X | X | X | 0 | X |
bytesRead | 0 | Null | X5 | X5 | Null | Null | 0 | Null | Null | Null | Null |
bytesWritten | 0 | Null | X5 | X5 | Null | Null | 0 | Null | Null | Null | Null |
minReadOffset | MAX INT | Null | X5 | X5 | Null | Null | MAX INT | Null | Null | Null | Null |
maxReadOffset | 0 | Null | X5 | X5 | Null | Null | 0 | Null | Null | Null | Null |
minWriteOffset | MAX INT | Null | X5 | X5 | Null | Null | MAX INT | Null | Null | Null | Null |
maxWriteOffset | 0 | Null | X5 | X5 | Null | Null | 0 | Null | Null | Null | Null |
permissions | X | X | X | X | X | X | X | X | X | X | X |
acls | Null | Null | Null | Null | Null | Null | X | Null | Null | Null | Null |
xattrs | Null | Null | Null | Null | Null | X3 | Null | Null | Null | Null | Null |
subEvent | NONE | NONE | NONE | NONE | NONE | NONE | NONE | NONE | NONE | APPENDONLY IMMUTABILITY | NONE |
accessMode | Null | Null | Null | Null | Null | Null | Null | Null | Null | Null | X |
Note: In the above table, 0, Null, or MAX INT represents that the attribute is not applicable for that particular event.
For more information about some of the issues that might occur with the events and when they might occur, see JSON reporting issues in file audit logging.
Note:
1. The nfsClientIp attribute is provided for NFS clients that use Ganesha. The value is NULL for kernel NFS versions and SMB.
2. The nfsClientIp attribute is populated for an XATTRCHANGE event when SELinux is enabled and a CREATE event is generated via NFS.
3. The xattrs attribute only shows the xattr that was changed.
4. The best effort is made to provide both path and nfsClientIp attributes for files accessed via NFS, but it is not guaranteed.
5. Results might be inaccurate with mmap IO, mmap IO via SMB, or IO via NFS.
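The openFlags decoding and the table's "0 means not applicable" rule can be combined when triaging records. The following Python sketch is an added example, not IBM code: the flag values are assumed to be the Linux x86-64 ones from fcntl.h, the sample records are constructed, and the function names are hypothetical.

```python
import json

# Assumption: Linux x86-64 kernel values from fcntl.h; other platforms differ.
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_BITS = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o10000: "O_DSYNC",
    0o40000: "O_DIRECT", 0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY",
    0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC",
}
# Events whose openFlags cell is X in the attribute table; the rest carry 0.
EVENTS_WITH_OPEN_FLAGS = {"OPEN", "CLOSE", "CLOSEWRITE", "ACCESS_DENIED"}
WRITE_INTENT = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}

# Constructed sample records using a subset of the documented attributes.
SAMPLE_RECORDS = [
    '{"event": "OPEN", "path": "/gpfs/fs1/proj/report.txt", "openFlags": "32962"}',
    '{"event": "OPEN", "path": "/gpfs/fs1/proj/readme.txt", "openFlags": "32768"}',
    '{"event": "RENAME", "path": "/gpfs/fs1/proj/b.txt", "oldPath": "/gpfs/fs1/proj/a.txt", "openFlags": "0"}',
    '{"event": "ACCESS_DENIED", "path": "/gpfs/fs1/hr/payroll.csv", "openFlags": "32769"}',
]

def decode_open_flags(value):
    """Return the flag names encoded in an openFlags value (decimal string or int)."""
    flags = int(value)
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "O_ACCMODE(3)")]
    rest = flags & ~O_ACCMODE
    for bit, name in sorted(FLAG_BITS.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:  # keep bits this table does not know instead of dropping them
        names.append(f"unknown(0o{rest:o})")
    return names

def write_intent_events(lines):
    """Return (event, path, flag names) for records opened to write or create."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") not in EVENTS_WITH_OPEN_FLAGS:
            continue  # 0 here means "not applicable", not O_RDONLY
        names = decode_open_flags(rec.get("openFlags") or 0)
        if WRITE_INTENT & set(names):
            hits.append((rec["event"], rec["path"], names))
    return hits

if __name__ == "__main__":
    for event, path, names in write_intent_events(SAMPLE_RECORDS):
        print(event, path, " | ".join(names))
```

Python's own os.O_LARGEFILE is not used because on 64-bit builds it can be 0, which would leave the 0o100000 bit from the documented example undecoded.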