JSON attributes in file audit logging

Use this information to learn more about the JSON attributes that are associated with the ten events in file audit logging.

LWE_JSON

The version of the record.

path

The path name of the file that is involved in the event.

oldPath

The previous path name of the file during the RENAME event. Start of change

For all other events, it is not displayed. End of change

clusterName

The name of the cluster where the event took place.

nodeName

The name of the node where the event took place.

nfsClientIp

The IP address of the remote client that is involved in the event.

fsName

The name of the file system that is involved in the event.

event

This is one of the following events: OPEN, CREATE, CLOSE, RENAME, XATTRCHANGE, ACLCHANGE, UNLINK, DESTROY, RMDIR, or GPFSATTRCHANGE.

inode

The inode number of the file that is involved in the event.

linkCount

The Unix link count of the file that is involved in the event. End of change

openFlags

The open flags that are specified during the event, as defined in

fcntl.h ( O_RDONLY,O_WRONLY,O_RDWR, O_CREAT, ...)

For example:

"openFlags": "32962" = 0x80C2 = o100302 translates to ( O_RDWR | O_CREAT | O_EXCL | O_LARGEFILE)

poolName

The pool name where the file resides.

fileSize

The current size of the file in bytes.

ownerUserId

The owner id of the file that is involved in the event.

ownerGroupId

The group id of the file that is involved in the event.

atime

The time in UTC format of the last access of the file that is involved in the event.

ctime

The time in UTC format of the last status change of the file that is involved in the event.

mtime

The time in UTC format of the last modification to the file that is involved in the event. End of change

eventTime

The time in UTC format of the event.

clientUserId

The user id of the process that is involved in the event.

clientGroupId

The group id of the process that is involved in the event.

processId

The process id that is involved in the event.

permissions

The permissions on the file that is involved in the event.

acls

The access control lists that are involved in the event.

xattrs

The extended attributes that are involved in the event.

subEvent

The type of IBM Spectrum Scale attribute change. Only applies to the immutability and appendOnly flags.

The following table describes the JSON attributes that are provided for the ten events in file audit logging.

Table 1. JSON attributes in file audit logging
Attribute	OPEN	CREATE	CLOSE	RENAME	XATTRCHANGE	ACLCHANGE	UNLINK	DESTROY	RMDIR	GPFSATTRCHANGE
LWE_JSON	X	X	X	X	X	X	X	X	X	X
path	X	X	X	X	X	X	X	X¹	X	X
oldPath				X
clusterName	X	X	X	X	X	X	X	X	X	X
nodeName	X	X	X	X	X	X	X	X	X	X
nfsClientIp	X²
fsName	X	X	X	X	X	X	X	X	X	X
event	X	X	X	X	X	X	X	X	X	X
inode	X	X	X	X	X	X	X	X	X	X
linkCount	X	X	X	X	X	X	X	X	X	X
openFlags	X	0	X	0	0	0	0	0	0	0
poolName	X	X	X	X	X	X	X	X	X	X
fileSize	0	0	X	X	X	X	X	X	X	X
ownerUserId	X	X	X	X	X	X	X	X	X	0
ownerGroupId	X	X	X	X	X	X	X	X	X	0
atime	X	X	X	X	X	X	X	X	X	X
ctime	X	X	X	X	X	X	X	X	X	X
mtime	X	X	X	X	X	X	X	X	X	X
eventTime	X	X	X	X	X	X	X	X	X	X
clientUserId	X	X	X	X	X	X	X		X	0
clientGroupId	X	X	X	X	X	X	X		X	0
processId	X	X	X	X	X	X	X	NA	X	NA
permissions	X	X	X	X	X	X	X	X	X	X
acls	Null	Null	Null	Null	Null	X	Null	Null	Null	Null
xattrs	Null	Null	Null	Null	X³	Null	Null	Null	Null	Null
subEvent	NONE	NONE	NONE	NONE	NONE	NONE	NONE	NONE	NONE	APPENDONLY IMMUTABILITY

For information about some of the issues that might occur with the events and when they might occur, see JSON reporting issues in file audit logging.

Note:

The path attribute is sometimes available for the DESTROY event, but it is not guaranteed.
The nfsClientIp attribute is provided for NFS clients using Ganesha. The value is NULL for kernel NFS versions and SMB.
The xattrs attribute only shows the xattr that was changed.
The best effort is made to provide the path attribute for files accessed via NFS, but it is not guaranteed.