JSON attributes in file audit logging
Use this information to learn more about the JSON attributes that are associated with the ten events in file audit logging.
- LWE_JSON
- The version of the record.
- path
- The path name of the file that is involved in the event.
- oldPath
- The previous path name of the file during the RENAME event. For all other events, it is not displayed.
- clusterName
- The name of the cluster where the event took place.
- nodeName
- The name of the node where the event took place.
- nfsClientIp
- The IP address of the remote client that is involved in the event.
- fsName
- The name of the file system that is involved in the event.
- event
- This is one of the following events: OPEN, CREATE, CLOSE, RENAME, XATTRCHANGE, ACLCHANGE, UNLINK, DESTROY, RMDIR, or GPFSATTRCHANGE.
- inode
- The inode number of the file that is involved in the event.
- linkCount
- The Unix link count of the file that is involved in the event.
- openFlags
- The open flags that are specified during the event, as defined in fcntl.h (O_RDONLY, O_WRONLY, O_RDWR, O_CREAT, ...). For example: "openFlags": "32962" = 0x80C2 = o100302 translates to (O_RDWR | O_CREAT | O_EXCL | O_LARGEFILE).
- poolName
- The pool name where the file resides.
- fileSize
- The current size of the file in bytes.
- ownerUserId
- The owner id of the file that is involved in the event.
- ownerGroupId
- The group id of the file that is involved in the event.
- atime
- The time in UTC format of the last access of the file that is involved in the event.
- ctime
- The time in UTC format of the last status change of the file that is involved in the event.
- mtime
- The time in UTC format of the last modification to the file that is involved in the event.
- eventTime
- The time in UTC format of the event.
- clientUserId
- The user id of the process that is involved in the event.
- clientGroupId
- The group id of the process that is involved in the event.
- processId
- The process id that is involved in the event.
- permissions
- The permissions on the file that is involved in the event.
- acls
- The access control lists that are involved in the event.
- xattrs
- The extended attributes that are involved in the event.
- subEvent
- The type of IBM Spectrum Scale attribute change. Only applies to the immutability and appendOnly flags.
The following table describes the JSON attributes that are provided for the ten events in file audit logging.
For information about some of the issues that might occur with the events and when they might occur, see JSON reporting issues in file audit logging.
Attribute | OPEN | CREATE | CLOSE | RENAME | XATTRCHANGE | ACLCHANGE | UNLINK | DESTROY | RMDIR | GPFSATTRCHANGE |
---|---|---|---|---|---|---|---|---|---|---|
LWE_JSON | X | X | X | X | X | X | X | X | X | X |
path | X | X | X | X | X | X | X | X¹ | X | X |
oldPath | | | | X | | | | | | |
clusterName | X | X | X | X | X | X | X | X | X | X |
nodeName | X | X | X | X | X | X | X | X | X | X |
nfsClientIp | X² | | | | | | | | | |
fsName | X | X | X | X | X | X | X | X | X | X |
event | X | X | X | X | X | X | X | X | X | X |
inode | X | X | X | X | X | X | X | X | X | X |
linkCount | X | X | X | X | X | X | X | X | X | X |
openFlags | X | 0 | X | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
poolName | X | X | X | X | X | X | X | X | X | X |
fileSize | 0 | 0 | X | X | X | X | X | X | X | X |
ownerUserId | X | X | X | X | X | X | X | X | X | 0 |
ownerGroupId | X | X | X | X | X | X | X | X | X | 0 |
atime | X | X | X | X | X | X | X | X | X | X |
ctime | X | X | X | X | X | X | X | X | X | X |
mtime | X | X | X | X | X | X | X | X | X | X |
eventTime | X | X | X | X | X | X | X | X | X | X |
clientUserId | X | X | X | X | X | X | X | X | 0 | |
clientGroupId | X | X | X | X | X | X | X | X | 0 | |
processId | X | X | X | X | X | X | X | NA | X | NA |
permissions | X | X | X | X | X | X | X | X | X | X |
acls | Null | Null | Null | Null | Null | X | Null | Null | Null | Null |
xattrs | Null | Null | Null | Null | X³ | Null | Null | Null | Null | Null |
subEvent | NONE | NONE | NONE | NONE | NONE | NONE | NONE | NONE | NONE | APPENDONLY |
Note:
1. The path attribute is sometimes available for the DESTROY event, but it is not guaranteed.
2. The nfsClientIp attribute is provided for NFS clients using Ganesha. The value is NULL for kernel NFS versions and SMB.
3. The xattrs attribute only shows the xattr that was changed.
4. The best effort is made to provide the path attribute for files accessed via NFS, but it is not guaranteed.
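
The openFlags decoding described above can be automated when reviewing audit records. The following is an added example, not IBM code: it assumes the Linux x86 fcntl.h octal values (which match the 32962 example), and the sample records, their values and the function names are constructed for illustration.

```python
import json

# Linux asm-generic fcntl.h values in octal (assumption: the node is Linux on
# x86; the page's 0o100302 example is consistent with these).
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_BITS = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o10000: "O_DSYNC",
    0o40000: "O_DIRECT", 0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY",
    0o400000: "O_NOFOLLOW", 0o1000000: "O_NOATIME", 0o2000000: "O_CLOEXEC",
}

def decode_open_flags(value):
    """Decode the decimal openFlags string into fcntl.h flag names."""
    flags = int(value)
    if flags < 0:
        raise ValueError("openFlags must be non-negative")
    names = [ACCESS_MODES.get(flags & 0o3, "accmode:3")]
    rest = flags & ~0o3
    for bit, name in FLAG_BITS.items():
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:  # bits not in the table are reported, never silently dropped
        names.append("unknown:" + oct(rest))
    return names

def summarize(line):
    """Parse one audit record; decode openFlags only where the table marks it."""
    rec = json.loads(line)
    event = rec["event"]
    # Per the table, openFlags carries a value for OPEN and CLOSE and is 0 elsewhere.
    flags = decode_open_flags(rec["openFlags"]) if event in ("OPEN", "CLOSE") else None
    # path is not guaranteed for DESTROY or for NFS access, so it may be absent.
    return {"event": event, "path": rec.get("path"), "flags": flags}

# Constructed sample records (not real log output); field names are from the page.
SAMPLE_OPEN = ('{"LWE_JSON": "0.0.1", "path": "/gpfs/fs1/data/report.txt", '
               '"nodeName": "node1", "fsName": "fs1", "event": "OPEN", '
               '"inode": "4242", "openFlags": "32962", "acls": null, "xattrs": null}')
SAMPLE_DESTROY = ('{"LWE_JSON": "0.0.1", "nodeName": "node1", "fsName": "fs1", '
                  '"event": "DESTROY", "inode": "4242", "openFlags": "0"}')

if __name__ == "__main__":
    for line in (SAMPLE_OPEN, SAMPLE_DESTROY):
        print(summarize(line))
```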