Understanding the Protocol Syslog Format in PowerScale OneFS
Wed, 23 Feb 2022 19:23:07 -0000
Recently I’ve received several queries on the format of the audit protocol syslog in PowerScale. It is a little bit complicated for the following reasons:
- For different protocol operations (such as OPEN and CLOSE), various fields have been defined to meet auditing goals.
- Some fields are easy to parse and some are more difficult.
- It is not currently documented.
Syslog format
The following table shows the details of the format of the syslog protocol in PowerScale. (This table is very wide. Extend your browser to show all 13 fields.):

| Operation | Field 1 | Field 2 | Field 3 | Field 4 | Field 5 | Field 6 | Field 7 | Field 8 | Field 9 | Field 10 | Field 11 | Field 12 | Field 13 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| LOGON | userSID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | username | | | | | |
| LOGOFF | userSID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | username | | | | | |
| TREE-CONNECT | userSID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | | | | | | |
| READ | userSID | userID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | isDirectory | inode/lin | filename | | |
| WRITE | userSID | userID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | isDirectory | inode/lin | filename | | |
| CLOSE | userSID | userID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | isDirectory | bytesRead | bytesWrite | inode/lin | filename |
| DELETE | userSID | userID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | isDirectory | inode/lin | filename | | |
| GET_SECURITY | userSID | userID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | isDirectory | inode/lin | filename | | |
| SET_SECURITY | userSID | userID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | isDirectory | inode/lin | filename | | |
| OPEN | userSID | userID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | desiredAccess | isDirectory | createResult | inode/lin | filename |
| RENAME | userSID | userID | zoneName | ZoneID | clientIPAddr | protocol | operation | ntStatus | isDirectory | inode/lin | filename | newFileName | |
Some notes:
1. Starting with OneFS 9.2.0.0, we apply RFC 5425 as the standard of the syslog protocol.
2. userSID: A user SID is a unique identifier for an object in Active Directory or NT4 domains. On a native Windows file server (as well as some other CIFS server implementations), this SID is used directly to determine a user's identity, and is generally stored on every file or folder in the file system that the user has rights to. SIDs commonly start with the letter `S` and include a series of numbers and dashes.
3. userID: On most UNIX-based systems, file and folder permissions are assigned to UIDs and GIDs (most commonly found in /etc/passwd and /etc/group).
4. protocol: it is one of the following:
   - SMB
   - NFS
   - HDFS
   SMB is also returned for the LOGON, LOGOFF, and TREE-CONNECT operations.
5. ntStatus:
   - If the ntStatus field is 0, it will return “SUCCESS”.
   - If the ntStatus field is non-zero, it will return “FAILD: <NT Status Code>”.
   - If the ntStatus field is not in the payload, it will return “ERROR”.
   - You can refer to the Microsoft Open Specifications (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55) for the value and description of the NT Status Code.
6. isDirectory:
   - If it is a file, it will return “FILE”.
   - If it is a directory, it will return “DIR”.
Example
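As an added example (not Dell's code and not part of the original post), the parser below turns the per-operation field layouts from the table into a dictionary per record and decodes the ntStatus and isDirectory conventions from the notes. It assumes the syslog header has already been stripped and that the remaining message body is pipe-delimited in the column order shown in the table; the sample records, the desiredAccess and createResult values, and the SIDs, addresses and paths in them are constructed for illustration. Because the operation name is in a different column for session operations (no userID field) than for file operations, the parser locates the operation first and only then picks a schema, which is the part people usually get wrong.

```python
"""Parser for PowerScale OneFS protocol-audit syslog message bodies.

Added example, not Dell's code. Assumes the syslog header is already removed
and the body is pipe-delimited in the table's column order (an assumption).
"""
import re
from collections import Counter

SESSION_FIELDS = ["userSID", "zoneName", "ZoneID", "clientIPAddr",
                  "protocol", "operation", "ntStatus"]
FILE_FIELDS = ["userSID", "userID", "zoneName", "ZoneID", "clientIPAddr",
               "protocol", "operation", "ntStatus"]
FILE_TAIL = ["isDirectory", "inode/lin", "filename"]

# Column layout per operation, copied from the table (Field 1 .. Field 13).
SCHEMAS = {
    "LOGON": SESSION_FIELDS + ["username"],
    "LOGOFF": SESSION_FIELDS + ["username"],
    "TREE-CONNECT": SESSION_FIELDS,
    "READ": FILE_FIELDS + FILE_TAIL,
    "WRITE": FILE_FIELDS + FILE_TAIL,
    "DELETE": FILE_FIELDS + FILE_TAIL,
    "GET_SECURITY": FILE_FIELDS + FILE_TAIL,
    "SET_SECURITY": FILE_FIELDS + FILE_TAIL,
    "CLOSE": FILE_FIELDS + ["isDirectory", "bytesRead", "bytesWrite", "inode/lin", "filename"],
    "OPEN": FILE_FIELDS + ["desiredAccess", "isDirectory", "createResult", "inode/lin", "filename"],
    "RENAME": FILE_FIELDS + FILE_TAIL + ["newFileName"],
}
SESSION_OPS = {"LOGON", "LOGOFF", "TREE-CONNECT"}
# "FAILD: <code>" as spelled in the notes; "FAILED" accepted too.
_FAILED_RE = re.compile(r"FAIL(?:E)?D:\s*(0x[0-9A-Fa-f]+|\d+)")


def parse_nt_status(value):
    """Map the ntStatus column to (state, code): SUCCESS -> 0, FAILD -> the
    NT status code as an int, ERROR (field absent from payload) -> None."""
    value = value.strip()
    if value == "SUCCESS":
        return ("SUCCESS", 0)
    if value == "ERROR":
        return ("ERROR", None)
    m = _FAILED_RE.fullmatch(value)
    if m:
        return ("FAILED", int(m.group(1), 0))
    raise ValueError(f"unrecognised ntStatus: {value!r}")


def parse_record(body, sep="|"):
    """Turn one message body into a dict keyed by the table's field names."""
    probe = [f.strip() for f in body.split(sep)]
    # The operation is Field 6 for session operations (no userID column) and
    # Field 7 for file operations; find it before choosing a schema.
    if len(probe) > 5 and probe[5] in SESSION_OPS:
        op = probe[5]
    elif len(probe) > 6 and probe[6] in SCHEMAS:
        op = probe[6]
    else:
        raise ValueError(f"cannot locate operation in: {body!r}")
    schema = SCHEMAS[op]
    # Bounded split so a separator character inside the trailing filename
    # does not shift the columns (RENAME's two paths stay ambiguous).
    fields = [f.strip() for f in body.split(sep, len(schema) - 1)]
    if len(fields) != len(schema):
        raise ValueError(f"{op}: expected {len(schema)} fields, got {len(fields)}")
    rec = dict(zip(schema, fields))
    rec["ntStatus"] = parse_nt_status(rec["ntStatus"])
    if "isDirectory" in rec:
        rec["isDirectory"] = rec["isDirectory"] == "DIR"  # "DIR" or "FILE"
    return rec


def failed_access_by_client(bodies):
    """Count denied file operations per client address (a common SOC pivot);
    malformed records are skipped rather than aborting the whole batch."""
    counts = Counter()
    for body in bodies:
        try:
            rec = parse_record(body)
        except ValueError:
            continue
        state, _ = rec["ntStatus"]
        if state == "FAILED" and rec["operation"] not in SESSION_OPS:
            counts[rec["clientIPAddr"]] += 1
    return counts


# Constructed sample bodies (not captured from a real cluster).
SAMPLE_BODIES = [
    "S-1-5-21-1111-2222-3333-1001|System|1|10.0.0.5|SMB|LOGON|SUCCESS|CORP\\alice",
    "S-1-5-21-1111-2222-3333-1001|10001|System|1|10.0.0.5|SMB|OPEN|SUCCESS|0x120089|FILE|OPENED|4295032833|/ifs/data/report.xlsx",
    "S-1-5-21-1111-2222-3333-1001|10001|System|1|10.0.0.5|SMB|CLOSE|SUCCESS|FILE|4096|0|4295032833|/ifs/data/report.xlsx",
    "S-1-5-21-1111-2222-3333-1002|10002|System|1|10.0.0.9|SMB|DELETE|FAILD: 0xC0000022|FILE|4295032833|/ifs/data/report.xlsx",
    "S-1-5-21-1111-2222-3333-1002|10002|System|1|10.0.0.9|NFS|RENAME|SUCCESS|FILE|4295032900|/ifs/data/a.txt|/ifs/data/b.txt",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(parse_record(body))
    print("denied file operations per client:", dict(failed_access_by_client(SAMPLE_BODIES)))
```

The status code in the constructed DELETE record, 0xC0000022, is STATUS_ACCESS_DENIED in the MS-ERREF table linked in the notes; the parser keeps the code as an integer so a downstream rule can compare against that table rather than against a string.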
Conclusion
I hope you have found this helpful.
Thanks for reading!
Author: Vincent Shen