Sample audit log

You can view both configuration audit and protocol audit logs by running the isi_audit_viewer command on any node in the Isilon cluster.

You can view protocol access audit logs by running isi_audit_viewer -t protocol. You can view system configuration logs by running isi_audit_viewer -t config. The following output is an example of a system configuration log:

[0: Fri Jan 23 16:17:03 2015] {"id":"524e0928-a35e-11e4-9d0c-005056302134","timestamp":1422058623106323,"payload":"PAPI config logging started."} 

[1: Fri Jan 23 16:17:03 2015] {"id":"5249b99d-a35e-11e4-9d0c-005056302134","timestamp":1422058623112992,"payload":{"user":{"token": {"UID":0, "GID":0, "SID": "SID:S-1-22-1-0", "GSID": "SID:S-1-22-2-0", "GROUPS": ["SID:S-1-5-11", "GID:5", "GID:20", "GID:70", "GID:10"], "protocol": 17, "zone id": 1, "client": "10.7.220.97", "local": "10.7.177.176" }},"uri":"/1/protocols/smb/shares","method":"POST","args":"","body":{"path": "/ifs/data", "name": "Test"}}} 

[2: Fri Jan 23 16:17:05 2015] {"id":"5249b99d-a35e-11e4-9d0c-005056302134","timestamp":1422058625144567,"payload":{"status":201,"statusmsg":"Created","body":{"id":"Test"}}} 

[3: Fri Jan 23 16:17:39 2015] {"id":"67e7ca62-a35e-11e4-9d0c-005056302134","timestamp":1422058659345539,"payload":{"user":{"token": {"UID":0, "GID":0, "SID": "SID:S-1-22-1-0", "GSID": "SID:S-1-22-2-0", "GROUPS": ["SID:S-1-5-11", "GID:5", "GID:20", "GID:70", "GID:10"], "protocol": 17, "zone id": 1, "client": "10.7.220.97", "local": "10.7.177.176" }},"uri":"/1/audit/settings","method":"PUT","args":"","body":{"config_syslog_enabled": true}}} 

[4: Fri Jan 23 16:17:39 2015] {"id":"67e7ca62-a35e-11e4-9d0c-005056302134","timestamp":1422058659387928,"payload":{"status":204,"statusmsg":"No Content","body":{}}}

Configuration audit events come in pairs; a pre event is logged before the command is carried out and a post event is logged after the event is triggered. Protocol audit events are logged as post events after an operation has been carried out. Configuration audit events can be correlated by matching the id field.

The pre event always comes first, and contains user token information, the PAPI path, and whatever arguments were passed to the PAPI call. In event 1, a POST request was made to /1/protocols/smb/shares with arguments path=/ifs/data and name=Test. The post event contains the HTTP return status and any output returned from the server.