This section explains the different formats of audit logs for file system operations that Qumulo Core generates whenever a connected client sends a request to a Qumulo cluster.
Qumulo Core creates a descriptive audit log message for every operation that a client attempts. Then, Qumulo Core sends the audit log messages to the remote syslog instance that the audit logging configuration specifies, in compliance with RFC 5424.
This section explains the differences between the levels of detail of audit logs in the syslog CSV, syslog JSON, and CloudWatch JSON formats. (In general, the syslog CSV and CloudWatch JSON formats contain an identical number of fields, some named differently, while the syslog JSON format carries additional audit logging information.)
- A Qumulo cluster uses the static IP address assigned to each of its nodes to send audit logs to the audit log server.
- Qumulo Core doesn't parse, analyze, index, or visualize the data. For more information, see the following articles on Qumulo Care:
Details Included in the Default syslog CSV Format
- Because the user ID, path fields, and secondary path fields can contain characters that must be escaped (such as quotation marks and commas), you must enclose these fields in quotation marks.
- Qumulo Core strips out the \n and \r newline characters from the user ID, file path, and secondary file path fields.
- Both the syslog CSV and syslog JSON formats deduplicate repeated file reads. However, for metadata changes, such as modifications to an access-control list (ACL), only the syslog CSV format deduplicates repeated operations.
- Unlike the syslog JSON format, the syslog CSV format has only values (no keys), and the fields are empty when unused. The following table explains the fields and their possible values.
By default, Qumulo Core formats audit log messages in the syslog CSV format, prefaced by the date, time, and the name of the machine that issues the operation. The syslog CSV format includes the following fields in the following order within the log message body.
| Field | Description | Possible Values |
|---|---|---|
| User IP address | The IP address of the user that performed the operation. | |
| User ID | The ID of the user who performed the operation. Note: Qumulo Core specifies the Qumulo authentication ID if it can't resolve any of the other user ID types. | String in quotation marks |
| Protocol | The protocol that the operation uses. | |
| Operation Type | The operation that the user or the system attempts to perform. | |
| Operation Status | A success status or an error status. | |
| File ID | The ID of the file on which the system performed an operation. Note: For non-file entities, this field is empty. | Integer |
| File Path | The path to the file on which the system performed an operation. Note: For files accessed by using a snapshot, the system prefixes the path with /.snapshot. (This is the same path prefix that the system uses to access snapshotted files through NFSv3 and SMB.) | String in quotation marks |
| Target File Path | The target path to the file on which the system performed a rename or move operation. | String in quotation marks |
For example:
Jun 6 14:52:28 my-machine qumulo 203.0.113.0,"system",internal,remote_syslog_startup,ok,,"",""
Jun 6 14:52:28 my-machine qumulo 203.0.113.0,"AD\alice",api,audit_modify_syslog_config,ok,,"",""
Jun 6 14:52:40 my-machine qumulo 203.0.113.0,"AD\alice",api,rest_login,ok,,"",""
Jun 6 14:53:22 my-machine qumulo 203.0.113.0,"AD\alice",api,fs_read_metadata,ok,3,"/my_file",""
Jun 6 14:53:22 my-machine qumulo 203.0.113.0,"AD\alice",api,fs_write_metadata,ok,3,"/my_file",""
Jun 6 14:53:22 my-machine qumulo 203.0.113.0,"AD\alice",api,fs_write_data,ok,3,"/my_file",""
Jun 6 14:54:05 my-machine qumulo 203.0.113.0,"AD\alice",api,fs_rename,ok,3,"/my_file","/another_file"
Jun 6 14:55:24 my-machine qumulo 203.0.113.0,"AD\alice",api,begin_audit_modify_syslog_config,ok,,"",""
Jun 6 14:55:24 my-machine qumulo 203.0.113.0,"system",internal,remote_syslog_shutdown,ok,,"",""
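As an added example (not code from Qumulo's documentation or product), the following Python parses syslog CSV lines of the shape shown above into one record per event, then pulls out the operations that did not succeed and a per-user operation count, which is the first thing a reviewer of these logs usually wants. It assumes the quoted fields escape an embedded quotation mark by doubling it (the csv module's default, the RFC 4180 convention). The sample lines are constructed from the example above plus two extra lines; the smb protocol value, the user AD\bob, the file ID 7 and the paths in those extra lines are made up, and the error status comes from the list of error names later on this page.

```python
import csv
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order of the syslog CSV message body, as the table above lists it.
CSV_FIELDS = ("user_ip", "user_id", "protocol", "operation", "status",
              "file_id", "path", "target_path")

# Constructed sample: three lines from the page's example, plus two made-up
# lines (an SMB read that was denied, and a path containing a comma and a
# doubled quotation mark) to exercise the quoting rules described above.
SAMPLE_LINES = [
    'Jun 6 14:52:28 my-machine qumulo 203.0.113.0,"system",internal,remote_syslog_startup,ok,,"",""',
    'Jun 6 14:53:22 my-machine qumulo 203.0.113.0,"AD\\alice",api,fs_read_metadata,ok,3,"/my_file",""',
    'Jun 6 14:54:05 my-machine qumulo 203.0.113.0,"AD\\alice",api,fs_rename,ok,3,"/my_file","/another_file"',
    'Jun 6 14:56:01 my-machine qumulo 203.0.113.7,"AD\\bob",smb,fs_read_data,fs_access_denied_error,7,"/finance/q2, final ""draft"".xlsx",""',
]


@dataclass
class AuditEvent:
    timestamp: str          # "Jun 6 14:52:28" as written in the syslog prefix
    host: str               # name of the machine that issued the operation
    user_ip: str
    user_id: str
    protocol: str
    operation: str
    status: str             # "ok" or one of the error names listed on this page
    file_id: Optional[int]  # None for non-file entities (the field is empty)
    path: str
    target_path: str        # only set for rename/move operations


def parse_syslog_csv_line(line: str) -> AuditEvent:
    """Split the syslog prefix from the CSV body and parse the eight fields."""
    head, sep, body = line.partition(" qumulo ")
    if not sep:
        raise ValueError(f"not a Qumulo audit line: {line!r}")
    parts = head.split()                      # month, day, time, hostname
    timestamp, host = " ".join(parts[:3]), parts[3]
    row = next(csv.reader([body]))            # csv handles the quoted fields
    if len(row) != len(CSV_FIELDS):
        raise ValueError(f"expected {len(CSV_FIELDS)} fields, got {len(row)}: {body!r}")
    f = dict(zip(CSV_FIELDS, row))
    file_id = int(f["file_id"]) if f["file_id"] else None
    return AuditEvent(timestamp, host, f["user_ip"], f["user_id"], f["protocol"],
                      f["operation"], f["status"], file_id, f["path"], f["target_path"])


def parse_lines(lines: List[str]) -> List[AuditEvent]:
    return [parse_syslog_csv_line(line) for line in lines]


def failed_operations(events: List[AuditEvent]) -> List[Tuple[str, str, str, str]]:
    """Every event whose status is not 'ok' (user, operation, error name, path)."""
    return [(e.user_id, e.operation, e.status, e.path) for e in events if e.status != "ok"]


def operations_per_user(events: List[AuditEvent]) -> Dict[str, int]:
    """How many logged operations each user ID performed."""
    return dict(Counter(e.user_id for e in events))


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LINES)
    for failure in failed_operations(events):
        print("FAILED:", failure)
    print(operations_per_user(events))
```

Because the user ID and path fields are the only quoted ones, a line with a different field count is a sign of a message the parser does not understand (or of a truncated line, like the one this example had to repair), so it is rejected rather than silently mis-assigned.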
Details Included in the syslog JSON Format
You can configure Qumulo Core to format audit log messages in the syslog JSON format. The fields in this format are similar to the fields that the syslog CSV format provides, with the following exceptions.
The syslog JSON format isn’t available in the Qumulo Core Web UI.
| Field | Description | Possible Values |
|---|---|---|
| user_id Object | In Qumulo Core 6.0.1 (and higher) the user_id object replaces the single user ID field in the syslog CSV format and contains the fields sid, auth_id, and name. | |
| details Object | | |
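As an added example that is not part of Qumulo's documentation, the following Python parses syslog JSON lines like the ones in the example that follows and uses the before and after objects inside details to flag ownership changes on fs_write_metadata events, alongside any event whose status is not ok. The sample lines are constructed from the page's example plus one made-up ownership change (the path /finance/ledger.db, file ID 9 and the new owner's SID and auth_id are placeholders); writing the backslash in AD\alice as a JSON \\ escape is an assumption about how Qumulo Core serialises that name.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample, adapted from the page's syslog JSON example. The third
# line is made up to show an ownership change; its SID and auth_id are placeholders.
SAMPLE_JSON_LINES = [
    r'Jun 6 14:53:22 my-machine qumulo {"user_id": {"name": "AD\\alice", "sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "fs_write_metadata", "status": "ok", "details": {"file_id": "4", "after": {"ctime": "2024-06-11T14:55:58.187394089Z", "mtime": "2024-06-11T14:55:58.187394089Z", "owner": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500"}}, "path": "/my_file", "before": {"ctime": "2024-06-11T14:55:43.616292461Z", "mtime": "2024-06-11T14:55:43.616292461Z", "owner": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500"}}}}',
    r'Jun 6 14:54:05 my-machine qumulo {"user_id": {"name": "AD\\alice", "auth_id": "500", "sid": "S-1-5-21-9876543210-5678901234-1234567890-500"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "fs_rename", "status": "fs_entry_exists_error", "details": {"path": "/my_file", "target": "/another_file", "file_id": "4"}}',
    r'Jun 6 14:57:10 my-machine qumulo {"user_id": {"name": "AD\\alice", "auth_id": "500", "sid": "S-1-5-21-9876543210-5678901234-1234567890-500"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "fs_write_metadata", "status": "ok", "details": {"file_id": "9", "path": "/finance/ledger.db", "before": {"owner": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500"}}, "after": {"owner": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-1001", "auth_id": "1001"}}}}',
]


def parse_syslog_json_line(line: str) -> Dict[str, Any]:
    """Strip the syslog prefix and decode the JSON body, checking the keys we rely on."""
    _, sep, body = line.partition(" qumulo ")
    if not sep:
        raise ValueError(f"not a Qumulo audit line: {line!r}")
    event = json.loads(body)
    for key in ("user_id", "operation", "status", "details"):
        if key not in event:
            raise ValueError(f"audit event is missing {key!r}: {body!r}")
    return event


def diff_metadata(event: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Keys of details.before / details.after whose values differ, as (old, new) pairs.

    Returns {} for events that carry no before/after pair (reads, renames, ...)."""
    details = event["details"]
    before, after = details.get("before"), details.get("after")
    if before is None or after is None:
        return {}
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}


def ownership_changes(events: List[Dict[str, Any]]) -> List[Tuple[str, str, str, str]]:
    """Successful metadata writes that changed the owner: (actor, path, old auth_id, new auth_id)."""
    found = []
    for ev in events:
        if ev["operation"] != "fs_write_metadata" or ev["status"] != "ok":
            continue
        changed = diff_metadata(ev)
        if "owner" in changed:
            old, new = changed["owner"]
            found.append((ev["user_id"]["name"], ev["details"]["path"],
                          old["auth_id"], new["auth_id"]))
    return found


def failed_events(events: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """(actor, operation, error name) for every event whose status is not 'ok'."""
    return [(ev["user_id"]["name"], ev["operation"], ev["status"])
            for ev in events if ev["status"] != "ok"]


if __name__ == "__main__":
    events = [parse_syslog_json_line(line) for line in SAMPLE_JSON_LINES]
    print("ownership changes:", ownership_changes(events))
    print("failures:", failed_events(events))
```

Timestamps (ctime, mtime) change on almost every metadata write, so diff_metadata reports them but ownership_changes only reacts to the owner key; a similar filter on any other key of the before/after objects works the same way.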
For example:
Jun 6 14:52:28 my-machine qumulo {"user_id": {"auth_id": "1", "sid": "S-1-5-21-9876543210-5678901234-1234567890-1", "name": "system"}, "user_ip": "203.0.113.0", "protocol": "internal", "operation": "remote_syslog_startup", "status": "ok", "details": {}}
Jun 6 14:52:28 my-machine qumulo {"user_id": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500", "name": "AD\alice"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "audit_modify_syslog_config", "status": "ok", "details": {"second_extra_name": "", "extra_name": ""}}
Jun 6 14:52:40 my-machine qumulo {"user_id": {"auth_id": "500", "name": "AD\alice", "sid": "S-1-5-21-9876543210-5678901234-1234567890-500"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "rest_login", "status": "ok", "details": {"second_extra_name": "", "extra_name": ""}}
Jun 6 14:53:22 my-machine qumulo {"user_id": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "name": "AD\alice", "auth_id": "500"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "fs_read_metadata", "status": "ok", "details": {"path": "/my_file", "file_id": "4"}}
Jun 6 14:53:22 my-machine qumulo {"user_id": {"name": "AD\alice", "sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "fs_write_metadata", "status": "ok", "details": {"file_id": "4", "after": {"ctime": "2024-06-11T14:55:58.187394089Z", "mtime": "2024-06-11T14:55:58.187394089Z", "owner": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500"}}, "path": "/my_file", "before": {"ctime": "2024-06-11T14:55:43.616292461Z", "mtime": "2024-06-11T14:55:43.616292461Z", "owner": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500"}}}}
Jun 6 14:53:22 my-machine qumulo {"user_id": {"auth_id": "500", "sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "name": "AD\alice"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "fs_write_data", "status": "ok", "details": {"path": "/my_file", "size": 261456, "file_id": "4", "offset": 0, "file_size": 261456}}
Jun 6 14:54:05 my-machine qumulo {"user_id": {"name": "AD\alice", "auth_id": "500", "sid": "S-1-5-21-9876543210-5678901234-1234567890-500"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "fs_rename", "status": "fs_entry_exists_error", "details": {"path": "/my_file", "target": "/another_file", "file_id": "4"}}
Jun 6 14:55:24 my-machine qumulo {"user_id": {"sid": "S-1-5-21-9876543210-5678901234-1234567890-500", "auth_id": "500", "name": "AD\alice"}, "user_ip": "203.0.113.0", "protocol": "api", "operation": "begin_audit_modify_syslog_config", "status": "ok", "details": {"second_extra_name": "", "extra_name": ""}}
Jun 6 14:55:24 my-machine qumulo {"user_id": {"auth_id": "1", "sid": "S-1-5-21-9876543210-5678901234-1234567890-1", "name": "system"}, "user_ip": "203.0.113.0", "protocol": "internal", "operation": "remote_syslog_shutdown", "status": "ok", "details": {}}
Details Included in the Amazon CloudWatch JSON Format
You can configure Qumulo Core to format audit log messages in the Amazon CloudWatch JSON format.
To download the audit log from the CloudWatch console, on the left navigation panel click Logs > Log groups, click a log group, and then on the Log events page click Actions > Copy search results (ASCII).
Rather than preface each line of CSV or JSON with the date and time, CloudWatch creates an ASCII table, which contains Unix timestamps in its first column. The second column contains the fields that are similar to the fields that both the syslog CSV format and the syslog JSON format provide, with the following exceptions.
- The result field replaces the Operation Status or status field.
- The object_id field replaces the File ID or file_id field.
- The path_1 field replaces the File Path or path field.
- The path_2 field replaces the Target File Path or target field.
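As an added example (not Qumulo's or Amazon's code), the following Python reads the ASCII table that the CloudWatch console's "Copy search results (ASCII)" action produces, like the one shown after this, converts the Unix millisecond timestamp in the first column to UTC, and renames the four CloudWatch-specific fields back to their syslog JSON names using the mapping listed above, so that events from either source can be handled by the same downstream code. The table text is constructed from the page's example; writing the backslash in AD\alice as a JSON \\ escape is an assumption about how the message is serialised.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

# The field renames the page lists for the CloudWatch JSON format, mapped
# back to the syslog JSON names. Fields not listed here keep their names.
CLOUDWATCH_TO_SYSLOG_JSON = {
    "result": "status",
    "object_id": "file_id",
    "path_1": "path",
    "path_2": "target",
}

# Constructed sample in the shape of the CloudWatch "Copy search results (ASCII)"
# output, built from two rows of the page's example table.
SAMPLE_TABLE = r"""
-----------------------------------------------------------------------------------------------------
| timestamp | message |
|---------------|-----------------------------------------------------------------------------------|
| 1717679548000 | {"ip_address": "203.0.113.0", "user": "system", "protocol": "internal", "operation": "remote_syslog_startup", "result": "ok", "object_id": "", "path_1": "", "path_2": ""} |
| 1717679645000 | {"ip_address": "203.0.113.0", "user": "AD\\alice", "protocol": "api", "operation": "fs_rename", "result": "ok", "object_id": "3", "path_1": "/my_file", "path_2": "/another_file"} |
-----------------------------------------------------------------------------------------------------
"""


def normalize_cloudwatch_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Rename result/object_id/path_1/path_2 to status/file_id/path/target."""
    return {CLOUDWATCH_TO_SYSLOG_JSON.get(key, key): value for key, value in event.items()}


def parse_cloudwatch_table(text: str) -> List[Tuple[datetime, Dict[str, Any]]]:
    """Yield (UTC time, normalized event) for every data row of the ASCII table."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the horizontal rules and the header separator row.
        if not line.startswith("|") or line.startswith("|-"):
            continue
        # Split only on the first inner '|' so a '|' inside the JSON survives.
        cells = line.strip("|").split("|", 1)
        if len(cells) != 2:
            continue
        ts_text, message = (cell.strip() for cell in cells)
        if not ts_text.isdigit():
            continue                      # the "timestamp | message" header row
        when = datetime.fromtimestamp(int(ts_text) / 1000, tz=timezone.utc)
        events.append((when, normalize_cloudwatch_event(json.loads(message))))
    return events


def event_times_iso(events: List[Tuple[datetime, Dict[str, Any]]]) -> List[str]:
    """ISO-8601 timestamps of the parsed events, convenient for logging or tests."""
    return [when.isoformat() for when, _ in events]


if __name__ == "__main__":
    for when, event in parse_cloudwatch_table(SAMPLE_TABLE):
        print(when.isoformat(), event["operation"], event["status"], event["path"])
```

Note that the CloudWatch timestamp is the only time source in this format; the syslog prefix with the date, time and machine name that the CSV and syslog JSON formats carry is absent, so the conversion above is what gives these events a comparable clock.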
For example:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| timestamp | message |
|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1717679548000 | {"ip_address": "203.0.113.0", "user": "system", "protocol": "internal", "operation": "remote_syslog_startup", "result": "ok", "object_id": "", "path_1": "", "path_2": ""} |
| 1717679548000 | {"ip_address": "203.0.113.0", "user": "AD\alice", "protocol": "api", "operation": "audit_modify_syslog_config", "result": "ok", "object_id": "", "path_1": "", "path_2": ""} |
| 1717679560000 | {"ip_address": "203.0.113.0", "user": "AD\alice", "protocol": "api", "operation": "rest_login", "result": "ok", "object_id": "", "path_1": "", "path_2": ""} |
| 1717679602000 | {"ip_address": "203.0.113.0", "user": "AD\alice", "protocol": "api", "operation": "fs_read_metadata", "result": "ok", "object_id": "3", "path_1": "/my_file", "path_2": ""} |
| 1717679602000 | {"ip_address": "203.0.113.0", "user": "AD\alice", "protocol": "api", "operation": "fs_write_metadata", "result": "ok", "object_id": "3", "path_1": "/my_file", "path_2": ""} |
| 1717679602000 | {"ip_address": "203.0.113.0", "user": "AD\alice", "protocol": "api", "operation": "fs_write_data", "result": "ok", "object_id": "3", "path_1": "/my_file", "path_2": ""} |
| 1717679645000 | {"ip_address": "203.0.113.0", "user": "AD\alice", "protocol": "api", "operation": "fs_rename", "result": "ok", "object_id": "3", "path_1": "/my_file", "path_2": "/another_file"} |
| 1717679724000 | {"ip_address": "203.0.113.0", "user": "AD\alice", "protocol": "api", "operation": "begin_audit_modify_syslog_config", "result": "ok", "object_id": "", "path_1": "", "path_2": ""} |
| 1717679724000 | {"ip_address": "203.0.113.0", "user": "system", "protocol": "internal", "operation": "remote_syslog_shutdown", "result": "ok", "object_id": "", "path_1": "", "path_2": ""} |
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Operation Names in Audit Logging
This section lists the operation names in Qumulo Core audit logging.
Connectivity Operations
- ftp_login
- nfs_mount
- rest_login
- share_connect
- smb_close_handle
- smb_close_session
- smb_login
SMB-Specific Operations
- smb_create_share
- smb_modify_share
- smb_delete_share
- smb2_notify_req
Audit Logging Operations
- remote_syslog_shutdown
- remote_syslog_startup
File System Operations
- fs_copy_chunk
- fs_create_directory
- fs_create_directories
- fs_create_file
- fs_create_hard_link
- fs_create_symlink
- fs_create_stream
- fs_create (Note: This operation type applies to any but the previous file types.)
- fs_delete
- fs_fsstat
- fs_list_directory
- fs_open
- fs_read_data
- fs_read_link
- fs_read_metadata
- fs_read_user_metadata
- fs_rename
- fs_set_quota
- fs_tree_delete
- fs_write_data
- fs_write_metadata
- fs_write_file_lock
- fs_write_user_metadata
REST API Operations
- ad_cancel_operation
- ad_dismiss_error
- ad_join
- ad_kerberos_renew_ticket
- ad_leave
- ad_modify_settings
- ad_reconfigure
- audit_modify_cloudwatch_config
- audit_modify_syslog_config
- auth_add_group
- auth_add_member_to_group
- auth_assign_role
- auth_create_access_token
- auth_create_role
- auth_create_user
- auth_delete_access_token
- auth_delete_group
- auth_delete_identity_attributes
- auth_delete_role
- auth_delete_user
- auth_get_access_token
- auth_get_access_tokens
- auth_modify_access_token
- auth_modify_group
- auth_modify_identity_attributes
- auth_modify_role
- auth_modify_user
- auth_modify_user_password
- auth_remove_member_from_group
- auth_set_user_defined_mappings
- auth_unassign_role
- cluster_add_nodes
- cluster_calculate_node_add_capacity
- cluster_generate_vpn_private_key
- cluster_initiate_node_replacement_plan
- cluster_install_vpn_keys
- cluster_locate_disk_slot
- cluster_modify_config
- cluster_modify_monitoring_config
- cluster_modify_nodes
- cluster_modify_nodes_dry_run
- cluster_modify_upgrade_config
- cluster_nodes_resolve_indeterminate_modification
- dns_create
- dns_delete
- dns_modify
- dns_set_lookup_overrides
- encryption_create_key
- encryption_rotate_keys
- encryption_update_config
- fs_create_public_key
- fs_delete_public_key
- fs_modify_atime_settings
- fs_modify_notify_settings
- fs_modify_permissions_settings
- fs_modify_public_key
- fs_release_nlm_locks_by_client
- fs_release_nlm_locks_by_file
- fs_replace_public_key
- fs_sample
- ftp_modify_settings
- identity_create
- identity_delete
- identity_modify
- kerberos_delete_keytab
- kerberos_modify_settings
- kerberos_set_keytab
- ldap_modify_settings
- network_create_config
- network_delete_config
- network_modify_config
- network_modify_interface
- nfs_create_export
- nfs_delete_export
- nfs_delete_settings
- nfs_modify_export
- nfs_modify_settings
- node_halt
- node_restart
- node_set_identify_light
- portals_authorize_hub_portal
- portals_create_spoke_portal
- portals_delete_hub_portal
- portals_delete_spoke_portal
- portals_evict_inode
- portals_modify_eviction_configuration
- portals_modify_hub_portal
- portals_modify_spoke_portal
- portals_propose_portal_relationship
- reboot_pause
- reboot_resume
- reboot_start
- replication_abort
- replication_abort_object_relationship
- replication_authorize_target_relationship
- replication_create_object_relationship
- replication_create_source_relationship
- replication_delete_object_relationship
- replication_delete_source_relationship
- replication_delete_target_relationship
- replication_dismiss_source_relationship_error
- replication_dismiss_target_relationship_error
- replication_make_target_writable
- replication_modify_source_relationship
- replication_reconnect_target_relationship
- replication_release_queued_snapshot
- replication_replicate_object_relationship
- replication_reverse_target_relationship
- replication_start
- replication_target_relationship_lock
- s3_abort_upload
- s3_add_bucket
- s3_bucket_policy_explain_access
- s3_create_key
- s3_delete_bucket
- s3_delete_key
- s3_get_bucket_policy
- s3_modify_bucket
- s3_modify_settings
- s3_put_bucket_policy
- saml_modify_settings
- session_change_password
- shutdown_halt
- smb_delete_settings
- smb_modify_settings
- snapshot_create_policy
- snapshot_create_snapshot
- snapshot_delete_policy
- snapshot_delete_snapshot
- snapshot_lock_snapshot
- snapshot_modify_policy
- snapshot_modify_snapshot
- snapshot_unlock_snapshot
- snapshot_unlock_snapshot_challege
- ssl_delete_ca_certificate
- ssl_modify_ca_certificate
- ssl_modify_certificate
- tenant_create
- tenant_delete
- tenant_modify
- time_modify_config
- tree_delete_cancel
- tree_delete_start
- web_ui_modify_settings
Error Status Messages
This section lists the error status messages in Qumulo Core audit logging.
Credential Error Messages
- cred_error
- cred_identity_not_supported_error
- cred_invalid_local_user_error
- cred_invalid_sid_error
- cred_remote_resource_unavailable_error
File System Operation Error Messages
- fs_access_denied_error
- fs_access_error
- fs_access_perm_not_owner_error
- fs_already_read_only_error
- fs_default_stream_of_directory_error
- fs_directory_cycle_error
- fs_directory_error
- fs_directory_hash_exhaustion_error
- fs_directory_is_symlink_error
- fs_directory_not_empty_error
- fs_encountered_portal_error
- fs_entry_exists_error
- fs_entry_hardlink_ambiguity_error
- fs_entry_not_in_subtree_error
- fs_exceeded_maximum_stream_count_error
- fs_file_dirent_id_stale_error
- fs_file_is_named_stream_error
- fs_file_is_symlink_error
- fs_file_not_covered_by_snapshot_error
- fs_file_not_empty_error
- fs_file_path_invalid_error
- fs_file_size_error
- fs_file_too_many_links_error
- fs_invalid_acl_error
- fs_invalid_attrs_error
- fs_invalid_file_type_error
- fs_invalid_name_error
- fs_invalid_offset_error
- fs_invalid_size_error
- fs_name_size_error
- fs_no_such_entry_error
- fs_no_such_file_version_error
- fs_no_such_inode_error
- fs_no_such_path_error
- fs_not_a_directory_error
- fs_not_a_file_error
- fs_not_a_symlink_error
- fs_opened_file_stale_error
- fs_path_size_error
- fs_permissions_mode_operation_unsupported_error
- fs_portal_create_orphanage_error
- fs_portal_disconnected_error
- fs_portal_error
- fs_portal_eviction_error
- fs_portal_inconsistent_data_error
- fs_portal_incorrect_state_error
- fs_portal_invalid_lease_break_range_error
- fs_portal_not_covered_by_snapshot_error
- fs_portal_not_found_error
- fs_portal_out_of_order_lease_break_error
- fs_quota_limit_already_set_error
- fs_quota_limit_does_not_exist_error
- fs_quota_no_space_error
- fs_read_only_error
- fs_revision_mismatch_error
- fs_s3_versioning_full_error
- fs_same_inode_error
- fs_sharing_violation_error
- fs_smb_share_root_deleted_error
- fs_stream_is_default_error
- fs_symlink_loop_error
- fs_tag_mismatch_error
- fs_too_many_aces_error
- fs_user_metadata_continuation_token_type_mismatch
- fs_user_metadata_empty_insertion_error
- fs_user_metadata_hash_exhaustion_error
- fs_user_metadata_key_already_exists
- fs_user_metadata_key_not_found
- fs_user_metadata_too_large
- fs_watcher_missed_events_error