Overview
You can configure extensive file system auditing and logging of operations for a volume.
As an alternative to Nasuni’s own auditing options, Nasuni also supports auditing by Varonis. Events created by the Nasuni Edge Appliance propagate to the Varonis monitoring infrastructure.
Syslog Export enables you to direct Nasuni notifications and file auditing messages to your syslog server.
Tip: Auditing volume events such as Create, Delete, Rename, and Security can aid in recovering from ransomware attacks.
Note: Occasionally a specified operation might not be audited and logged, for example when a Nasuni Edge Appliance reboots or restarts. Also, if events occur faster than auditing can record them, a “Lost Events” entry (audit type AUDIT_LOST_EVENT) is written to the log file. Treat such an entry as a gap in coverage, not as evidence that nothing happened during that interval.
Tip: Log files take up space. To reduce the amount of space necessary for log files, you can: limit the number of event categories to audit, limit which volumes to audit, use filters to reduce the directories or files to audit, and limit the log file retention period.
Note: Enabling file system auditing generally reduces performance by less than 5–10 percent. The effect is greater if auditing writes, and smaller on solid-state drives (SSD) than on hard disk drives (HDD). For ransomware recovery, we do not recommend auditing event categories beyond Create, Delete, Rename, and Security (see the Tip above), because that consumes system resources unnecessarily.
Note: For ransomware violations, of the 43 defined audit event types, Nasuni currently reports five: 4 (AUDIT_RENAME), 6 (AUDIT_READ), 7 (AUDIT_WRITE), 10 (AUDIT_MKNOD, new file), and 12 (AUDIT_UNLINK, delete file). The numbers are the zero-based positions in the Audit types list below. See Audit types.
Audit log files
When you enable file system auditing for a volume, auditing log files are written to the .nasuni\audit\<description>\<yyyymmdd> directory,
where <description> is the Nasuni Edge Appliance description and
<yyyymmdd> is the date (local time) of the log file.
Tip: To access the hidden .nasuni directory on an SMB share, you must be an administrative user (on the Nasuni Edge Appliance, see General Settings in the Configuration menu). The hidden directory must also be visible on the client machine; for example, in Windows, “Show hidden files, folders, and drives” must be enabled and “Hide protected operating system files” must be disabled. Alternatively, use the File System Browser to view the .nasuni directory and its contents: on the File System Browser page, select the volume, click the gear icon, then select “Show Hidden Files”.
Audit log format
Audit events appear in the following format:
timestamp(UTC), category, event type, path/from, new path/to, user, group, sid, share/export name, volume type, client IP, snapshot timestamp(UTC), shared link
where
timestamp(UTC): Epoch timestamp (+ hundredths of seconds) in UTC time.
category: Category of event, such as Security, Delete, or Rename.
event type: The type of the event.
path/from: The path of the target of the operation.
new path/to: Destination, such as what target was renamed to.
user: The user for the operation.
group: The group of the user for the operation.
sid: SID (CIFS only).
share/export name: All of the exports and shares that the user was connected to when the operation occurred.
volume type: The type of volume, such as CIFS or Internal.
client IP: The IP address used by the client.
snapshot timestamp(UTC): Not currently used.
shared link: For shared link events, the identifier for the shared link.
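The following parser is an added example, not Nasuni code, showing how to read audit log lines in the field order documented above and answer the first question in a ransomware investigation: which user, from which client IP, performed the mass renames. It assumes the fields are comma-separated with no embedded commas or quoting in paths, and that the timestamp is an epoch value with a fractional part; lines that do not have the documented 13 fields (such as a “Lost Events” marker, whose exact layout is not documented here) are returned separately rather than dropped silently. The sample log lines are constructed, not captured from an appliance.

```python
"""Parse Nasuni file-system audit log lines and triage them per actor.

Added example (not Nasuni code). Lines are split on commas in the field order
documented in the "Audit log format" section. Assumptions: comma-separated
fields with no embedded commas or quoting in paths, and an epoch timestamp
with a fractional part. SAMPLE_LOG below is constructed, not captured.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Field order from the "Audit log format" section.
FIELDS = [
    "timestamp_utc", "category", "event_type", "path_from", "new_path_to",
    "user", "group", "sid", "share_export_name", "volume_type", "client_ip",
    "snapshot_timestamp_utc", "shared_link",
]

# Constructed sample log: one user creates a file, mass-renames files to a
# ".locked" suffix and deletes another, plus an unrelated NFS chown by root.
SAMPLE_LOG = """\
1602179168.07,Create,Create File,/finance/q3.xlsx,,jdoe,Filer Users,S-1-5-21-944229690-3088317123-890066184-1104,finance,CIFS,10.254.249.104,,
1602179170.12,Rename,Rename,/finance/q3.xlsx,/finance/q3.xlsx.locked,jdoe,Filer Users,S-1-5-21-944229690-3088317123-890066184-1104,finance,CIFS,10.254.249.104,,
1602179170.55,Rename,Rename,/finance/q2.xlsx,/finance/q2.xlsx.locked,jdoe,Filer Users,S-1-5-21-944229690-3088317123-890066184-1104,finance,CIFS,10.254.249.104,,
1602179171.01,Delete,Delete File,/finance/README.txt,,jdoe,Filer Users,S-1-5-21-944229690-3088317123-890066184-1104,finance,CIFS,10.254.249.104,,
1602179200.00,Security,Change Owner,/hr/policy.docx,,root,root,,hr,NFS,10.254.249.20,,
"""


def parse_line(line):
    """Return a record dict for one audit line, or None if the line does not
    carry the documented 13 fields (e.g. a "Lost Events" marker)."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Epoch seconds (with fraction) in UTC, per the format description.
    rec["time"] = datetime.fromtimestamp(float(rec["timestamp_utc"]), tz=timezone.utc)
    return rec


def parse_log(text):
    """Parse a whole log file; returns (records, unparsed_lines)."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # keep the gap visible to the analyst
        else:
            records.append(rec)
    return records, unparsed


def summarize_by_actor(records):
    """Count event categories per (user, client IP)."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[(rec["user"], rec["client_ip"])][rec["category"]] += 1
    return summary


def rename_bursts(records, window_s=60.0, threshold=2):
    """Return {(user, client_ip): n} for actors with at least `threshold`
    Rename events inside any sliding window of `window_s` seconds. The
    threshold here is tiny for the sample; tune it to the volume's baseline."""
    times_by_actor = defaultdict(list)
    for rec in records:
        if rec["category"] == "Rename":
            times_by_actor[(rec["user"], rec["client_ip"])].append(rec["time"].timestamp())
    flagged = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[actor] = best
    return flagged


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    for actor, counts in summarize_by_actor(recs).items():
        print(actor, dict(counts))
    print("rename bursts:", rename_bursts(recs))
    print("unparsed lines:", skipped)
```

Because the Rename record carries both path/from and new path/to, the same records also let you build the reverse rename list needed to restore names after an attack; the per-actor summary is what you would pass to whoever revokes the offending account's share access.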
Common audit events
The following tables show commonly occurring audit events.
Change Owner (CHOWN)
Owner of a file or directory was changed.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Security |
event type | Change Owner |
path/from | Path to file or directory |
new path/to | Not used. |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Change Permissions (CHMOD)
Permissions of a file or directory were changed.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Security |
event type | Change Permissions |
path/from | Path to file or directory |
new path/to | Not used. |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Create File (MKNOD)
File or directory was created.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Create |
event type | Create File |
path/from | Path to new file or directory |
new path/to | Not used. |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Delete Directory (UNLINK)
Directory was deleted.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Delete |
event type | Delete Directory |
path/from | Path to directory |
new path/to | Not used. |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Delete File (UNLINK)
File was deleted.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Delete |
event type | Delete File |
path/from | Path to file |
new path/to | Not used. |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Rename (RENAME)
File or directory was renamed.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Rename |
event type | Rename |
path/from | Original path to file or directory |
new path/to | New path to file or directory |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Set ACL (Set ACL)
ACL was set.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Security |
event type | Set ACL |
path/from | Path to file |
new path/to | Not used. |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Set DOS Attribute (Set DOS Attribute)
DOS Attribute was set.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Security |
event type | Set DOS Attribute |
path/from | Path to file |
new path/to | Not used. |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Set Extended Attributes (SETXATTR)
Extended Attributes were set.
Field | Value |
---|---|
timestamp(UTC) | Timestamp (UTC time). |
category | Security/Metadata |
event type | Set Extended Attributes |
path/from | Path to file |
new path/to | Not used. |
user | User, such as root. |
group | Group of the user, such as root. |
sid | SID (CIFS only). |
share/export name | All of the exports and shares that the user was connected to when the operation occurred. |
volume type | Type of volume, such as CIFS or Internal. |
client IP | IP address used by client. |
snapshot timestamp(UTC) | Not used. |
shared link | Not used. |
Sample Audit output
The Auditing function emits this output when events are exported via Syslog, or via AMQP with the JSON format selected.
JSON output
The JSON output is a single object containing the following keys, each described in the table below:
to_gid, event_type, sequence, pid, groupname, result, uid, is_dir, size, timestamp, proto, ipaddr, ts, to, gid, filesize, to_uid, sid, tid, username, path_timestamp, datasync, volume, offset, path, newpath, shared_link_key, resource, name, length, flags, mode
Sample JSON output:
{
"to_gid": null,
"event_type": "AUDIT_UNLINK",
"sequence": 7,
"pid": 14551,
"groupname": "root",
"result": 0,
"uid": 0,
"is_dir": false,
"size": null,
"timestamp": 1602179168.0716472,
"proto": "AUDIT_PROTO_NFS",
"ipaddr": "",
"ts": null,
"to": null,
"gid": 0,
"filesize": null,
"to_uid": null,
"sid": "S-1-22-1-0",
"tid": 14551,
"username": "root",
"path_timestamp": 0.0,
"datasync": null,
"volume": "cc69f2d1-e83c-46dc-b2b4-0e20734d096b_2",
"offset": null,
"path": "/now/nfs_export/test.txt",
"newpath": null,
"shared_link_key": null,
"resource": "",
"name": null,
"length": null,
"flags": null,
"mode": null
}
Field | Type | Description |
---|---|---|
<to_gid> | gid_t | The gid that the file has been chowned to. |
<event_type> | enum audit_type | Type of operation being performed. |
<sequence> | uint64_t | Rotating incrementing uint64 that acts as an event id. |
<pid> | pid_t | The pid of the internal service serving the client. |
<groupname> | char | Name of group that the user belongs to. |
<result> | int | Result of the operation. |
<uid> | uid_t | User ID. |
<is_dir> | bool | Indicates if this is a directory. |
<size> | size_t | Argument to the called function. |
<timestamp> | timespec | Timestamp in UTC. |
<proto> | enum audit_protocol | The protocol used to access the resource. |
<ipaddr> | char | IP Address used by the client. |
<ts> | timespec | atime and mtime timestamps. |
<to> | char | Target of the link. |
<gid> | gid_t | Group ID. |
<filesize> | off_t | Size of file. |
<to_uid> | uid_t | The uid that the file has been chowned to. |
<sid> | char | Security Identifier of the user (CIFS only). |
<tid> | pid_t | Thread ID. |
<username> | char | Username of user who issued command. |
<path_timestamp> | timespec | Unused. |
<datasync> | int | Datasync (no metadata) if true or full fsync if false. |
<volume> | char | The GUID of the volume being operated on. |
<offset> | off_t | The offset from the start of the file that the read or write used. |
<path> | char | Path of the file or directory that triggered the event; starts at root. |
<newpath> | char | New path generated during rename or move events. |
<shared_link_key> | char | Unique identifier created when a shared link is created or available for the file. |
<resource> | char | Name of the share or export that the client used. |
<name> | char | Name of xattr being set. |
<length> | size_t | The client requested length of a read or write. |
<flags> | int | The O_ flags as specified in fcntl.h (can be considered constant but may expand in future). |
<mode> | mode_t | Set mode (mode_t). mode_t is the new mode or target mode for operations such as MKNOD, MKDIR, and CHMOD. |
Audit types
AUDIT_RESERVED = 0,
AUDIT_STARTUP,
AUDIT_LOST_EVENT,
AUDIT_TIMESTAMP,
AUDIT_RENAME,
AUDIT_CLOSE,
AUDIT_READ,
AUDIT_WRITE,
AUDIT_GETATTR,
AUDIT_READLINK,
AUDIT_MKNOD,
AUDIT_MKDIR,
AUDIT_UNLINK,
AUDIT_RMDIR,
AUDIT_SYMLINK,
AUDIT_LINK,
AUDIT_CHMOD,
AUDIT_CHOWN,
AUDIT_TRUNCATE,
AUDIT_OPEN,
AUDIT_OPENDIR,
AUDIT_FSYNC,
AUDIT_FLUSH,
AUDIT_RELEASE,
AUDIT_RELEASEDIR,
AUDIT_READDIR,
AUDIT_UTIMENS,
AUDIT_GETXATTR,
AUDIT_SETXATTR,
AUDIT_LISTXATTR,
AUDIT_REMOVEXATTR,
AUDIT_STATFS,
AUDIT_RESTORE,
AUDIT_SHARED_LINK_ACCESS,
AUDIT_SHARED_LINK_CREATE,
AUDIT_SHARED_LINK_MODIFY,
AUDIT_SHARED_LINK_DELETE,
AUDIT_SHARED_LINK_REGEN,
AUDIT_FAST_PUSH,
AUDIT_DATA_PUSH,
AUDIT_AV_VIOLATION,
AUDIT_AV_VIOLATION_IGNORE,
AUDIT_AV_VIOLATION_DELETE,
_AUDIT_MAX
Audit protocols
AUDIT_PROTO_RESERVED,
AUDIT_PROTO_UNKNOWN,
AUDIT_PROTO_ADMIN,
AUDIT_PROTO_CIFS,
AUDIT_PROTO_NFS,
AUDIT_PROTO_FTP
Example JSON responses
Event: Read Directory
{
"to_gid": null,
"event_type": "AUDIT_READDIR",
"sequence": 23,
"pid": 24198,
"groupname": "Filer Users",
"result": 0,
"uid": 5000,
"is_dir": true,
"size": null,
"timestamp": 1617656899.135072,
"proto": "AUDIT_PROTO_CIFS",
"ipaddr": "10.254.249.104",
"ts": null,
"to": null,
"gid": 5000,
"filesize": null,
"to_uid": null,
"sid": "S-1-5-21-944229690-3088317123-890066184-501",
"tid": 24198,
"username": "nasuni",
"path_timestamp": 0.0,
"datasync": null,
"volume": "ba8fb078-d0f6-4237-bda4-6645ec8bfbb3_3",
"offset": 512,
"path": "/",
"newpath": null,
"shared_link_key": null,
"resource": "test",
"name": null,
"length": null,
"flags": null,
"mode": null
}
Event: Setting Xattr
{
"to_gid": null,
"event_type": "AUDIT_SETXATTR",
"sequence": 25,
"pid": 24198,
"groupname": "Filer Users",
"result": 0,
"uid": 5000,
"is_dir": false,
"size": null,
"timestamp": 1617656899.2332652,
"proto": "AUDIT_PROTO_CIFS",
"ipaddr": "10.254.249.104",
"ts": null,
"to": null,
"gid": 5000,
"filesize": null,
"to_uid": null,
"sid": "S-1-5-21-944229690-3088317123-890066184-501",
"tid": 24198,
"username": "nasuni",
"path_timestamp": 0.0,
"datasync": null,
"volume": "ba8fb078-d0f6-4237-bda4-6645ec8bfbb3_3",
"offset": null,
"path": "/New Text Document.txt",
"newpath": null,
"shared_link_key": null,
"resource": "test",
"name": "user.DOSATTRIB",
"length": null,
"flags": null,
"mode": null
}
Event: Read Directory
{
"to_gid": null,
"event_type": "AUDIT_READDIR",
"sequence": 27,
"pid": 24198,
"groupname": "Filer Users",
"result": 0,
"uid": 5000,
"is_dir": true,
"size": null,
"timestamp": 1617656903.6419023,
"proto": "AUDIT_PROTO_CIFS",
"ipaddr": "10.254.249.104",
"ts": null,
"to": null,
"gid": 5000,
"filesize": null,
"to_uid": null,
"sid": "S-1-5-21-944229690-3088317123-890066184-501",
"tid": 24198,
"username": "nasuni",
"path_timestamp": 0.0,
"datasync": null,
"volume": "ba8fb078-d0f6-4237-bda4-6645ec8bfbb3_3",
"offset": 512,
"path": "/",
"newpath": null,
"shared_link_key": null,
"resource": "test",
"name": null,
"length": null,
"flags": null,
"mode": null
}
Event: Close
{
"to_gid": null,
"event_type": "AUDIT_CLOSE",
"sequence": 28,
"pid": 24198,
"groupname": "Filer Users",
"result": 0,
"uid": 5000,
"is_dir": false,
"size": null,
"timestamp": 1617656903.6878539,
"proto": "AUDIT_PROTO_CIFS",
"ipaddr": "10.254.249.104",
"ts": null,
"to": null,
"gid": 5000,
"filesize": 0,
"to_uid": null,
"sid": "S-1-5-21-944229690-3088317123-890066184-501",
"tid": 24198,
"username": "nasuni",
"path_timestamp": 0.0,
"datasync": null,
"volume": "ba8fb078-d0f6-4237-bda4-6645ec8bfbb3_3",
"offset": null,
"path": "/New Text Document.txt",
"newpath": null,
"shared_link_key": null,
"resource": "test",
"name": null,
"length": null,
"flags": 0,
"mode": null
}
Event: Rename
{
"to_gid": null,
"event_type": "AUDIT_RENAME",
"sequence": 29,
"pid": 24198,
"groupname": "Filer Users",
"result": 0,
"uid": 5000,
"is_dir": false,
"size": null,
"timestamp": 1617656903.74538,
"proto": "AUDIT_PROTO_CIFS",
"ipaddr": "10.254.249.104",
"ts": null,
"to": null,
"gid": 5000,
"filesize": null,
"to_uid": null,
"sid": "S-1-5-21-944229690-3088317123-890066184-501",
"tid": 24198,
"username": "nasuni",
"path_timestamp": 0.0,
"datasync": null,
"volume": "ba8fb078-d0f6-4237-bda4-6645ec8bfbb3_3",
"offset": null,
"path": "/New Text Document.txt",
"newpath": "/file1.txt",
"shared_link_key": null,
"resource": "test",
"name": null,
"length": null,
"flags": null,
"mode": null
}
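The following consumer is an added example, not Nasuni code, showing how a SIEM-side script would handle the JSON events above: it maps each event_type to its numeric position in the Audit types list (so the ransomware note's 4, 6, 7, 10, 12 can be checked against the enum), converts the epoch timestamp to UTC, surfaces AUDIT_LOST_EVENT records as coverage gaps, separates failed operations, and counts the five ransomware-relevant types per (username, ipaddr). It assumes events arrive one JSON object per line, and that a result of 0 means success and any other value a failure (the page only documents result as “Result of the operation”). The Rename event is the page's own sample; the other events are constructed and trimmed to the keys the script reads.

```python
"""Triage Nasuni JSON audit events received over Syslog or AMQP.

Added example (not Nasuni code). Assumptions: one JSON object per line;
result == 0 means success, anything else a failure. The Rename event in
SAMPLE_EVENTS is the documented sample; the rest are constructed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Copied in order from the "Audit types" list; the list index is the enum value.
AUDIT_TYPES = [
    "AUDIT_RESERVED", "AUDIT_STARTUP", "AUDIT_LOST_EVENT", "AUDIT_TIMESTAMP",
    "AUDIT_RENAME", "AUDIT_CLOSE", "AUDIT_READ", "AUDIT_WRITE", "AUDIT_GETATTR",
    "AUDIT_READLINK", "AUDIT_MKNOD", "AUDIT_MKDIR", "AUDIT_UNLINK", "AUDIT_RMDIR",
    "AUDIT_SYMLINK", "AUDIT_LINK", "AUDIT_CHMOD", "AUDIT_CHOWN", "AUDIT_TRUNCATE",
    "AUDIT_OPEN", "AUDIT_OPENDIR", "AUDIT_FSYNC", "AUDIT_FLUSH", "AUDIT_RELEASE",
    "AUDIT_RELEASEDIR", "AUDIT_READDIR", "AUDIT_UTIMENS", "AUDIT_GETXATTR",
    "AUDIT_SETXATTR", "AUDIT_LISTXATTR", "AUDIT_REMOVEXATTR", "AUDIT_STATFS",
    "AUDIT_RESTORE", "AUDIT_SHARED_LINK_ACCESS", "AUDIT_SHARED_LINK_CREATE",
    "AUDIT_SHARED_LINK_MODIFY", "AUDIT_SHARED_LINK_DELETE", "AUDIT_SHARED_LINK_REGEN",
    "AUDIT_FAST_PUSH", "AUDIT_DATA_PUSH", "AUDIT_AV_VIOLATION",
    "AUDIT_AV_VIOLATION_IGNORE", "AUDIT_AV_VIOLATION_DELETE",
]
AUDIT_MAX = len(AUDIT_TYPES)  # equals _AUDIT_MAX (43)

# The five types the ransomware note says are reported: indexes 4, 6, 7, 10, 12.
RANSOMWARE_TYPES = {"AUDIT_RENAME", "AUDIT_READ", "AUDIT_WRITE", "AUDIT_MKNOD", "AUDIT_UNLINK"}

# Constructed newline-delimited sample (first event is the documented Rename).
SAMPLE_EVENTS = """\
{"event_type": "AUDIT_RENAME", "sequence": 29, "result": 0, "uid": 5000, "timestamp": 1617656903.74538, "proto": "AUDIT_PROTO_CIFS", "ipaddr": "10.254.249.104", "username": "nasuni", "path": "/New Text Document.txt", "newpath": "/file1.txt", "resource": "test"}
{"event_type": "AUDIT_LOST_EVENT", "sequence": 30, "result": 0, "uid": 0, "timestamp": 1617656904.0, "proto": "AUDIT_PROTO_UNKNOWN", "ipaddr": "", "username": null, "path": null, "newpath": null, "resource": ""}
{"event_type": "AUDIT_UNLINK", "sequence": 31, "result": 0, "uid": 5000, "timestamp": 1617656905.1, "proto": "AUDIT_PROTO_CIFS", "ipaddr": "10.254.249.104", "username": "nasuni", "path": "/file1.txt", "newpath": null, "resource": "test"}
{"event_type": "AUDIT_WRITE", "sequence": 32, "result": -13, "uid": 5000, "timestamp": 1617656906.2, "proto": "AUDIT_PROTO_CIFS", "ipaddr": "10.254.249.104", "username": "nasuni", "path": "/budget.xlsx", "newpath": null, "resource": "test"}
{"event_type": "AUDIT_READDIR", "sequence": 33, "result": 0, "uid": 5000, "timestamp": 1617656907.3, "proto": "AUDIT_PROTO_CIFS", "ipaddr": "10.254.249.104", "username": "nasuni", "path": "/", "newpath": null, "resource": "test"}
"""


def audit_type_index(name):
    """Numeric enum value of an audit type, e.g. AUDIT_UNLINK -> 12."""
    return AUDIT_TYPES.index(name)


def parse_event(raw):
    """Decode one JSON event and attach the enum index and a UTC datetime."""
    ev = json.loads(raw)
    ev["type_index"] = audit_type_index(ev["event_type"])
    ev["utc"] = datetime.fromtimestamp(ev["timestamp"], tz=timezone.utc)
    return ev


def load_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Summarize a batch: coverage gaps, failed operations (assumed: result
    != 0), and ransomware-relevant operations counted per actor."""
    lost = [ev["sequence"] for ev in events if ev["event_type"] == "AUDIT_LOST_EVENT"]
    failed = [ev["sequence"] for ev in events if ev["result"] != 0]
    by_actor = defaultdict(Counter)
    for ev in events:
        if ev["event_type"] in RANSOMWARE_TYPES:
            by_actor[(ev["username"], ev["ipaddr"])][ev["event_type"]] += 1
    return {"lost_events": lost, "failed": failed, "by_actor": dict(by_actor)}


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for ev in events:
        print(ev["sequence"], ev["utc"].isoformat(), ev["type_index"], ev["event_type"])
    print(triage(events))
```

In production the by_actor counts would be evaluated per time window (a single Rename is normal; hundreds per minute from one SID and client IP are not), and any lost_events entry in the same window should widen the restore scope, since the operations that were dropped are unknown.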
Copyright © 2010-2024 Nasuni Corporation. All rights reserved.