With OES 2018 SP2 or later, the Storage Services Auditing Client Logger (VLOG) supports output in Common Event Format. This output can be integrated with third-party auditing software that supports CEF.
The following table lists the CEF key names and their descriptions.
Table 7-1 CEF Key Names with Description
| CEF Key Name | Description |
|---|---|
| deviceCustomDate2 | Access time of the file |
| not mapping | Application registered for events |
| sourceProcessName | Users who are registered for the application |
| deviceCustomNumber1 | File close with flags such as delete on close |
| destinationProcessName | Name of the process that accesses the file |
| deviceCustomNumber3 | File access protocol connection ID |
| DeviceCustomNumber2 | File creation or open mode/flags |
| fileCreateTime | Time when the file was created, or the creation time reported by protocols |
| filePermission | Access rights requested by protocols to open a file, file permission for the rename flags, or rights permission requested for the file |
| destinationUserName | User's FQDN |
| deviceEventClassId, name | Actual file operation event from NSS, NCP, CIFS, and VIGIL (vigil events) |
| deviceCustomeNumber4 | File handle state during the file close (such as modify, snapshot, and so on) |
| deviceCustomNumber1 | Flag indicating that the file is deleted on close |
| fileSize | Size of the file |
| fileType | Type of the file, such as data stream or socket |
| deviceCustomString2 | Linux file system user ID |
| deviceCustomString1 | Linux file system user name |
| deviceCustomDate2 | Last access time of a file through NCP |
| fileModificationTime | Time when the file was last modified through NCP |
| filePath | Full path to the file, NSS file path, data target of the file, or destination path of the file for a rename |
| fileModificationTime | Data modification time or deletion time of a file |
| deviceCustomString5 | File modifier GUID |
| deviceCustomString6 | File modifier DN |
| message | File modification mask |
| sourceAddress | IP address of the file access client |
| eventOutcome | Operation return status or data status output |
| deviceCustomString3 | File owner GUID |
| deviceCustomString4 | File owner DN |
| deviceProcessId | PID of the process that performs the operation |
| DeviceCustomNumber2 | File Sgid's GUID |
| flexString2 | File Sgid name or file Sgid (folder) name |
| deviceCustomNumber3 | File Suid's GUID |
| flexString1 | File Suid name or file Suid (folder) name |
| flexnumber1 | File TaskID's GUID |
| deviceReceiptTime | Time the event occurred |
| deviceEventCategory (only NSS info) | Data type or application type |
| sourceUserId | File UID's GUID |
| sourceUserName | File UID name or file UID (folder) name |
| destinationUserName | File user DN |
| destinationUserId | Data userid suid of suid |
| fileId | Data ZID of the file |
| flexnumber2 | File key's GUID |
| oldFilePath | Data source path of the old file |
| filePath | Data target path of the file |
| oldFilePermission | Old access rights for the file |
The following CEF key names are OES-specific attributes and are therefore prefixed with OES.

| CEF Key Name | Description |
|---|---|
| OESEgid | Linux effective group ID |
| OESEgidName | Linux effective group name |
| OESEuid | Linux effective user ID |
| OESEuidName | Linux effective user name |
| OESFileAttributes | File attributes such as archive, hidden, and system during open, close, and modify |
| OESFileAttributesModMask | Mask of the file attributes being modified |
| OESParentFileId | Parent file (folder) ZID |
| OESFileHandle | Virtual file handle of the opened file |
| OESRetOpenCreateAction | Operation return status for file create |
| OESSearchAttributes | File search (folder) attributes |
| OESMetaDataModified | Metadata modification time of a file |
| OESFileNameType | The name formats are Long, UNIX, and DOS |
| OESVolumeDn | FQDN of the data volume |
| OESVolumeId | Data volume ID of the device |
| OESVigilRecNo | Vigil record number (ID) of the file |
| OESvlogRecNo | VLOG record number (ID) of the file |
| OESFsgid | Linux file system group ID |
| OESFsgid_Name | Linux file system group name |
| OESFsguid_Name | Linux file system group name |
| OESGid | Linux group ID |
| OESGidName | Linux group name |
| OESPurgedFileFlag | OES-specific attribute |
| OESFileExectueType | File execute type |
| OESElementType | Element type |
| OESPrimaryNameSpaceID | Namespace used when the file was created |
| OESFinderInfo | Macintosh FInfo data (as stored and retrieved for Macintosh files) |
| OESProDOSInfo | Macintosh proDOSInfo, as a 2-byte file type and 4-byte aux type for ProDOS workstations |
| OESFiller | Unused |
| OESDirRightsMask | Unused |
| OESFMode | UNIX file permission / access modes |
| OESRdev | UNIX root device |
| OESMyFlags | UNIX NS specific flag |
| OESNfsUID | UNIX NS specific flag |
| OESNfsGID | UNIX NS specific flag |
| OESNwUID | UNIX NS specific flag |
| OESNwGID | UNIX NS specific flag |
| OESNwEveryone | UNIX NS specific flag |
| OESNwUIDRights | UNIX NS specific flag |
| OESNwGIDRights | UNIX NS specific flag |
| OESNwEveryoneRights | UNIX NS specific flag |
| OESAcsFlags | UNIX NS specific flag |
| OESFirstCreated | UNIX NS specific flag |
| OESVariableSize | Additional data space size |
| OESVariableData | Additional data space |
| OESExtAttrUserFlags | An arbitrary value that is set by the user. This field only applies to extended attributes and has no particular significance to the file system |
| OESPoolFeaturesEnabled | Enabled pool features |
| OESVolFeaturesEnableModMask | Bit mask that defines which bits in the volume features are to be set and/or cleared |
| OESVolNdsObjectId | eDirectory volume object GUID |
| OESVolNdsObjectIdDn | eDirectory volume object DN |
| OESVolSalvageMaxKeepSeconds | The number of seconds a file must remain in a salvageable state before the file system is allowed to automatically purge the file (if free space is needed) |
| OESVolSalvageLowWaterMark | Low water mark percentage for the volume |
| OESVolSalvageHighWaterMark | High water mark percentage for the volume |
| OESPoolFeaturesEnableModMask | Bit mask that defines which bits in the pool features are to be set and/or cleared |
| OESPoolNdsObjectId | Pool eDirectory object ID |
| OESVolDataShreddingCount | Volume data shredding count |
| OESVolTotalSpaceQuota | Volume total space quota |
| OESDirQuota | Quota information for a directory |
| OESReadAheadBlocks | Read-ahead blocks |
| OESNumOfTrustees | Number of trustees being modified |
| OESMetaDataModifier | Metadata modifier GUID |
| OESMetaDataModifierDn | Metadata modifier DN |
| OESArchived | Archived time |
| OESLinkFlags | Link flags |
| OESCreateAndOpen | Create and open flag |
| OESCreateFlags | Specifies the actions to take if the file object being created already exists |
| OESDesiredAccessRights | Desired access rights |
| OESNSSFileAttributes | Specifies a bit mask that identifies specific file attributes to be associated with the newly created file |
| OESfilePermission | Bit mask that defines which bits in the fileAttributes are to be set and/or cleared |
| OESLinuxPosixFileHandle | Linux POSIX file handle |
| OESParentZid | ZID of the parent that was used to open the file |
| OESRenameFlags | Bit mask that identifies various modes of the rename function |
| OESRequestedRights | Rights that are requested for this instance |
| OESSuid | SUID |
| OESSuidName | SUID name |
| OESPmdNcpTaskID | NCP task ID |
| OESUid | Linux UID |
| OESUidName | Linux user name |
| OESUserDN | DN of the user performing the operation |
| OESUserID | GUID of the user performing the operation |
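As an added example (not code from the OES documentation or from VLOG itself), the following Python parser splits a CEF record into its header and extension, honouring the CEF escape rules, and separates the OES-prefixed keys from the standard ones so a collector can route them separately. The sample record and its header values (vendor, product, version, signature ID) are constructed placeholders, not actual VLOG output; the extension keys are taken from the tables above.

```python
import re

# The first seven pipe-delimited fields are the CEF header; the table's
# deviceEventClassId and name travel there as Signature ID and Name.
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "device_event_class_id", "name", "severity")
# A key is a run of key characters followed by '='; an escaped '\=' inside a
# value cannot match because '\' is not in the character class.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def split_header(line):
    """Split on unescaped '|' (the header escapes are '\\|' and '\\\\')."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):       # escaped character
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    return fields, line[i:]                         # remainder is the extension

def unescape(value):
    """Undo the extension escapes '\\=' and '\\\\' plus the '\\n' / '\\r' newline encodings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_extension(ext):
    """Parse 'key=value ...' where values may contain spaces but not a bare '='."""
    hits = list(KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m[1]] = unescape(ext[m.end():end]).strip()
    return out

def parse_cef(line):
    """Return the header fields plus an 'extension' dict; raise on non-CEF input."""
    header, ext = split_header(line.rstrip("\r\n"))
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec = dict(zip(HEADER_FIELDS, header))
    rec["version"] = rec["version"][len("CEF:"):]
    rec["extension"] = parse_extension(ext)
    return rec

def oes_keys(rec):
    """Return only the OES-specific extension keys, i.e. those prefixed with OES."""
    return {k: v for k, v in rec["extension"].items() if k.startswith("OES")}

SAMPLE = (  # constructed sample, not real VLOG output; header values are placeholders
    "CEF:0|OES|VLOG|2018.2|FileOpen|File open|3|"
    "filePath=/media/nss/VOL1/data/report q4.xlsx sourceAddress=192.0.2.10 "
    "destinationUserName=cn\\=alice,o\\=example deviceCustomDate2=Jan 05 2024 10:15:00 "
    "OESUserDN=cn\\=alice,o\\=example OESVolumeDn=VOL1.example filePermission=rw\n")
```

Values such as the DN in `destinationUserName` arrive with `\=` escapes that must be undone before the value is compared against directory data, which is why `unescape` runs on every extension value.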