6.0 Common Event Format (CEF)

With OES 2018 SP2 or later, the Storage Services Auditing Client Logger (VLOG) supports output in Common Event Format. This output can be integrated with third-party auditing software that supports CEF.

The following table displays the CEF key names and their description.

Table 6-1 CEF Key Names with Description

CEF Key Name                  Description
----------------------------- --------------------------------------------------
deviceCustomDate2             Access time of the file
not mapping                   Application registered for events
sourceProcessName             Users who are registered for the application
deviceCustomNumber1           File close with flags such as delete on close
destinationProcessName        Name of the process that accessed the file
deviceCustomNumber3           File access protocol connection ID
deviceCustomNumber2           File creation or open mode/flags
fileCreateTime                Time when the file was created, or the creation time reported by the protocols
filePermission                Access rights requested by the protocols to open a file, or the file permission for the rename flags or rights permission request for the file
destinationUserName           User's FQDN
deviceEventClassId, name      Actual file operation event from NSS, NCP, CIFS, and VIGIL (vigil events)
deviceCustomNumber4           File handle state during the file close (such as modify, snapshot, and so on)
deviceCustomNumber1           Flag indicating that the file is deleted on close
fileSize                      Size of the file
fileType                      Type of the file, such as data stream or socket
deviceCustomString2           Linux file system user ID
deviceCustomString1           Linux file system user name
deviceCustomDate2             Last accessed time of a file through NCP
fileModificationTime          Time when the file was last modified through NCP
filePath                      Full path to the file, NSS file path, or data target of the file; for a rename, the destination path of the file
fileModificationTime          Data modified time or deleted time of a file
deviceCustomString5           File modifier GUID
deviceCustomString6           File modifier DN
message                       Mask of the file modification
sourceAddress                 IP address of the file access client
eventOutcome                  Operation return status or data status output
deviceCustomString3           File owner GUID
deviceCustomString4           File owner DN
deviceProcessId               PID of the process that performs the operation
deviceCustomNumber2           File Sgid's GUID
flexString2                   File Sgid name or file Sgid (folder) name
deviceCustomNumber3           File Suid's GUID
flexString1                   File Suid name or file Suid (folder) name
flexNumber1                   File TaskID's GUID
deviceReceiptTime             Time at which the event occurred
deviceEventCategory           Data type or application type (NSS info only)
sourceUserId                  File UID's GUID
sourceUserName                File UID name or file UID (folder) name
destinationUserName           File user DN
destinationUserId             Data userid suid of suid
fileId                        Data ZID ID of the file
flexNumber2                   File key's GUID
oldFilePath                   Data source path of the old file
filePath                      Data target path of the file
oldFilePermission             Old access rights for the file

The following CEF key names are OES-specific attributes and are therefore prefixed with OES.

CEF Key Name                  Description
----------------------------- --------------------------------------------------
OESEgid                       Linux effective group ID
OESEgidName                   Linux effective group name
OESEuid                       Linux effective user ID
OESEuidName                   Linux effective user name
OESFileAttributes             File attributes such as archive, hidden, and system during open, close, and modify
OESFileAttributesModMask      Mask of the file attributes being modified
OESParentFileId               ZID of the parent file (folder)
OESFileHandle                 Virtual file handle of the opened file
OESRetOpenCreateAction        Operation return status for file create
OESSearchAttributes           File (folder) search attributes
OESMetaDataModified           Metadata modification time of the file
OESFileNameType               Name format: Long, UNIX, or DOS
OESVolumeDn                   FQDN of the data volume
OESVolumeId                   Data volume ID of the device
OESVigilRecNo                 VIGIL record number of the file
OESvlogRecNo                  VLOG record number of the file
OESFsgid                      Linux file system group ID
OESFsgid_Name                 Linux file system group name
OESFsguid_Name                Linux file system group name
OESGid                        Linux group ID
OESGidName                    Linux group name
OESPurgedFileFlag             OES-specific attributes
OESFileExectueType            File execute type
OESElementType                Element type
OESPrimaryNameSpaceID         Namespace used when the file was created
OESFinderInfo                 Macintosh FInfo data (as stored and retrieved for Macintosh files)
OESProDOSInfo                 Macintosh ProDOS info: a 2-byte file type and a 4-byte aux type for ProDOS workstations
OESFiller                     Unused
OESDirRightsMask              Unused
OESFMode                      UNIX file permission / access modes
OESRdev                       UNIX root device
OESMyFlags                    UNIX NS-specific flag
OESNfsUID                     UNIX NS-specific flag
OESNfsGID                     UNIX NS-specific flag
OESNwUID                      UNIX NS-specific flag
OESNwGID                      UNIX NS-specific flag
OESNwEveryone                 UNIX NS-specific flag
OESNwUIDRights                UNIX NS-specific flag
OESNwGIDRights                UNIX NS-specific flag
OESNwEveryoneRights           UNIX NS-specific flag
OESAcsFlags                   UNIX NS-specific flag
OESFirstCreated               UNIX NS-specific flag
OESVariableSize               Additional data space size
OESVariableData               Additional data space
OESExtAttrUserFlags           An arbitrary value set by the user. This field applies only to extended attributes and has no particular significance to the file system
OESPoolFeaturesEnabled        Enabled pool features
OESVolFeaturesEnableModMask   Bit mask that defines which bits in the volume features are to be set and/or cleared
OESVolNdsObjectId             eDirectory volume object GUID
OESVolNdsObjectIdDn           eDirectory volume object DN
OESVolSalvageMaxKeepSeconds   Number of seconds a file must remain in a salvageable state before the file system is allowed to purge it automatically (if free space is needed)
OESVolSalvageLowWaterMark     Low water mark percentage for the volume
OESVolSalvageHighWaterMark    High water mark percentage for the volume
OESPoolFeaturesEnableModMask  Bit mask that defines which bits in the pool features are to be set and/or cleared
OESPoolNdsObjectId            Pool eDirectory object ID
OESVolDataShreddingCount      Volume data shredding count
OESVolTotalSpaceQuota         Volume total space quota
OESDirQuota                   Quota information for a directory
OESReadAheadBlocks            Read-ahead blocks
OESNumOfTrustees              Number of trustees being modified
OESMetaDataModifier           Metadata modifier GUID
OESMetaDataModifierDn         Metadata modifier DN
OESArchived                   Archived time
OESLinkFlags                  Link flags
OESCreateAndOpen              Create and open flag
OESCreateFlags                Specifies the action to take if the file object being created already exists
OESDesiredAccessRights        Desired access rights
OESNSSFileAttributes          Bit mask that identifies the file attributes to be associated with the newly created file
OESfilePermission             Bit mask that defines which bits in the file attributes are to be set and/or cleared
OESLinuxPosixFileHandle       Linux POSIX file handle
OESParentZid                  ZID of the parent that was used to open the file
OESRenameFlags                Bit mask that identifies the modes of the rename function
OESRequestedRights            Rights requested for this instance
OESSuid                       SUID
OESSuidName                   SUID name
OESPmdNcpTaskID               NCP task ID
OESUid                        Linux UID
OESUidName                    Linux user name
OESUserDN                     DN of the user performing the operation
OESUserID                     GUID of the user performing the operation