With OES 2018 SP2 or later, the Storage Services Auditing Client Logger (VLOG) supports output in Common Event Format. This output can be integrated with third-party auditing software that supports CEF.
The following table lists the CEF key names and their descriptions.

Table 6-1 CEF Key Names with Description

| CEF Key Name | Description |
|---|---|
| deviceCustomDate2 | Access time of the file |
| not mapping | Application registered for events |
| sourceProcessName | Users who are registered for the application |
| deviceCustomNumber1 | File close with flags such as delete on close |
| destinationProcessName | Name of the process that accesses the file |
| deviceCustomNumber3 | File access protocol connection ID |
| deviceCustomNumber2 | File creation or open mode/flags |
| fileCreateTime | Time when the file was created, or the creation time reported by the protocol |
| filePermission | Access rights requested by a protocol to open the file, the file permissions for a rename, or the rights requested for the file |
| destinationUserName | User's FQDN |
| deviceEventClassId, name | Actual file operation event from NSS, NCP, CIFS, and VIGIL (vigil events) |
| deviceCustomNumber4 | File handle state during the file close (such as modify, snapshot, and so on) |
| deviceCustomNumber1 | Flag indicating that the file is deleted on close |
| fileSize | Size of the file |
| fileType | Type of the file, such as data stream or socket |
| deviceCustomString2 | Linux file system user ID |
| deviceCustomString1 | Linux file system user name |
| deviceCustomDate2 | Last accessed time of a file through NCP |
| fileModificationTime | Time when the file was last modified through NCP |
| filePath | Full path to the file, NSS file path, data target of the file, or destination path of the file for a rename |
| fileModificationTime | Data modified time or deleted time of a file |
| deviceCustomString5 | File modifier GUID |
| deviceCustomString6 | File modifier DN |
| message | Modifying the file mask |
| sourceAddress | File access client IP address |
| eventOutcome | Operation return status or data status output |
| deviceCustomString3 | File owner GUID |
| deviceCustomString4 | File owner DN |
| deviceProcessId | PID of the process that performs the operation |
| deviceCustomNumber2 | File Sgid's GUID |
| flexString2 | File Sgid name or file Sgid (folder) name |
| deviceCustomNumber3 | File Suid's GUID |
| flexString1 | File Suid name or file Suid (folder) name |
| flexNumber1 | File TaskID's GUID |
| deviceReceiptTime | Time when the event occurred |
| deviceEventCategory (only NSS info) | Data type or application type |
| sourceUserId | File UID's GUID |
| sourceUserName | File UID name or file UID (folder) name |
| destinationUserName | File user DN |
| destinationUserId | Data user ID (SUID) |
| fileId | Data ZID of the file |
| flexNumber2 | File key's GUID |
| oldFilePath | Data source path of the old file |
| filePath | Data target path of the file |
| oldFilePermission | Old access rights for the file |

The following CEF key names are OES-specific attributes and are therefore prefixed with OES.

| CEF Key Name | Description |
|---|---|
| OESEgid | Linux effective group ID |
| OESEgidName | Linux effective group name |
| OESEuid | Linux effective user ID |
| OESEuidName | Linux effective user name |
| OESFileAttributes | File attributes such as archive, hidden, and system during open, close, and modify |
| OESFileAttributesModMask | Mask of the file attributes being modified |
| OESParentFileId | Parent file (folder) ZID |
| OESFileHandle | Virtual file handle for the opened file |
| OESRetOpenCreateAction | Operation return status for file create |
| OESSearchAttributes | File (folder) search attributes |
| OESMetaDataModified | Metadata modified time of a file |
| OESFileNameType | Name format: Long, UNIX, or DOS |
| OESVolumeDn | FQDN of the data volume |
| OESVolumeId | Data volume ID of the device |
| OESVigilRecNo | Vigil record number of the file |
| OESvlogRecNo | VLOG record number of the file |
| OESFsgid | Linux file system group ID |
| OESFsgid_Name | Linux file system group name |
| OESFsguid_Name | Linux file system group name |
| OESGid | Linux group ID |
| OESGidName | Linux group name |
| OESPurgedFileFlag | OES-specific attributes |
| OESFileExectueType | File execute type |
| OESElementType | Element type |
| OESPrimaryNameSpaceID | Namespace used when the file was created |
| OESFinderInfo | Macintosh FInfo data (as stored and retrieved for Macintosh files) |
| OESProDOSInfo | Macintosh ProDOSInfo as a 2-byte file type and 4-byte aux type for ProDOS workstations |
| OESFiller | Unused |
| OESDirRightsMask | Unused |
| OESFMode | UNIX file permission / access modes |
| OESRdev | UNIX root device |
| OESMyFlags | UNIX NS-specific flag |
| OESNfsUID | UNIX NS-specific flag |
| OESNfsGID | UNIX NS-specific flag |
| OESNwUID | UNIX NS-specific flag |
| OESNwGID | UNIX NS-specific flag |
| OESNwEveryone | UNIX NS-specific flag |
| OESNwUIDRights | UNIX NS-specific flag |
| OESNwGIDRights | UNIX NS-specific flag |
| OESNwEveryoneRights | UNIX NS-specific flag |
| OESAcsFlags | UNIX NS-specific flag |
| OESFirstCreated | UNIX NS-specific flag |
| OESVariableSize | Additional data space size |
| OESVariableData | Additional data space |
| OESExtAttrUserFlags | An arbitrary value set by the user. This field applies only to extended attributes and has no particular significance to the file system |
| OESPoolFeaturesEnabled | Enabled pool features |
| OESVolFeaturesEnableModMask | Bit mask that defines which bits in the volume features are to be set and/or cleared |
| OESVolNdsObjectId | eDirectory volume object GUID |
| OESVolNdsObjectIdDn | eDirectory volume object DN |
| OESVolSalvageMaxKeepSeconds | The number of seconds a file must remain in a salvageable state before the file system is allowed to automatically purge the file (if free space is needed) |
| OESVolSalvageLowWaterMark | Low water mark percentage for the volume |
| OESVolSalvageHighWaterMark | High water mark percentage for the volume |
| OESPoolFeaturesEnableModMask | Bit mask that defines which bits in the pool features are to be set and/or cleared |
| OESPoolNdsObjectId | Pool eDirectory object ID |
| OESVolDataShreddingCount | Volume data shredding count |
| OESVolTotalSpaceQuota | Volume total space quota |
| OESDirQuota | Quota information for a directory |
| OESReadAheadBlocks | Read-ahead blocks |
| OESNumOfTrustees | Number of trustees being modified |
| OESMetaDataModifier | Metadata modifier GUID |
| OESMetaDataModifierDn | Metadata modifier DN |
| OESArchived | Archived time |
| OESLinkFlags | Link flags |
| OESCreateAndOpen | Create and open flag |
| OESCreateFlags | Specifies the actions to take if the file object being created already exists |
| OESDesiredAccessRights | Desired access rights |
| OESNSSFileAttributes | Bit mask that identifies the file attributes to be associated with the newly created file |
| OESfilePermission | Bit mask that defines which bits in the file attributes are to be set and/or cleared |
| OESLinuxPosixFileHandle | Linux POSIX file handle |
| OESParentZid | ZID of the parent that was used to open the file |
| OESRenameFlags | Bit mask that identifies the various modes of the rename function |
| OESRequestedRights | Rights requested for this instance |
| OESSuid | SUID |
| OESSuidName | SUID name |
| OESPmdNcpTaskID | NCP task ID |
| OESUid | Linux UID |
| OESUidName | Linux user name |
| OESUserDN | DN of the user performing the operation |
| OESUserID | GUID of the user performing the operation |
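A SIEM or collector that ingests VLOG CEF output has to split the seven pipe-delimited header fields, then split the extension into key=value pairs while honouring the CEF escapes (`\|` and `\\` in the header; `\=`, `\\`, `\n` and `\r` in extension values). The parser below is an added example, not code from OES or the VLOG component, and it is key-agnostic, so it handles the standard keys and the OES-prefixed keys from the tables alike. The sample event line is constructed for the example: the vendor, product, version, event class ID and all values are placeholders, and the keys are written with the long names used in the tables above (whether VLOG emits the long names or the CEF short forms such as `rt` for `deviceReceiptTime` is not stated on this page, so the parser does not depend on it). The `CUSTOM_KEY_LABELS` map, which gives the generic `deviceCustom*` keys readable names, is built from Table 6-1 and covers only the keys whose meaning the table gives unambiguously.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header fields in the order CEF lays them out after the "CEF:" prefix.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# Readable names for the generic deviceCustom* keys, taken from Table 6-1.
# deviceCustomNumber1-3 and deviceCustomDate2 carry different meanings depending
# on the event type, so they are deliberately left unmapped.
CUSTOM_KEY_LABELS = {
    "deviceCustomString1": "linux_fs_user_name",
    "deviceCustomString2": "linux_fs_user_id",
    "deviceCustomString3": "file_owner_guid",
    "deviceCustomString4": "file_owner_dn",
    "deviceCustomString5": "file_modifier_guid",
    "deviceCustomString6": "file_modifier_dn",
    "deviceCustomNumber4": "file_handle_state_on_close",
}

# Constructed sample line (hypothetical vendor/product/version/values, not real output).
SAMPLE_LINE = (
    "CEF:0|PLACEHOLDER_VENDOR|PLACEHOLDER_PRODUCT|0.0|FileOpen|File open|3|"
    "deviceReceiptTime=1700000000000 filePath=/media/nss/VOL1/docs/q3\\=final.txt "
    "sourceAddress=192.0.2.10 deviceProcessId=4242 eventOutcome=0 "
    "deviceCustomString3=0123abcd-0000-0000-0000-000000000000 "
    "deviceCustomString4=cn\\=alice,ou\\=users,o\\=example "
    "OESVolumeDn=cn\\=VOL1,o\\=example OESFileHandle=77 message=open\\nmask"
)


@dataclass
class CefEvent:
    header: Dict[str, str]
    extension: Dict[str, str]


def _split_header(line: str) -> Tuple[List[str], str]:
    """Return the 7 header fields and the raw extension, honouring \\| and \\\\ escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped pipe or backslash in a header field
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields, line[i:]


_ESCAPES = {"n": "\n", "r": "\r"}          # \= and \\ fall through to the literal character


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


# A new pair starts at a space followed by a key and an unescaped '='. Because
# '=' inside values must be escaped as '\=', the lookahead cannot fire inside a value.
_PAIR_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")


def _parse_extension(ext: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    ext = ext.strip()
    if not ext:
        return out
    for chunk in _PAIR_SPLIT.split(ext):
        key, sep, value = chunk.partition("=")
        if not sep:
            raise ValueError(f"extension token without '=': {chunk!r}")
        out[key] = _unescape(value)
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF line into header fields and unescaped extension pairs."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: missing 'CEF:' prefix")
    fields[0] = fields[0][len("CEF:"):]
    return CefEvent(header=dict(zip(HEADER_FIELDS, fields)), extension=_parse_extension(ext))


def label_custom_keys(extension: Dict[str, str]) -> Dict[str, str]:
    """Rename the unambiguous deviceCustom* keys using the table-derived labels."""
    return {CUSTOM_KEY_LABELS.get(k, k): v for k, v in extension.items()}


if __name__ == "__main__":
    event = parse_cef(SAMPLE_LINE)
    print(event.header)
    for k, v in label_custom_keys(event.extension).items():
        print(f"{k} = {v!r}")
```

The header scanner stops after the seventh pipe, so a `|` inside an extension value needs no escaping, exactly as CEF specifies; the extension splitter relies on `=` being escaped inside values, which is why `filePath` and the DN-valued keys in the sample carry `\=`. Any OES-prefixed key falls through untouched, so new keys added by a later release do not break ingestion.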