With OES 2018 SP2, the Storage Services Auditing Client Logger (VLOG) supports output in Common Event Format. This output can be integrated with third-party auditing software that supports CEF.
The following table displays the CEF key names and their description.
Table 6-1 CEF Key Names with Description
| CEF Key Name | Description |
|---|---|
| deviceCustomDate2, deviceCustomDate2Label | Access time of the file |
| not mapping | Application registered for events |
| sourceProcessName | Users who are registered for the application |
| deviceCustomNumber1 | File close with flags such as delete on close |
| destinationProcessName | Name of the process that accessed the file |
| deviceCustomNumber3 | File access protocol connection ID |
| deviceCustomNumber2 | File creation or open mode/flags |
| fileCreateTime | Time when the file was created, or the creation time reported by the protocol |
| filePermission | Access rights requested when a protocol opens the file, file permission flags for a rename, or the rights permission requested for the file |
| destinationUserName | User's FQDN |
| deviceEventClassId, name | The actual file operation event from NSS, NCP, CIFS, and VIGIL (vigil events) |
| deviceCustomNumber4 | File handle state during file close (such as modify, snapshot, and so on) |
| deviceCustomNumber1 | Flag indicating that the file is deleted on close |
| fileSize | Size of the file |
| fileType | Type of the file, such as data stream or socket |
| deviceCustomString2 | Linux file system user ID |
| deviceCustomString1 | Linux file system user name |
| deviceCustomDate2, deviceCustomDate2Label | Last accessed time of the file through NCP |
| fileModificationTime | Time when the file was last modified through NCP |
| filePath | Full path to the file, NSS file path, data target of the file, or (for a rename) destination path of the file |
| OES | Linux file handle |
| fileModificationTime | Data modification time or deletion time of the file |
| deviceCustomString5 | File modifier GUID |
| deviceCustomString6 | File modifier DN |
| message | File modification mask |
| sourceAddress | IP address of the client accessing the file |
| eventOutcome | Operation return status or data status output |
| deviceCustomString3 | File owner GUID |
| deviceCustomString4 | File owner DN |
| deviceProcessId | PID of the process that performs the operation |
| deviceCustomNumber2 | File Sgid's GUID |
| flexString2 | File Sgid name or file Sgid (folder) name |
| deviceCustomNumber3 | File Suid's GUID |
| flexString1 | File Suid name or file Suid (folder) name |
| flexNumber1 | File TaskID's GUID |
| deviceReceiptTime | Time at which the event occurred |
| deviceEventCategory (only NSS info) | Data type or application type |
| sourceUserId | File UID's GUID |
| sourceUserName | File UID name or file UID (folder) name |
| destinationUserName | File user DN |
| destinationUserId | Data userid suid of suid |
| fileId | ZID of the file |
| flexNumber2 | File key's GUID |
| oldFilePath | Source path of the old file |
| filePath | Target path of the file |
The following CEF key names are OES-specific attributes and are therefore prefixed with OES.

| CEF Key Name | Description |
|---|---|
| OESEgid | Linux effective group ID |
| OESEgidName | Linux effective group name |
| OESEuid | Linux effective user ID |
| OESEuidName | Linux effective user name |
| OESFileAttributes | File attributes such as archive, hidden, and system during open, close, and modify |
| OESFileAttributesModMask | Mask of the file attributes being modified |
| OESParentFileId | ZID of the parent file (folder) |
| OESFileHandle | Virtual file handle for the opened file |
| OESRetOpenCreateAction | Operation return status for file create |
| OESSearchAttributes | File search (folder) attributes |
| OESMetaDataModified | Metadata modification time of the file |
| OESFileNameType | Name format: Long, UNIX, or DOS |
| OESVolumeDn | FQDN of the data volume |
| OESVolumeId | Volume ID of the device |
| OESVigilRecNo | Vigil record number (vigilrec no) ID of the file |
| OESvlogRecNo | VLOG record number (vlogrec no) ID of the file |
| OESFsgid | Linux file system group ID |
| OESFsgid_Name | Linux file system group name |
| OESFsguid_Name | Linux file system group name |
| OESGid | Linux group ID |
| OESGidName | Linux group name |
| OESPurgedFileFlag | OES specific attributes |
| OESFileExectueType | |
| OESElementType | |
| OESPrimaryNameSpaceID | |
| OESFinderInfo | |
| OESProDOSInfo | |
| OESFiller | |
| OESDirRightsMask | |
| OESFMode | |
| OESRdev | |
| OESMyFlags | |
| OESNfsUID | |
| OESNfsGID | |
| OESNwUID | |
| OESNwGID | |
| OESNwEveryone | |
| OESNwUIDRights | |
| OESNwGIDRights | |
| OESNwEveryoneRights | |
| OESAcsFlags | |
| OESFirstCreated | |
| OESVariableSize | |
| OESVariableData | |
| OESExtAttrUserFlags | |
| OESVolFeaturesEnabled | |
| OESVolFeaturesEnableModMask | |
| OESVolNdsObjectId | |
| OESVolNdsObjectIdDn | |
| OESVolSalvageMinKeepSeconds | |
| OESVolSalvageMaxKeepSeconds | |
| OESVolSalvageLowWaterMark | |
| OESVolSalvageHighWaterMark | |
| OESPoolFeaturesEnabled | |
| OESPoolFeaturesEnableModMask | |
| OESPoolNdsObjectId | |
| OESVolDataShreddingCount | |
| OESVolTotalSpaceQuota | |
| OESDirQuotQuota | |
| OESReadAheadBlocks | |
| OESNumOfTrustees | |
| OESMetaDataModifier | |
| OESMetaDataModifierDn | |
| OESArchived | |
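As an added example (not code from the OES documentation or from VLOG itself), the parser below ingests an event in this CEF shape: it splits the seven pipe-delimited header fields while honouring the CEF `\|` escape, tokenizes the `key=value` extension where values may contain spaces and `\=`, and resolves the `deviceCustomNumberN`/`deviceCustomNumberNLabel` and `deviceCustomDate2`/`deviceCustomDate2Label` pairs listed in the table. The sample line, its vendor/product header values and every field value are constructed placeholders, not real VLOG output.

```python
import re

# Constructed sample event in the shape of a VLOG CEF line. The header values
# (vendor, product, version) and every field value are placeholders invented for
# this example, not real VLOG output.
SAMPLE_EVENT = (
    "CEF:0|PLACEHOLDER_VENDOR|PLACEHOLDER_PRODUCT|1.0|FILE_DELETE|File delete|5|"
    "filePath=/media/nss/VOL1/shared/q1 report.docx sourceAddress=192.0.2.10 "
    "destinationUserName=cn\\=jdoe,o\\=example eventOutcome=0 "
    "deviceCustomNumber1=1 deviceCustomNumber1Label=DeleteOnClose "
    "deviceCustomDate2=1709251200000 deviceCustomDate2Label=AccessTime "
    "OESEuidName=jdoe OESVolumeDn=cn\\=VOL1,o\\=example"
)
HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")
# One header field up to its trailing pipe; "\|" inside a field is an escape.
HEADER_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|", re.S)
# An extension key is a run of word chars before an unescaped "="; its value runs
# until the next " key=" boundary, so values may contain spaces and "\=".
EXT_RE = re.compile(r"(?P<key>[\w.]+)=(?P<val>.*?)(?=\s+[\w.]+=|$)", re.S)

def _unescape(text):
    # CEF escapes: "\|" (header), "\=" (extension), "\\" and "\n"/"\r" (both).
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text, flags=re.S)

def _split_header(line):
    """Split the seven header fields; return them and the remaining extension text."""
    fields, pos = [], 0
    for _ in range(7):
        m = HEADER_FIELD.match(line, pos)
        if not m:
            raise ValueError("malformed CEF header")
        fields.append(_unescape(m[1]))
        pos = m.end()
    return fields, line[pos:]

def parse_cef(line):
    """Return the header, the raw extension map, and label-resolved custom fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    header, ext_text = _split_header(line[len("CEF:"):])
    ext = {m["key"]: _unescape(m["val"]) for m in EXT_RE.finditer(ext_text)}
    # Resolve the deviceCustomNumberN/deviceCustomNumberNLabel and
    # deviceCustomDate2/deviceCustomDate2Label pairs from the table above, so a
    # consumer sees e.g. DeleteOnClose instead of a bare "1".
    labeled = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
    return {"header": dict(zip(HEADER_NAMES, header)), "ext": ext, "labeled": labeled}
```

Feed `parse_cef` each line the collector receives; the `labeled` map is what a detection rule should key on, since the numeric custom fields only carry meaning together with their label.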