Top audit failures by user in Dell Isilon NAS
When a user is denied access to a file or directory on the cluster, the denial is recorded in the Isilon protocol audit logs (assuming protocol auditing is enabled on the access zone and failed events are being audited). For example, an application might stop behaving as expected because the permissions it relied on have been removed. Alternatively, the audit logs might expose an unauthorized user browsing the file system and collecting multiple access denied messages. You want to detect and fix permissions issues for applications, and to monitor and address potentially suspicious user access patterns.
Data required
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=emc:isilon:* app=audit_protocol event_result=FAILED | stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path | fieldformat Times=strftime(Times, "%+") | sort - Failures
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation
---|---
sourcetype=emc:isilon:* | Search only Dell EMC Isilon data.
app=audit_protocol | Select events where the app field is set to audit_protocol, which holds the protocol (SMB/NFS) audit events.
event_result=FAILED | Search for failed access attempts only.
\| stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path | Count the failed attempts for each combination of cluster name, user and file path, and collect the unique timestamps at which they occurred. Because values() returns unique values, Times can hold fewer entries than Failures when several failures share a timestamp.
\| fieldformat Times=strftime(Times, "%+") | Display each timestamp in the locale format defined by the search head's operating system. fieldformat changes only how the field is rendered, not its underlying value.
\| sort - Failures | Sort the results so the cluster, user and file path combination with the most failures is listed first.
Next steps
This search produces a table, grouped by cluster, showing each user and file path involved in failed access attempts, along with the number of failures and the times at which they occurred. A single file path with many failures from one account usually points to a broken application or a recent permissions change; one user with failures spread across many paths is worth investigating as possible reconnaissance. If you want to condense the output, for example when the frequency of errors on a single file path is high, omit values(_time) AS Times from the stats command and drop the fieldformat command, which would otherwise have no field to format.
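The following script is an added, offline re-implementation of the search above and of the condensed variant described in these next steps; it is not code from Splunk or Dell. It runs the same filter, grouping, sort and time formatting over constructed sample records, and goes one step further by counting distinct denied paths per user, which separates the broken-application pattern from the browsing-user pattern. The records are constructed here, and the field names (Cluster_Name, user, file_path, app, event_result, _time) are assumed to have already been extracted by the Isilon add-on exactly as the search expects them.

```python
"""Offline model of the Isilon top-audit-failures search (added example).

The SAMPLE_EVENTS below are constructed, not real cluster output. Field
names match those used by the Splunk search on this page and are assumed
to be populated by the Splunk Add-on for Dell EMC Isilon.
"""
from collections import defaultdict
from datetime import datetime, timezone


def _event(t, user, path, result="FAILED", app="audit_protocol",
           sourcetype="emc:isilon:audit", cluster="isi-prod"):
    """Build one constructed audit record with Splunk-style field names."""
    return {"_time": t, "sourcetype": sourcetype, "app": app,
            "event_result": result, "Cluster_Name": cluster,
            "user": user, "file_path": path}


# Constructed sample: a service account failing repeatedly on one path
# (two failures in the same second), a user probing several paths, plus
# records the search must drop (success, non-protocol app, other sourcetype).
SAMPLE_EVENTS = [
    _event(1700000000, "svc_backup", "/ifs/data/finance/ledger.db"),
    _event(1700000000, "svc_backup", "/ifs/data/finance/ledger.db"),
    _event(1700000060, "svc_backup", "/ifs/data/finance/ledger.db"),
    _event(1700000120, "jdoe", "/ifs/data/hr/salaries.xlsx"),
    _event(1700000130, "jdoe", "/ifs/data/finance/ledger.db"),
    _event(1700000140, "jdoe", "/ifs/data/legal/contracts"),
    _event(1700000150, "jdoe", "/ifs/home/jdoe/notes.txt", result="SUCCESS"),
    _event(1700000160, "svc_backup", "/ifs/data", app="audit_config"),
    _event(1700000170, "jdoe", "/var/log/auth.log", sourcetype="linux:auth"),
]


def _matches(ev):
    """sourcetype=emc:isilon:* app=audit_protocol event_result=FAILED"""
    return (ev.get("sourcetype", "").startswith("emc:isilon:")
            and ev.get("app") == "audit_protocol"
            and ev.get("event_result") == "FAILED")


def top_audit_failures(events, include_times=True):
    """Model of: | stats count AS Failures, values(_time) AS Times
                 BY Cluster_Name, user, file_path | sort - Failures

    include_times=False is the condensed variant from the next steps:
    values(_time) and the fieldformat command are both dropped.
    """
    groups = defaultdict(list)
    for ev in events:
        if _matches(ev):
            groups[(ev["Cluster_Name"], ev["user"], ev["file_path"])].append(ev["_time"])

    rows = []
    for (cluster, user, path), times in groups.items():
        row = {"Cluster_Name": cluster, "user": user,
               "file_path": path, "Failures": len(times)}
        if include_times:
            # values() keeps unique values only, so duplicates in the same
            # second collapse; the page's "%+" is locale dependent, so an
            # explicit UTC format is used here instead.
            row["Times"] = [datetime.fromtimestamp(t, timezone.utc)
                            .strftime("%Y-%m-%d %H:%M:%S")
                            for t in sorted(set(times))]
        rows.append(row)

    # Highest failure count first; Python's sort is stable so ties keep
    # their insertion order, as Splunk's sort would for equal keys.
    rows.sort(key=lambda r: r["Failures"], reverse=True)
    return rows


def distinct_paths_per_user(rows):
    """Count distinct denied paths per (cluster, user).

    One path with many failures suggests a broken application or a
    permissions change; many paths from one account suggests someone
    browsing the file system.
    """
    paths = defaultdict(set)
    for r in rows:
        paths[(r["Cluster_Name"], r["user"])].add(r["file_path"])
    return {k: len(v) for k, v in paths.items()}


if __name__ == "__main__":
    for r in top_audit_failures(SAMPLE_EVENTS):
        print(r)
    print(distinct_paths_per_user(top_audit_failures(SAMPLE_EVENTS)))
```

In the constructed data, svc_backup produces three failures on one path but only two unique timestamps, which is exactly the Failures-versus-Times discrepancy the stats row on the page can show, while jdoe produces one failure on each of three different paths and stands out in the per-user path count rather than in the raw failure count.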
Finally, you might be interested in other processes associated with the Managing Dell Isilon network attached storage use case.