Splunk Lantern

Top audit failures by user in Dell Isilon NAS

If a user is unable to access content or resources for any reason, it’s reported in the audit logs. For example, you might have an application that’s not behaving the way you expect it to because access is no longer granted to it. Alternatively, the audit logs might expose an unauthorized user looking around the file system and getting multiple access denied messages. You want to detect and fix permissions issues for applications, and to monitor and address potentially suspicious user access issues. 

Data required 

Dell EMC Isilon data

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=emc:isilon:* app=audit_protocol event_result=FAILED
| stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path
| fieldformat Times=strftime(Times, "%+")
| sort - Failures

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search / Explanation

sourcetype=emc:isilon:* 

Search only EMC Isilon data.

app=audit_protocol 

Select events where the app field is set to audit_protocol. 

event_result=FAILED

Search for failed events. 

| stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path

Count the failed attempts and collect their timestamps for each combination of cluster name, user, and file path.

| fieldformat Times=strftime(Times, "%+")

Convert the way the time is displayed into the format of the locale, as defined by the server's operating system.

Fieldformat does not change the underlying value of the field.

| sort - Failures

Sort the results with the highest number of failures per file path first.

Next steps

This search produces a table showing the user and the file path involved in the failure, grouped by cluster. The number of failures and the times they occurred are also listed. If you want to condense the output, you can omit the values(_time) function from the stats command; without the Times field, the fieldformat command has nothing to act on and can be removed as well. You may want to do this if the frequency of errors on a single file path is high.
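To make the filter, stats and sort stages concrete, here is an added Python walk-through (not part of the Lantern article or any Splunk or Dell code) that applies the same logic to a handful of constructed events. The event lines, cluster and user names, and the ISO 8601 timestamp format (used in place of the locale-dependent "%+" format) are assumptions; the field names are those the search references.

```python
"""Offline walk-through of the Lantern search: keep FAILED audit_protocol events,
then count them and collect their timestamps BY Cluster_Name, user, file_path."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real Isilon audit output): already-extracted
# key=value pairs using the search's field names, plus an epoch _time.
SAMPLE_EVENTS = [
    "_time=1700000000 app=audit_protocol event_result=FAILED Cluster_Name=isi-prod user=svc_backup file_path=/ifs/data/finance/ledger.db",
    "_time=1700000060 app=audit_protocol event_result=FAILED Cluster_Name=isi-prod user=svc_backup file_path=/ifs/data/finance/ledger.db",
    "_time=1700000120 app=audit_protocol event_result=SUCCESS Cluster_Name=isi-prod user=svc_backup file_path=/ifs/data/finance/ledger.db",
    "_time=1700000180 app=audit_protocol event_result=FAILED Cluster_Name=isi-prod user=jdoe file_path=/ifs/data/legal/contracts",
    "_time=1700000240 app=audit_protocol event_result=FAILED Cluster_Name=isi-prod user=jdoe file_path=/ifs/data/hr/payroll.xlsx",
    "_time=1700000300 app=audit_config event_result=FAILED Cluster_Name=isi-prod user=jdoe file_path=/ifs/data/hr/payroll.xlsx",
    "_time=1700000360 app=audit_protocol event_result=FAILED Cluster_Name=isi-dr user=jdoe file_path=/ifs/data/legal/contracts",
]


def parse(line):
    """Split one space-separated key=value line into a dict (values contain no spaces here)."""
    return dict(pair.split("=", 1) for pair in line.split())


def failures_by_user(lines, with_times=True):
    """Return rows (Cluster_Name, user, file_path, Failures, Times) sorted by Failures
    descending. with_times=False mirrors dropping values(_time) from the stats command."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse(line)
        # app=audit_protocol event_result=FAILED (sourcetype is assumed already matched)
        if ev.get("app") != "audit_protocol" or ev.get("event_result") != "FAILED":
            continue
        key = (ev["Cluster_Name"], ev["user"], ev["file_path"])  # BY clause
        groups[key].append(int(ev["_time"]))
    rows = []
    for (cluster, user, path), times in groups.items():
        # fieldformat only changes display: format a copy, keep the epoch values intact.
        # values() returns each distinct timestamp once, so a set is used here.
        shown = None
        if with_times:
            shown = sorted({datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") for t in times})
        rows.append((cluster, user, path, len(times), shown))
    return sorted(rows, key=lambda r: -r[3])  # | sort - Failures


if __name__ == "__main__":
    for row in failures_by_user(SAMPLE_EVENTS):
        print(row)
```

The SUCCESS event and the audit_config event are dropped by the filters, so svc_backup's two denied attempts on the same path rank first; the condensed form with_times=False is what the Next steps paragraph describes.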

Finally, you might be interested in other processes associated with the Managing Dell Isilon network attached storage use case.