If a user is unable to access content or resources for any reason, it’s reported in the audit logs. For example, you might have an application that’s not behaving the way you expect it to because access is no longer granted to it. Alternatively, the audit logs might expose an unauthorized user looking around the file system and getting multiple access denied messages. You want to detect and fix permissions issues for applications, and to monitor and address potentially suspicious user access issues.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=emc:isilon:* app=audit_protocol event_result=FAILED | stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path | fieldformat Times=strftime(Times, "%+") | sort - Failures
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
sourcetype=emc:isilon:*
Search only EMC Isilon data.
app=audit_protocol
Select events where the app field is set to audit_protocol.
event_result=FAILED
Search for failed events.
| stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path
Count the failed attempts and collect their timestamps, grouped by cluster name, user, and file path.
| fieldformat Times=strftime(Times, "%+")
Convert the way the time is displayed into the format of the locale, as defined by the server's operating system.
Fieldformat does not change the underlying value of the field.
| sort - Failures
Sort the results with the highest number of failures per file path first.
This search produces a table showing the user and the file path involved in the failure, grouped by cluster. The number of failures and the times at which they occurred are also listed. If you want to condense the output, omit the values(_time) function from the stats command; the fieldformat command then has nothing to act on and is ignored. You may want to do this if the frequency of errors on a single file path is high.
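As an added illustration that is not part of the original page or of the Isilon add-on, the following Python reproduces what the search does (filter, group, count, collect distinct times, sort) on a handful of constructed records already broken into the search's field names; the cluster names, users, paths and timestamps are assumed sample values, not real Isilon audit output.

```python
from collections import defaultdict
from datetime import datetime, timezone


def ev(result, cluster, user, path, t, app="audit_protocol"):
    """Build one constructed event using the field names the SPL search relies on."""
    return {"app": app, "event_result": result, "Cluster_Name": cluster,
            "user": user, "file_path": path, "_time": t}


# Constructed sample events (not real Isilon data). Note the duplicate
# timestamp for svc_backup and the two records the search must exclude.
SAMPLE_EVENTS = [
    ev("FAILED", "isi-prod", "svc_backup", "/ifs/data/finance", 1700000000),
    ev("FAILED", "isi-prod", "svc_backup", "/ifs/data/finance", 1700000060),
    ev("FAILED", "isi-prod", "svc_backup", "/ifs/data/finance", 1700000060),
    ev("SUCCESS", "isi-prod", "svc_backup", "/ifs/data/finance", 1700000120),
    ev("FAILED", "isi-prod", "jdoe", "/ifs/home/alice", 1700000180),
    ev("FAILED", "isi-prod", "jdoe", "/ifs/home/bob", 1700000240),
    ev("FAILED", "isi-prod", "jdoe", "/ifs/home/bob", 1700000300),
    ev("FAILED", "isi-dr", "admin", "/ifs/etc", 1700000360, app="audit_config"),
]


def failed_access_table(events, include_times=True):
    """Mirror of: app=audit_protocol event_result=FAILED
    | stats count AS Failures, values(_time) AS Times BY Cluster_Name, user, file_path
    | sort - Failures. Set include_times=False to drop values(_time), as the text suggests."""
    groups = defaultdict(list)
    for e in events:
        if e.get("app") != "audit_protocol" or e.get("event_result") != "FAILED":
            continue
        groups[(e["Cluster_Name"], e["user"], e["file_path"])].append(e["_time"])
    rows = []
    for (cluster, user, path), times in groups.items():
        row = {"Cluster_Name": cluster, "user": user, "file_path": path,
               "Failures": len(times)}          # count counts every event
        if include_times:
            row["Times"] = sorted(set(times))   # values() keeps distinct values only
        rows.append(row)
    rows.sort(key=lambda r: r["Failures"], reverse=True)
    return rows


def format_times(epochs):
    """Display-only conversion, like fieldformat with strftime; the epoch values stay intact."""
    return [datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S %Z")
            for t in epochs]


if __name__ == "__main__":
    for row in failed_access_table(SAMPLE_EVENTS):
        print(row["Cluster_Name"], row["user"], row["file_path"],
              row["Failures"], format_times(row["Times"]))
```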
Finally, you might be interested in other processes associated with the Managing Dell Isilon network attached storage use case.