
Native Auditing Event Schema for ONTAP 8.2.1
Open
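<?xml version="1.0" encoding="utf-8" ?>
<!--
  OPEN audit event. Each <Data> element is one field of the emitted event:
  required = whether the field is always present ("true"/"false"),
  type = string/int/bool/list, Name = the field name. <attribute> children
  are sub-fields of their <Data>. A list-typed field enumerates its possible
  values under <list-items>; an item's description attribute, where given,
  explains that value.
-->
<EventData>
  <description>An attempt was made to open (and possibly create) a file system object (OPEN)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object: what was opened -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <!-- HandleId appears with the same meaning in OPEN, READ, WRITE and CLOSE, so it can tie those events to one object -->
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <!-- ObjectName is the path as resolved by the filer, which need not equal the path the client supplied -->
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- Access: the rights involved in the open. AccessList values are Windows-style
       %%NNNN message identifiers whose readable meaning is the description attribute;
       AccessMask carries the same set of rights as a single bit mask. -->
  <Data required="true" type="list" Name="AccessList">
    <Data-description>List of rights which specifies requested or granted access to an object</Data-description>
    <list-items>
      <item description="ReadData (or ListDirectory)">%%4416</item>
      <item description="WriteData (or AddFile)">%%4417</item>
      <item description="AppendData (or AddSubDirectory)">%%4418</item>
      <item description="ReadExtendedAttributes">%%4419</item>
      <item description="WriteExtendedAttributes">%%4420</item>
      <item description="Execute/Traverse">%%4421</item>
      <item description="DeleteChild">%%4422</item>
      <item description="ReadAttributes">%%4423</item>
      <item description="WriteAttributes">%%4424</item>
      <item description="Delete Access">%%1537</item>
      <item description="Read Access to owner,group and DACL">%%1538</item>
      <item description="Write Access to the DACL">%%1539</item>
      <item description="Write Access to owner">%%1540</item>
      <item description="Synchronize Access">%%1541</item>
    </list-items>
  </Data>
  <Data required="true" type="int" Name="AccessMask">
    <Data-description>Mask of list of rights which specifies requested or granted access to an object</Data-description>
  </Data>
  <Data required="true" type="list" Name="DesiredAccess">
    <Data-description>The specific permissions requested on this object</Data-description>
    <list-items>
      <item>Read Data</item>
      <item>List Directory</item>
      <item>Write Data</item>
      <item>Add File</item>
      <item>Append Data</item>
      <item>Add Subdirectory</item>
      <item>Read Extended Attributes</item>
      <item>Write Extended Attributes</item>
      <item>Execute</item>
      <item>Traverse</item>
      <item>Delete Child</item>
      <item>Read Attributes</item>
      <item>Write Attributes</item>
      <item>Delete</item>
      <item>Read ACL</item>
      <item>Write ACL</item>
      <item>Write Owner</item>
      <item>Synchronize</item>
      <item>System Security</item>
    </list-items>
  </Data>
  <!-- Attribute name is "Name" like every other field (the draft used lowercase "name" here, which
       a case-sensitive consumer would not match). The single item is a placeholder left by the
       schema author: the supported privilege set is not enumerated in this version. -->
  <Data required="true" type="list" Name="Privileges">
    <Data-description>Any special privileges granted to this user by virtue of their group membership or other system configuration.</Data-description>
    <list-items>
      <item>...Need to find a list of these that we support, like SeSecurityAudit, etc.</item>
    </list-items>
  </Data>
  <!-- Optional field (required="false"): consumers must tolerate its absence.
       The draft nested these items inside a bare <item>, which is not a valid list shape; they are flat here. -->
  <Data required="false" type="list" Name="Attributes">
    <Data-description>If attributes are set as a result of this operation, one or more of these will be available.</Data-description>
    <list-items>
      <item description="Attributes were specified as part of the request.">Set Attributes</item>
      <item description="This is an attempt to create as well as open the object.">Create</item>
      <item description="The operation will fail if the object exists.">Fail if exists</item>
      <item>Open a directory</item>
      <item>Open a non-directory</item>
      <item description="This is an attempt to open or create a file stream.">Stream</item>
    </list-items>
  </Data>
</EventData>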
Close
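<?xml version="1.0" encoding="utf-8" ?>
<!--
  CLOSE audit event. Each <Data> element is one field of the emitted event
  (required = always present, type = string/int/bool/list, Name = field name);
  <attribute> children are sub-fields. List-typed fields enumerate their values
  under <list-items>.
-->
<EventData>
  <description>An attempt was made to close an open file system object (CLOSE)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object: what was closed. No access fields are carried on CLOSE; pair it with the
       matching OPEN through HandleId to see what access the handle was opened with. -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
</EventData>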
Read
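<?xml version="1.0" encoding="utf-8" ?>
<!--
  READ audit event. Each <Data> element is one field of the emitted event
  (required = always present, type = string/int/bool/list, Name = field name);
  <attribute> children are sub-fields. List-typed fields enumerate their values
  under <list-items>.
-->
<EventData>
  <description>An attempt was made to read the contents of a file system object (READ)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object: what was read -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- Range of the read. Both are byte quantities but are declared type="string" here,
       so a consumer must parse them rather than assume an integer field. -->
  <Data required="true" type="string" Name="ReadOffset">
    <Data-description>The offset into the object where the read will begin, in bytes.</Data-description>
  </Data>
  <Data required="true" type="string" Name="ReadCount">
    <Data-description>The amount of data the client is requesting, in bytes.</Data-description>
  </Data>
</EventData>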
Write
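<?xml version="1.0" encoding="utf-8" ?>
<!--
  WRITE audit event. Each <Data> element is one field of the emitted event
  (required = always present, type = string/int/bool/list, Name = field name);
  <attribute> children are sub-fields. List-typed fields enumerate their values
  under <list-items>.
-->
<EventData>
  <description>An attempt was made to write the contents of a file system object (WRITE)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object: what was written -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- Range of the write. Both are byte quantities but are declared type="string" here,
       so a consumer must parse them rather than assume an integer field. -->
  <Data required="true" type="string" Name="WriteOffset">
    <Data-description>The offset into the object where the write will begin, in bytes.</Data-description>
  </Data>
  <Data required="true" type="string" Name="WriteCount">
    <Data-description>The amount of data the client is sending, in bytes.</Data-description>
  </Data>
</EventData>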
Create
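<?xml version="1.0" encoding="utf-8" ?>
<!--
  CREATE audit event. Each <Data> element is one field of the emitted event
  (required = always present, type = string/int/bool/list, Name = field name);
  <attribute> children are sub-fields. List-typed fields enumerate their values
  under <list-items>.
-->
<EventData>
  <description>An attempt was made to create a file system object (CREATE)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object: what was created -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- Optional field (required="false"): consumers must tolerate its absence. The attribute
       is named "Name" like every other field (the draft used lowercase "name", which a
       case-sensitive consumer would not match). The draft also nested these items inside a
       bare <item>, which is not a valid list shape; they are flat here. -->
  <Data required="false" type="list" Name="Attributes">
    <Data-description>If attributes are set as a result of this operation, one or more of these will be available.</Data-description>
    <list-items>
      <item description="Attributes were specified as part of the request.">Set Attributes</item>
      <item description="This is an attempt to create as well as open the object.">Create</item>
      <item description="The operation will fail if the object exists.">Fail if exists</item>
      <item>Open a directory</item>
      <item>Open a non-directory</item>
      <item description="This is an attempt to open or create a file stream.">Stream</item>
    </list-items>
  </Data>
</EventData>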
Delete
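<?xml version="1.0" encoding="utf-8" ?>
<!--
  DELETE audit event. Each <Data> element is one field of the emitted event
  (required = always present, type = string/int/bool/list, Name = field name);
  <attribute> children are sub-fields. List-typed fields enumerate their values
  under <list-items>.
-->
<EventData>
  <description>An attempt was made to delete a file system object (Delete Object Attempt)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object: what was deleted -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- NOTE(review): this field and its description are identical to the GETATTR/SETATTR
       attribute list ("information that the client has requested"); confirm that a DELETE
       event really carries it before a consumer depends on it. -->
  <Data required="true" type="list" Name="InformationSet">
    <Data-description>A detailed list of the information that the client has requested.</Data-description>
    <list-items>
      <item>File Type</item>
      <item>File Size</item>
      <item description="This includes requests that take the user's quota into account.">Available Space</item>
      <item>Created Time</item>
      <item>Last Accessed Time</item>
      <item>Last Modified Time</item>
      <item>Last Backed Up Time</item>
      <item>Unix Mode</item>
      <item>Unix Owner</item>
      <item>Unix Group</item>
      <item>CIFS ACL</item>
      <item>NFSv4 ACL</item>
      <item description="Also known as the DOS attributes.">Basic Attributes</item>
    </list-items>
  </Data>
</EventData>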
Rename
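<?xml version="1.0" encoding="utf-8" ?>
<!--
  RENAME audit event. Each <Data> element is one field of the emitted event
  (required = always present, type = string/int/bool/list, Name = field name);
  <attribute> children are sub-fields. List-typed fields enumerate their values
  under <list-items>. Unlike the other events this one carries no ObjectServer,
  ObjectType, HandleId or ObjectName; the object is described by the old/new
  directory handles and paths below.
-->
<EventData>
  <description>An attempt was made to rename a file system object (RENAME)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Source and destination. The two handles identify the containing directories before and
       after the rename; both descriptions reuse the generic HandleId wording. -->
  <Data required="true" type="string" Name="OldDirHandle">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <Data required="true" type="string" Name="NewDirHandle">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <!-- NOTE(review): "source of the link" reads like wording carried over from a link event;
       for RENAME this is presumably the object's path before the rename. Confirm with the author. -->
  <Data required="true" type="string" Name="OldPath">
    <Data-description>The path, from the root of the file system, to the source of the link. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <Data required="true" type="string" Name="NewPath">
    <Data-description>The path, from the root of the file system,to the target location of this object.</Data-description>
  </Data>
  <!-- Optional field (required="false"): consumers must tolerate its absence. The attribute is
       named "Name" like every other field (the draft used lowercase "name", which a case-sensitive
       consumer would not match). -->
  <Data required="false" type="list" Name="Attributes">
    <Data-description>If attributes are set as a result of this operation, one or more of these will be available.</Data-description>
    <list-items>
      <item description="If this is specified, the rename will attempt to overwrite the target location if it already exists.">Replace existing</item>
    </list-items>
  </Data>
</EventData>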
GetAttr
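<?xml version="1.0" encoding="utf-8" ?>
<!--
  GETATTR audit event. Each <Data> element is one field of the emitted event
  (required = always present, type = string/int/bool/list, Name = field name);
  <attribute> children are sub-fields. List-typed fields enumerate their values
  under <list-items>.
-->
<EventData>
  <description>An attempt was made to retrieve attributes from a file system object (GETATTR)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object: whose attributes were read -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- Which attributes the client asked for; the ACL entries (CIFS ACL, NFSv4 ACL) show
       permission reads, which are worth separating from plain size/time lookups. -->
  <Data required="true" type="list" Name="InformationRequested">
    <Data-description>A detailed list of the information that the client has requested.</Data-description>
    <list-items>
      <item>File Type</item>
      <item>File Size</item>
      <item description="This includes requests that take the user's quota into account.">Available Space</item>
      <item>Created Time</item>
      <item>Last Accessed Time</item>
      <item>Last Modified Time</item>
      <item>Last Backed Up Time</item>
      <item>Unix Mode</item>
      <item>Unix Owner</item>
      <item>Unix Group</item>
      <item>CIFS ACL</item>
      <item>NFSv4 ACL</item>
      <item description="Also known as the DOS attributes.">Basic Attributes</item>
    </list-items>
  </Data>
</EventData>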
SetAttr
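<?xml version="1.0" encoding="utf-8" ?>
<!--
  SETATTR audit event. Each <Data> element is one field of the emitted event
  (required = always present, type = string/int/bool/list, Name = field name);
  <attribute> children are sub-fields. List-typed fields enumerate their values
  under <list-items>.
-->
<EventData>
  <description>An attempt was made to set attributes on a file system object (SETATTR)</description>
  <!-- Subject: the client endpoint and the UNIX/Windows identities the request ran under -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object: whose attributes were changed -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- Which attributes were set. NOTE(review): the description still says "requested", the
       GETATTR wording; for SETATTR these are presumably the attributes being written. The
       ACL and ownership entries (CIFS ACL, NFSv4 ACL, Unix Mode/Owner/Group) record
       permission changes and are the ones a security review will usually care about. -->
  <Data required="true" type="list" Name="InformationSet">
    <Data-description>A detailed list of the information that the client has requested.</Data-description>
    <list-items>
      <item>File Type</item>
      <item>File Size</item>
      <item description="This includes requests that take the user's quota into account.">Available Space</item>
      <item>Created Time</item>
      <item>Last Accessed Time</item>
      <item>Last Modified Time</item>
      <item>Last Backed Up Time</item>
      <item>Unix Mode</item>
      <item>Unix Owner</item>
      <item>Unix Group</item>
      <item>CIFS ACL</item>
      <item>NFSv4 ACL</item>
      <item description="Also known as the DOS attributes.">Basic Attributes</item>
    </list-items>
  </Data>
</EventData>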
Read Dir
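<?xml version="1.0" encoding="utf-8" ?>
<!--
  READDIR audit event (ONTAP 8.2.1 native auditing schema).
  Each <Data> element describes one field of the emitted event: Name is the
  field identifier, type its lexical type (string, int, bool or list) and
  required says whether the field is always present. <attribute> children
  are sub-fields of the enclosing Data element.
  Repairs against the rendered listing: the page-break duplicate of the
  SubjectUserIsLocal description is dropped, the garbled closing tag
  </Datadescription> is restored to </Data-description>, and the attribute
  spelled "name" on SearchFilter and InformationRequested is normalised to
  "Name". XML attribute names are case-sensitive, so a consumer selecting
  Data[@Name] would otherwise silently miss those two fields.
-->
<EventData>
  <description>An attempt was made to read the contents of a directory (READDIR)</description>
  <!-- Subject fields: where the request came from and which identities it was mapped to. -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <!-- Source says which name service produced the hostname. For correlation, treat SubjectIP and SubjectUserSid as the primary keys; a looked-up hostname is not an authenticated identity. -->
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object fields: the directory being listed. -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a directory in a cluster.</Data-description>
  </Data>
  <!-- ObjectName is the canonical path, which per the description may differ from the path the client sent. Path-based detection rules must therefore match the canonical form; HandleId is the stable key for tying several events to the same directory. -->
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- NOTE(review): declared type="list" but no list-items are given and the description reads as a single client-supplied pattern; the intended type may be string. Kept as listed. -->
  <Data required="false" type="list" Name="SearchPattern">
    <Data-description>The pattern specified by the client that will be used to determine whether objects in the directory will be returned in the result set.</Data-description>
  </Data>
  <Data required="false" type="list" Name="SearchFilter">
    <Data-description>Restricts the search to objects that match these attributes.</Data-description>
    <list-items>
      <item>Read Only</item>
      <item>Hidden</item>
      <item>System</item>
      <item>Volume ID</item>
      <item>Directory</item>
      <item>Archive</item>
    </list-items>
  </Data>
  <Data required="true" type="list" Name="InformationRequested">
    <Data-description>A detailed list of the information that the client has requested.</Data-description>
    <list-items>
      <item>File Type</item>
      <item>File Size</item>
      <item description="This includes requests that take the user's quota into account.">Available Space</item>
      <item>Created Time</item>
      <item>Last Accessed Time</item>
      <item>Last Modified Time</item>
      <item>Last Backed Up Time</item>
      <item>Unix Mode</item>
      <item>Unix Owner</item>
      <item>Unix Group</item>
      <item>CIFS ACL</item>
      <item>NFSv4 ACL</item>
      <item description="Also known as the DOS attributes.">Basic Attributes</item>
    </list-items>
  </Data>
</EventData>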
Open with Delete Intent
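<?xml version="1.0" encoding="utf-8" ?>
<!--
  Open Object with Delete Intent audit event (ONTAP 8.2.1 native auditing schema).
  Each <Data> element describes one field of the emitted event: Name is the
  field identifier, type its lexical type (string, int, bool or list) and
  required says whether the field is always present. <attribute> children
  are sub-fields of the enclosing Data element.
  Repairs against the rendered listing: page-break duplicates of the
  IPVersion closing tag and of the WriteAttributes item are dropped, the
  garbled closing tags </Datadescription> on SubjectDomainName and Attributes
  are restored to </Data-description>, the attribute spelled "name" on
  Attributes is normalised to "Name" (attribute names are case-sensitive, so
  Data[@Name] would otherwise miss it), and a stray <item> wrapper that
  nested all of the Attributes items inside one empty item is removed so
  that list-items holds its items directly, as in every other list here.
-->
<EventData>
  <description>An attempt was made to open a file system object with delete intent (Open Object with Delete Intent)</description>
  <!-- Subject fields: where the request came from and which identities it was mapped to. -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object fields: what was opened. -->
  <Data required="true" type="string" Name="ObjectServer">
    <Data-description>Name of the Object Server</Data-description>
  </Data>
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <!-- ObjectName is the canonical path, which per the description may differ from the path the client sent. Path-based detection rules must match the canonical form; HandleId is the stable key for correlating events on the same object. -->
  <Data required="true" type="string" Name="ObjectName">
    <Data-description>The path, from the root of the file system, to this object. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- Access fields. The %%NNNN item values look like the Windows message-table identifiers that Windows security auditing uses for the same access rights (for example %%4416 for ReadData and %%1537 for Delete), so rules written for Windows file-access events can reuse the mapping; confirm against emitted ONTAP events. For this event type the Delete (%%1537) and DeleteChild (%%4422) entries are what carry the delete intent. -->
  <Data required="true" type="list" Name="AccessList">
    <Data-description>List of rights which specifies requested or granted access to an object</Data-description>
    <list-items>
      <item description="ReadData (or ListDirectory)">%%4416</item>
      <item description="WriteData (or AddFile)">%%4417</item>
      <item description="AppendData (or AddSubDirectory)">%%4418</item>
      <item description="ReadExtendedAttributes">%%4419</item>
      <item description="WriteExtendedAttributes">%%4420</item>
      <item description="Execute/Traverse">%%4421</item>
      <item description="DeleteChild">%%4422</item>
      <item description="ReadAttributes">%%4423</item>
      <item description="WriteAttributes">%%4424</item>
      <item description="Delete Access">%%1537</item>
      <item description="Read Access to owner,group and DACL">%%1538</item>
      <item description="Write Access to the DACL">%%1539</item>
      <item description="Write Access to owner">%%1540</item>
      <item description="Synchronize Access">%%1541</item>
    </list-items>
  </Data>
  <!-- AccessMask is the integer mask form of the AccessList rights; DesiredAccess below carries the human-readable names of the requested permissions. Compare on AccessMask bits or AccessList tokens rather than on the free-text names. -->
  <Data required="true" type="int" Name="AccessMask">
    <Data-description>Mask of list of rights which specifies requested or granted access to an object</Data-description>
  </Data>
  <Data required="true" type="list" Name="DesiredAccess">
    <Data-description>The specific permissions requested on this object</Data-description>
    <list-items>
      <item>Read Data</item>
      <item>List Directory</item>
      <item>Write Data</item>
      <item>Add File</item>
      <item>Append Data</item>
      <item>Add Subdirectory</item>
      <item>Read Extended Attributes</item>
      <item>Write Extended Attributes</item>
      <item>Execute</item>
      <item>Traverse</item>
      <item>Delete Child</item>
      <item>Read Attributes</item>
      <item>Write Attributes</item>
      <item>Delete</item>
      <item>Read ACL</item>
      <item>Write ACL</item>
      <item>Write Owner</item>
      <item>Synchronize</item>
      <item>System Security</item>
    </list-items>
  </Data>
  <!-- Optional: present only when the open also set attributes or created the object. -->
  <Data required="false" type="list" Name="Attributes">
    <Data-description>If attributes are set as a result of this operation, one or more of these will be available.</Data-description>
    <list-items>
      <item description="Attributes were specified as part of the request.">Set Attributes</item>
      <item description="This is an attempt to create as well as open the object.">Create</item>
      <item description="The operation will fail if the object exists.">Fail if exists</item>
      <item>Open a directory</item>
      <item>Open a non-directory</item>
      <item description="This is an attempt to open or create a file stream.">Stream</item>
    </list-items>
  </Data>
</EventData>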
Hard Link
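<?xml version="1.0" encoding="utf-8" ?>
<!--
  CREATE HARD LINK audit event (ONTAP 8.2.1 native auditing schema).
  Each <Data> element describes one field of the emitted event: Name is the
  field identifier, type its lexical type (string, int, bool or list) and
  required says whether the field is always present. <attribute> children
  are sub-fields of the enclosing Data element.
  Repairs against the rendered listing: the page-break duplicate of the
  SubjectHostname Source attribute start tag is dropped and the garbled
  closing tag </Datadescription> on SubjectDomainName is restored to
  </Data-description>. Unlike the OPEN and READDIR events in this listing,
  no ObjectServer field is given for this event.
-->
<EventData>
  <description>An attempt was made to create a hard link to a file(CREATE HARD LINK)</description>
  <!-- Subject fields: where the request came from and which identities it was mapped to. -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object fields. A hard link makes one object reachable under a second path, so after this event the same HandleId can show up in later events under either FileName or LinkName; correlate on HandleId rather than on a single path. -->
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <Data required="true" type="string" Name="HandleId">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <!-- NOTE(review): from the wording, FileName appears to be the existing object ("source of the link") and LinkName the new name being created ("target of the link"); the listing does not state this directly, so confirm against emitted events. -->
  <Data required="true" type="string" Name="FileName">
    <Data-description>The path, from the root of the file system, to the source of the link. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <Data required="true" type="string" Name="LinkName">
    <Data-description>The path, from the root of the file system, to the target of the link.</Data-description>
  </Data>
</EventData>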
Unlink
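<?xml version="1.0" encoding="utf-8" ?>
<!--
  UNLINK audit event (ONTAP 8.2.1 native auditing schema).
  Each <Data> element describes one field of the emitted event: Name is the
  field identifier, type its lexical type (string, int, bool or list) and
  required says whether the field is always present. <attribute> children
  are sub-fields of the enclosing Data element.
  Repairs against the rendered listing: the page-break duplicate of the
  SubjectHostname description is dropped and the garbled closing tag
  </Datadescription> on SubjectDomainName is restored to
  </Data-description>. Unlike the OPEN and READDIR events in this listing,
  no ObjectServer field is given for this event.
-->
<EventData>
  <description>An attempt was made to unlink (and possibly remove) a file system object (UNLINK)</description>
  <!-- Subject fields: where the request came from and which identities it was mapped to. -->
  <Data required="true" type="string" Name="SubjectIP">
    <Data-description>The Client machine's IP address</Data-description>
    <attribute required="true" type="int" Name="IPVersion">
      <attr-description>IP protocol version</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectHostname">
    <Data-description>The DNS and/or NetBIOS workstation name</Data-description>
    <attribute required="true" type="string" Name="Source">
      <attr-description>DNS or NetBIOS</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUnix">
    <Data-description>Unix account details of the user</Data-description>
    <attribute required="true" type="int" Name="Uid">
      <attr-description>UID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="int" Name="Gid">
      <attr-description>GID of the unix user</attr-description>
    </attribute>
    <attribute required="true" type="bool" Name="Local">
      <attr-description>Local user Or Not</attr-description>
    </attribute>
  </Data>
  <Data required="true" type="string" Name="SubjectUserSid">
    <Data-description>The User's Security Identifier(SID)</Data-description>
  </Data>
  <Data required="true" type="bool" Name="SubjectUserIsLocal">
    <Data-description>Local user OR not in windows</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectDomainName">
    <Data-description>The fully qualified Windows domain (if available), otherwise the NetBIOS domain name</Data-description>
  </Data>
  <Data required="true" type="string" Name="SubjectUserName">
    <Data-description>The User's logon name</Data-description>
  </Data>
  <!-- Object fields. The description says "unlink (and possibly remove)": dropping one name does not by itself remove an object that still has other hard links, so a rule for "file deleted" should not treat every UNLINK as a removal. -->
  <Data required="true" type="list" Name="ObjectType">
    <Data-description>The type of the target file system object</Data-description>
    <list-items>
      <item>File</item>
      <item>Directory</item>
      <item>Symbolic Link</item>
      <item>Stream</item>
      <item description="This includes unusual file types like sockets and FIFO, along with any type used for internal purposes only.">Other</item>
    </list-items>
  </Data>
  <!-- NOTE(review): the name suggests this is the handle of the containing directory, but the description is the generic object text used for HandleId elsewhere; confirm which object it identifies before keying on it. -->
  <Data required="true" type="string" Name="DirHandleID">
    <Data-description>Uniquely identifies a file system object in a cluster.</Data-description>
  </Data>
  <!-- NOTE(review): this description reads as copied from the CREATE HARD LINK event ("source of the link"); for UNLINK it presumably is the canonical path of the name being removed. Kept as listed. -->
  <Data required="true" type="string" Name="Filename">
    <Data-description>The path, from the root of the file system, to the source of the link. This may not necessarily be the same path that the client used to attempt the operation.</Data-description>
  </Data>
  <!-- NOTE(review): declared type="string" although it carries list-items; the READDIR event's SearchFilter declares type="list" for the same item set, which is likely what was meant. Kept as listed. -->
  <Data required="false" type="string" Name="SearchFilter">
    <Data-description>Restricts the search to objects that match these attributes.</Data-description>
    <list-items>
      <item>Read Only</item>
      <item>Hidden</item>
      <item>System</item>
      <item>Volume ID</item>
      <item>Directory</item>
      <item>Archive</item>
    </list-items>
  </Data>
</EventData>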