Introduction to file audit logging

File audit logging captures file operations on a file system and logs them to a retention-enabled fileset.

Each file operation generates a local event on the node that serves the operation. These events, called lightweight events, are published to a distributed multinode message queue, from which they are consumed and written into the fileset. Lightweight events occur at the file system level and are protocol agnostic: they capture all access to a monitored file system, from protocol exports down to root access that occurs directly on the nodes and never passes through a protocol server. For more information, see Producers in file audit logging.

The most common file operations are captured: open, close, destroy (delete), rename, unlink, create, remove directory, extended attribute change, ACL change, and GPFS™ attribute change. Each event is written to the designated fileset as a JSON-formatted string that is easy to parse.

For each file system enabled for file audit logging, a fileset is designated where the audit logs go. This fileset keeps the log file currently being written to in append-only mode; when it rotates to a new log file, it compresses the old log file and makes it immutable for the retention period. Configurable options for file audit logging filesets include the device where they are mounted, their name, and the retention period in days. A separate file audit logging fileset can store the audit log for each file system, or one fileset can be shared among multiple audited file systems.

File audit logging is integrated into the system health infrastructure, so alerts are generated for elements of the message queue and for the processes that consume the events and create the audit logs.
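The following is an added example, not code from the product documentation, of what a consumer of the audit log described above looks like in practice: it reads the newline-delimited JSON events, rejects a malformed or partially written line instead of aborting (the active log is append-only and may end mid-record), counts events by type, and flags sensitive operations under a watched directory as well as uid 0 activity that carries no protocol client address, which is the direct-on-node access the text says protocol-level logging would miss. The event spellings and the field names used here (event, path, clientUserId, nodeName, nfsClientIp) are assumptions for illustration, not the product's documented schema, and the log lines are constructed sample data. Rotated log files are compressed, so a real consumer would decompress them before handing the text to this parser.

```python
import json
from collections import Counter

# Event types the page lists as captured. The exact spellings carried in the
# "event" field are an assumption for this example, not the product's schema.
SENSITIVE_EVENTS = {"DESTROY", "UNLINK", "RENAME", "RMDIR",
                    "ACLCHANGE", "XATTRCHANGE", "GPFSATTRCHANGE"}

# Constructed sample of a newline-delimited JSON audit log. Field names
# (event, path, clientUserId, nodeName, nfsClientIp) are assumptions.
# One line is deliberately not JSON and one lacks the event field, to show
# how a consumer should treat a truncated or foreign line in an append-only log.
SAMPLE_LOG = """\
{"event": "OPEN", "path": "/gpfs/fs1/hr/payroll.xlsx", "clientUserId": "1001", "nodeName": "ces1", "nfsClientIp": "10.0.0.5"}
{"event": "CLOSE", "path": "/gpfs/fs1/hr/payroll.xlsx", "clientUserId": "1001", "nodeName": "ces1", "nfsClientIp": "10.0.0.5"}
{"event": "ACLCHANGE", "path": "/gpfs/fs1/hr", "clientUserId": "0", "nodeName": "nsd2", "nfsClientIp": ""}
{"event": "DESTROY", "path": "/gpfs/fs1/hr/payroll.xlsx", "clientUserId": "0", "nodeName": "nsd2", "nfsClientIp": ""}
{"event": "CREATE", "path": "/gpfs/fs1/scratch/tmp.txt", "clientUserId": "1002", "nodeName": "ces1", "nfsClientIp": "10.0.0.7"}
not json: a partially written trailing line
{"path": "/gpfs/fs1/scratch/tmp.txt"}
{"event": "UNLINK", "path": "/gpfs/fs1/scratch/tmp.txt", "clientUserId": "1002", "nodeName": "ces1", "nfsClientIp": "10.0.0.7"}
"""


def parse_audit_log(text):
    """Parse one JSON object per line. Returns (records, rejected_lines).

    A line that is not valid JSON or lacks the event field is rejected rather
    than raising, so one bad line does not stop processing of the rest.
    """
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, line))
            continue
        if not isinstance(rec, dict) or "event" not in rec:
            rejected.append((lineno, line))
            continue
        records.append(rec)
    return records, rejected


def summarize(records):
    """Count events by type, e.g. to spot a burst of DESTROY events."""
    return Counter(rec["event"] for rec in records)


def _under(path, prefix):
    """True if path is the watched directory or anything beneath it."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def find_sensitive(records, watched_prefix):
    """Return destructive or permission-changing events under a watched directory."""
    return [rec for rec in records
            if rec["event"] in SENSITIVE_EVENTS
            and _under(rec.get("path", ""), watched_prefix)]


def local_root_activity(records):
    """Events performed as uid 0 with no protocol client address.

    Heuristic built on the assumed fields: such events are the direct-on-node
    access that protocol-level logging would miss.
    """
    return [rec for rec in records
            if rec.get("clientUserId") == "0" and not rec.get("nfsClientIp")]


if __name__ == "__main__":
    recs, bad = parse_audit_log(SAMPLE_LOG)
    print("event counts:", dict(summarize(recs)))
    print("rejected lines:", [n for n, _ in bad])
    for rec in find_sensitive(recs, "/gpfs/fs1/hr"):
        print("SENSITIVE", rec["event"], rec["path"], "by uid", rec["clientUserId"])
    for rec in local_root_activity(recs):
        print("LOCAL ROOT", rec["event"], rec["path"], "on", rec["nodeName"])
```

Rejected lines are returned with their line numbers rather than silently dropped, so a gap in the sequence can be reported through the same health alerting the text describes for the message queue and consumer processes.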

Note: IBM Spectrum Scale™ file audit logging is the preferred method for logging file system activities.

For more information about file audit logging, see Monitoring file audit logging or File audit logging quick reference.