Introduction to file audit logging

File audit logging captures file operations on a file system and logs them to a retention-enabled fileset.

Each file operation generates a local event on the node that serves the file operation, and the event is written to the audit fileset. These events are called lightweight events. Lightweight events occur at the file system level and capture all accesses to a monitored file system, from protocol exports to root access that occurs directly on nodes. For more information, see Producers in file audit logging.

The events that are captured are the most common file operations: open, close, rename, unlink, create, remove directory, extended attribute change, ACL change, and GPFS attribute change. Events are created as highly parseable JSON-formatted strings as they are written to the designated fileset.

For each file system that is enabled for file audit logging, a fileset is designated for the audit logs. This fileset keeps the log file that is currently being written in append-only mode. When it rotates to a new log file, it compresses the old log file and makes it immutable for the retention period. Configurable options for file audit logging filesets include their name, whether the audit fileset is IAM mode compliant, and the retention period in days.

An entire file system can be audited, a subset of filesets within the file system can be audited, or the file system can be audited while skipping events in selected filesets. File audit logging is integrated into the system health infrastructure, so alerts are generated for the producer and state changes of the producer.
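Because each event is written as a JSON string, an audit log can be triaged with a few lines of code. The following is an added example, not part of the product documentation: it counts events by type and flags attribute, ACL, and delete operations as well as any operation performed by root. The field names (`event`, `path`, `nodeName`, `clientUserId`, `eventTime`), the event values, and the sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line. The field names and
# event values used here are assumptions for this example, not from the page.
SAMPLE_LOG = """\
{"event": "OPEN", "path": "/gpfs/fs1/proj/a.txt", "nodeName": "node1", "clientUserId": 1001, "eventTime": "2024-01-10_09:00:01"}
{"event": "ACLCHANGE", "path": "/gpfs/fs1/proj/a.txt", "nodeName": "node1", "clientUserId": 1001, "eventTime": "2024-01-10_09:00:05"}
{"event": "UNLINK", "path": "/gpfs/fs1/proj/b.txt", "nodeName": "node2", "clientUserId": 0, "eventTime": "2024-01-10_09:01:12"}
{"event": "OPEN", "path": "/gpfs/fs1/proj/c.txt", "nodeName": "node2", "clientUserId": 0, "eventTime": "2024-01-10_09:01:30"}
{"event": "CLOSE", "path": "/gpfs/fs1/proj/a.txt", "nodeName": "node1", "clientUserId": 1001, "eventTime": "2024-01-10_09:02:00"}
{"event": "RENAME", "path": "/gpfs/fs1/pro
"""

# Operations that change access to data or remove it (assumed event names).
SENSITIVE = {"ACLCHANGE", "XATTRCHANGE", "GPFSATTRCHANGE", "UNLINK", "RMDIR"}
ROOT_UID = 0


def triage(text, sensitive=SENSITIVE):
    """Return (counts per event, flagged records, line numbers that failed to parse)."""
    counts, findings, malformed = Counter(), [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            # For example, a partial record at the end of a log that is
            # still being written. Report it instead of aborting the run.
            malformed.append(lineno)
            continue
        if not isinstance(rec, dict) or "event" not in rec:
            malformed.append(lineno)
            continue
        event = rec["event"]
        counts[event] += 1
        # Flag sensitive operations, and anything done by root, since root
        # access directly on nodes is also captured by the audit log.
        if event in sensitive or rec.get("clientUserId") == ROOT_UID:
            findings.append((rec.get("eventTime"), rec.get("nodeName"), event,
                             rec.get("path"), rec.get("clientUserId")))
    return counts, findings, malformed


if __name__ == "__main__":
    counts, findings, malformed = triage(SAMPLE_LOG)
    print(dict(counts), findings, malformed, sep="\n")
```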

Note: IBM Spectrum Scale file audit logging is the preferred method for logging file system activities.

For more information about file audit logging, see Monitoring file audit logging or File audit logging quick reference.