Viewing Protocol Audit Logs


Protocol audit logs can be saved into audit files in JSON format, or as records in a VAST DataBase table (or both).

Viewing Protocol Audit Log Files

If you've chosen to save logs in JSON format, audit records are written to files that are stored in the audit directory. Authorized users can access the files from client hosts; to do so, they must mount a view on the directory.

Enabling Access to Audit Files

To enable client users to access audit files:

  1. Give users read access permission to the audit directory. This is done by specifying users and groups in the Read-access Users and Read-access Groups fields in the global auditing settings (Settings -> Auditing).

  2. Ensure that there is a view on the audit directory or on the root directory. Users need to mount the view on their client operating system in order to access the files.

Audit File Location and Name

The audit directory is located directly under the root directory of the Element Store. Audit records are written to files in different subdirectories for different CNodes. There are multiple active audit files for each CNode, identified by silo ID, which represent internal handlers. Each file may contain multiple audit records.

Each subdirectory is named audit_env_#, where # is a data environment ID.

The maximum size of an audit file is set by the Max audit file size field in the global auditing settings (Settings -> Auditing). Audit records roll over to a new file when the file reaches this size.

Files are named audit_log_<silo ID>_<time and date stamp in UTC>. For example: audit_log_13_2022-07-25_10.06.22.971753164.

Audit File Format and Content

The audit files are structured in JSON format with a line per audit record. For example:

{"ClusterName": "vast100", "CnodeName": "cnode-1", "Time": "2024-04-14T20:01:57.430Z", "ClientIP": "192.0.2.15", "ClusterVip": "172.23.28.16", "Tenant": "default", "Protocol": "NFSv3", "RPCType": "GETACL", "ObjectType": "FILE", "Path": {"Path": "/test1/", "EHandle": "0xb1690a056fe09e42", "CloneID": "0x0"}, "LoginName": "user1@example.com", "uid": 1000, "sid": "S-1-5-21-927172180-3694312366-24219317-2311326", "S3AccessKeys": ["", "", "", ""], "Status": "Success"}

The fields in a log record vary depending on the RPC type. For information about fields that can appear in the log, see Audit Log Record Fields.

In some cases, only a subset of data is recorded; for example, when there is an issue with the request, such as invalid access key ID or invalid bucket name.
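The following added example (not VAST's own code) shows one way to read these files from a mounted view: it parses the file name layout described under Audit File Location and Name, reads one JSON record per line, and tolerates records that carry only a subset of fields. The function names and the `EXAMPLE_NON_SUCCESS` status are assumptions made for illustration; the page shows only the `Success` value.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Name layout from the page: audit_log_<silo ID>_<time and date stamp in UTC>
NAME_RE = re.compile(r"^audit_log_(\d+)_(\d{4}-\d{2}-\d{2})_(\d{2})\.(\d{2})\.(\d{2})\.(\d+)$")

def parse_audit_filename(name):
    """Return (silo_id, UTC datetime), or None if the name does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    silo, day, hh, mm, ss, frac = m.groups()
    ts = datetime.strptime(f"{day} {hh}:{mm}:{ss}", "%Y-%m-%d %H:%M:%S")
    # datetime stores microseconds only, so a 9-digit fraction is truncated.
    micro = int(frac[:6].ljust(6, "0"))
    return int(silo), ts.replace(microsecond=micro, tzinfo=timezone.utc)

def parse_records(lines):
    """Parse one JSON record per line; return (records, bad line numbers)."""
    records, bad = [], []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad.append(n)  # blank or truncated line: report it, keep going
            continue
        if isinstance(rec, dict):
            records.append(rec)
        else:
            bad.append(n)
    return records, bad

def non_success_by_client(records):
    """Count records whose Status is not "Success", keyed by ClientIP.
    Records that lack a ClientIP field are counted under "unknown"."""
    counts = Counter()
    for rec in records:
        if rec.get("Status") != "Success":
            counts[rec.get("ClientIP", "unknown")] += 1
    return counts

# Constructed sample lines (not real audit data); the last one is truncated.
SAMPLE = [
    '{"Time": "2024-04-14T20:01:57.430Z", "ClientIP": "192.0.2.15", "Protocol": "NFSv3", "Status": "Success"}',
    '{"Time": "2024-04-14T20:02:03.101Z", "ClientIP": "192.0.2.44", "Status": "EXAMPLE_NON_SUCCESS"}',
    '{"Time": "2024-04-14T20:02:04.000Z", "Status": "EXAMPLE_NON_SUCCESS"}',
    '{"Time": "2024-04-14T20:02:05',
]
```

Using `.get()` for every field keeps the reader working when a record is missing fields, and the list of bad line numbers makes dropped lines visible instead of silently skipped.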

Viewing and Querying Protocol Audit Log Records in VAST DataBase

If you've chosen to save logs to VAST DataBase, protocol audit log records are saved in a table in the VAST DataBase.

Viewing Audit Log Records in VAST DataBase

To view audit log records in VAST Web UI, choose DataBase -> VAST Audit Log to open the VAST Audit Log page.

You can perform the following actions on the page:

  • Filter by protocol.

    In the Protocol drop-down selector in the upper right, select the protocols whose log records should be shown; you can select more than one protocol.

  • Select columns to be displayed.

    Click the column selector icon to select columns (fields) to include in the displayed list of audit logs.

  • Download records to a CSV file.

    Click the download icon to download the currently displayed list of audit logs to a CSV file on your computer.

  • Adjust audit log settings.

    Click the settings icon to open the audit log settings page and make changes to the settings (for example, to change the retention period or the baseline audit settings).

  • Create and run queries.

    Click Open Query Panel to create a query on the audit logs table (see Querying Audit Log Records from VAST DataBase).

Querying Audit Log Records from VAST DataBase

You can create and run queries on the audit logs in the VAST DataBase, to search for specific records of interest.

  1. Click Open Query Panel.

  2. In the Active Query tab, define a query condition based on a VAST Audit Log table column, as follows:

    1. From the Column name dropdown, select the column on which you want to search.

    2. From the Select operator dropdown, select an operator from the list, according to the data type of the selected column. Then provide any relevant further criteria.

      For example, for the column cluster_name, you can select "is exactly" to search for a given cluster and then enter the name in the field provided, or select "is null" and then select True or False to search for entries that have a cluster name or for entries that do not.

    3. You can add additional clauses to the condition by defining & (AND) conditions, so that the condition will return only results that match all the clauses.

    4. You can add additional conditions to the query, for the same column, by adding OR criteria. Click OR, select another operator for the column, and then add a value. Repeat as needed for additional OR criteria. The query returns results matching any of the conditions.

    5. When you are done defining the condition, click Add. The condition is added to a list of conditions.

  3. Click Execute Query to run it. The results are displayed in the grid.