6. Auditing

  • Updated on Jan 27, 2026
  • 2 minute(s) read
Prev Next

VAST supports protocol-level auditing to track client access and activity across views. When auditing is enabled, the system records detailed information about each client-initiated operation, which can be used for security reviews, compliance audits, and operational analysis.

For each request, VAST logs the following information/fields, enabling Administrators to choose which operation categories to audit:

  • Operation: LOOKUP, READ, WRITE, CREATE, REMOVE, RENAME, MKDIR, SETATTR, and others.

  • Path: Full path to the file or directory the operation was performed on.

  • Client IP: Source IP address of the request.

  • User identity: UID/GID or Kerberos principal (when available)

  • Timestamp: Time the operation occurred.

  • Result Code: Whether the operation succeeded or failed.

  • Category: Read, Modify, Metadata, Lookup.

Log Storage Options

Destination

Details & Uses

JSON logs

Written per CNode in structured JSON, ideal for SIEM tools (Splunk, Elastic) or syslog forwarding.

AuditDB

Central database queried via the VAST GUI, vastdb CLI, Python SDK, or SQL engines (Trino, Spark) for fast, large-scale analysis.

Note: Both destinations can be enabled together or separately, each with its own retention and forwarding settings.

Authorization & Access Control:

  • Audit data is visible only to users/groups granted access in Audit Settings.

  • Permissions apply equally to JSON logs and AuditDB queries.

  • Enforcement relies on VAST’s identity-policy framework and cannot be modified elsewhere.

Enabling NFS Auditing (Web UI)

  1. Go to Settings → Auditing → General.

  2. Set an Audit directory name (e.g., .vast_audit_dir).

  3. Define retention (keep forever or set a time period).

  4. Enable at least one destination:

    • Save audit logs to VAST DB.

    • Save audit logs to file (JSON format).

  5. (Optional) Add Read-access Users/Groups.

  6. In Global Baseline Audit Settings:

    • Select protocols: NFSv3, NFSv4, etc.

    • Enable operations:

      • Create/Delete Files/Objects

      • Modify Data

    • Enable logging options:

      • Log Full Path

      • Log Username

  7. Click Enable → then Save

The image displays the auditing configuration panel in VAST, allowing users to set retention periods and select protocols for auditing operations such as create/delete files and modify data. Users can also specify whether audit records should be saved to VAST DB or file (JSON format).

VMS GUI Audit settings

Accessing and Querying Audit Logs on Web GUI

  1. Go to Database → VAST Audit Log in the Web UI.

  2. Select protocol (e.g., NFSv3) from the dropdown.

  3. Click Open Query Panel.

  4. Add conditions:

    • Select a column (e.g., login_name, path, rpc_type).

    • Choose an operator (e.g., “is exactly”).

    • Enter a value, then click Add.

  5. Click Execute to view filtered results

You can also use preset queries like:

  • “Which user/group accessed files under a specific path”.

  • “Find records with num_ops or num_bytes ≥ thresholds”.

Note: Audit results are limited to 1000 rows per query.

The screenshot displays the VAST Audit Log interface, where users can query and analyze audit records related to file operations on an NFSv3 system. The active query panel is open, ready for defining conditions such as user access, path queries, or numerical criteria like number of operations or bytes modified.

VAST Audit Log

Auditing in Multi-Tenant Environments

In multi-tenant environments, VAST auditing continues to log all relevant client operations, but access to these records can be scoped per tenant. While audit data is stored centrally under the default tenant in the audit directory, other tenant managers can view or query their audit records. This supports secure, role-based access to audit data in shared environments—ideal for CSP, internal platform teams, and compliance use cases.

Granting Audit Log Access to Specific Users

Audit log visibility is controlled by assigning read access at the user level:

  1. Navigate to Settings → Auditing → General.

  2. Under Read-access Users, click Add.

  3. Enter the user(s) to be allowed audit log access.

  4. Click Apply to update the policy.

The image displays an auditing configuration page in a management interface, where users can set size limits per audit file and directory, define retention periods, and manage global baseline audit settings to log various operations like file creation/deletion, modification data, and user permissions.

VMS settings, audit access

Querying AuditDB using Trino with Dashboard

Superset is an example of a dashboard solution that provides an interface for querying and visualizing audit records stored in the VAST AuditDB using Trino. Dashboards include filters (e.g., time range, user, protocol, path) to help narrow results for operational or audit review. No SQL knowledge is required to use predefined views or apply filters.

The image displays an audit overview dashboard in Superset, providing detailed logs and metrics on network file system (NFS) activity from the VAST Cluster phx202. The dashboard includes visualizations such as pie charts representing protocols like NFSv3 and user actions with filters allowing for customizable data exploration.

Trino with Dashboard

More information:

Related articles