Using the audit-explain tool

You can use the audit-explain tool to translate the audit messages in the audit log into an easy-to-read format.

Before you begin

About this task

The audit-explain tool, available on the primary Admin Node, provides simplified summaries of the audit messages in an audit log.

Attention: The audit-explain tool is primarily intended for use by technical support during troubleshooting operations. Processing audit-explain queries can consume a large amount of CPU power, which might impact StorageGRID operations.

This example shows typical output from the audit-explain tool. These four SPUT audit messages were generated when the S3 tenant with account ID 92484777680322627870 used S3 PUT requests to create a bucket named bucket1 and add three objects to that bucket.
SPUT S3 PUT bucket bucket1 account:92484777680322627870 usec:124673
SPUT S3 PUT object bucket1/part1.txt tenant:92484777680322627870  cbid:9DCB157394F99FE5 usec:101485
SPUT S3 PUT object bucket1/part2.txt tenant:92484777680322627870  cbid:3CFBB07AB3D32CA9 usec:102804
SPUT S3 PUT object bucket1/part3.txt tenant:92484777680322627870  cbid:5373D73831ECC743 usec:93874

The audit-explain tool can process plain or compressed audit logs. For example:

audit-explain audit.log
audit-explain 2019-08-12.txt.gz

The audit-explain tool can also process multiple files at once. For example:

audit-explain audit.log 2019-08-12.txt.gz 2019-08-13.txt.gz
audit-explain /var/local/audit/export/*

Finally, the audit-explain tool can accept input from a pipe, which allows you to filter and preprocess the input using the grep command or other means. For example:

grep SPUT audit.log | audit-explain
grep bucket-name audit.log | audit-explain

Because audit logs can be very large and slow to parse, you can save time by filtering out only the parts you want to look at and running audit-explain on those parts, instead of on the entire file.

Note: The audit-explain tool does not accept compressed files as piped input. To process compressed files, provide their file names as command-line arguments, or use the zcat tool to decompress the files first. For example:

zcat audit.log.gz | audit-explain
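
The following shell script is an added example, not part of the StorageGRID documentation or the audit-explain tool itself: it streams a mix of plain and gzip-compressed audit log files through one grep filter into audit-explain, decompressing on the fly so compressed files never have to be unpacked to disk. The AUDIT_EXPLAIN variable, the helper function names and the sample audit lines are assumptions; the sample lines are constructed placeholders, not the real audit message format.

```shell
#!/bin/sh
# Added example (not from the StorageGRID documentation). AUDIT_EXPLAIN is an
# assumed hook that lets another command (for example cat) stand in for the
# real audit-explain tool when exercising the pipeline.
: "${AUDIT_EXPLAIN:=audit-explain}"

# Concatenate audit log files onto one stream. audit-explain does not accept
# compressed data on a pipe, so .gz files are decompressed first with
# gzip -dc (equivalent to zcat); plain files are passed through with cat.
cat_audit_logs() {
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc -- "$f" ;;
      *)    cat -- "$f" ;;
    esac
  done
}

# Keep only the lines matching a grep pattern (a message code such as SPUT,
# a bucket name, or a tenant account ID) and explain just those lines.
# Usage: explain_filtered PATTERN FILE...
explain_filtered() {
  pattern="$1"; shift
  cat_audit_logs "$@" | grep -e "$pattern" | "$AUDIT_EXPLAIN"
}

# Write constructed placeholder audit lines (not the real audit format) into
# a temporary directory, one plain log and one gzip-compressed log, and
# print the directory path.
make_sample_logs() {
  d=$(mktemp -d)
  printf '%s\n' \
    'placeholder SPUT bucket bucket1 account:92484777680322627870' \
    'placeholder SGET bucket bucket1 account:92484777680322627870' \
    > "$d/audit.log"
  printf '%s\n' \
    'placeholder SPUT object bucket1/part1.txt tenant:92484777680322627870' \
    'placeholder SPUT object bucket2/part2.txt tenant:92484777680322627870' \
    | gzip -c > "$d/2019-08-12.txt.gz"
  echo "$d"
}

# Run the pipeline only where the real tool (or the override) is installed.
if command -v "$AUDIT_EXPLAIN" >/dev/null 2>&1; then
  dir=$(make_sample_logs)
  explain_filtered SPUT "$dir/audit.log" "$dir/2019-08-12.txt.gz"
fi
```

On an Admin Node, AUDIT_EXPLAIN is left unset so the real tool runs; the grep pattern can be any of the filters shown above, for example a bucket name or a tenant account ID.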

Use the help (-h) option to see the available options. For example:

$ audit-explain -h

Procedure

  1. Log in to the primary Admin Node:
    1. Enter the following command: ssh admin@primary_Admin_Node_IP
    2. Enter the password listed in the Passwords.txt file.
  2. Enter the following command, where /var/local/audit/export/audit.log represents the name and the location of the file or files you want to analyze: $ audit-explain /var/local/audit/export/audit.log
    The audit-explain tool prints human-readable interpretations of all messages in the specified file or files.
    Note: To reduce line lengths and to aid readability, timestamps are not shown by default. If you want to see the timestamps, use the timestamp (-t) option.