Auditing the history of BlueXP classification actions
BlueXP classification logs management activities that have been performed on files from all the working environments and data sources that BlueXP classification is scanning. BlueXP classification also logs the activities when deploying the BlueXP classification instance.
You can view the contents of the BlueXP classification audit log files, or download them, to see what file changes have occurred, and when. For example, you can see what request was issued, the time of the request, and details such as source location in case a file was deleted, or source and destination location in case a file was moved.
Log file contents
Each line in the audit log contains information in this format:
<full date> | <status> | ds_audit_logger | <module> | 0 | 0 | File <full file path> deleted from device <device path> - <result>
- Date and time - full timestamp for the event
- Status - INFO, WARNING
- Action type (delete, copy, move, create policy, update policy, rescan files, download JSON report, etc.)
- File name (if the action is relevant to a file)
- Details for the action - what was done: depends on the action
  - Policy name
  - For move - Source and destination
  - For copy - Source and destination
  - For tag - tag name
  - For assign to - user name
  - For email alert - email address / account
For example, the following lines from the log file show a successful copy operation and a failed copy operation.
2022-06-06 15:23:08,910 | INFO | ds_audit_logger | es_scanned_file | 237 | 49 | Copy file /CIFS_share/data/dop1/random_positives.tsv from device 10.31.133.183 (type: SMB_SHARE) to device 10.31.130.133:/export_reports (NFS_SHARE) - SUCCESS
2022-06-06 15:23:08,968 | WARNING | ds_audit_logger | es_scanned_file | 239 | 153 | Copy file /CIFS_share/data/compliance-netapp.tar.gz from device 10.31.133.183 (type: SMB_SHARE) to device 10.31.130.133:/export_reports (NFS_SHARE) - FAILURE
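As an added example that is not part of the NetApp documentation, this Python script parses audit lines in the format above and returns the entries that have WARNING status or a FAILURE result, counting lines that do not match the format. The function names are assumptions, and the two numeric columns, which the page does not describe, are ignored.

```python
from datetime import datetime

# Constructed sample: the two lines quoted on the page plus one malformed line.
SAMPLE = """\
2022-06-06 15:23:08,910 | INFO | ds_audit_logger | es_scanned_file | 237 | 49 | Copy file /CIFS_share/data/dop1/random_positives.tsv from device 10.31.133.183 (type: SMB_SHARE) to device 10.31.130.133:/export_reports (NFS_SHARE) - SUCCESS
2022-06-06 15:23:08,968 | WARNING | ds_audit_logger | es_scanned_file | 239 | 153 | Copy file /CIFS_share/data/compliance-netapp.tar.gz from device 10.31.133.183 (type: SMB_SHARE) to device 10.31.130.133:/export_reports (NFS_SHARE) - FAILURE
truncated line without separators
"""

def parse_line(line):
    """Return a dict for one audit line, or None if it does not match the format."""
    # maxsplit=6 keeps any " | " inside a file path within the message field.
    parts = line.rstrip("\n").split(" | ", 6)
    if len(parts) != 7:
        return None
    ts, status, logger, module, _n1, _n2, message = (p.strip() for p in parts)
    try:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")
    except ValueError:
        return None
    # The result follows the last " - "; a path may itself contain " - ".
    detail, sep, result = message.rpartition(" - ")
    if not sep:
        detail, result = message, None
    return {"time": when, "status": status, "logger": logger, "module": module,
            "detail": detail, "result": result}

def needs_review(event):
    """Flag WARNING lines and any line whose result is FAILURE."""
    return event["status"] == "WARNING" or event["result"] == "FAILURE"

def review(lines):
    """Parse lines; return (events to review, count of unparseable lines)."""
    flagged, bad = [], 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            bad += 1
        elif needs_review(event):
            flagged.append(event)
    return flagged, bad

if __name__ == "__main__":
    flagged, bad = review(SAMPLE.splitlines())
    for e in flagged:
        print(e["time"].isoformat(), e["status"], e["result"], e["detail"])
    print("unparseable lines:", bad)
```

To run it against a real log, pass the open file object to review() in place of the sample lines.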
Access the log file
The management audit log files are located on the BlueXP classification machine in: /opt/netapp/audit_logs/
The installation audit log files are written to /opt/netapp/install_logs/
Each log file can be a maximum of 10 MB in size. When that limit is reached, a new log file is started. The log files are named "DataSense_audit.log", "DataSense_audit.log.1", "DataSense_audit.log.2", and so on. A maximum of 100 log files are retained on the system - old log files are deleted automatically after the maximum has been reached.
When BlueXP classification is installed on a Linux machine on your premises, or on a Linux machine you deployed in the cloud, you can navigate directly to the log file.
When BlueXP classification is deployed in the cloud, you need to SSH to the BlueXP classification instance. You SSH to the system by entering the user and password, or by using the SSH key you provided during the BlueXP Connector installation. The SSH command is:
ssh -i <path_to_the_ssh_key> <machine_user>@<datasense_ip>
- <path_to_the_ssh_key> = location of ssh authentication keys
- <machine_user>:
  - For AWS: use the <ec2-user>
  - For Azure: use the user created for the BlueXP instance
  - For GCP: use the user created for the BlueXP instance
- <datasense_ip> = IP address of the virtual machine instance
Note that you’ll need to modify the security group inbound rules to access the system in the cloud. For details, see: