File TSV Log File
The following information lists all of the columns generated by File Activity Monitor into a TSV log file, along with descriptions.
Column Name(s) | Description |
---|---|
Operation Time | Date timestamp of the event in UTC time. Column format is dependent on the "Report Operations with millisecond precision" option |
Host | Host name of the monitored device |
User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID |
Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) |
Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) |
Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. |
Rename Path | New name of the path if a rename event occurs |
Process or IP | Indicates the source of the activity event: - For local Windows activity – Process name (e.g. notepad.exe) - For network Windows activity – IP Address of the user - For NAS device activity – IP Address for the NAS device of the user |
1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only. These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. |
User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. |
Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS |
1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format \\[SERVER]\[SHARE]\Folder\File.txt - For NFS activity – Reported with the following format [SERVER]:/[VOLUME]/Folder/File.txt |
Volume ID | ID of the volume where the event occurred |
Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. |
Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 |
File Size | Size of File |
Tags | (Windows hosts only) Contains 'Copy' for read events that are probably file copies |
Group ID | Linux hosts only. Unique identifier for the File System Group (GID) |
Group Name | Linux hosts only. Name of the File System Group (GID) |
Process ID | Linux hosts only. Name of the File System Group (GID) |
Sub-Operation, Old Attributes, and New Attributes Table
The following table lists details for Sub-Operation, Old Attributes, and New Attributes according to File Operation.
File Operation | Sub-Operation | Old Attributes | New Attributes |
---|---|---|---|
Owner was changed | Own | Old owner in SDDL format | New owner in SDDL format |
Permissions were changed (DACL) | Dac | Old DACL in SDDL format | New DACL in SDDL format |
Audit was changed (SACL) | Sac | Old SACL in SDDL format | New SACL in SDDL format |
File attributes were changed | Att | Old attributes as a hexadecimal number (0xNNN) | New attributes as a hexadecimal number (0xNNN) |
File is read from a shadow copy | VSS | Shadow copy creation time in YYYYMMDDThhmmss format (20180905T123456) |
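
The following parser and triage pass is an added example, not code from the product or its documentation. It assumes the log has no header row, that every optional column is enabled, that columns appear in the order the first table lists them, and that the Operation Type column carries the abbreviations shown in parentheses (e.g. "Per", "Rea"); the function names and sample rows are constructed for illustration.

```python
import csv
import io

# Assumption: no header row, every optional column enabled, and columns in
# the order the table above lists them.
COLUMNS = [
    "operation_time", "host", "user_id", "operation_type", "object_type",
    "path", "rename_path", "process_or_ip", "sub_operation", "old_attributes",
    "new_attributes", "user_name", "protocol", "unc", "rename_unc",
    "volume_id", "share_name", "protocol_version", "file_size", "tags",
    "group_id", "group_name", "process_id",
]
SUB_OPS = {"Own": "owner", "Dac": "DACL", "Sac": "SACL", "Att": "attributes"}

def parse_events(stream):
    """Yield one dict per TSV row, padding short rows with empty strings."""
    for row in csv.reader(stream, delimiter="\t", quoting=csv.QUOTE_NONE):
        if row:
            yield dict(zip(COLUMNS, row + [""] * (len(COLUMNS) - len(row))))

def triage(ev):
    """Return review notes built only from fields the tables define."""
    notes = []
    sub, old, new = ev["sub_operation"], ev["old_attributes"], ev["new_attributes"]
    if sub == "VSS":
        notes.append(f"read from shadow copy created {old}")
    elif ev["path"].startswith("VSS:"):
        notes.append(f"shadow copy creation of volume {ev['path'][4:]}")
    if ev["operation_type"] in ("Per", "Upd") and sub in SUB_OPS:
        notes.append(f"{SUB_OPS[sub]} changed: {old} -> {new}")
    if "Copy" in ev["tags"]:
        notes.append("read tagged as probable file copy")
    return notes

def _row(**fields):  # builds one constructed sample line; unset columns stay empty
    return "\t".join(fields.get(c, "") for c in COLUMNS)

# Constructed sample rows (not real log output; timestamp format is assumed).
SAMPLE = "\n".join([
    _row(operation_time="2018-09-05 12:34:56", host="FS01", operation_type="Per",
         object_type="FILE", path=r"C:\Finance\q3.xlsx", sub_operation="Dac",
         old_attributes="D:(A;;FA;;;BA)", new_attributes="D:(A;;FA;;;WD)"),
    _row(operation_time="2018-09-05 12:35:10", host="FS01", path="VSS:C"),
    _row(operation_time="2018-09-05 12:36:02", host="FS01", operation_type="Rea",
         object_type="FILE", path=r"C:\Finance\q3.xlsx", tags="Copy"),
])

def run_sample():
    return [(ev["path"], triage(ev)) for ev in parse_events(io.StringIO(SAMPLE))]
```

If the "Report account names" or "Report UNC paths" options are disabled, adjust `COLUMNS` to match the columns actually written before relying on positional parsing.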