Versions Compared

Version Old Version 13 New Version Current
Changes made by

Bala Harish A(AC)

Anjali Tyagi

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel2
outlinefalse
typelist
printablefalse

...

Name of bucketNamed of object, excluding bucket name, or UUID for unnamed streams

Field Name

Description

Auth Domain

Tenant or storage domain name used to authenticate user; tenant names prefixed with "+"

Auth User

User ID used to authenticate; empty if anonymous

Bucket

Backend IP Address

The IP address of the backend service

Date

Date (in YYYY-MM-DD)

DNS Domain

Origin DNS domain; value of Host header from the request

Swarm Domain

Swarm domain name to which operation refers to

Elapsed Time

Transaction time in milliseconds

HTTP Status Code

Request response code. Exceptions in request handling return a 500. All SCSP requests with authorization errors output a 401.

Log Level

Logging level for the audit log entry

Message Type

Message category to simplify filtering

Object Name or UUID

Path

The object path targeted by the request

Operation

The operation. Examples: POST, HEAD, DELETE, INVOKEINVOKE, ACL, POLICY_PUT, POLICY_GET, POLICY_DELETE, MULTI_DELETE, MULTIPART_INITIATE, MULTIPART_PUT, MULTIPART_COPY, MULTIPART_ABORT, LIST_MULTIPART, LIST_MULTIPARTS, LIST_OBJECTS, LIST_BUCKETS, LIST_OBJECTS, LIST_DOMAINS

Record Format Version

Audit A version of the audit log record format version. This changes if the format of the output records is different from the previous release.

Request ID

A unique identifier for client request requests is attached to all associated audit messages. This value matches the HTTP response header Gateway-Request-Id given to the client and is used in the server log.

Response Bytes Count

Number of bytes sent to Source IP in the HTTP response body

Source Bytes Count

Number of bytes received from Source IP in the message body

Source IP Address

IP address from which a request originated

Timestamp

High resolution timestamp up to millisecond

Swarm Bucket

Name of the Swarm bucket

Time

Time (in HH:MM:SS UTC)

Version ID

The version ID of an object in a versioned bucket

queryString

The query portion of the URI

Authentication Action

The authentication action for the request. See https://perifery.atlassian.net/wiki/spaces/public/pages/2443816981/Policy+Document#Request-Actions.

Tags

Arbitrary name/value pairs for debugging purposes

Audit Log Message Formats

...

The fields in each log message are separated by spaces. If a field value is missing, the string (none) “-” is substituted. Field values are subject to HTML URL encoding to make spaces, UTF-8, and other special characters safe for inclusion in the audit log entry.

  • Alphanumeric characters "a" through "z", "A" through "Z" and "0" through "9" remain unchanged

  • Characters ".", "-", "*", and "_" remain unchanged

  • Space character is converted into a plus sign "+"

  • All other characters are converted into %HH byte values using UTF-8 encoding

Note

The "/" character in an object's name appear as "%2F" in the log, based on the previous rules.

Common Prefix Fields

All messages are prefixed by the following fields in this order:

...

Note

Before Gateway 8.0 and audit log version 4, the “/” character in an object’s name appears as “%2F” in the log.

Common Fields

The common fields/messages are as follows:

  1. Date

  2. Time

  3. Log Level

  4. Request ID

  5. Record Format Version

  6. Source IP Address

  7. DNS Domain

  8. Message Type

  9. Operation

  10. Auth User

  11. Auth Domain

  12. HTTP Http Status Code

  13. Source Bytes Count

  14. Response Bytes Count

  15. Elapsed Time

Suffix Fields

This table defines the suffix fields that are included with each log message following the common prefix fields.

...

Event

...

Message Type

...

Operation

...

Suffix Fields

...

User requests token

...

Auth

...

GET

...

User deletes token

...

DELETE

...

List available domains

...

Admin

...

LIST_DOMAINS

...

Domain creation

...

Domain

...

POST

...

Domain

...

Domain policy create/ update

...

POLICY_PUT

...

Domain policy read

...

POLICY_GET

...

Domain policy delete

...

POLICY_DELETE

...

Domain copy

...

COPY

...

Domain delete

...

DELETE

...

Domain read

...

GET

...

Domain info

...

HEAD

...

List buckets in a domain

...

LIST_BUCKETS

...

Bucket creation

...

Bucket

...

POST

...

Domain, Bucket

...

Bucket policy create/ update

...

POLICY_PUT

...

Bucket policy read

...

POLICY_GET

...

Bucket policy delete

...

POLICY_DELETE

...

Bucket copy

...

COPY

...

Bucket delete

...

DELETE

...

Bucket read

...

GET

...

Bucket info

...

HEAD

...

List objects in a bucket

...

LIST_OBJECTS

...

S3 list multiparts

...

LIST_MULTIPARTS

...

Object creation

Scsp

...

POST

...

Domain, Bucket, Object name or UUID

...

Object update

...

PUT

...

Object append

...

APPEND

...

Object copy

...

COPY

...

Object delete

...

DELETE

...

Object read

...

GET

...

Object info

...

HEAD

...

S3 multipart initiate

...

MULTIPART_INITIATE

...

Domain, Bucket, Object name

...

S3 multipart put

...

MULTIPART_PUT

...

S3 multipart copy

...

MULTIPART_COPY

...

S3 multipart abort

...

MULTIPART_ABORT

...

S3 multipart complete

...

MULTIPART_COMPLETE

...

S3 list multipart

...

LIST_MULTIPART

  1. Backend IP Address

  2. Swarm Domain

  3. Swarm Bucket

  4. Object Path

  5. Version ID

  6. QueryString

  7. Authentication Action

  8. Tags

Audit Tags

These fields and names may change in future versions.

Field Name

Description

auth

Shows the time spent in authentication and authorization

refresh

Listings show the index "refresh" time before S3 listings ("F" means failure)

nondelimited

Query time for non-delimiter listings

query and commonprefixes

Query times for delimiter listings

collections

Collections show the query time for collections

indexing

Show the time spent synchronous indexing writes and deletes into Elasticsearch

rswfeeds and rswtime

Requests where Remote Synchronous Writes are configured will show status and timing

quota

Time spent evaluating quota

Example Log Messages

These are examples of a variety of audit log messages.

Successful login for user muser1 to the domain nom.dom.com
Code Block
languagetext
 2019-05-13 19:28:29,671 INFO [9D9A577B66D2DD56] 2 172.20.1.1 172.20.1.2 
  Auth POST muser1 nom.dom.com 201 0 0 0.48

...

Code Block
languagetext
 2019-10-16 10:37:29,719 INFO [D580617E135E35DF] 2 172.30.1.1 172.20.1.2
 Domain POLICY_PUT !superuser@ nom.dom.com 201 123 0 1.08 nom.dom.com
Locking-enabled bucket creation with a search feed indexing error
Code Block
2024-12-19 05:48:29,500 INFO [CB6CAB3AF58ED233] 4 127.0.0.1 127.0.0.1 
Bucket PUT admin @ 200 0 0 61061.00 - objlockdomain objlockbucket - - ?domain=objlockdomain&objectlock=governance:1d 
PutBucket [auth:122,quota:1,OBJLCK:ENABLE:GOVERNANCE:1d,indexing:F/60010/timeout]
S3 object write with a search feed indexing error
Code Block
2025-01-14 19:22:57,850 INFO [6316295C1CB4A9DC] 4 172.42.0.23 backup.example.com 
S3 PUT admin @ 200 3180 0 60104.00 172.42.0.13:80 backup.example.com mybucket 4/hawkey.log - - 
PutObject [auth:3,quota:0,indexing:F/60006/timeout]

Behaviors of Operations

Interrupted GET: When a GET operation is interrupted, such as if the socket closed unexpectedly prior to reading all data, the audit log may record an HTTP 200 response with response bytes equal to the size of the object. When interruption takes place, an HTTP 500 response is logged with response bytes equal to the actual number of bytes transmitted.

...

INVOKE operations: The optional feature Video Clipping (v11.0) logs INVOKE operations. Each  Each video clipping event logs multiple events to provide auditing through the process, which may take a while to complete. When you create a video clip, Gateway acknowledges the request with an INVOKE message. See https://perifery.atlassian.net/wiki/spaces/public/pages/2990833665/Video+Clipping+for+Partial+File+Restore?search_id=35c5b723-71ac-4f83-a075-95c094398997.

Application-Supplied Tag

Gateway's audit logging allows for the client application to supply a custom tag that can be used to correlate multiple audit log entries to one application-level transaction. The application specifies this tag in a Gateway-Audit-Id request header and it must be alpha-numeric and is truncated at 32 characters. When this optional tag is received, the Request ID field of the audit log entry contains the automatically-generated request identifier from the Gateway, a dash ("-"), and the application-supplied tag.

...