Introduction
The LucidLink Audit Trail feature provides Administrators and IT professionals the ability to monitor file system operations within LucidLink filespaces.
Requirements.
- LucidLink client version 2.7 or higher
How to enable the Audit Trail Feature.
- A LucidLink filespace Administrator can globally enable it for the filespace by using the following command in a command-line interface [Terminal on macOS and Linux and CMD on Windows]:
lucid3 config --global --set --Audit.FsEvents 1
Enabling the audit trail feature will prevent filespace users with LucidLink client version lower than 2.7 from connecting until they update their client.
File system operations included in the Audit Trail logs.
- File & folder creation
- File & folder deletion
- File & folder moves
- Reading of a file
- Definition: “Reading” a file refers to opening a file to view it, or opening a file within a software application (example: playing a video file in a video editing tool constitutes “reading” the file)
- Writing to a file
- Definition: “Writing” into a file means changing or adding to a file as part of a creative operation.
- Symbolic link creation
- Definition: Symbolic links represent another “pointer” to a file. Symbolic links are similar to an “alias.”
- Setting an extended attribute
- Definition: Extended attributes for a file refer to additional metadata used for a given file.
- Deleting an extended attribute
- LucidLink Pin & Unpin
Storage location of the Audit Trail logs.
- Audit Trail logs are stored on the filespace in a directory named .lucid_audit at the root of the filespace. The directory has the following structure:
.lucid_audit/<node_id>/<year>/<month>/<begin_date>.log
Audit log files are rotated every 15 minutes, and the currently active one has the extension .log.active.
- The folder the Audit Trail logs are stored within is a unique, and restricted one on the filespace, accessible only to Administrators. This means that a standard user cannot ever access, modify, or delete the activity logs in any way.
- By storing the logs on the filespace itself, we keep our Zero Knowledge promise. Meaning that the logs are inaccessible to LucidLink and to LucidLink partners.
Format details of the Audit Trail logs.
- Each file operation is recorded as an audit entry in the log files. The event is represented in NDJSON format and follows the structure outlined below. Please note that the schema is not fixed and will likely evolve in the future, with changes made in a backward-compatible manner.
- The
"entryPath"
audit log entry inherits the path-sharing model of the filespaces. In filespace formats 2.2 and higher, the full pathname of the operation is recorded. For formats prior to 2.2, the audit log entry shows the path as seen by the end user. In these instances, the"fileId"
entry can be used in addition to distinct between matching"entryPath"
s.
{
"schemaVersion": "1.0",
"user": {
"id": "70e5aaab-7feb-428b-b566-630faf4d94b3",
"name": "john.doe"
},
"operation": {
"entryPath": "/work/movie",
"action": "DirectoryDelete",
"fileId": "260:15"
},
"event": {
"filespaceUuid": "b8d714c9-fa33-49d4-a294-e6da4ee037e2",
"filespace": "audit-trail-test.corporate",
"nodeId": "19"
},
"device": {
"osName": "Windows NT(Windows 10 Pro)",
"osVersion": "10.0.19041",
"hostName": "DESKTOP-4MEI2V9"
}
}
Ways to review the Audit Trail log records.
- The Audit Trail feature does not provide a built-in UI for browsing the audit log files. To review the produced log files, you need to set up an agent that listens for changes in the
.lucid_audit
directory and forwards them to log management software such as:
-
- PowerBI
- OpenSearch
- Splunk
- Elastic Stack (ELK)
- CloudWatch.
Will the Audit Trail feature affect my filespace performance?
- The Audit Trail feature was designed with performance in mind, and extensive internal performance tests have shown negligible performance overhead.