File Format

High Assurance Audit Log Record Format

Each record in the audit log is a newline-terminated list of key=value pairs, separated by a space. Values may be "quoted", and quoted values may contain a space. Values will also be url-encoded if they contain %, ", or non-ascii printable text.

Record types are session login records, operation records, and operation end records. Session login records contain collection, user and task information for each login. Operation records contain a reference to the session record, as well as information about each of the multiple operations that occur during that login session. Operation end records contain final details for transfer operations.

Session Login Record

A session login record is written for each login. One or more logins can occur for each transfer task, interactive access via the Globus Web App or CLI, or direct HTTPS access to a collection.

Example:

t=S ts=2018-01-30T20:15:53Z ref=c1f420f2-05fb-11e8-bcad-000c297ab3c2 c_ip=54.237.254.192:43536 auth=TLSFTP+GUEST s_usr=mlink p_usr=mlink r=/ g_tid=95d7d216-1637-11e7-bb8b-22000b9a448b g_cid=a6915d24-a10d-11e6-b0f0-22000b92c261 g_uid=a6996d24-a10d-11e6-b0f0-32000b9b147b

Key

Value

t

Type. The log record type, which is always S for session records.

ts

Timestamp. ISO8601 timestamp with second precision, always UTC.

ref

Session reference. A unique id for this session. All operation records from this session will have a matching ref value.

c_ip

Client IP. The control channel client IP address and source port. This is a Globus service IP address for Globus transfers.

auth

Authentication method. Will be one of:

TLSFTP

TLS control channel authenticated by the Globus Service. This is the usual method for Globus transfers.

HTTPS

Direct HTTPS access from transferring user, authenticated by the Globus Service.

GSIFTP

GSSAPI control channel authenticated with user X509 certificates.

For guest collection access, +GUEST will be appended to one of the above.

p_usr

Process user. The local account the globus-gridftp-server process ran as. May be the same as s_usr for connectors that use local accounts, or a GCS service account for other connectors.

s_usr

Storage user. The connector-specific storage system account.

r

Root path. The configured storage gateway root path.

g_tid

Globus transfer task ID. The id of the Globus transfer task driving this session. A single transfer task ID will often result in multiple sessions. A task ID is only present for transfer and delete tasks.

g_eid

Globus endpoint ID. The ID of the collection being accessed.

g_uid

Globus user ID. Identity IDs of the Globus user requesting the transfer. If the user presented multiple identities for login, they will be separated by a comma.

Operation Record

The operation record is written before each operation is attempted. The end operation record is written upon failure of any operation, or completion of a transfer operation. An end operation record is not written for successful non-transfer operations.

Example:

t=O ts=2018-02-05T16:20:31Z ref=7c5840e8-0a90-11e8-aeb5-b75e98b1747b op=RETR c_path=/etc/group s_path=c_path

t=E ts=2018-02-05T16:20:31Z ref=7c5840e8-0a90-11e8-aeb5-b75e98b1747b op=RETR c_path=/etc/group s_path=c_path d_ip=10.1.1.128 len=27825 res=ok

Key

Value

t

Type. The log record type, which is O for the operation start, and E for operation end. An E record is always written for transfers, and only on error for other operations.

ts

Timestamp. ISO8601 timestamp with second precision, always UTC.

ref

Session reference. The login session under which this operation was performed.

op

File access operation. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL. See Operations.

c_path

Client path. Path as visible to the end user.

s_path

Storage path. Actual path on storage, which may be different due to symlinks, storage gateway, or collection root. If same as c_path, c_path is the value.

d_ip

E record only. Destination IP. IP address of the endpoint that the data was transferred to or from.

len

E record only. Data length. Bytes of data actually transferred, which may be less than the full file size in case of error.

res

E record only. Result. ok or an error string.

Operations

Possible operation types:

STOR

Transfer a file into the collection.

RETR

Transfer a file out of the collection.

STAT

File attribute check or directory listing.

CKSM

Request for a file’s checksum.

DELE

Deletion of a file.

REN

File or directory rename.

MKD

Directory creation.

RMD

Directory deletion.

RDEL

Recursive deletion of a directory and all files within.