May 11th, 2023 02:00
SMB Log Formatting
We started ingesting Isilon SMB audit events in our SIEM and we're working on developing parsers for it, but need to understand what every piece in the event represents.
Sample:
<30>1 2023-05-10T22:44:47.000000-04:00 USXX-ISI-C021-5(id2) audit_protocol 5185 - - S-1-5-21-3108209963-2641128813-111641110-799630|1000008|Zone-XXXXX|36|10.1.1.1|SMB|CLOSE|SUCCESS|FILE|0:0|0:0|5912317292|/ifs/XXX0161/FNP/FNP8_5/fs18/system/InboundLock_1683771138145
The ones I'm trying to understand are:
- 5185
- S-1-5-21-3108209963-2641128813-111641110-799630
- 1000008
- 36
- 0:0
- 5912317292
If anyone could help, it would be really appreciated.
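The sample line above is an RFC 5424 syslog record (`<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG`) whose message part is `|`-delimited. The parser below, an added example that is neither the poster's code nor anything from Dell/Isilon, decodes the syslog header and splits the body into positional fields, then reports only the *shape* of each field (SID-like, IPv4, integer, `n:n` pair, path or plain token). It deliberately does not name the body fields, because their meaning is not given on this page and should be confirmed against the OneFS audit documentation. Two assumptions are baked in and marked in comments: the body has 13 fields as in the sample, and the file path is always the last one (so the split keeps a `|` embedded in a filename inside the path field instead of shifting every column).

```python
"""Parse an Isilon SMB audit syslog line into header fields and positional body fields."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the (already anonymised) line quoted in the post above.
SAMPLE = (
    "<30>1 2023-05-10T22:44:47.000000-04:00 USXX-ISI-C021-5(id2) audit_protocol "
    "5185 - - S-1-5-21-3108209963-2641128813-111641110-799630|1000008|Zone-XXXXX|"
    "36|10.1.1.1|SMB|CLOSE|SUCCESS|FILE|0:0|0:0|5912317292|"
    "/ifs/XXX0161/FNP/FNP8_5/fs18/system/InboundLock_1683771138145"
)

# RFC 5424 header layout; STRUCTURED-DATA is either "-" or one or more [..] elements.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) (?P<msg>.*)$"
)

# Facility / severity names from RFC 5424 section 6.2.1 (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
    "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Windows SID syntax: S-1-<authority>-<subauthority>...
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Assumption taken from the single sample: 13 '|'-separated body fields, path last.
BODY_FIELD_COUNT = 13


def field_shape(value: str) -> str:
    """Classify a body field by syntax only; no claim is made about its meaning."""
    if SID_RE.match(value):
        return "sid"
    if re.fullmatch(r"\d+:\d+", value):
        return "pair"
    if value.isdigit():
        return "int"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if value.startswith("/"):
        return "path"
    return "token"


def parse_line(line: str) -> Dict[str, object]:
    """Return the decoded syslog header plus the body split into positional fields."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    # maxsplit keeps any '|' inside the trailing path from creating extra columns.
    fields: List[str] = m["msg"].split("|", BODY_FIELD_COUNT - 1)
    if len(fields) != BODY_FIELD_COUNT:
        raise ValueError(f"expected {BODY_FIELD_COUNT} body fields, got {len(fields)}")
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "version": m["version"],
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "appname": m["appname"],
        "procid": m["procid"],          # the "5185" in the sample sits in the PROCID slot
        "msgid": m["msgid"],
        "structured_data": m["sd"],
        "fields": fields,               # positional; meanings to be confirmed from vendor docs
        "shapes": [field_shape(f) for f in fields],
    }


if __name__ == "__main__":
    rec = parse_line(SAMPLE)
    for key in ("facility", "severity", "hostname", "appname", "procid"):
        print(f"{key:>10}: {rec[key]}")
    for i, (value, shape) in enumerate(zip(rec["fields"], rec["shapes"])):
        print(f"  field[{i:2}] {shape:<5} {value}")
```

Running it on the sample prints `daemon`/`info` for PRI 30 and lists the body as sid, int, token, int, ip, token, token, token, token, pair, pair, int, path. Those shapes are a starting point for mapping columns to a SIEM schema; the column names themselves still have to come from the vendor's audit field reference.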