Linux TSV Log File
The following information lists all of the columns generated by Linux Activity Monitor into a TSV log file, along with descriptions.
| Operation Time | Date timestamp of the event in UTC time Column format is dependent on "Report Operations with millisecond precision" option |
| Host | Host name of the monitored device |
| User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID |
| Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) |
| Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) |
| Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. |
| Rename Path | New name of the path if a rename event occurs |
| Process or IP | Indicates the source of the activity event: - For Local activity – Process name (e.g. notepad.exe) - For Remote network activity – IP Address of the user |
| 1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only. These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. |
| User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. |
| Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS |
| 1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format \[SERVER][SHARE]\Folder\File.txt - For NFS activity – Reported with the following format[SERVER]:/[VOLUME]/Folder/File.txt |
| Volume ID | ID of the volume where the event occurred |
| Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. |
| Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 |
| File Size | Size of File |
| Tags | Windows hosts only Contains 'Copy' for read events that are probably file copies |
| Group ID | Linux hosts only Unique identifier for the File System Group (GID). |
| Group Name | Linux hosts only Name of the File System Group (GID). |
| Process ID | Linux hosts only Name of the File System Group (GID). |