Linux TSV Log File
The following information lists all of the columns generated by Linux Activity Monitor into a TSV log file, along with descriptions.
Column Name | Description |
---|---|
Operation Time | Date timestamp of the event in UTC time. The column format depends on the "Report Operations with millisecond precision" option |
Host | Host name of the monitored device |
User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID |
Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) |
Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) |
Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. |
Rename Path | New name of the path if a rename event occurs |
Process or IP | Indicates the source of the activity event: - For Local activity – Process name (e.g. notepad.exe) - For Remote network activity – IP Address of the user |
1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only. These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. |
User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. |
Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS |
1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format: \\[SERVER]\[SHARE]\Folder\File.txt - For NFS activity – Reported with the following format: [SERVER]:/[VOLUME]/Folder/File.txt |
Volume ID | ID of the volume where the event occurred |
Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. |
Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 |
File Size | Size of File |
Tags | Windows hosts only. Contains 'Copy' for read events that are probably file copies |
Group ID | Linux hosts only. Unique identifier for the File System group (GID) |
Group Name | Linux hosts only. Name of the File System group |
Process ID | Linux hosts only. Identifier (PID) of the process that performed the operation |
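The following parser is an added example for the Linux TSV format described above; it is not part of the product documentation. It assumes the TSV columns appear in the order of the table (with the grouped Sub-Operation/Attribute and UNC columns expanded into individual columns) and that Operation Time is rendered as `YYYY-MM-DD HH:MM:SS` with an optional `.fff` millisecond suffix, since the table says the rendering depends on the millisecond-precision option. The sample lines, hosts, users and paths are constructed. Beyond parsing, it flags link creation and access-control changes per event and finds delete bursts per user, which is the kind of check a practitioner would run over this feed.

```python
"""Parse Activity Monitor Linux TSV log lines and flag events worth a second look.

Added example, not part of the product documentation. Assumptions: the TSV
columns appear in the order of the table above; Operation Time is rendered as
'YYYY-MM-DD HH:MM:SS' with an optional '.fff' suffix (the table says the format
depends on the millisecond-precision option, so both shapes are accepted).
"""
import csv
import io
from datetime import datetime, timezone

# Column order assumed to match the table above (Sub-Operation/Old/New Attributes
# and UNC/Rename UNC Path expanded into their individual columns).
COLUMNS = [
    "Operation Time", "Host", "User Sid/Uid", "Operation Type", "Object Type",
    "Path", "Rename Path", "Process or IP", "Sub-Operation", "Old Attributes",
    "New Attributes", "User Name", "Protocol", "UNC", "Rename UNC Path",
    "Volume ID", "Share Name", "Protocol Version", "File Size", "Tags",
    "Group ID", "Group Name", "Process ID",
]

# Operation Type abbreviations as documented in the table above.
OPERATIONS = {
    "Add": "Add", "Del": "Delete", "Ren": "Rename", "SHARE": "Network Share",
    "Per": "Permission Change", "Rea": "Read", "LINK": "Symlink or hardlink",
    "Upd": "Update",
}


def parse_time(value):
    """Return an aware UTC datetime; accept both the plain and millisecond layouts."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised Operation Time: {value!r}")


def parse_tsv(text):
    """Yield one dict per line keyed by COLUMNS; short lines are padded with ''."""
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if not row:
            continue
        row = row + [""] * (len(COLUMNS) - len(row))
        event = dict(zip(COLUMNS, row))
        event["timestamp"] = parse_time(event["Operation Time"])
        event["operation"] = OPERATIONS.get(event["Operation Type"], event["Operation Type"])
        yield event


def flag_event(event):
    """Reasons a single event deserves review (empty list if none)."""
    reasons = []
    if event["Operation Type"] == "LINK":
        reasons.append("link created")          # hard/symlinks can redirect later writes
    if event["Operation Type"] in ("Per", "SHARE"):
        reasons.append("access control changed")
    return reasons


def delete_bursts(events, threshold=3, window_seconds=60):
    """Map user id -> largest number of deletes that user made inside one window."""
    times_by_user = {}
    for e in events:
        if e["Operation Type"] == "Del":
            times_by_user.setdefault(e["User Sid/Uid"], []).append(e["timestamp"])
    bursts = {}
    for user, times in times_by_user.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def _row(fields):
    """Build one TSV line from a {column: value} dict (for the constructed sample)."""
    return "\t".join(fields.get(c, "") for c in COLUMNS)


# Constructed sample log; hosts, users, paths and addresses are illustrative.
SAMPLE_TSV = "\n".join(_row(f) for f in [
    {"Operation Time": "2024-05-01 10:15:02.123", "Host": "nas01", "User Sid/Uid": "1001",
     "Operation Type": "Rea", "Object Type": "FILE", "Path": "/vol/home/alice/report.docx",
     "Process or IP": "10.0.0.5", "User Name": "alice", "Protocol": "NFS", "Protocol Version": "4.1"},
    {"Operation Time": "2024-05-01 10:15:03", "Host": "nas01", "User Sid/Uid": "1001",
     "Operation Type": "LINK", "Object Type": "FILE", "Path": "/vol/home/alice/.ssh/authorized_keys",
     "Process or IP": "10.0.0.5", "User Name": "alice", "Protocol": "NFS"},
    {"Operation Time": "2024-05-01 10:15:04", "Host": "nas01", "User Sid/Uid": "S-1-5-21-1-2-3-1105",
     "Operation Type": "Per", "Object Type": "FOLD", "Path": "/vol/share/finance",
     "Process or IP": "10.0.0.9", "User Name": "CORP\\bob", "Protocol": "CIFS", "Share Name": "finance"},
] + [
    {"Operation Time": f"2024-05-01 10:16:{s:02d}", "Host": "nas01", "User Sid/Uid": "1001",
     "Operation Type": "Del", "Object Type": "FILE", "Path": f"/vol/home/alice/doc{s}.txt",
     "Process or IP": "10.0.0.5", "User Name": "alice", "Protocol": "NFS"}
    for s in (0, 10, 20)
])

if __name__ == "__main__":
    events = list(parse_tsv(SAMPLE_TSV))
    for e in events:
        if flag_event(e):
            print(e["timestamp"].isoformat(), e["User Name"], e["operation"], e["Path"], flag_event(e))
    print("delete bursts:", delete_bursts(events))
```

The reader uses `QUOTE_NONE` so a quote character inside a path cannot swallow the rest of the line, and `parse_time` tries the millisecond layout first so a deployment that toggles the precision option mid-file still parses.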
SharePoint JSON Log File
The JSON log file format is used to send SharePoint activity monitoring data to Access Analyzer v10.0 consoles. The following information lists all of the attributes generated by SharePoint Activity Monitor into a JSON log file:
Attribute Name | Description | Example |
---|---|---|
TimeLogged | Event time (UTC) as an ISO 8601 string | 2019-03-14T18:13:39.00Z |
ActivityType | Constant “SharePoint” | SharePoint |
AgentHost | Host name where agent is installed | sphost |
UserSid | User SID who caused the event | S-1-0-0 |
UserName | User Name who caused the event | System Account |
UserID | ID of the user who caused the event | 1073741823 |
UserLogin | User Login who caused the event | SHAREPOINT\system |
Protocol | Protocol: HTTP / HTTPS.. | HTTP |
AbsoluteUrl | Full Url: SiteUrl + DocLocation | http://sphost/Lists/Comments/1_.000 |
WebApplication | Web application name | SharePoint – 80 |
SiteId | Site Id (guid) | 7b2c8d23-a74f-4c3c-985d-2c7facb5ebae |
SiteUrl | Site Url | http://sphost/sites/mysite |
WebTitle | Web title | my site |
DocLocation | Location of an audited object at the time of the audited event | Lists/Comments/1_.000 |
ItemId | GUID of the object whose event is represented by the entry | 2c4174dc-322d-47bc-a420-52968fc3ba6c |
ItemTitle | Title of the object | Welcome to my blog! |
ItemType | Type of the object: Document / ListItem / List / Folder / Web / Site | ListItem |
EventType | An SPAuditEventType that represents the type of event | Update |
EventSource | A value that indicates whether the event occurred as a result of user action in the SharePoint Foundation user interface (UI) or programmatically. Values: SharePoint / ObjectModel | SharePoint |
LocationType | Specifies the actual location of a document in a SharePoint document library: Invalid, Url, ClientLocation | Url |
AppPrincipalId | The ID of the app principal that caused the event. If the value of EventSource is ObjectModel, then AppPrincipalId holds the ID of the app principal in whose context the code that caused the event was running. If there is no app context, AppPrincipalId is null. | 0 |
SourceName | The name of the application that caused the event | <empty> |
RawEventData | A String that holds XML markup providing data that is specific to the type of event that the entry object represents. | <RelatedItem><Id>06C49477-0498-4858-900C-45B595337462</Id><Relationship><NewName>MyDocs/myfile.zip</NewName></Relationship></RelatedItem> |
AuditMask | The new audit mask | ["CheckIn","View","Delete","Update"] |
ChildId | The GUID of the child that is deleted/moved. | 06C49477-0498-4858-900C-45B595337462 |
ChildDocLocation | The pre-deletion URL of the child item | Lists/Posts/2_.000 |
NewDocLocation | The URL to which the item is moved | MyNewDocs/myfile.zip |
Version | The new version of the document / The version that was deleted | 1.0 |
DeleteType | Whether it is moved to the recycle bin (1) or is deleted completely (0). 1 - MovedToRecycle; 0 - DeletedCompletely | MovedToRecycle |
SearchQuery | Text of the search query | myfile |
SearchConstraint | Constraint applied to the search query | site:"http://sphost/sites/mysite" |
GroupId | The ID of the new/deleted group The ID of the group that was bound to the role | 11 |
GroupName | The name of the new/deleted group The name of the group that was bound to the role | My Super Group |
TrusteeId | The ID of the user that was added/deleted from the group The ID of the user that was bound to the role | 8 |
TrusteeName | The Name of the user/group that was added/deleted from the group The Name of the user/group that was bound to the role | spuser |
TrusteeType | Whether the trustee is a user or a group: User / Group | User |
UpdateType | Added, Removed, or Updated | Added |
RoleId | The ID of the new/changed/deleted permission level | 1073741924 |
RoleName | The name of the new/changed/deleted permission level | My Role |
Permissions | The combination of permissions | ["ViewListItems","AddListItems","EditListItems"] |
SharePoint Online JSON Log File
The JSON log file format is used to send SharePoint Online activity monitoring data to Access Analyzer v10.0 consoles. The following information lists all of the attributes generated by SharePoint Online Activity Monitor into a JSON log file:
Base Schema
The following table lists the base schema attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
TimeLogged | Event time (UTC) | 2019-03-14T18:13:39.000Z |
ActivityType | Constant "SharePointOnline" | SharePointOnline |
AgentHost | Host name where agent is installed. | sphost |
Source | SharePoint, SharePointFileOperation, SharePointListOperation, SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation, SharePointSharingOperation, ComplianceDLPSharePoint, ComplianceDLPSharePointClassification | SharePointFileOperation |
Id | Unique id of an audit record | 5ed5f834-7609-4ea6-df9b-08d76f79a875 |
EventType | Type of the event. One of: AccessInvitationCreated AccessInvitationExpired AccessInvitationRevoked AccessInvitationUpdated AccessRequestApproved AccessRequestCreated AccessRequestRejected ActivationEnabled AdministratorAddedToTermStore AdministratorDeletedFromTermStore AllowGroupCreationSet AppCatalogCreated AuditPolicyRemoved AuditPolicyUpdate AzureStreamingEnabledSet CollaborationTypeModified ConnectedSiteSettingModified CreateSSOApplication CustomFieldOrLookupTableCreated CustomFieldOrLookupTableDeleted CustomFieldOrLookupTableModified CustomizeExemptUsers DefaultLanguageChangedInTermStore DelegateModified DelegateRemoved DeleteSSOApplication eDiscoveryHoldApplied eDiscoveryHoldRemoved eDiscoverySearchPerformed EngagementAccepted EngagementModified EngagementRejected EnterpriseCalendarModified EntityDeleted EntityForceCheckedIn ExemptUserAgentSet FileAccessed FileCheckOutDiscarded FileCheckedIn FileCheckedOut FileCopied FileDeleted FileDeletedFirstStageRecycleBin FileDeletedSecondStageRecycleBin FileDownloaded FileFetched FileModified FileMoved FilePreviewed FileRenamed FileRestored FileSyncDownloadedFull FileSyncDownloadedPartial FileSyncUploadedFull FileSyncUploadedPartial FileUploaded FileViewed FolderCopied FolderCreated FolderDeleted FolderDeletedFirstStageRecycleBin FolderDeletedSecondStageRecycleBin FolderModified FolderMoved FolderRenamed FolderRestored GroupAdded GroupRemoved GroupUpdated LanguageAddedToTermStore LanguageRemovedFromTermStore LegacyWorkflowEnabledSet LookAndFeelModified ManagedSyncClientAllowed MaxQuotaModified MaxResourceUsageModified MySitePublicEnabledSet NewsFeedEnabledSet ODBNextUXSettings OfficeOnDemandSet PageViewed PeopleResultsScopeSet PermissionSyncSettingModified PermissionTemplateModified PortfolioDataAccessed PortfolioDataModified PreviewModeEnabledSet ProjectAccessed ProjectCheckedIn ProjectCheckedOut ProjectCreated ProjectDeleted ProjectForceCheckedIn ProjectModified ProjectPublished ProjectWorkflowRestarted PWASettingsAccessed PWASettingsModified QueueJobStateModified QuotaWarningEnabledModified RenderingEnabled ReportingAccessed ReportingSettingModified ResourceAccessed ResourceCheckedIn ResourceCheckedOut ResourceCreated ResourceDeleted ResourceForceCheckedIn ResourceModified ResourcePlanCheckedInOrOut ResourcePlanModified ResourcePlanPublished ResourceRedacted ResourceWarningEnabledModified SSOGroupCredentialsSet SSOUserCredentialsSet SearchCenterUrlSet SecondaryMySiteOwnerSet SecurityCategoryModified SecurityGroupModified SendToConnectionAdded SendToConnectionRemoved SharedLinkCreated SharedLinkDisabled SharingInvitationAccepted SharingRevoked SharingSet SiteAdminChangeRequest SiteCollectionAdminAdded SiteCollectionCreated SiteRenamed StatusReportModified SyncGetChanges TaskStatusAccessed TaskStatusApproved TaskStatusRejected TaskStatusSaved TaskStatusSubmitted TimesheetAccessed TimesheetApproved TimesheetRejected TimesheetSaved TimesheetSubmitted UnmanagedSyncClientBlocked UpdateSSOApplication UserAddedToGroup UserRemovedFromGroup WorkflowModified | FileDeleted |
OrganizationId | Organization tenant ID | 86e5dcbf-56e9-4452-8c43-1e99f0e9aabd |
UserType | Type of the user who performed the operation | Regular |
UserId | The UPN of the user who performed the operation | user1@stealthbitstechnologie.onmicrosoft.com |
UserName | Name of the user who performed the operation | User1 |
UserLogin | An alternative ID of the user. "DlpAgent" for DLP events | i:0h.f/membership/10033fff8a7ae322@live.com |
ClientIP | IP address of the user or a trusted application | 75.155.180.82 |
Protocol | Protocol: HTTPS | HTTPS |
Workload | Office 365 service where the activity occurred | SharePoint |
ResultStatus | Succeeded, PartiallySucceeded, Failed, True, False | PartiallySucceeded |
AbsoluteUrl | Full path of the file/folder accessed by the user | https://stealthbitstechnologie-my.sharepoint.com/personal/sgiles_stealthbitstechnologie_onmicrosoft_com/personal/myfiles/21ded |
Scope | Whether the event was created by a hosted O365 service or an on-premises server: online or onprem | |
SiteId | Guid of the site | aef1ad6b-11c5-4b25-a669-b5f8379f8c55 |
ItemType | Object type: File, Folder, Web, Site, Tenant, DocumentLibrary, Page (differs from the on-premises SharePoint ItemType values) | File |
ItemTitle | Title of the object | |
EventSource | SharePoint or ObjectModel | SharePoint |
UserAgent | User client or browser | |
MachineDomainInfo | Information about device sync operations | |
MachineId | Information about device sync operations | |
UpdateType | Added, Removed, or Updated | Added |
Version | The new version of the document/version of deleted document | 1 |
File/Folder Operations
The following table lists the file/folder operation attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
SiteUrl | URL of the site | https://example-url.sharepoint.com/ |
DocLocation | Relative URL of the file or document accessed by the user | Shared Documents/100 Sensitive Docs/Document.docx |
SourceRelativeUrl | The URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, SourceRelativeURL, and SourceFileName parameters is the same as the value for the AbsoluteUrl property | Shared Documents/100 Sensitive Docs |
SourceFileName | File or folder name | My Document.docx |
SourceFileExtension | File extension | docx |
NewDocLocation | A relative URL to which the object is copied or moved | Shared Documents/100 Sensitive Docs/Copy.docx |
DestinationRelativeUrl | Only for EventType: FileCopied, FileMoved The URL of the destination folder where a file is copied or moved. | Shared Documents/100 Sensitive Docs |
DestinationFileName | Only for EventType: FileCopied, FileMoved The name of the file that is copied or moved. | Copy.docx |
DestinationFileExtension | Only for EventType: FileCopied, FileMoved | docx |
Sharing
The following table lists the sharing attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description |
---|---|
SharingType | The type of sharing permissions that were assigned to the user that the resource was shared with |
TargetUserOrGroupName | UPN or name of the target user or group that a resource was shared with |
TargetUserOrGroupType | Member, Guest, Group, or Partner |
EventData | |
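The triage below is an added example for the SharePoint Online JSON records described in the base schema and sharing tables above; it is not part of the product documentation. It reads the base-schema attributes (TimeLogged, UserId, EventType, ResultStatus, AbsoluteUrl, Source) together with the sharing attributes (TargetUserOrGroupName, TargetUserOrGroupType, SharingType), and the event names are taken from the EventType list above. The records, tenant name, users and URLs are constructed for illustration. It flags grants to Guest or Partner targets and bursts of downloads by one user, and it skips records whose ResultStatus is Failed so that denied attempts do not inflate the counts.

```python
"""Triage SharePoint Online Activity Monitor JSON records: external sharing and bulk downloads.

Added example, not part of the product documentation. It uses the base-schema
attributes (TimeLogged, UserId, EventType, ResultStatus, AbsoluteUrl, Source) and
the sharing attributes (TargetUserOrGroupName, TargetUserOrGroupType, SharingType)
from the tables above. The records, tenant name, users and URLs are constructed
for illustration; the event names are taken from the EventType list above.
"""
from datetime import datetime, timezone

# EventType values (from the list above) that grant or exercise access for a target.
SHARING_EVENTS = {"SharingSet", "SharedLinkCreated", "SharingInvitationAccepted", "AccessInvitationCreated"}
EXTERNAL_TARGETS = {"Guest", "Partner"}
DOWNLOAD_EVENTS = {"FileDownloaded", "FileSyncDownloadedFull", "FileSyncDownloadedPartial"}


def parse_time(value):
    """TimeLogged is UTC, e.g. 2019-03-14T18:13:39.000Z; fractional seconds optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised TimeLogged: {value!r}")


def succeeded(record):
    """ResultStatus may be Succeeded/PartiallySucceeded/Failed or True/False."""
    return str(record.get("ResultStatus", "")) in {"Succeeded", "PartiallySucceeded", "True"}


def external_sharing(records):
    """(UserId, AbsoluteUrl, TargetUserOrGroupName, SharingType) for grants to guests/partners."""
    hits = []
    for r in records:
        if (r.get("EventType") in SHARING_EVENTS and succeeded(r)
                and r.get("TargetUserOrGroupType") in EXTERNAL_TARGETS):
            hits.append((r["UserId"], r["AbsoluteUrl"], r.get("TargetUserOrGroupName"), r.get("SharingType")))
    return hits


def bulk_downloads(records, threshold=5, window_minutes=10):
    """UserId -> max number of successful downloads inside any window of window_minutes."""
    times = {}
    for r in records:
        if r.get("EventType") in DOWNLOAD_EVENTS and succeeded(r):
            times.setdefault(r["UserId"], []).append(parse_time(r["TimeLogged"]))
    hits = {}
    for user, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            n = sum(1 for t in ts[i:] if (t - start).total_seconds() <= window_minutes * 60)
            if n >= threshold:
                hits[user] = max(hits.get(user, 0), n)
    return hits


def _rec(**fields):
    """Constructed record carrying the base-schema fields every event has."""
    base = {"ActivityType": "SharePointOnline", "AgentHost": "sphost", "Workload": "SharePoint",
            "Protocol": "HTTPS", "ResultStatus": "Succeeded", "Source": "SharePointFileOperation",
            "SiteId": "aef1ad6b-11c5-4b25-a669-b5f8379f8c55", "ItemType": "File"}
    base.update(fields)
    return base


# Constructed sample; the tenant, users and document names are illustrative.
SITE = "https://contoso.sharepoint.com/sites/finance/Shared Documents/"
SAMPLE = [
    _rec(TimeLogged="2024-05-01T09:00:00.000Z", UserId="alice@contoso.onmicrosoft.com",
         Source="SharePointSharingOperation", EventType="SharingSet", SharingType="Edit",
         AbsoluteUrl=SITE + "Q3-forecast.xlsx",
         TargetUserOrGroupName="bob_gmail.com#EXT#@contoso.onmicrosoft.com", TargetUserOrGroupType="Guest"),
    _rec(TimeLogged="2024-05-01T09:01:00.000Z", UserId="alice@contoso.onmicrosoft.com",
         Source="SharePointSharingOperation", EventType="SharingSet", SharingType="View",
         AbsoluteUrl=SITE + "Q3-forecast.xlsx",
         TargetUserOrGroupName="dave@contoso.onmicrosoft.com", TargetUserOrGroupType="Member"),
    _rec(TimeLogged="2024-05-01T09:02:00Z", UserId="carol@contoso.onmicrosoft.com",
         EventType="FileDownloaded", AbsoluteUrl=SITE + "denied.docx", ResultStatus="Failed"),
] + [
    _rec(TimeLogged=f"2024-05-01T09:0{m}:30.000Z", UserId="carol@contoso.onmicrosoft.com",
         EventType="FileDownloaded", AbsoluteUrl=SITE + f"file{m}.docx")
    for m in range(5)
]

if __name__ == "__main__":
    for hit in external_sharing(SAMPLE):
        print("external share:", *hit)
    print("bulk downloads:", bulk_downloads(SAMPLE))
```

Tune `SHARING_EVENTS` and the download threshold to your tenant; a site used for partner collaboration will legitimately produce Guest grants, so the useful signal is usually a first-time grant on a site that never had one.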
Other SharePoint Events
The following table lists the attributes for other SharePoint events generated by SharePoint Online Activity Monitor.
Attribute Name | Description |
---|---|
CustomEvent | |
EventData | Optional payload |
ModifiedProperties | The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified, old, and new value |
DLP Events
The following table lists the DLP event attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
SharePointMetaData | Metadata about the document that contained the sensitive information | https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#sharepointmetadata-complex-type |
ExceptionInfo | Reasons why a policy no longer applies and any information about false positive or override | |
PolicyDetails | Policy(s) that triggered the event | https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#policydetails-complex-type |
SensitiveInfoDetectionIsIncluded | Indicates whether the event contains the value of the sensitive data type | |
SharePoint TSV Log File
The TSV log file format is used to send SharePoint activity monitoring data to Access Analyzer v10.0 and earlier consoles. The following information lists all of the columns generated by SharePoint Activity Monitor into a TSV log file:
Column Name | Description |
---|---|
Operation Time | Date timestamp of the event in UTC time |
Host | Host name of the monitored device as entered by the user |
UserSid/Uid | Unique identifier (SID) of the SharePoint user who caused the event |
User Name | SharePoint user name |
UserID | ID of the SharePoint user |
UserLogin | Identity claims using encoding format for user login |
Path | Truncated path where the event took place, e.g. sites/TestSite/Shared Documents/Testing.txt |
Protocol | Protocol of the event |
FullPath | Full path where the event took place, e.g. http://sharepoint.local/sites/TestSite/Shared Documents/Testing.txt |
WebApplication | Title of the SharePoint web application |
SiteId | ID of the site collection |
SiteUrl | URL of the site collection |
WebTitle | Title of the site collection |
DocLocation | Location of the document |
ItemID | ID of the item |
ItemTitle | Title of the item |
Item Type | Type of item |
EventType | Type of SharePoint event |
EventSource | Source where the event came from |
LocationType | Location type of the SharePoint document location |
AppPrincipalId | Application principal ID |
SourceName | Name of the source |
EventData | Raw event data |
Param | Parameters for the event |
SQL Server JSON Log File
The following information lists all of the columns generated by SQL Server Activity Monitor into a JSON log file, along with descriptions.
Field | Type | Description | Example |
---|---|---|---|
TimeLogged | DateTime | UTC datetime of the event, format: yyyy-MM-ddTHH:mm:ss.fffZ | 2021-02-18T15:39:29.424Z |
ActivityType | Fixed string | SqlServer | |
AgentHost | String | Host of Stealthbits Activity Monitor Agent Service | W7-VS17 |
UserName | String | Name of the user who performed the operation | admin |
Success | bool | The result of the operation. For Login operations, False means the login has failed. For other operations, the result is always True. | True |
TypeMask | uint | Integer representation of performed operation: combination (mask) of codes of SqlServerEvent enumeration. - Select = 0x01, - Insert = 0x02, - Update = 0x04, - Delete = 0x08, - Merge = 0x10, - Execute = 0x20, - LoginSuccessful = 0x40, - LoginFailed = 0x80, - Logout = 0x0100, - Grant = 0x0200, - Revoke = 0x0400, - Deny = 0x0800, - Error = 0x1000, - Create = 0x2000, - Alter = 0x4000, - Drop = 0x8000 | 33 (Combination of Select and Execute) |
TypeMaskDesc | String | Text representation of the TypeMask field: the operation names, joined with " \| " when several bits are set | Select \| Execute |
ClientAppName | String | Name of the application that caused the operation | Microsoft SQL Server Management Studio - Transact-SQL IntelliSense |
ClientHostName | String | Name of client host | W10 |
ClientIp | String | IP address of the client (can be empty) | 127.0.0.1 |
DatabaseName | String | Name of affected Database | AdventureWorks |
SqlText | String | Query text | select * from [SalesLT].[Customer] |
ErrorNumber | Integer | MSSQL Error Code | 208 |
Message | String | Message text of the error | Invalid object name 'SalesLT.Customer1'. |
Category | String | Category of the error | 2 |
SqlObjects | Array | Affected objects, one entry per object with t (object type code), db (database), s (schema), o (object name) and op (operations applied to it, in TypeMaskDesc form); see the SqlEvent example below | [{ "t": "U", "db": "AdventureWorksLT2019", "s": "saleslt", "o": "Product", "op": "Grant" }] |
JSON Examples
Error
{
"TimeLogged": "2021-06-11T12:57:18.600Z",
"ActivityType": "SqlServer",
"AgentHost": "W7-VS17",
"UserName": "testuser1",
"Success": true,
"TypeMask": 4096,
"TypeMaskDesc": "Error",
"ClientAppName": "Microsoft SQL Server Management Studio - Query",
"ClientHostName": "W10",
"ClientIp": "127.0.0.1",
"DatabaseName": "StealthRECOVER_22-04",
"SqlText": "select * from [SalesLT].[Customer1]",
"ErrorNumber": 208,
"Message": "Invalid object name 'SalesLT.Customer1'.",
"Category": "2"
}
Login (Success)
{
"TimeLogged": "2021-06-11T12:50:40.038Z",
"ActivityType": "SqlServer",
"AgentHost": "W7-VS17",
"UserName": "testuser1",
"Success": true,
"TypeMask": 64,
"TypeMaskDesc": "Login",
"ClientAppName": "Microsoft SQL Server Management Studio - Query",
"ClientHostName": "W10",
"ClientIp": "127.0.0.1",
"DatabaseName": "master"
}
Login (Failed)
{
"TimeLogged": "2021-06-11T12:28:24.165Z",
"ActivityType": "SqlServer",
"AgentHost": "W7-VS17",
"UserName": "",
"Success": false,
"TypeMask": 64,
"TypeMaskDesc": "Login",
"ClientAppName": "Microsoft SQL Server Management Studio",
"ClientHostName": "W10",
"ClientIp": "",
"DatabaseName": "master",
"ErrorNumber": 18456,
"Message": "Login failed for user 'testuser'. Reason: Could not find a login matching the name provided. [CLIENT: local machine]"
}
Logout
{
"TimeLogged": "2021-06-11T13:14:28.386Z",
"ActivityType": "SqlServer",
"AgentHost": "W7-VS17",
"UserName": "testuser1",
"Success": true,
"TypeMask": 256,
"TypeMaskDesc": "Logout",
"ClientAppName": "Microsoft SQL Server Management Studio - Query",
"ClientHostName": "W10",
"ClientIp": "127.0.0.1",
"DatabaseName": "StealthRECOVER_22-04"
}
SqlEvent
{
"TimeLogged": "2021-06-11T13:22:48.682Z",
"ActivityType": "SqlServer",
"AgentHost": "W7-VS17",
"UserName": "sa",
"Success": true,
"TypeMask": 5,
"TypeMaskDesc": "Select | Update",
"ClientAppName": "Microsoft SQL Server Management Studio - Query",
"ClientHostName": "W10",
"ClientIp": "127.0.0.1",
"DatabaseName": "AdventureWorksLT2019",
"SqlText": "select top 100 * \r\nfrom [SalesLT].[SalesOrderDetail] d\r\nleft join [SalesLT].[Product] p on p.ProductID=d.ProductID;\r\nUpdate [SalesLT].[Product] set ProductNumber='zzz' where ProductNumber='xxx';\r\n",
"SqlObjects": [
{
"t": "U",
"db": "AdventureWorksLT2019",
"s": "saleslt",
"o": "SalesOrderDetail",
"op": "Select"
},
{
"t": "U",
"db": "AdventureWorksLT2019",
"s": "saleslt",
"o": "Product",
"op": "Select | Update"
}
]
}
Permission
{
"TimeLogged": "2021-06-11T13:27:48.009Z",
"ActivityType": "SqlServer",
"AgentHost": "W7-VS17",
"UserName": "sa",
"Success": true,
"TypeMask": 512,
"TypeMaskDesc": "Grant",
"ClientAppName": "Microsoft SQL Server Management Studio - Query",
"ClientHostName": "W10",
"ClientIp": "127.0.0.1",
"DatabaseName": "AdventureWorksLT2019",
"SqlText": "\r\n\r\nGRANT ALL ON [SalesLT].[Product] TO [sqluser3]; ",
"SqlObjects": [{ "t": "U", "db": "AdventureWorksLT2019", "s": "saleslt", "o": "Product", "op": "Grant" }]
}
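The following is an added example for the SQL Server JSON format, covering both the TypeMask bit definitions in the table above and the JSON examples; it is not part of the product documentation. The bit values are the ones listed for TypeMask. The sample records are constructed to mirror the shape of the examples above (the watchlisted table names and users are illustrative). Because the page's login examples carry TypeMaskDesc "Login" with TypeMask 64 and signal failure through the Success field, the triage checks Success alongside the LoginFailed bit rather than relying on the bit alone.

```python
"""Decode SQL Server Activity Monitor TypeMask values and triage JSON records.

Added example, not part of the product documentation. The bit values come from
the TypeMask row of the table above; the sample records are constructed to
mirror the JSON examples on this page. The watchlist is illustrative.
"""
import json

# Bit assignments from the TypeMask description above, in bit order.
SQL_EVENT = {
    "Select": 0x01, "Insert": 0x02, "Update": 0x04, "Delete": 0x08,
    "Merge": 0x10, "Execute": 0x20, "LoginSuccessful": 0x40, "LoginFailed": 0x80,
    "Logout": 0x0100, "Grant": 0x0200, "Revoke": 0x0400, "Deny": 0x0800,
    "Error": 0x1000, "Create": 0x2000, "Alter": 0x4000, "Drop": 0x8000,
}
PERMISSION_BITS = SQL_EVENT["Grant"] | SQL_EVENT["Revoke"] | SQL_EVENT["Deny"]
DDL_BITS = SQL_EVENT["Create"] | SQL_EVENT["Alter"] | SQL_EVENT["Drop"]
WRITE_BITS = SQL_EVENT["Insert"] | SQL_EVENT["Update"] | SQL_EVENT["Delete"] | SQL_EVENT["Merge"]

# (schema, object) pairs whose modification or re-permissioning is always reviewed; illustrative.
WATCHLIST = {("saleslt", "customer"), ("saleslt", "product")}


def decode_typemask(mask):
    """Names of all operations set in the mask, lowest bit first."""
    unknown = mask & ~sum(SQL_EVENT.values())
    if unknown:
        raise ValueError(f"TypeMask has undocumented bits: {unknown:#x}")
    return [name for name, bit in SQL_EVENT.items() if mask & bit]


def typemask_desc(mask):
    """Rebuild the TypeMaskDesc string ('Select | Execute') from TypeMask."""
    return " | ".join(decode_typemask(mask))


def triage(record):
    """Return review reasons for one decoded JSON record (empty list if routine)."""
    mask = int(record["TypeMask"])
    reasons = []
    # The page's login examples use the LoginSuccessful bit with Success=false for failures.
    if mask & SQL_EVENT["LoginFailed"] or (mask & SQL_EVENT["LoginSuccessful"] and not record.get("Success", True)):
        reasons.append(f"failed login for {record.get('UserName') or '<unknown>'} from {record.get('ClientHostName')}")
    if mask & PERMISSION_BITS:
        reasons.append("permission change: " + typemask_desc(mask & PERMISSION_BITS))
    if mask & DDL_BITS:
        reasons.append("schema change: " + typemask_desc(mask & DDL_BITS))
    for obj in record.get("SqlObjects", []):
        key = (obj.get("s", "").lower(), obj.get("o", "").lower())
        # Per-object 'op' is in TypeMaskDesc form; turn it back into bits for the check.
        op_mask = sum(SQL_EVENT[n.strip()] for n in obj.get("op", "").split("|") if n.strip() in SQL_EVENT)
        if key in WATCHLIST and op_mask & (WRITE_BITS | PERMISSION_BITS | DDL_BITS):
            reasons.append(f"watchlisted object {obj['db']}.{obj['s']}.{obj['o']}: {obj['op']}")
    return reasons


def triage_log(text):
    """Parse newline-delimited JSON records; return [(TimeLogged, reasons)] for flagged ones."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = triage(rec)
        if reasons:
            flagged.append((rec["TimeLogged"], reasons))
    return flagged


# Constructed NDJSON sample in the shape of the examples above.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"TimeLogged": "2021-06-11T12:28:24.165Z", "ActivityType": "SqlServer", "AgentHost": "W7-VS17",
     "UserName": "", "Success": False, "TypeMask": 64, "TypeMaskDesc": "Login",
     "ClientAppName": "Microsoft SQL Server Management Studio", "ClientHostName": "W10", "ClientIp": "",
     "DatabaseName": "master", "ErrorNumber": 18456,
     "Message": "Login failed for user 'testuser'. Reason: Could not find a login matching the name provided."},
    {"TimeLogged": "2021-06-11T13:22:48.682Z", "ActivityType": "SqlServer", "AgentHost": "W7-VS17",
     "UserName": "sa", "Success": True, "TypeMask": 33, "TypeMaskDesc": "Select | Execute",
     "ClientAppName": "Microsoft SQL Server Management Studio - Query", "ClientHostName": "W10",
     "ClientIp": "127.0.0.1", "DatabaseName": "AdventureWorksLT2019",
     "SqlText": "select * from [SalesLT].[Customer]",
     "SqlObjects": [{"t": "U", "db": "AdventureWorksLT2019", "s": "saleslt", "o": "Customer", "op": "Select"}]},
    {"TimeLogged": "2021-06-11T13:27:48.009Z", "ActivityType": "SqlServer", "AgentHost": "W7-VS17",
     "UserName": "sa", "Success": True, "TypeMask": 512, "TypeMaskDesc": "Grant",
     "ClientAppName": "Microsoft SQL Server Management Studio - Query", "ClientHostName": "W10",
     "ClientIp": "127.0.0.1", "DatabaseName": "AdventureWorksLT2019",
     "SqlText": "GRANT ALL ON [SalesLT].[Product] TO [sqluser3];",
     "SqlObjects": [{"t": "U", "db": "AdventureWorksLT2019", "s": "saleslt", "o": "Product", "op": "Grant"}]},
])

if __name__ == "__main__":
    for when, reasons in triage_log(SAMPLE_LOG):
        print(when, "; ".join(reasons))
```

Decoding the integer mask rather than string-matching TypeMaskDesc keeps the rule stable across batched statements (the page's SqlEvent example carries 5, Select and Update, in one record), and `decode_typemask` rejects bits outside the documented enumeration so a new operation code surfaces as an error instead of passing silently.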