The EMC events sent by the EMC server to the Change Auditor agent are delayed by an internal EMC queue. This can be confirmed as follows:
- Increase the Change Auditor agent logging level to Debug so that EMC events can be viewed in the Change Auditor agent log.
- Below is an example of an EMC event in the Change Auditor agent log:
ID: 4347
Time: 12/12/14 15:50:18.216
<Event event="0x1" path="\\emc.cifs\ifs\test\test.xls" flag="0x2" protocol="0" server="emc.cifs.domain.com" clientIP="192.168.1.2" serverIP="192.168.1.2" timeStamp="0x548B551900055B2E" userSid="S-1-5-21-2966119792-2635991036-4117835597-762845" desiredAccess="0x80" createDispo="0x1" ntStatus="0x0"/>
</EventList>
This is often caused by enabling auditing on the Isilon device for an extended period of time before the Change Auditor agent is actually up and running. The events/logs are kept in the audit folder on the device indefinitely, and when the EMC agent does come up to accept events, they are submitted by the device chronologically, oldest to newest.
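To quantify the delay from a Debug-level agent log, the following added example (not Quest or EMC code) pairs each `Time:` line with the `timeStamp` of the event that follows it and reports the difference. It assumes that `timeStamp` packs Unix seconds in the high 32 bits and microseconds in the low 32 bits, that `Time:` is MM/DD/YY in the agent's local time, and that the caller supplies the agent's UTC offset; the function names and the sample log are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the excerpt above; values are made up.
SAMPLE_LOG = r"""
ID: 5001
Time: 12/12/14 15:50:18.216
<Event event="0x1" path="\\emc.cifs\ifs\test\new.xls" timeStamp="0x548B550800034BC0" ntStatus="0x0"/>
ID: 5002
Time: 12/12/14 15:50:19.216
<Event event="0x1" path="\\emc.cifs\ifs\test\old.xls" timeStamp="0x5487608800034BC0" ntStatus="0x0"/>
"""

LOG_TIME = re.compile(r"^Time:\s*(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
STAMP = re.compile(r'timeStamp="0x([0-9A-Fa-f]{1,16})"')

def decode_timestamp(hex_value):
    """Assumed layout: high 32 bits = Unix seconds, low 32 bits = microseconds."""
    raw = int(hex_value, 16)
    return (datetime.fromtimestamp(raw >> 32, timezone.utc)
            + timedelta(microseconds=raw & 0xFFFFFFFF))

def event_lags(log_text, utc_offset_hours):
    """Return one timedelta per event: agent log time minus device timestamp."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    lags, logged = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = LOG_TIME.match(line)
        if m:
            # Assumed MM/DD/YY in the agent's local time zone.
            logged = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S.%f").replace(tzinfo=tz)
            continue
        s = STAMP.search(line)
        if s and logged is not None:
            lags.append(logged - decode_timestamp(s.group(1)))
            logged = None  # each Time: line pairs with the next event only
    return lags

def backlogged(lags, threshold=timedelta(minutes=5)):
    """Lags above the threshold point at queued (old) events, not clock skew."""
    return [lag for lag in lags if lag > threshold]

if __name__ == "__main__":
    for lag in event_lags(SAMPLE_LOG, utc_offset_hours=-5):
        print(lag, "BACKLOG" if backlogged([lag]) else "ok")
```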