Some examples relate generally to computer architecture software for data classification and information security and, in some more particular aspects, to verifying audit events in a file system.

Methods, systems, and devices supporting data storage are described. A database server may store information in a group of files. As more information is stored at the database in the files, the sizes of the files may be increased. Techniques are described for uniformly growing files in the group of files to maintain a similar size for the files as the amount of storage increases. These techniques may prevent one file from becoming disproportionately larger than another file of the file group, supporting efficient read and write operations at the database. The file growth may be based on the file sizes as well as an amount of storage to be added for the group of files. For example, an application managing the file growth may sort the files by size, track uniform growth running totals, and determine file growth commands based on the uniform growth running totals.

A method, computer system, and a computer program product for operating at least one storage server. The present invention may include receiving an access request for at least one storage volume of at least one storage server. The present invention may include collecting data for the at least one storage volume, wherein the at least one storage volume has a corresponding unique volume identifier. The present invention may include storing at least the data for the at least one storage volume and the unique volume identifier in a database, the data being comprised of metadata and subset data, wherein the metadata is comprised of configuration and status information for the at least one storage volume, and wherein the subset data is a set of predefined selection criteria based on a respective computer server.

A method performed by a computing system, includes executing an application, using a data call to an Application Programming Interface, the data call requesting access to a file stored on a storage system associated with the computing system, with a context extraction module, determining contextual information associated with the data call, through use of a library, causing a kernel to access the file according to the data call, storing the contextual information on the storage system, and performing an analysis on the contextual information, the analysis including determining an average size of a call stack when the data was accessed.

A database structure and a system that uses the structure to facilitate efficient context enrichment of low-level events occurring in a distributed computing system. In one aspect, the database structure comprises a table accessible to a distributed storage system. The table comprises a plurality of rows. Each row represents a corresponding process creation event of a particular process at a particular host at a particular time and assigned a particular event identifier. Each row comprises a row key identifying the particular host, the particular process, the particular time, and the particular event identifier of the process creation event corresponding to the row. The particular time and the particular event identifier are stored as part of the row key in a bitwise one's complement format. The row key structure facilitates efficient identification of a process creation event where only hostname and the process identifier of the process creation event are known.

Techniques for fingerprinting and aggregating a virtual private cloud (VPC) flow log stream are provided. Each VPC flow log event in the VPC flow log is first determined to be a request event or a response event. A fingerprint is then generated for each VPC flow log event. The fingerprint for a VPC flow log event is generated based on the determination whether the VPC flow log event is a request event or a response event and by concatenating and encoding data contained in a set of data fields corresponding to the VPC flow log event. Based on the fingerprint generated for each VPC flow log event, related events can be detected and aggregated to form an aggregated event. Information stored with each aggregated event can then be used to better monitor the VPC.

The present disclosure relates to a control system for remotely controlling a change data capture (CDC) system. The CDC system comprises a source computing system and target computing system. The target computing system is configured to store a copy of data of the source computing system. The source computing system and the target computing system are configured to execute coordinated actions using predefined agents in order identify a change to data of the source computing system and to propagate, and store the change to the target computing system. The control system is configured for dynamically installing User-Defined Functions, UDF functions, in the source and target systems in order to control the agents to perform the predefined actions.

In some examples, a database management node updates object metadata with indicators of access frequencies of a plurality of objects in a data store that is remotely accessible by the database management node over a network. The database management node selects a subset of the plurality of objects based on the indicators, and caches the subset in the local storage.

Techniques are disclosed relating to providing and using probabilistic data structures to at least reduce requests between database nodes. In various embodiments, a first database node processes a database transaction that involves writing a set of database records to an in-memory cache of the first database node. As part of processing the database transaction, the first database node may insert, in a set of probabilistic data structures, a set of database keys that correspond to the set of database records. The first database node may send, to a second database node, the set of probabilistic data structures to enable the second database node to determine whether to request, from the first database node, a database record associated with a database key.

Disclosed herein are embodiments of systems, methods, and products comprises a server for monitoring and tracking user activities based on different events in a security log. The server may retrieve the security log and parse the security log to identify a set of predetermined events for a user based on the event IDs, including logon events, logoff events, and privileged events. Based on the time point when privileged events occur at least partially during the pattern of having more logon events than logoff events, the server may determine when the user starts to work. Based on the time point when the logoff events and logon event starts to show the pattern that there are more logoff events than logon events and the difference increasing into a threshold, the server may determine when the user stops working. The server may generate a heat map indicating different users' work time length.