SIEM Logs

SIEM Logging – Event Logs

Introduction

Security Information and Event Management (SIEM) system logs allow you to record and transport event data.

How to Access SIEM Logs

Users have the option to download logs from the UI. Access logs using the steps below.

  • Click on "Profiles" to access the "Session Information."

  • Click on the "Session Information" tab to access the "Activity" button.

  • Click on the "Activity Log" to access user activity.

  • On "Activity Logs", click on the "Download" dropdown to access the available options.

  • Click any of the options available to download the logs.


APIs

The following APIs are available for SIEM logs.

View or Download Event Logs as a Single File:

Use the API below to view or download event logs as a single file. If a large amount of data falls within the requested date range, narrow the range. Use the from and to parameters to shape the response, then advance the dates to fetch the next set of records.

GET: {{url}}/ARVault/eventlogs?from=2023-10-09&to=2023-10-10

  • The from and to parameters are optional.

  • If the to parameter is not provided, it downloads the logs up to the current date. If the from parameter is not provided, it will download the logs from today up to the current time.

  • If the from value is greater than the to value, the API will consider the from value as the to value and vice versa.

  • If you request a file with the same from and to parameters, it will download the log file for that day.

  • The API will prepare a single user file for the given date range without loading the files into Java memory.

  • It will save the consolidated file in the file system.

  • If the user is an admin, it will consolidate all user logs for that organization within the date range.


To download the zip:

Two APIs are involved: one to prepare the zip file and the other to download the zip file. Details are given below:

  1. GET: {{url}}/ARVault/eventlogs/prepare-zip?from=2023-10-09&to=2023-10-10

Output: A temporary token for the file, which is valid for a minute.

  • The API works in the same manner as described above, with the same from and to parameter validation and process.

  • It will prepare a consolidated zip file for the user.

  • File names are the user's email for that day, with special characters in the email replaced by '_'.

  • It returns a temporary token cached for the file for a minute.

  2. GET: {{url}}/ARVault/eventlogs/download/code/{token}

  • The token is mandatory and should be sent as input to the API.

  • If the token is invalid/expired, the API will respond with a forbidden message.

  • If the token is valid, it will download the zip file, and the token cannot be used again.


To download the consolidated file:

Two APIs are involved: one to prepare the consolidated file and the other to download the consolidated file. Details are given below:

  1. GET: {{url}}/ARVault/eventlogs/prepare-log?from=2023-10-09&to=2023-10-10

Output: A temporary token for the file, which is valid for a minute.

  • The API works in the same manner as described above, with the same validation and process.

  • It will prepare a consolidated file for the user. All validations are the same as the above API.

  • It returns a temporary token cached for the file for a minute.

  2. GET: {{url}}/ARVault/eventlogs/download/code/{token}

  • The token is mandatory and should be sent as input to the API.

  • If the token is invalid/expired, the API will respond with a forbidden message.

  • If the token is valid, it will download the consolidated log file.
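The prepare/download exchange described above, written as an added example client (not the product's own code). The base URL, the fetch callable, the assumption that the prepare endpoints return the token as the response body, and the FakeVault server stand-in are all assumptions made here; what it shows is the one-minute, single-use token and the forbidden answer on reuse.

```python
from urllib.parse import urlencode

# Placeholder for the page's {{url}}; the page does not describe authentication,
# so the injected fetch callable is assumed to add credentials itself.
BASE_URL = "https://vault.example.invalid"

class TokenRejected(Exception):
    """download/code/{token} answered forbidden: token invalid, expired or already used."""
def eventlogs_url(base, path="", day_from=None, day_to=None):
    """Build {{url}}/ARVault/eventlogs<path>?from=..&to=..; both dates are optional."""
    params = [(k, v) for k, v in (("from", day_from), ("to", day_to)) if v]
    return f"{base}/ARVault/eventlogs{path}" + (f"?{urlencode(params)}" if params else "")
class EventLogClient:
    def __init__(self, base, fetch):
        self.base, self.fetch = base, fetch  # fetch(url) -> (http_status, body)

    def prepare(self, kind, day_from, day_to):
        """GET prepare-zip or prepare-log; the body is assumed to be the one-minute token."""
        status, body = self.fetch(eventlogs_url(self.base, f"/prepare-{kind}", day_from, day_to))
        if status != 200:
            raise RuntimeError(f"prepare-{kind} failed with HTTP {status}")
        return body.strip()

    def download(self, token):
        status, body = self.fetch(f"{self.base}/ARVault/eventlogs/download/code/{token}")
        if status == 403:
            raise TokenRejected(token)
        return body

    def fetch_logs(self, kind, day_from, day_to):
        """Two-step exchange; if the token died before use, prepare again exactly once."""
        try:
            return self.download(self.prepare(kind, day_from, day_to))
        except TokenRejected:
            return self.download(self.prepare(kind, day_from, day_to))
class FakeVault:
    """Constructed offline stand-in for the server: tokens are single-use, 60 s lifetime."""
    def __init__(self):
        self.now, self.tokens, self.issued = 0, {}, 0  # self.now: fake clock in seconds
    def fetch(self, url):
        path = url.split("/ARVault/eventlogs", 1)[1]
        if path.startswith("/prepare-"):
            self.issued += 1
            self.tokens[f"tok{self.issued}"] = self.now + 60
            return 200, f"tok{self.issued}"
        expires = self.tokens.pop(path.rsplit("/", 1)[1], None)  # pop: a token is single-use
        if expires is None or self.now > expires:
            return 403, "Forbidden"
        return 200, "<zip bytes for the requested range>"
```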

SIEM Log Structure

The following is the structure of the log.

Date (ISO Format) SIEM:Version|Device Vendor|Device Product|Device Version|Thread Id|Name|Severity|Extension

Example: 2024-06-17T06:37:44.145Z CEF:0|AutoRabit|Vault|23.2|http-nio-8081-exec-1|ArchivalReport|Low|sessionId=<sessionid> username=example@example.com customerId=<customer id> action=<user loggedin> ip=0:0:0:0:0:0:0:1 userAgent=Chrome

The following table describes the fields of the SIEM log structure.

SL.No | Field                  | Data Type | Length | Description
1     | Date (ISO Format) SIEM | Date Time | 24     | This field describes the date on which the log is created.
2     | CEF Version            | Number    | 2      | This defines the version of the SIEM log.
3     | Device Vendor          | Text      | 9      | This field denotes the vendor providing the device.
4     | Device Product         | Text      | 5      | This denotes the product that produced the SIEM log.
5     | Device Version         | Number    | 10     | This denotes the product version.
6     | Thread Id              | Text      | 32     | This is the ID from the server for a request.
7     | Name                   | Text      | 256    | This denotes the module of the product being accessed.
8     | Severity               | Text      | 10     | This denotes the severity of the event logged.
9     | Extension              | Text      | 5120   | This provides additional information on the event logged.

Custom Keys

The following custom keys (extension fields) are tracked in the event logs.

Key Name   | Key Type | Module | Data Type | Length | Description
SessionId  | Custom   | All    | Text      | 32     | Identifies the user login
User Name  | Custom   | All    | Text      | 255    | Identifies the logged-in user
Action     | Custom   | All    | Text      | 2048   | Identifies the API call
IP         | Custom   | All    | IP        | 39     | Identifies the device address
User Agent | Custom   | All    | Text      | 32     | Identifies the browser used by the customer
CustomerId | Custom   | All    | Text      | 255    | Identifies the customer
Message    | Custom   | All    | Text      | 2048   | Audit log message
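A parser for the log structure and the custom keys described in the two tables above, added here as an example and not taken from the product. The header field order, the extension key names and the length limits come from the page; the sample line, the function names and the IP validity check are this example's own assumptions.

```python
import re
from ipaddress import ip_address

# Header field order from the "SIEM Log Structure" section (the ISO timestamp precedes them).
HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "thread_id", "name", "severity")
# Maximum lengths from the "Custom Keys" table, keyed by the names used in the extension.
EXTENSION_MAX_LEN = {"sessionId": 32, "username": 255, "action": 2048, "ip": 39,
                     "userAgent": 32, "customerId": 255, "message": 2048}

# Constructed sample line with the same shape as the page's example.
SAMPLE = ("2024-06-17T06:37:44.145Z CEF:0|AutoRabit|Vault|23.2|http-nio-8081-exec-1|"
          "ArchivalReport|Low|sessionId=abc123 username=example@example.com "
          "customerId=42 action=user loggedin ip=0:0:0:0:0:0:0:1 userAgent=Chrome")

def parse_extension(ext):
    """Split 'k=v k2=v' pairs; a value runs until the next ' key=' token, so spaces survive."""
    pairs = (tok.split("=", 1) for tok in re.split(r" (?=[A-Za-z]\w*=)", ext) if "=" in tok)
    return {k: v for k, v in pairs}

def parse_siem_line(line):
    """Return a dict for one Vault SIEM line: timestamp, CEF header fields, extension."""
    timestamp, _, rest = line.partition(" ")
    parts = rest.split("|", 7)                   # at most 8 parts: extension may contain '|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: " + line[:40])
    record = {"timestamp": timestamp, "cef_version": int(parts[0][4:])}
    record.update(zip(HEADER_FIELDS, parts[1:7]))
    record["extension"] = parse_extension(parts[7])
    return record

def check_extension(record):
    """Report keys the table does not list, values over their maximum length, and bad IPs."""
    problems = []
    for key, value in record["extension"].items():
        limit = EXTENSION_MAX_LEN.get(key)
        if limit is None:
            problems.append(f"unknown key {key}")
        elif len(value) > limit:
            problems.append(f"{key} is {len(value)} chars, limit {limit}")
    ip = record["extension"].get("ip")
    if ip is not None:
        try:
            ip_address(ip)
        except ValueError:
            problems.append(f"ip is not a valid address: {ip}")
    return problems
```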

Vault Event Type

SI No | Event Type               | Module                    | Description
1     | AnamolyDetails           | Setup > Alerts            | Event type to track the activity of the configured triggers in Vault
2     | Archival                 | Archive                   | Event type to track the activity on the Archival module
3     | ArchivalReport           | Archive Reports           | Event type to track the user activity on the Archive Reports module
4     | ArchivalReportDownload   | Archive Reports           | Event type to track the user downloads on the reports module
5     | ArchivalReportItem       | Archive Reports           | Event type to track the user activity on the Archival Report Items
6     | ArchivalReportItemQuery  | Archive Reports           | Event type to track the user activity on the Archival Report Item Queries
7     | ArchivalReportQuery      | Archive Reports           | Event type to track the user activity on the Archival Report Queries
8     | AwsEnviReg               | Settings                  | Event type for tracking the AWS storage registration
9     | BakupSchedulesManage     | Config                    | Event type for tracking all the user actions on the schedules
10    | BlackList                | GDPR                      | Event type to track the user activity on the GDPR module
11    | Customer                 | User Management           | Event type to track the activity every time the user details are fetched
12    | DataMasking              | Replicate                 | Event type to track the activity every time data masking is performed
13    | EventLog                 | CEF Logs                  | Event type to track the user activity when the CEF logs are downloaded by the user, either from the API or the UI
14    | FileDownload             | File Downloads            | Event type to track the UI file downloads
15    | MultiFactorAuth          | User Management           | Event type to track the login and access of the user(s)
16    | Proxy                    | Vault Settings            | Event type to track the activity on the proxy settings page
17    | Restore                  | Replicate Restore         | Event type to track the user activity on the Replicate & Restore modules
18    | Role                     | User Management           | Event type to track the user activity every time the user role details are fetched
19    | SalesforceFeatures       | Setup > Config            | Event type to track the nCino Features accessed by the Vault application
20    | SforgBakupCfg            | Setup > BackupConfig      | Event type to track the activities performed on the backup config
21    | SforgBakupStatus         | Backup Restore Replicate  | Event type to track the user activity on the Backup Restore Replicate module
22    | SfOrgConnectConfig       | Setup > Config            | Event type to track the Vault Connect configuration
23    | SfOrgConnectSync         | Setup > Config            | Event type to track the user activity on the Vault Connect "Sync With Salesforce"
24    | SforgEnviReg             | Settings                  | Event type to track the storage registration in Vault
25    | SforgUniqueFiledsConfig  | Unique Identifiers        | Event type to track the user activity on the Unique Identifiers tabs
26    | SFReader                 | All Modules               | Event type to track the activity every time the SFORG details are read
27    | StartBackup              | Backup & Archive          | Event type to track the activity every time "Backup & Archive" is triggered
28    | User                     | User Management           | Event type to track the activity on user management
29    | Zoho                     | Zoho Integration          | Event type to track the user activity when the user accesses "Zoho"

Messages

The following are the audit log messages, grouped by module.

  • Storage

    • "Storage configuration request has been submitted."

    • "Storage configuration update request has been submitted."

  • User Management

    • "User addition request has been submitted."

    • "User activation request has been submitted."

    • "Create password request has been submitted."

    • "Reset password request has been submitted."

    • "Change password request has been submitted."

    • "Delete user request has been submitted."

    • "Deactivate user request has been submitted."

    • "Create user request has been submitted."

    • "Update user request has been submitted."

    • "User profile update request has been submitted."

    • "User logged in with details: "

    • "User logged out with details: "

    • "Session terminated by: "

    • "User got blocked with details: "

    • "MFA verification code validated successfully for user."

    • "MFA is enabled for user."

    • "MFA is disabled for user."

    • "MFA is reset for user."

    • "MFA device is successfully registered by user."

  • Setup

    • "Backup schedule disable request has been submitted."

    • "Backup schedule enable request has been submitted."

  • Customer Management

    • "Customer activation request has been submitted."

    • "Customer deactivation request has been submitted."

    • "Customer deletion request has been submitted."

    • "Enable/disable org access control request has been submitted."

  • Salesforce Operations

    • "Salesforce org creation request has been submitted."

    • "Salesforce org update request has been submitted."

  • Vault Connect

    • "Sforg Odata Connector Config creation/update request has been submitted."

  • Backup

    • "Backup configuration creation request has been submitted."

    • "Backup configuration update request has been submitted."

    • "Backup configuration delete request has been submitted."

    • "Backup download operation has been initiated."

    • "Backup has been downloaded."

    • "Object has been downloaded from backup."

    • "Backup has been initiated."

    • "Stop backup process has been initiated."

  • Restore

    • "Restore operation has been initiated."

    • "Restore deletion request has been submitted."

  • Hierarchical

    • "Hierarchical backup process has been initiated."

    • "Hierarchical backup configuration creation request has been submitted."

    • "Hierarchical backup configuration update request has been submitted."

    • "Hierarchical backup configuration delete request has been submitted."

    • "Stop hierarchical process has been initiated."

    • "Hierarchical backup download operation has been initiated."

    • "Hierarchical backup download operation has been initiated."

  • Archive

    • "Archive process has been initiated."

    • "Archive backup configuration creation request has been submitted."

    • "Archive backup configuration update request has been submitted."

    • "Archive backup delete request has been submitted."

    • "Stop archive process has been initiated."

    • "Archive download operation has been initiated."

  • Replication

    • "Replicate operation has been initiated."

    • "Replicate configuration creation request has been submitted."

    • "Replicate configuration update request has been submitted."

    • "Replicate deletion request has been submitted."

  • Alert rules

    • "Create alert rule request has been submitted."

    • "Delete alert rule request has been submitted."

    • "Anomaly detection process has been initiated."

    • "Object has been downloaded for anomaly detection."

    • "All records have been downloaded for anomaly detection."

  • GDPR

    • "Create GDPR request has been submitted."

    • "Delete GDPR request has been submitted."

    • "Object has been downloaded from GDPR."

    • "Upload search file for GDPR request has been initiated."
