# SIEM Logs ## SIEM Logging – Event Logs ### Introduction Security Information and Event Management (SIEM) system logs allow you to record and transport event data. ### How to Access SIEM Logs Users have the option to download logs from the UI. Access logs using the steps below. * Click on "Profiles" to access the "Session Information."

* Click on the “Session Information” tab to access the “Activity” button.

* Click on the “Activity Log” to access user activity. * On “Activity Logs”, click on the “Download” dropdown to access the available options.

* Click any of the options available to download the logs. *** ### APIs The following APIs are available for SIEM logs. **View or Download Event Logs as a Single File:** Use the API below to view or download event logs as a single file. Ensure you minimize the date range if a large amount of data is present within the given date range. You can use the date parameters to manipulate the response per the requirement and increment the data accordingly to fetch the next set of records. > `GET: {{url}}/ARVault/eventlogs?from=2023-10-09&to=2023-10-10`

* The `from` and `to` parameters are optional. * If the `to` parameter is not provided, it downloads the logs up to the current date. If the `from` parameter is not provided, it will download the logs from today up to the current time. * If the `from` value is greater than the `to` value, the API will consider the `from` value as the `to` value and vice versa. * If you request a file with the same `from` and `to` parameters, it will download the log file for that day. * The API will prepare a single user file for the given date range without loading the files into Java memory. * It will save the consolidated file in the file system. * If the user is an admin, it will consolidate all user logs for that organization within the date range. *** **To download the zip:** Two APIs are involved: one to prepare the zip file and the other to download the zip file. Details are given below: 1. `GET: {{url}}/ARVault/eventlogs/prepare-zip?from=2023-10-09&to=2023-10-10`

**Output:** A temporary token for the file, which is valid for a minute. * The API works in the same manner as described above, with the same from and to parameter validation and process. * It will prepare a consolidated zip file for the user. * File names are the user's email for that day, with special characters in the email replaced by '\_'. * It returns a temporary token cached for the file for a minute. 2. `GET: {{url}}/ARVault/eventlogs/download/code/{token}` * The token is mandatory and should be sent as input to the API. * If the token is invalid/expired, the API will respond with a forbidden message. * If the token is valid, it will download the zip file, and the token cannot be used again. *** **To download the consolidated file:** Two APIs are involved: one to prepare the consolidated file and the other to download the zip file. Details are given below: > 1. `GET: {{url}}/ARVault/eventlogs/prepare-log?from=2023-10-09&to=2023-10-10`

**Output:** A temporary token for the file, which is valid for a minute. * The API works in the same manner as described above, with the same validation and process. * It will prepare a consolidated file for the user. All validations are the same as the above API. * It returns a temporary token cached for the file for a minute. 2. GET: {{url}}/ARVault/eventlogs/download/code/{token} * The token is mandatory and should be sent as input to the API. * If the token is invalid/expired, the API will respond with a forbidden message. * If the token is valid, it will download the consolidated log file. ### SIEM Log Structure **The following is the structure of the log.** Date (ISO Format) SIEM:Version|Device Vendor|Device Product|Device Version|Thread Id|Name|Severity|Extension 1. **Extension**: The extension encapsulates the following details **session\_id**='\' username='\' user\_id='\' customer\_id=‘\’ action=‘\’ status=‘\’ src\_ip=‘\' server\_ip='\' user\_agent=‘\’ **Example:**\ 2025-06-24T05:06:19.333Z CEF:0|AutoRABIT|Vault|25.1.2-RELEASE|http-nio-8080-exec-10|LOGON|Low|session\_id='20fc6d469e47457d958f9f9e632335ed' username='' user\_id='82e43155-236f-488c-9ec7-d0ef2fe1964d' customer\_id='Coachtopia-1' action='Login by password' status='success' src\_ip='49.37.150.251' server\_ip='192.168.29.167' user\_agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36' The following table describes the fields of the SIEM log structure.

SL.No	Field	Data Type	Length	Description
1	Date (ISO Format) SIEM	Date Time	24	This field describes the date on which the log is created.
2	CEF Version	Number	2	This defines the version of the SIEM log.
3	Device Vendor	Text	9	This field denotes the vendor providing the device.
4	Device Product	Text	5	This denotes which product of the SIEM logs.
5	Device Version	Number	10	This denotes the product version.
6	Thread Id	Text	32	This is the ID from the server for a request.
7	Name	Text	256	This denotes the module of the product being accessed.
8	Severity	Text	10	This denotes the severity of the event logged.
9	Extension	Text	5120	This provides additional information on the event logged.

**Extension:** The following table provides a detailed explanation of the log extension section

Number	Text	Data Type	Length	Description
1	Session_id	String	36	Unique identifier for the user session (UUID format).
2	Username	String	50	Email or login identifier of the user.
3	User_id	String	36	Unique identifier for the user (UUID format).
4	Customer_id	String	50	Identifier for the customer or tenant using the system.
5	Action	String	100	Description of the user action performed.
6	Status	String	10	Outcome status of the action (e.g., success, failure).
7	Failure_Reason	String	100	Failure Reason will be printed in the event of a failure event
8	Src_ip	IP Address	15	IP address from which the request originated.
9	Server_ip	IP Address	15	IP address of the server that handled the request.
10	User_agent	String	255	User agent string describing the client environment (browser, OS, etc.).

### Custom Keys The custom keys or extensions will have the following tracked in the event logs.

Key Name	Key Type	Module	Data Type	Length	Description
SessionId	Custom	All	Text	32	Identifies the user login
User Name	Custom	All	Text	255	Identifies the Loggedin User
Action	Custom	All	Text	2048	Identifies the API call
IP	Custom	All	IP	39	Identifies the device address
User Agent	Custom	All	Text	32	Identifier the browser used by the customer
CustomerId	Custom	All	Text	255	Identifies the customer
Message	Custom	All	Text	2048	Audit Log message

### **Vault Event Type**

SI No	Event Type	Module	Description
1	AnamolyDetails	Setup > Alerts	Event type to track the configured triggers activity in Vault
2	Archival	Archive	Event type to track the activity on the Archival module
3	ArchivalReport	Archive Reports	Event type to track the user activity on the Archive Reports module
4	ArchivalReportDownload	Archive Reports	Event type to track the user download on the reports module
5	ArchivalReportItem	Archive Reports	Event type to track the user activity on the Archival Report Items
6	ArchivalReportItemQuery	Archive Reports	Event type to track the user activity on the Archival Report Item Queries
7	ArchivalReportQuery	Archive Reports	Event type to track the user activity on the Archival Report Queries
8	AwsEnviReg	Settings	Event type for tracking the AWS storage registration
9	BakupSchedulesManage	Config	Event type for tracking all the user actions on the schedules
10	BlackList	GDPR	Event type to track the user activity on GDPR module
11	Customer	User Management	Event type to track the activity every time the user details are fetched
12	DataMasking	Replicate	Event type to track activity every time the data masking is performed
13	EventLog	CEF Logs	Event type to track the user activity when the CEF logs are downloaded by the user either from API or UI
14	FileDownload	File Downloads	Event type to track the UI file downloads
15	MultiFactorAuth	User Management	Event type to track the login and access of the user(s)
16	Proxy	Vault Settings	Event type to track the activity on the proxy settings page
17	Restore	Replicate Restore	Event type to track the user activity on the Replicate & Restore modules
18	Role	User Management	Event type to track the user activity every time the user role details are fetched
19	SalesforceFeatures	Setup > Config	Event type to track the nCino Features accessed by the Vault application
20	SforgBakupCfg	Setup > BackupConfig	Event type to track the activities performed on the backup config
21	SforgBakupStatus	Backup Restore Replicate	Event type to track the user activity on the Backup Restore Replicate module
22	SfOrgConnectConfig	Setup > Config	Event type to track the Vault connect configuration
23	SfOrgConnectSync	Setup > Config	Event type to track the user activity on the Vault Connect ‘Sync With Salesforce’
24	SforgEnviReg	Settings	Event type to track the storage registration in Vault
25	SforgUniqueFiledsConfig	Unique Identifiers	Event type to track the user activity on the Unique Identifiers tabs
26	SFReader	All Modules	Event type to track the activity every time the SFORG details are read
27	StartBackup	Backup & Archive	Event type to track the activity every time the “Backup & Archive” are triggered
28	User	User Management	Event type to track the activity on the user management
29	Zoho	Zoho Integration	Event type to track the user activity when the user accesses “Zoho”

### Messages Following are the audit log messages * **Storage** * Storage configuration request has been submitted." * "Storage configuration update request has been submitted.” * **User Management** * "User addition request has been submitted." * "User activation request has been submitted." * "Create password request has been submitted." * "Reset password request has been submitted." * "Change password request has been submitted." * "Delete user request has been submitted." * "Deactivate user request has been submitted." * "Create user request has been submitted." * "Update user request has been submitted." * "User profile update request has been submitted." * "User logged in with details: " * "User logged out with details: " * "Session terminated by: " * "User got blocked with details: " * "MFA verification code validated successfully for user." * "MFA is enabled for user." * "MFA is disabled for user." * "MFA is reset for user." * "MFA device is successfully registered by user.” * **Setup** * "Backup schedule disable request has been submitted." * "Backup schedule enable request has been submitted.” * **Customer Management** * "Customer activation request has been submitted." * "Customer deactivation request has been submitted." * "Customer deletion request has been submitted.” * "Enable/disable org access control request has been submitted." * **Salesforce Operations** * "Salesforce org creation request has been submitted." * "Salesforce org update request has been submitted." * **Vault Connect** * "Sforg Odata Connector Config creation/update request has been submitted." **Backup** * "Backup configuration creation request has been submitted." * "Backup configuration update request has been submitted." * "Backup configuration delete request has been submitted." * "Backup download operation has been initiated." * "Backup has been downloaded." * "Object has been downloaded from backup." * "Backup has been initiated." * "Stop backup process has been initiated." **Restore** * "Restore operation has been initiated.” * "Restore deletion request has been submitted." * **Hierarchial** * "Hierarchical backup process has been initiated." * "Hierarchical backup configuration creation request has been submitted." * "Hierarchical backup configuration update request has been submitted." * "Hierarchical backup configuration delete request has been submitted.” * "Stop hierarchical process has been initiated.” * "Hierarchical backup download operation has been initiated." * **Archive** * "Archive process has been initiated." * "Archive backup configuration creation request has been submitted." * "Archive backup configuration update request has been submitted." * "Archive backup delete request has been submitted." * "Stop archive process has been initiated." * "Archive download operation has been initiated." * **Replication** * "Replicate operation has been initiated." * "Replicate configuration creation request has been submitted." * "Replicate configuration update request has been submitted." * "Replicate deletion request has been submitted." * **Alert rules** * "Create alert rule request has been submitted." * "Delete alert rule request has been submitted." * "Anomaly detection process has been initiated." * "Object has been downloaded for anomaly detection." * "All records have been downloaded for anomaly detection." * **GDPR** * "Create GDPR request has been submitted." * "Delete GDPR request has been submitted." * "Object has been downloaded from GDPR." * "Upload search file for GDPR request has been initiated." --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://knowledgebase.autorabit.com/product-guides/vault/vault-features/siem-logging.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.