SIEM Logs
Last updated
Last updated
Security Information and Event Management (SIEM) system logs allow you to record and transport event data.
Users have the option to download logs from the UI. Access logs using the steps below.
Click on "Profiles" to access the "Session Information."
Click on the “Session Information” tab to access the “Activity” button.
Click on the “Activity Log” to access user activity.
On “Activity Logs”, click on the “Download” dropdown to access the available options.
Click any of the options available to download the logs.
The following APIs are available for SIEM logs.
View or Download Event Logs as a Single File:
Use the API below to view or download event logs as a single file. Ensure you minimize the date range if a large amount of data is present within the given date range. You can use the date parameters to manipulate the response per the requirement and increment the data accordingly to fetch the next set of records.
GET: {{url}}/ARVault/eventlogs?from=2023-10-09&to=2023-10-10
The from
and to
parameters are optional.
If the to
parameter is not provided, it downloads the logs up to the current date. If the from
parameter is not provided, it will download the logs from today up to the current time.
If the from
value is greater than the to
value, the API will consider the from
value as the to
value and vice versa.
If you request a file with the same from
and to
parameters, it will download the log file for that day.
The API will prepare a single user file for the given date range without loading the files into Java memory.
It will save the consolidated file in the file system.
If the user is an admin, it will consolidate all user logs for that organization within the date range.
To download the zip:
Two APIs are involved: one to prepare the zip file and the other to download the zip file. Details are given below:
GET: {{url}}/ARVault/eventlogs/prepare-zip?from=2023-10-09&to=2023-10-10
Output: A temporary token for the file, which is valid for a minute.
The API works in the same manner as described above, with the same from and to parameter validation and process.
It will prepare a consolidated zip file for the user.
File names are the user's email for that day, with special characters in the email replaced by '_'.
It returns a temporary token cached for the file for a minute.
GET: {{url}}/ARVault/eventlogs/download/code/{token}
The token is mandatory and should be sent as input to the API.
If the token is invalid/expired, the API will respond with a forbidden message.
If the token is valid, it will download the zip file, and the token cannot be used again.
To download the consolidated file:
Two APIs are involved: one to prepare the consolidated file and the other to download the zip file. Details are given below:
GET: {{url}}/ARVault/eventlogs/prepare-log?from=2023-10-09&to=2023-10-10
Output: A temporary token for the file, which is valid for a minute.
The API works in the same manner as described above, with the same validation and process.
It will prepare a consolidated file for the user. All validations are the same as the above API.
It returns a temporary token cached for the file for a minute.
GET: {{url}}/ARVault/eventlogs/download/code/{token}
The token is mandatory and should be sent as input to the API.
If the token is invalid/expired, the API will respond with a forbidden message.
If the token is valid, it will download the consolidated log file.
The following is the structure of the log.
Date (ISO Format) SIEM:Version|Device Vendor|Device Product|Device Version|Thread Id|Name|Severity|Extension
Example: 2024-06-17T06:37:44.145Z CEF:0|AutoRabit|Vault|23.2|http-nio-8081-exec-1|ArchivalReport|Low|sessionId=<sessionid> username=example@example.com customerId=<customer id> action=<user loggedin> ip=0:0:0:0:0:0:0:1 userAgent=Chrome
The following table describes the fields of the SIEM log structure.
1
Date (ISO Format) SIEM
Date Time
This field describes the date on which the log is created.
2
CEF Version
Number
This defines the version of the SIEM log.
3
Device Vendor
Text
This field denotes the vendor providing the device.
4
Device Product
Text
This denotes which product of the SIEM logs.
5
Device Version
Number
This denotes the product version.
6
Thread Id
Text
This is the ID from the server for a request.
7
Name
Text
This denotes the module of the product being accessed.
8
Severity
Text
This denotes the severity of the event logged.
9
Extension
Text
This provides additional information on the event logged.
The custom keys or extensions will have the following tracked in the event logs.
SessionId
Custom
All
Text
32
Identifies the user login
User Name
Custom
All
Text
255
Identifies the Loggedin User
Action
Custom
All
Text
2048
Identifies the API call
IP
Custom
All
IP
39
Identifies the device address
User Agent
Custom
All
Text
32
Identifier the browser used by the customer
CustomerId
Custom
All
Text
255
Identifies the customer
Message
Custom
All
Text
2048
Audit Log message
1
AnamolyDetails
Setup > Alerts
Event type to track the configured triggers activity in Vault
2
Archival
Archive
Event type to track the activity on the Archival module
3
ArchivalReport
Archive Reports
Event type to track the user activity on the Archive Reports module
4
ArchivalReportDownload
Archive Reports
Event type to track the user download on the reports module
5
ArchivalReportItem
Archive Reports
Event type to track the user activity on the Archival Report Items
6
ArchivalReportItemQuery
Archive Reports
Event type to track the user activity on the Archival Report Item Queries
7
ArchivalReportQuery
Archive Reports
Event type to track the user activity on the Archival Report Queries
8
AwsEnviReg
Settings
Event type for tracking the AWS storage registration
9
BakupSchedulesManage
Config
Event type for tracking all the user actions on the schedules
10
BlackList
GDPR
Event type to track the user activity on GDPR module
11
Customer
User Management
Event type to track the activity every time the user details are fetched
12
DataMasking
Replicate
Event type to track activity every time the data masking is performed
13
EventLog
CEF Logs
Event type to track the user activity when the CEF logs are downloaded by the user either from API or UI
14
FileDownload
File Downloads
Event type to track the UI file downloads
15
MultiFactorAuth
User Management
Event type to track the login and access of the user(s)
16
Proxy
Vault Settings
Event type to track the activity on the proxy settings page
17
Restore
Replicate Restore
Event type to track the user activity on the Replicate & Restore modules
18
Role
User Management
Event type to track the user activity every time the user role details are fetched
19
SalesforceFeatures
Setup > Config
Event type to track the nCino Features accessed by the Vault application
20
SforgBakupCfg
Setup > BackupConfig
Event type to track the activities performed on the backup config
21
SforgBakupStatus
Backup Restore Replicate
Event type to track the user activity on the Backup Restore Replicate module
22
SfOrgConnectConfig
Setup > Config
Event type to track the Vault connect configuration
23
SfOrgConnectSync
Setup > Config
Event type to track the user activity on the Vault Connect ‘Sync With Salesforce’
24
SforgEnviReg
Settings
Event type to track the storage registration in Vault
25
SforgUniqueFiledsConfig
Unique Identifiers
Event type to track the user activity on the Unique Identifiers tabs
26
SFReader
All Modules
Event type to track the activity every time the SFORG details are read
27
StartBackup
Backup & Archive
Event type to track the activity every time the “Backup & Archive” are triggered
28
User
User Management
Event type to track the activity on the user management
29
Zoho
Zoho Integration
Event type to track the user activity when the user accesses “Zoho”
Following are the audit log messages
Storage
Storage configuration request has been submitted."
"Storage configuration update request has been submitted.”
User Management
"User addition request has been submitted."
"User activation request has been submitted."
"Create password request has been submitted."
"Reset password request has been submitted."
"Change password request has been submitted."
"Delete user request has been submitted."
"Deactivate user request has been submitted."
"Create user request has been submitted."
"Update user request has been submitted."
"User profile update request has been submitted."
"User logged in with details: "
"User logged out with details: "
"Session terminated by: "
"User got blocked with details: "
"MFA verification code validated successfully for user."
"MFA is enabled for user."
"MFA is disabled for user."
"MFA is reset for user."
"MFA device is successfully registered by user.”
Setup
"Backup schedule disable request has been submitted."
"Backup schedule enable request has been submitted.”
Customer Management
"Customer activation request has been submitted."
"Customer deactivation request has been submitted."
"Customer deletion request has been submitted.”
"Enable/disable org access control request has been submitted."
Salesforce Operations
"Salesforce org creation request has been submitted."
"Salesforce org update request has been submitted."
Vault Connect
"Sforg Odata Connector Config creation/update request has been submitted."
Backup
"Backup configuration creation request has been submitted."
"Backup configuration update request has been submitted."
"Backup configuration delete request has been submitted."
"Backup download operation has been initiated."
"Backup has been downloaded."
"Object has been downloaded from backup."
"Backup has been initiated."
"Stop backup process has been initiated."
Restore
"Restore operation has been initiated.”
"Restore deletion request has been submitted."
Hierarchial
"Hierarchical backup process has been initiated."
"Hierarchical backup configuration creation request has been submitted."
"Hierarchical backup configuration update request has been submitted."
"Hierarchical backup configuration delete request has been submitted.”
"Stop hierarchical process has been initiated.”
"Hierarchical backup download operation has been initiated."
Archive
"Archive process has been initiated."
"Archive backup configuration creation request has been submitted."
"Archive backup configuration update request has been submitted."
"Archive backup delete request has been submitted."
"Stop archive process has been initiated."
"Archive download operation has been initiated."
Replication
"Replicate operation has been initiated."
"Replicate configuration creation request has been submitted."
"Replicate configuration update request has been submitted."
"Replicate deletion request has been submitted."
Alert rules
"Create alert rule request has been submitted."
"Delete alert rule request has been submitted."
"Anomaly detection process has been initiated."
"Object has been downloaded for anomaly detection."
"All records have been downloaded for anomaly detection."
GDPR
"Create GDPR request has been submitted."
"Delete GDPR request has been submitted."
"Object has been downloaded from GDPR."
"Upload search file for GDPR request has been initiated."