SIEM Logs
SIEM Logging – Event Logs
Introduction
Security Information and Event Management (SIEM) system logs allow you to record and transport event data.
How to Access SIEM Logs
Users have the option to download logs from the UI. Access logs using the steps below.
Click on "Profiles" to access the "Session Information."
Click on the "Session Information" tab to access the "Activity" button.
Click on the "Activity Log" to access user activity.
On "Activity Logs", click on the "Download" dropdown to access the available options.
Click any of the options available to download the logs.
APIs
The following APIs are available for SIEM logs.
View or Download Event Logs as a Single File:
Use the API below to view or download event logs as a single file. Keep the date range small when it contains a large volume of data: use the date parameters to page through the records, advancing the range each time to fetch the next set.
GET: {{url}}/ARVault/eventlogs?from=2023-10-09&to=2023-10-10
The from and to parameters are optional. If the to parameter is not provided, the API downloads the logs up to the current date. If the from parameter is not provided, it downloads the logs from today up to the current time. If the from value is greater than the to value, the API treats the from value as the to value and vice versa. If you request a file with the same from and to parameters, it downloads the log file for that day.
The API prepares a single user file for the given date range without loading the files into Java memory.
It will save the consolidated file in the file system.
If the user is an admin, it will consolidate all user logs for that organization within the date range.
To download the zip:
Two APIs are involved: one to prepare the zip file and the other to download the zip file. Details are given below:
GET: {{url}}/ARVault/eventlogs/prepare-zip?from=2023-10-09&to=2023-10-10
Output: A temporary token for the file, which is valid for a minute.
The API works in the same manner as described above, with the same from and to parameter validation and process.
It will prepare a consolidated zip file for the user.
File names are the user's email for that day, with special characters in the email replaced by '_'.
It returns a temporary token cached for the file for a minute.
GET: {{url}}/ARVault/eventlogs/download/code/{token}
The token is mandatory and should be sent as input to the API.
If the token is invalid/expired, the API will respond with a forbidden message.
If the token is valid, it will download the zip file, and the token cannot be used again.
To download the consolidated file:
Two APIs are involved: one to prepare the consolidated file and the other to download it. Details are given below:
GET: {{url}}/ARVault/eventlogs/prepare-log?from=2023-10-09&to=2023-10-10
Output: A temporary token for the file, which is valid for a minute.
The API works in the same manner as described above, with the same validation and process.
It will prepare a consolidated file for the user. All validations are the same as the above API.
It returns a temporary token cached for the file for a minute.
GET: {{url}}/ARVault/eventlogs/download/code/{token}
The token is mandatory and should be sent as input to the API.
If the token is invalid/expired, the API will respond with a forbidden message.
If the token is valid, it will download the consolidated log file.
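The two-step prepare/download flow above, together with the from/to rules described for the single-file API, as an added example client that is not AutoRabit's own code. Assumptions not stated on the page: the base URL and authentication headers are supplied by the caller, a successful call returns HTTP 200 with the token as the plain response body, and a rejected token comes back as HTTP 403. The HTTP transport is a plain callable so the flow can be exercised offline with a fake that behaves the way the page describes (one token, honoured once, forbidden afterwards).

```python
"""Two-step SIEM event-log download client.

Added example, not AutoRabit's own code. Assumptions not stated on the page:
the base URL and authentication headers are supplied by the caller, a
successful call returns HTTP 200 with the token as the plain response body,
and an invalid or expired token returns HTTP 403 ("forbidden"). The HTTP
transport is a plain callable so the flow can be exercised offline with a fake.
"""
from datetime import date
from typing import Callable, Dict, Optional, Tuple, Union
import urllib.error
import urllib.request

DateLike = Optional[Union[str, date]]          # "YYYY-MM-DD", date, or None
Transport = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def _as_date(value: DateLike, default: date) -> date:
    if value is None:
        return default
    return value if isinstance(value, date) else date.fromisoformat(value)


def normalize_range(frm: DateLike, to: DateLike, today: DateLike = None) -> Tuple[date, date]:
    """Apply the documented rules client-side so the URL is predictable:
    missing `to` -> up to the current date, missing `from` -> today only,
    and a reversed range is swapped (the server does the same)."""
    today = _as_date(today, date.today())
    frm, to = _as_date(frm, today), _as_date(to, today)
    if frm > to:
        frm, to = to, frm
    return frm, to


def eventlogs_url(base_url: str, frm: DateLike, to: DateLike,
                  endpoint: str = "eventlogs", today: DateLike = None) -> str:
    """Build {{url}}/ARVault/<endpoint>?from=YYYY-MM-DD&to=YYYY-MM-DD."""
    frm, to = normalize_range(frm, to, today)
    return f"{base_url}/ARVault/{endpoint}?from={frm.isoformat()}&to={to.isoformat()}"


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport on the standard library; the timeout keeps a slow prepare
    call from silently eating the one-minute token window."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def download_consolidated(base_url: str, frm: DateLike, to: DateLike,
                          transport: Transport, headers: Dict[str, str],
                          as_zip: bool = True, today: DateLike = None) -> bytes:
    """Call prepare-zip (or prepare-log), then redeem the token exactly once."""
    prepare = "eventlogs/prepare-zip" if as_zip else "eventlogs/prepare-log"
    status, body = transport(eventlogs_url(base_url, frm, to, prepare, today), headers)
    if status != 200:
        raise RuntimeError(f"{prepare} failed with HTTP {status}")
    token = body.decode("utf-8").strip()
    # The token lives for one minute and the zip token is single-use: never
    # sleep between the two calls or retry the download with the same token;
    # on 403 go back to prepare for a fresh one.
    status, body = transport(f"{base_url}/ARVault/eventlogs/download/code/{token}", headers)
    if status == 403:
        raise PermissionError("token invalid or expired; call prepare again")
    if status != 200:
        raise RuntimeError(f"download failed with HTTP {status}")
    return body


def make_fake_transport(token: str = "tok-constructed",
                        payload: bytes = b"PK-constructed-zip") -> Transport:
    """Offline stand-in for the service (constructed): hands out one token and
    honours it once, answering 403 to anything else, as the page describes."""
    redeemed = {"done": False}

    def fake(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        if "/ARVault/eventlogs/prepare-" in url:
            return 200, token.encode()
        if url.endswith(f"/download/code/{token}") and not redeemed["done"]:
            redeemed["done"] = True
            return 200, payload
        return 403, b"Forbidden"
    return fake


if __name__ == "__main__":
    fake = make_fake_transport()
    data = download_consolidated("https://vault.example.test", "2023-10-09", "2023-10-10",
                                 fake, {"Authorization": "Bearer <placeholder>"})
    print(f"{len(data)} bytes downloaded")
```

Swap `make_fake_transport()` for `urllib_transport` and real credentials to talk to an instance. The design point is that the download call is made immediately after prepare and is never retried with the same token: a retry would only ever see the forbidden response, and a fresh prepare call is the correct recovery.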
SIEM Log Structure
The following is the structure of the log.
Date (ISO Format) CEF:Version|Device Vendor|Device Product|Device Version|Thread Id|Name|Severity|Extension
Example: 2024-06-17T06:37:44.145Z CEF:0|AutoRabit|Vault|23.2|http-nio-8081-exec-1|ArchivalReport|Low|sessionId=<sessionid> username=example@example.com customerId=<customer id> action=<user loggedin> ip=0:0:0:0:0:0:0:1 userAgent=Chrome
The following table describes the fields of the SIEM log structure.
SL.No | Field | Data Type | Length | Description |
---|---|---|---|---|
1 | Date (ISO Format) SIEM | Date Time | 24 | This field describes the date on which the log is created. |
2 | CEF Version | Number | 2 | This defines the version of the SIEM log. |
3 | Device Vendor | Text | 9 | This field denotes the vendor providing the device. |
4 | Device Product | Text | 5 | This denotes which product of the SIEM logs. |
5 | Device Version | Number | 10 | This denotes the product version. |
6 | Thread Id | Text | 32 | This is the ID from the server for a request. |
7 | Name | Text | 256 | This denotes the module of the product being accessed. |
8 | Severity | Text | 10 | This denotes the severity of the event logged. |
9 | Extension | Text | 5120 | This provides additional information on the event logged. |
Custom Keys
The custom keys or extensions will have the following tracked in the event logs.
Key Name | Key Type | Module | Data Type | Length | Description |
---|---|---|---|---|---|
SessionId | Custom | All | Text | 32 | Identifies the user login |
User Name | Custom | All | Text | 255 | Identifies the logged-in user |
Action | Custom | All | Text | 2048 | Identifies the API call |
IP | Custom | All | IP | 39 | Identifies the device address |
User Agent | Custom | All | Text | 32 | Identifies the browser used by the customer |
CustomerId | Custom | All | Text | 255 | Identifies the customer |
Message | Custom | All | Text | 2048 | Audit Log message |
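A parser for the log structure and custom keys described above, as an added example that is not AutoRabit's own code. It splits the seven header fields on unescaped `|` (CEF allows `\|` and `\\` inside header fields), then reads the extension as key=value pairs whose values may contain spaces, as in the page's own example (`action=<user loggedin>`), and checks each field against the maximum lengths in the two tables. The sample line is constructed from the page's example with placeholder values, and the length table is keyed by the extension names that example uses (sessionId, username, action, ip, userAgent, customerId); the Message key is not in the example, so it is not checked.

```python
"""Parser for the Vault CEF-style SIEM log line.

Added example, not AutoRabit's own code. It splits the seven header fields on
unescaped '|' (CEF allows '\\|' and '\\\\' in header fields), then parses the
extension as key=value pairs whose values may contain spaces, as in the page's
own example (action=<user loggedin>). The sample line is constructed from that
example with placeholder values; the length limits come from the page's field
tables, keyed by the extension names the example uses.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "thread_id", "name", "severity"]

# Maximum lengths from the page's tables (header fields, then custom keys).
HEADER_LIMITS = {"cef_version": 2, "device_vendor": 9, "device_product": 5,
                 "device_version": 10, "thread_id": 32, "name": 256, "severity": 10}
EXTENSION_LIMITS = {"sessionId": 32, "username": 255, "action": 2048, "ip": 39,
                    "userAgent": 32, "customerId": 255}
EXTENSION_TOTAL_LIMIT = 5120

# A key starts at the beginning of the extension or after whitespace. An
# escaped '\=' inside a value is preceded by a backslash, not a key character,
# so it cannot be mistaken for the start of a new key.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")

# Constructed sample line (values are placeholders, not real identifiers).
SAMPLE_LINE = ("2024-06-17T06:37:44.145Z CEF:0|AutoRabit|Vault|23.2|"
               "http-nio-8081-exec-1|ArchivalReport|Low|"
               "sessionId=s3ss10n-id username=example@example.com "
               "customerId=cust-0001 action=<user loggedin> "
               "ip=0:0:0:0:0:0:0:1 userAgent=Chrome")


def _split_header(text: str, count: int = 7) -> Tuple[List[str], str]:
    """Return the first `count` fields separated by unescaped '|' and the rest."""
    parts, buf, i = [], [], 0
    while i < len(text) and len(parts) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # '\|' or '\\' -> literal char
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return parts, text[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; a value runs until the next 'key=' token."""
    keys = list(KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, match in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[match.end():end]
        out[match.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\").strip()
    return out


def parse_cef_line(line: str) -> Dict[str, object]:
    """Parse one line into header fields, a UTC timestamp and an extension dict."""
    stamp, _, rest = line.strip().partition(" ")
    if not rest.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts, extension = _split_header(rest[len("CEF:"):])
    if len(parts) != 7:
        raise ValueError("CEF header must have seven '|'-separated fields")
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, parts))
    record["timestamp"] = datetime.strptime(
        stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    record["extension_raw"] = extension
    record["extension"] = _parse_extension(extension)
    return record


def oversize_fields(record: Dict[str, object]) -> List[str]:
    """Names of fields longer than the documented maximum, so malformed or
    padded records can be flagged before they are forwarded to the SIEM."""
    bad = [f for f, lim in HEADER_LIMITS.items() if len(str(record[f])) > lim]
    ext = record["extension"]
    bad += [f"extension.{k}" for k, lim in EXTENSION_LIMITS.items()
            if k in ext and len(ext[k]) > lim]
    if len(record["extension_raw"]) > EXTENSION_TOTAL_LIMIT:
        bad.append("extension")
    return bad


if __name__ == "__main__":
    rec = parse_cef_line(SAMPLE_LINE)
    print(rec["name"], rec["severity"], rec["extension"]["username"])
    print("oversize:", oversize_fields(rec))
```

Splitting the extension on whitespace alone would break the page's own example, because `action=<user loggedin>` carries a space inside the value; scanning for `key=` tokens instead keeps such values intact. A value that itself contains a space followed by `word=` would still be split, which is an inherent ambiguity of the CEF extension format rather than of this parser.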
Vault Event Type
SI No | Event Type | Module | Description |
---|---|---|---|
1 | AnamolyDetails | Setup > Alerts | Event type to track the configured triggers activity in Vault |
2 | Archival | Archive | Event type to track the activity on the Archival module |
3 | ArchivalReport | Archive Reports | Event type to track the user activity on the Archive Reports module |
4 | ArchivalReportDownload | Archive Reports | Event type to track the user download on the reports module |
5 | ArchivalReportItem | Archive Reports | Event type to track the user activity on the Archival Report Items |
6 | ArchivalReportItemQuery | Archive Reports | Event type to track the user activity on the Archival Report Item Queries |
7 | ArchivalReportQuery | Archive Reports | Event type to track the user activity on the Archival Report Queries |
8 | AwsEnviReg | Settings | Event type for tracking the AWS storage registration |
9 | BakupSchedulesManage | Config | Event type for tracking all the user actions on the schedules |
10 | BlackList | GDPR | Event type to track the user activity on the GDPR module |
11 | Customer | User Management | Event type to track the activity every time the user details are fetched |
12 | DataMasking | Replicate | Event type to track activity every time the data masking is performed |
13 | EventLog | CEF Logs | Event type to track the user activity when the CEF logs are downloaded by the user either from API or UI |
14 | FileDownload | File Downloads | Event type to track the UI file downloads |
15 | MultiFactorAuth | User Management | Event type to track the login and access of the user(s) |
16 | Proxy | Vault Settings | Event type to track the activity on the proxy settings page |
17 | Restore | Replicate Restore | Event type to track the user activity on the Replicate & Restore modules |
18 | Role | User Management | Event type to track the user activity every time the user role details are fetched |
19 | SalesforceFeatures | Setup > Config | Event type to track the nCino Features accessed by the Vault application |
20 | SforgBakupCfg | Setup > BackupConfig | Event type to track the activities performed on the backup config |
21 | SforgBakupStatus | Backup Restore Replicate | Event type to track the user activity on the Backup Restore Replicate module |
22 | SfOrgConnectConfig | Setup > Config | Event type to track the Vault connect configuration |
23 | SfOrgConnectSync | Setup > Config | Event type to track the user activity on the Vault Connect ‘Sync With Salesforce’ |
24 | SforgEnviReg | Settings | Event type to track the storage registration in Vault |
25 | SforgUniqueFiledsConfig | Unique Identifiers | Event type to track the user activity on the Unique Identifiers tabs |
26 | SFReader | All Modules | Event type to track the activity every time the SFORG details are read |
27 | StartBackup | Backup & Archive | Event type to track the activity every time the “Backup & Archive” are triggered |
28 | User | User Management | Event type to track the activity on the user management |
29 | Zoho | Zoho Integration | Event type to track the user activity when the user accesses “Zoho” |
Messages
The following are the audit log messages.
Storage
"Storage configuration request has been submitted."
"Storage configuration update request has been submitted."
User Management
"User addition request has been submitted."
"User activation request has been submitted."
"Create password request has been submitted."
"Reset password request has been submitted."
"Change password request has been submitted."
"Delete user request has been submitted."
"Deactivate user request has been submitted."
"Create user request has been submitted."
"Update user request has been submitted."
"User profile update request has been submitted."
"User logged in with details: "
"User logged out with details: "
"Session terminated by: "
"User got blocked with details: "
"MFA verification code validated successfully for user."
"MFA is enabled for user."
"MFA is disabled for user."
"MFA is reset for user."
"MFA device is successfully registered by user."
Setup
"Backup schedule disable request has been submitted."
"Backup schedule enable request has been submitted."
Customer Management
"Customer activation request has been submitted."
"Customer deactivation request has been submitted."
"Customer deletion request has been submitted."
"Enable/disable org access control request has been submitted."
Salesforce Operations
"Salesforce org creation request has been submitted."
"Salesforce org update request has been submitted."
Vault Connect
"Sforg Odata Connector Config creation/update request has been submitted."
Backup
"Backup configuration creation request has been submitted."
"Backup configuration update request has been submitted."
"Backup configuration delete request has been submitted."
"Backup download operation has been initiated."
"Backup has been downloaded."
"Object has been downloaded from backup."
"Backup has been initiated."
"Stop backup process has been initiated."
Restore
"Restore operation has been initiated."
"Restore deletion request has been submitted."
Hierarchical
"Hierarchical backup process has been initiated."
"Hierarchical backup configuration creation request has been submitted."
"Hierarchical backup configuration update request has been submitted."
"Hierarchical backup configuration delete request has been submitted."
"Stop hierarchical process has been initiated."
"Hierarchical backup download operation has been initiated."
Archive
"Archive process has been initiated."
"Archive backup configuration creation request has been submitted."
"Archive backup configuration update request has been submitted."
"Archive backup delete request has been submitted."
"Stop archive process has been initiated."
"Archive download operation has been initiated."
Replication
"Replicate operation has been initiated."
"Replicate configuration creation request has been submitted."
"Replicate configuration update request has been submitted."
"Replicate deletion request has been submitted."
Alert rules
"Create alert rule request has been submitted."
"Delete alert rule request has been submitted."
"Anomaly detection process has been initiated."
"Object has been downloaded for anomaly detection."
"All records have been downloaded for anomaly detection."
GDPR
"Create GDPR request has been submitted."
"Delete GDPR request has been submitted."
"Object has been downloaded from GDPR."
"Upload search file for GDPR request has been initiated."
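Three detection rules run over the audit messages listed above, as an added example that is not AutoRabit's own code. It works on already-parsed records held as plain dicts: time (the line's ISO timestamp), name (the CEF Name field, i.e. the Vault event type), username and ip (custom keys), and message (the Message custom key; the exact extension key that carries it is assumed). The sample events are constructed, with documentation-range IPs and example.com users, and the message strings are quoted from the User Management list.

```python
"""Detection rules over Vault audit-log events.

Added example, not AutoRabit's own code. It consumes already-parsed records as
plain dicts: time (the line's ISO timestamp), name (the CEF Name field, i.e.
the Vault event type), username and ip (custom keys) and message (the Message
custom key; the exact extension key name is assumed). The sample events are
constructed; the message strings are quoted from the page's message lists.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

MFA_WEAKENED = {"MFA is disabled for user.", "MFA is reset for user."}
USER_BLOCKED = "User got blocked with details: "
USER_LOGIN = "User logged in with details: "


def _ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")


def _event(time: str, name: str, username: str, ip: str, message: str) -> Dict[str, str]:
    return {"time": time, "name": name, "username": username, "ip": ip, "message": message}


# Constructed sample: documentation-range IPs and example.com users; which
# event type carries each message is also an assumption.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    _event("2024-06-17T06:30:00.000Z", "MultiFactorAuth", "alice@example.com", "198.51.100.7", USER_LOGIN),
    _event("2024-06-17T06:31:10.000Z", "MultiFactorAuth", "bob@example.com", "203.0.113.9", USER_BLOCKED),
    _event("2024-06-17T06:33:40.000Z", "MultiFactorAuth", "bob@example.com", "203.0.113.9", USER_BLOCKED),
    _event("2024-06-17T06:35:05.000Z", "MultiFactorAuth", "bob@example.com", "203.0.113.9", USER_BLOCKED),
    _event("2024-06-17T06:40:00.000Z", "MultiFactorAuth", "carol@example.com", "198.51.100.20", USER_LOGIN),
    _event("2024-06-17T06:42:00.000Z", "User", "alice@example.com", "198.51.100.7", "MFA is disabled for user."),
    _event("2024-06-17T07:10:00.000Z", "MultiFactorAuth", "carol@example.com", "192.0.2.44", USER_LOGIN),
]


def find_mfa_weakening(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Every MFA disable or reset lowers the bar for that account and is
    worth a review ticket, whoever performed it."""
    return [e for e in events if e["message"] in MFA_WEAKENED]


def find_repeated_blocks(events: List[Dict[str, str]], threshold: int = 3,
                         window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Users blocked at least `threshold` times inside any sliding `window`."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["message"] == USER_BLOCKED:
            by_user[e["username"]].append(_ts(e["time"]))
    findings = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"username": user, "count": end - start + 1,
                                 "first": times[start], "last": times[end]})
                break                                     # one finding per user
    return findings


def find_multi_ip_logins(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Users who logged in from more than one source IP within the batch."""
    ips: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["message"] == USER_LOGIN:
            ips[e["username"]].add(e["ip"])
    return {user: sorted(addrs) for user, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    for f in find_mfa_weakening(SAMPLE_EVENTS):
        print("MFA weakened:", f["username"], "at", f["time"])
    for f in find_repeated_blocks(SAMPLE_EVENTS):
        print("repeated blocks:", f["username"], f["count"], "between", f["first"], "and", f["last"])
    for user, addrs in find_multi_ip_logins(SAMPLE_EVENTS).items():
        print("multiple login IPs:", user, addrs)
```

The rules key on the message text rather than on the event type, since the page ties each message to a functional area but not to a single event type; thresholds and window sizes are starting points to tune against the volume a real tenant produces.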