SIEM Logs
SIEM Logging - Event Logs
Introduction
SIEM is a standardized log management system developed to record and transport event data.
How to Access SIEM Logs
An option is provided to download logs from the UI.
Users can access the logs from the following path:
Click on Profiles to access the Session Information.
Click on the "Session Information" tab to access the "Activity" button.
Click on the "Activity Log" to access the user activity.
On landing on the "Activity Logs" page, click on the "Download" drop-down to access the available options.
APIs
The following are the APIs available for the SIEM logs.
To View or Download Event Logs as a Single File:
To view or download event logs as a single file, use the API below. Ensure you minimize the date range if a large amount of data is present within the given date range. You can use the date parameters to manipulate the response as per the requirement and increment the data accordingly to fetch the next set of records.
GET: {{url}}/ARVault/eventlogs?from=2023-10-09&to=2023-10-10
Headers:
Authorization: Bearer <AccessToken>
Cookies: ARVault=<ARVault>
The values for <AccessToken> and <ARVault> can be retrieved from the login API response:
<AccessToken> is found in the response body of the login API.
<ARVault> is found in the response headers of the login API.
The from and to parameters are optional. If the to parameter is not provided, it downloads the logs up to the current date. If the from parameter is not provided, it will download the logs from today up to the current time.
If the from value is greater than the to value, the API will consider the from value as the to value and vice versa.
If you request a file with the same from and to parameters, it will download the log file for that day.
The API will prepare a single file for the user for the given date range without loading the files into Java memory.
It will save the consolidated file in the file system.
If the user is an admin, it will consolidate all user logs for that organization within the date range.
To download the zip:
Two APIs are involved: one to prepare the zip file and the other to download the zip file. Details are given below:
GET: {{url}}/ARVault/eventlogs/prepare-zip?from=2023-10-09&to=2023-10-10
Headers:
Authorization: Bearer <AccessToken>
Cookies: ARVault=<ARVault>
The values for <AccessToken> and <ARVault> can be retrieved from the login API response:
<AccessToken> is found in the response body of the login API.
<ARVault> is found in the response headers of the login API.
Output: A temporary token for the file, which is valid for a minute.
The API works in the same manner as described above, with the same from and to parameter validation and process. It will prepare a consolidated zip file for the user.
Files will be named by the user's email for that day, with special characters in the email replaced by '_'.
It returns a temporary token cached for the file for a minute.
GET: {{url}}/ARVault/eventlogs/download/code/{token}
The token is mandatory and should be sent as input to the API.
If the token is invalid/expired, the API will respond with a forbidden message.
If the token is valid, it will download the zip file, and the token cannot be used again.
To download the consolidated file:
Two APIs are involved: one to prepare the consolidated file and the other to download the consolidated file. Details are given below:
GET: {{url}}/ARVault/eventlogs/prepare-log?from=2023-10-09&to=2023-10-10
Headers:
Authorization: Bearer <AccessToken>
Cookies: ARVault=<ARVault>
The values for <AccessToken> and <ARVault> can be retrieved from the login API response:
<AccessToken> is found in the response body of the login API.
<ARVault> is found in the response headers of the login API.
Output: A temporary token for the file, which is valid for a minute.
The API works in the same manner as described above, with the same validation and process.
It will prepare a consolidated file for the user. All validations are the same as the above API.
It returns a temporary token cached for the file for a minute.
GET: {{url}}/ARVault/eventlogs/download/code/{token}
The token is mandatory and should be sent as input to the API.
If the token is invalid/expired, the API will respond with a forbidden message.
If the token is valid, it will download the consolidated log file.
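The three flows above (the single-file endpoint, prepare-zip plus download, and prepare-log plus download) share the same headers, date parameters and one-minute single-use token. The client below is an added example written for this page, not AutoRabit's own code. It assumes the prepare endpoints return the token as the plain response body (the page only says a token is returned), uses a placeholder base URL, and ships with a constructed FakeVaultServer transport that mimics the documented behaviour so the whole sequence runs offline; the daily_ranges helper implements the page's advice to keep each request's date range small.

```python
import urllib.error
import urllib.parse
import urllib.request
from datetime import date, timedelta


def urllib_transport(method, url, headers):
    """Real HTTP transport: returns (status, body); HTTP errors are returned, not raised."""
    request = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(request, timeout=120) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class VaultEventLogClient:
    """Wraps the event-log endpoints documented above. `transport(method, url, headers)`
    returns (status, body) and is injectable so the flow can be exercised offline."""

    def __init__(self, base_url, access_token, arvault_cookie, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {access_token}",
                        "Cookie": f"ARVault={arvault_cookie}"}
        self.transport = transport

    def _get(self, path, from_date=None, to_date=None):
        params = {k: v for k, v in (("from", from_date), ("to", to_date)) if v}
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        return self.transport("GET", url, self.headers)

    def event_logs(self, from_date=None, to_date=None):
        """Single-file endpoint; dates are 'YYYY-MM-DD' strings and both are optional."""
        status, body = self._get("/ARVault/eventlogs", from_date, to_date)
        if status != 200:
            raise RuntimeError(f"eventlogs failed with HTTP {status}")
        return body

    def _prepare(self, path, from_date, to_date):
        status, body = self._get(path, from_date, to_date)
        if status != 200:
            raise RuntimeError(f"{path} failed with HTTP {status}")
        return body.decode().strip()  # assumption: token is returned as the plain body

    def prepare_zip(self, from_date=None, to_date=None):
        return self._prepare("/ARVault/eventlogs/prepare-zip", from_date, to_date)

    def prepare_log(self, from_date=None, to_date=None):
        return self._prepare("/ARVault/eventlogs/prepare-log", from_date, to_date)

    def download(self, token):
        """Redeem a prepare token; it is single-use and expires after one minute."""
        status, body = self._get(f"/ARVault/eventlogs/download/code/{token}")
        if status == 403:
            raise PermissionError("token invalid, expired or already used")
        if status != 200:
            raise RuntimeError(f"download failed with HTTP {status}")
        return body


def daily_ranges(start, end):
    """Yield each day in [start, end] as 'YYYY-MM-DD', swapping reversed ends as the
    server would. One day per request keeps every response small."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    if first > last:
        first, last = last, first
    day = first
    while day <= last:
        yield day.isoformat()
        day += timedelta(days=1)


def collect_daily(client, start, end):
    """Fetch the single-file endpoint one day at a time; returns {day: bytes}."""
    return {day: client.event_logs(day, day) for day in daily_ranges(start, end)}


class FakeVaultServer:
    """Constructed stand-in for the endpoints so the example runs offline: prepare
    hands out a token, download consumes it, a reused or unknown token gets 403."""

    def __init__(self):
        self.pending, self.issued = {}, 0

    def __call__(self, method, url, headers):
        if headers.get("Authorization") != "Bearer demo-access-token":
            return 401, b"unauthorized"
        parts = urllib.parse.urlsplit(url)
        query = dict(urllib.parse.parse_qsl(parts.query))
        window = f"{query.get('from', '')}..{query.get('to', '')}"
        if parts.path == "/ARVault/eventlogs":
            return 200, f"logs {window}\n".encode()
        if parts.path in ("/ARVault/eventlogs/prepare-zip", "/ARVault/eventlogs/prepare-log"):
            self.issued += 1
            token = f"demo-token-{self.issued}"
            self.pending[token] = f"archive {window}".encode()
            return 200, token.encode()
        if parts.path.startswith("/ARVault/eventlogs/download/code/"):
            body = self.pending.pop(parts.path.rsplit("/", 1)[1], None)  # pop: single use
            return (200, body) if body is not None else (403, b"forbidden")
        return 404, b"not found"


if __name__ == "__main__":
    client = VaultEventLogClient("https://vault.example.invalid", "demo-access-token",
                                 "demo-cookie", transport=FakeVaultServer())
    token = client.prepare_zip("2023-10-09", "2023-10-10")
    print(client.download(token))
    try:
        client.download(token)
    except PermissionError as exc:
        print("second use rejected:", exc)
```

Against a real deployment, drop the transport argument so urllib_transport is used, and redeem the token immediately after prepare: the minute starts when prepare returns, so preparing several archives up front and downloading them later will hit the forbidden response.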
CEF Log Structure
The following is the structure of the log.
Date (ISO Format) CEF:Version|Device Vendor|Device Product|Device Version|Thread Id|Name|Severity|Extension
Example: 2024-06-17T06:37:44.145Z CEF:0|AutoRabit|Vault|23.2|http-nio-8081-exec-1|ArchivalReport|Low|sessionId=<sessionid> username=example@example.com customerId=<customer id> action=<user loggedin> ip=0:0:0:0:0:0:0:1 userAgent=Chrome
The following table describes the fields of the CEF log structure.
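To make the structure concrete, here is an added Python parser for lines in the format above; it is example code written for this page, not part of Vault. Field names follow the header order the page gives (with "Thread Id" as the fifth header field), CEF's backslash escapes for "|", "=" and "\" are honoured, and extension values containing spaces (such as "<user loggedin>") are kept whole. The first sample line copies the page's example; the second line and the per-user summary helper are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records in the structure documented above (the first copies the
# page's example, the second is made up so the summary has something to group).
SAMPLE_LINES = [
    "2024-06-17T06:37:44.145Z CEF:0|AutoRabit|Vault|23.2|http-nio-8081-exec-1|ArchivalReport|Low|"
    "sessionId=<sessionid> username=example@example.com customerId=<customer id> "
    "action=<user loggedin> ip=0:0:0:0:0:0:0:1 userAgent=Chrome",
    "2024-06-17T06:40:02.001Z CEF:0|AutoRabit|Vault|23.2|http-nio-8081-exec-3|ArchivalReport|Low|"
    "sessionId=<sessionid> username=example@example.com customerId=<customer id> "
    "action=<user loggedin> ip=0:0:0:0:0:0:0:1 userAgent=Firefox",
]

# Header field names in the order the page gives them.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "thread_id", "name", "severity")

# A '|' that is not escaped as '\|' ends a header field.
_PIPE = re.compile(r"(?<!\\)\|")
# Extension pairs: a value runs until the next ' key=' or the end of the line,
# so values that contain spaces (e.g. '<user loggedin>') are kept whole.
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# CEF escapes: '\|' and '\\' in the header, '\=' and '\\' in the extension.
_ESCAPE = re.compile(r"\\([\\|=])")


def _unescape(text):
    return _ESCAPE.sub(r"\1", text)


def parse_extension(extension):
    """Turn 'k1=v1 k2=v2 ...' into a dict, unescaping '\\=' and '\\\\'."""
    return {key: _unescape(value) for key, value in _PAIR.findall(extension)}


def parse_cef_line(line):
    """Parse '<ISO date> CEF:Version|...|Severity|Extension' into a dict."""
    timestamp, _, record = line.strip().partition(" ")
    if not record.startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    parts = _PIPE.split(record[len("CEF:"):], maxsplit=len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("expected 7 header fields followed by the extension")
    event = {name: _unescape(value) for name, value in zip(HEADER_FIELDS, parts)}
    event["timestamp"] = timestamp
    event["extension"] = parse_extension(parts[-1])
    return event


def event_time(event):
    """The record timestamp as an aware UTC datetime (the format used in the example)."""
    naive = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return naive.replace(tzinfo=timezone.utc)


def actions_by_user(lines):
    """Count each user's actions: a first cut when reviewing a downloaded log file."""
    counts = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        ext = parse_cef_line(line)["extension"]
        counts[ext.get("username", "?")][ext.get("action", "?")] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_cef_line(line))
    print(dict(actions_by_user(SAMPLE_LINES)))
```

Feed actions_by_user the lines of a file fetched from the eventlogs endpoint (or the members of the prepared zip) to see at a glance which accounts performed which actions in the chosen date range.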