Working with Discover

View the logs that are stored in the Audit Store using Discover. This section covers the basics of Discover and gives an overview of running queries on the Discover screen.

For more information about Discover, refer to https://opensearch.org/docs/latest/dashboards/.

Viewing logs

The logs that are aggregated and collected are sent to Insight, which stores them in the Audit Store. The logs from the Audit Store are displayed on the Audit Store Dashboards, where the different fields and the logged data are visible. In addition to being viewed, these logs serve as input for Analytics to analyze the health of the system and to monitor it for security.

To view the logs, log in to the ESA and navigate to Audit Store > Dashboard > Open in new tab. From the menu, select Discover, and then select a time period such as Last 30 days.

Use the default index pattern pty_insight_*audit* to view the log data. This default index pattern uses wildcard characters so that it references all audit indexes. Alternatively, select an index pattern or alias to view data from a different index. For more information about the available indexes, refer to Understanding the Insight indexes.

You can create and delete indexes. Before deleting an index, it is highly recommended to back it up first: after an index is deleted, the data associated with it is permanently removed, and without a backup there is no way to recover it. For more information about indexes, refer to https://opensearch.org/docs/latest/im-plugin/ and https://opensearch.org/docs/latest/dashboards/. For more information about managing indexes in ESA, refer to Index lifecycle management (ILM).
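The following is an added example, not code from the product or from OpenSearch, that shows what the Discover settings above amount to on the OpenSearch side: how a wildcard index pattern such as pty_insight_*audit* selects concrete indexes, and how a time picker value such as Last 30 days plus the text typed into the search field become a _search request body. The sample index names, the @timestamp field and the severity field are constructed assumptions for illustration only; the real audit indexes may use different names and fields.

```python
"""Added example (not Protegrity's or OpenSearch's code).

Shows how a Discover index pattern and time picker translate into an
OpenSearch query. Index names and field names below are constructed
assumptions, not the product's actual schema.
"""
import fnmatch
import json

# Constructed index names, as they might be listed under Index Management.
SAMPLE_INDEXES = [
    "pty_insight_audit-2025.04",
    "pty_insight_audit-2025.05",
    "pty_insight_analytics-2025.05",
    ".opensearch_dashboards_1",
]


def resolve_index_pattern(pattern, index_names):
    """Return the concrete indexes that an index pattern refers to.

    Dashboards index patterns use '*' as a wildcard, like a shell glob,
    so 'pty_insight_*audit*' selects every index whose name starts with
    'pty_insight_' and contains 'audit'. Aliases are not expanded here;
    OpenSearch resolves those server-side.
    """
    return [name for name in index_names if fnmatch.fnmatchcase(name, pattern)]


def build_discover_query(last_days, query_string="*", size=500, ts_field="@timestamp"):
    """Build the _search body that a Discover view effectively sends.

    last_days    -> the 'Last <n> days' time picker, expressed with
                    OpenSearch date math ('now-30d' .. 'now')
    query_string -> the text typed into the Discover search field
                    (Lucene syntax, e.g. 'severity:ERROR')
    ts_field     -> assumed timestamp field of the audit index
    """
    return {
        "size": size,
        "sort": [{ts_field: {"order": "desc"}}],
        "query": {
            "bool": {
                "must": [{"query_string": {"query": query_string}}],
                "filter": [
                    {"range": {ts_field: {"gte": f"now-{last_days}d", "lte": "now"}}}
                ],
            }
        },
    }


if __name__ == "__main__":
    # Which indexes the default pattern covers, and the request body for
    # "Last 30 days" restricted to error-level records (assumed field).
    print(resolve_index_pattern("pty_insight_*audit*", SAMPLE_INDEXES))
    print(json.dumps(build_discover_query(30, "severity:ERROR"), indent=2))
```

The returned body can be sent to OpenSearch as the JSON payload of a POST to pty_insight_*audit*/_search; it reproduces what the Discover screen does when the default index pattern, a 30-day time range, and a search-field filter are combined.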

Saved queries

Run a query and customize the log details that are displayed. Save the query together with the settings used to run it, such as the columns, row count, tail, and indexes. Saved queries are user-specific.

From Discover, click Open to use the following saved queries to view information:

  • Policy: Use this query to view policy logs. A policy log is created during policy creation, policy deployment, and policy enforcement, and during the collection, storage, forwarding, and analysis of logs.
  • Security: Use this query to view security operation logs. A security log is created during the security operations performed by protectors, such as protect, unprotect, and reprotect operations.
  • Unsuccessful Security Operations: Use this query to view logs of unsuccessful security operations. These logs are created when security operations fail due to errors, warnings, or exceptions.

  1. In ESA, navigate to Audit Store > Dashboard > Open in new tab, select Discover from the menu, and optionally select a time period such as Last 30 days.

    A user with the viewer role can only view and run saved queries. Admin rights are required to create or modify query filters.

  2. Select the index for running the query.

  3. Enter the query in the Search field.

  4. Optionally, select the required fields.

  5. Click the See saved queries icon to save the query.

    The Saved Queries list appears.

  6. Click Save current query.

    The Save query dialog box appears.

  7. Specify a name for the query.

  8. Click Save to save the query information, including the specified configurations, such as the columns, row count, tail, indexes, and query.

    The query is saved.

  9. Click the See saved queries icon to view the saved queries.

Last modified : May 01, 2025