Working with Insight on

Understanding the Audit Store node status

Mon, 01 Jan 0001 00:00:00 +0000

Viewing cluster status

The Overview screen shows information about the Audit Store cluster. Use this information to understand the health of the Audit Store cluster. Access the Overview screen by navigating to Audit Store > Cluster Management > Overview. The Overview screen is shown in the following figure.

The following information is shown on the Overview screen:

Join Custer: Click to add a node to the Audit Store cluster. The node can be added to only one Audit Store cluster. On a multi-node cluster, this button is disabled after the node is added to the Audit Store cluster.
Leave Cluster: Click to remove a node from the Audit Store cluster. This button is disabled after the node is removed from an Audit Store cluster.
Cluster Name: The name displays the Audit Store cluster name.
Cluster Status: The cluster status displays the index status of the worst shard in the Audit Store cluster. Accordingly, the following status information appears:
- Red status indicates that the specific shard is not allocated in the Audit Store cluster.
- Yellow status indicates that the primary shard is allocated but replicas are not allocated.
- Green status indicates that all shards are allocated.
Number of Nodes: The count of active nodes in the Audit Store cluster.
Number of Data Nodes: The count of nodes that have a data role.
Active Primary Shards: The count of active primary shards in the Audit Store cluster.
Active Shards: The total of active primary and replica shards.
Relocating Shards: The count of shards that are being relocated.
Initializing Shards: The count of shards that are under initialization.
Unassigned Shards: The count of shards that are not allocated. The Audit Store will process and dynamically allocate these shards.
OS Version: The version number of the OpenSearch used for the Audit Store.
Current Master: The IP address of the current Audit Store node that is elected as master.
Indices Count: The count of indices in the Audit Store cluster.
Total Docs: The document count of all indices in the Audit Store cluster, excluding security index docs.
Number of Master Nodes: The count of nodes that have the master-eligible role.
Number of Ingest Nodes: The count of nodes that have the ingest role.

For more information about clusters, shards, docs, and other terms, refer to the OpenSearch documentation.

Working with Audit Store nodes

Mon, 01 Jan 0001 00:00:00 +0000

Registering a node

When a node that was a part of the Audit Store cluster was down or unregistered is started again, then it would already have the Audit Store configurations. Similarly, due to issues during an upgrade, a node might not complete the Audit Store cluster registration process. In this case, the node appears with an orange icon (). Register the node using the Register button to add the node to the Audit Store cluster.

Working with Audit Store roles

Mon, 01 Jan 0001 00:00:00 +0000

A node can have one role or multiple roles. A cluster needs at least one node with each role. Hence, roles of the node in a single-node cluster cannot be removed. Similarly, if the node is the last node in the cluster with a particular role, then the role cannot be removed. By default, all the nodes must have the master-eligible, data, and ingest roles:

Master-eligible: This is the master-eligible node. It is eligible to be elected as the master node that controls the Audit Store cluster. A minimum of 3 nodes with the master-eligible role are required in the cluster to make the Audit Store cluster stable and resilient. For mor iformation about the architecture, refer to the Logging architecture.
Data: This node holds data and can perform data-related operations. A minimum of 2 nodes with the data role are required in the Audit Store cluster to provide redundancy of data. Redundancy reduces data loss when a node goes down.
Ingest: This node processes logs received before the log is indexed for further storage and processing. A minimum of 2 nodes with the ingest role are required in the Audit Store cluster.

The Audit Store uses the following formula to determine the minimum number of nodes with the Master-eligible role that should be running in the cluster:

Working with Discover

Mon, 01 Jan 0001 00:00:00 +0000

For more information about Discover, refer to https://opensearch.org/docs/2.18/dashboards/.

Viewing logs

The logs aggregated and collected are sent to Insight. Insight stores the logs in the Audit Store. The logs from the Audit Store are displayed on the Audit Store Dashboards. Here, the different fields and the data logged is visible. In addition to viewing the data, these logs serve as input for Analytics to analyze the health of the system and to monitor the system for providing security.

Overview of the dashboards

Mon, 01 Jan 0001 00:00:00 +0000

Viewing the graphs provides an easier and faster method for reading the log information. This helps understand the working of the system and also take decisions faster, such as, understanding the processing load on the ESAs and accordingly expanding the cluster by adding nodes, if required.

For more information about the dashboards, navigate to https://opensearch.org/docs/2.18/dashboards/.

Accessing the Insight Dashboards

The Insight Dashboards appears on a separate tab from the ESA Web UI. However, it uses the same session as the ESA Web UI. Signing out from the ESA Web UI also signs out from the Insight Dashboards. Complete the steps provided here to view the Insight Dashboards.

Viewing the dashboards

Mon, 01 Jan 0001 00:00:00 +0000

The configuration of dashboards created in the earlier versions of Insight Dashboards are retained after the ESA is upgraded. Protegrity provides default dashboards with version 10.1.0. If the title of an existing dashboard matches the new dashboard provided by Protegrity, then a duplicate entry is visible. Use the date and time stamp to identify and rename the earlier dashboards. The Protector status interval is used for presenting the data on some dashboards. The information presented on the dashboard might not have the correct values if the interval is updated.

Viewing visualizations

Mon, 01 Jan 0001 00:00:00 +0000

The configuration of visualizations created in the earlier versions of the Audit Store Dashboards are retained after the ESA is upgraded. Protegrity provides default visualizations with version 10.1.0. If the title of an existing visualization matches the new visualization provided by Protegrity, then a duplicate entry is visible. Use the date and time stamp to identify and rename the existing visualizations.

Do not delete or modify the configuration or details of the visualizations provided by Protegrity. To customize the visualization, create a copy of the visualization and perform the customization on the copy of the visualization.

Viewing visualization templates

Mon, 01 Jan 0001 00:00:00 +0000

Do not delete or modify the configuration or details of the new visualizations provided by Protegrity. To customize the visualization, create a copy of the visualization and perform the customization on the copy of the visualization.