This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Working with Discover

View the logs that are stored in the Audit Store using Discover. The basics of the Discover and an overview of running queries on the Discover screen is provided here.

1: Understanding the Insight indexes
2: Understanding the index field values
3: Index entries
4: Log return codes
5: Protectors security log codes
6: Additional log information

For more information about Discover, refer to OpenSearch Dashboards.

Viewing logs

The logs aggregated and collected are sent to Insight. Insight stores the logs in the Audit Store. The logs from the Audit Store are displayed on the Insight Dashboard. Here, the different fields and the data logged is visible. In addition to viewing the data, these logs serve as input for Analytics to analyze the health of the system and to monitor the system for providing security.

View the logs by logging into the system and from the menu, select Discover, and select a time period such as Last 30 days.

Use the default index pty_insight_analytics*audits_* to view the log data. This default index pattern uses wildcard charaters for referencing all indexes. Alternatively, select an index pattern or alias for the entries to view the data from a different index.

After an index is deleted, the data associated with it is permanently removed, and without a backup, there is no way to recover it. For more information about indexes, refer to Managing indexes and OpenSearch Dashboards. For more information about managing Audit Store indexes, refer to Index state management (ISM).

Saved queries

Run a query and customize the log details displayed. Save the query and the settings for running a query, such as, the columns, row count, tail, and indexes for the query. The saved queries created are user-specific.

From Discover, click Open to use the following saved queries to view information:

Policy search: This query is available to view policy logs. A policy log is a created during the the policy creation, policy deployment, policy enforcement, and during the collection, storage, forwarding, and analysis of logs.
Security search: This query is available to view security operation logs. A security log is created during various security operations performed by protectors, such as, performing protect, unprotect, and reprotect operations.
Signature Verification Search: This query is available to view signature verification information.
Unsuccessful Security Operations: This query is available to view unsuccessful security operation-related logs. Unsuccessful Security Operations logs are created when security operations fail due to errors, warnings, or exceptions.

Log in to the Insight Dashboard using a web browser.
Select Discover from the menu, and optionally select a time period such as Last 30 days..
Select the index for running the query.
Enter the query in the Search field.
Optionally, select the required fields.
Click the See saved queries icon to save the query.
The Saved Queries list appears.
Click Save current query.
The Save query dialog box appears.
Specify a name for the query.
Click Save to save the query information, including the configurations specified, such as, the columns, row count, tail, indexes, and query.
The query is saved.
Click the See saved queries icon to view the saved queries.

1 - Understanding the Insight indexes

The contents of the various logs that are generated by the Protegrity products describe the working of the system. It helps understand the health of the system, identify issues, and help in troubleshooting.

All the features and Protectors send logs to Insight. The logs from the Audit Store are displayed on the Discover screen of the Insight Dashboard. Here, you can view the different fields logged. In addition to viewing the data, these logs serve as input for Insight to analyze the health of the system and to monitor the system for providing security. These logs are stored in the Audit index with the name, such as, pty_insight_analytics_audits_1.0*.

You can view the Discover screen by logging into the Insight Dashboard, selecting Discover from the menu, and selecting a time period such as Last 30 days.

The following table lists the various indexes and information about the data contained in the index. You can view the index list for PPC, by logging into the Insight Dashboard, and navigating to Index Management > State management policies. To view all the indexes, select Indexes. Indexes can be created or deleted. However, deleting an index will lead to a permanent loss of data in the index. If the index was not backed up earlier, then the logs from the index deleted cannot be recreated or retrieved.

Index Name	Description
.kibana_1	This is a system index created by the Audit Store. This hold information about the dashboards.
.opendistro-job-scheduler-lock	This is a system index created by the Audit Store. This hold information about the security, roles, mapping, and so on.
.opendistro_security	This is a system index created by the Audit Store. It contains information about the security configurations, users, roles, and permissions.
.plugins-ml-config	This is a system index created by the Audit Store
.ql-datasources	This is a system index created by the Audit Store.
pty_insight_analytics_anonymization_dashboard_1.0--000001	This index logs Data Anonymization dashboard and process tracking information.
pty_insight_analytics_audits_1.0--000001	This index logs the audit data for all the URP operations and the cluster logs. It also captures all logs with the log type protection, metering, audit, and security.
pty_insight_analytics_crons_1.0	This index logs information about the cron scheduler jobs.
pty_insight_analytics_crons_logs_1.0	This index logs for the cron scheduler when the jobs are executed.
pty_insight_analytics_discovery_dashboard_1.0--000001	This index logs Data Discovery dashboard and metadata information.
pty_insight_analytics_encryption_store_1.0	This index encrypts and stores the password specified for the jobs.
pty_insight_analytics_kvs_1.0	This is an internal index for storing the key-value type information.
pty_insight_analytics_miscellaneous_1.0--000001	This index logs entries that are not categorized in the other index files.
pty_insight_analytics_policy_1.0	This index logs information about the PPC policy. It is a system index created by the PPC.
pty_insight_analytics_policy_log_1.0--000001	This index logs for the PPC policy when the jobs are executed.
pty_insight_analytics_policy_status_dashboard_1.0-index	The index holds information about the policy of the protectors for the dashboard.
pty_insight_analytics_protector_status_dashboard_1.0-index	This index holds information about protectors for the dashboard.
pty_insight_analytics_protectors_status_1.0--000001	This index holds the status logs of protectors.
pty_insight_analytics_report_1.0	This index holds information for the reports created.
pty_insight_analytics_signature_verification_jobs_1.0	This index logs information about the signature verification jobs.
pty_insight_analytics_signature_verification_running_jobs_1.0	This index logs information about the signature verification jobs that are currently running.
pty_insight_analytics_troubleshooting_1.0--000001	This index logs the log type application, kernel, system, and verification.
top_queries-	This index logs the top and most frequent search queries and query analytics data.

2 - Understanding the index field values

This section lists information about the various fields logged for the Protection, Policy, Application, Audit, Kernel, Security, and Verification logs. It helps you understand the information that is contained in the logs and is useful for troubleshooting the system.

Common Logging Information

These logging fields are common with the different log types generated by Protegrity products.

Note: These common fields are used across all log types.

Field	Data Type	Description	Source	Example
cnt	Integer	The aggregated count for a specific log.	Protector	5
logtype	String	The type of log. For example, Protection, Policy, Application, Audit, Kernel, System, or Verification. For more examples about the log types, refer here.	Protector	Protection
level	String	The level of severity. For example, SUCCESS, WARNING, ERROR, or INFO. These are the results of the logging operation. For more information about the log levels, refer here.	Protector	SUCCESS
starttime	Date	This is an unused field.	Protector
endtime	Date	This is an unused field.	Protector
index_time_utc	Date	The time the log was inserted into the Audit Store.	Audit Store	Mar 8, 2025 @ 12:55:24.733
ingest_time_utc	Date	The time the Log Forwarder processed the logs.	Log Forwarder	Mar 8, 2025 @ 12:56:22.027
uri	String	The URI for the log. This is an unused field.
correlationid	String	A unique ID that is generated when the policy is deployed.	Hubcontroller	clo5nyx470bi59p22fdrsr7k3
filetype	String	This is the file type, such as, regular file, directory, or device, when operations are performed on the file. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector.	File Protector	ISDIR
index_node	String	The index node that ingested the log.	Audit Store	protegrity-ppc746/192.168.2.20
operation	String	This is an unused field.
path	String	This field is provided for Protector-related data.	File Protector	/hmount/source_dir/postmark_dir/postmark/1
system_nano_time	Long	This displays the time in nano seconds for the Signature Verification job.	Signature Verification	255073580723571
tiebreaker	Long	This is an internal field that is used with the index time to make a record unique across nodes for sorting.	Protector, Signature Verification	2590230
_id	String	This is the entry id for the record stored in the Audit Store.	Log Forwarder, td-agent	NDgyNzAwMDItZDI5Yi00NjU1LWJhN2UtNzJhNWRkOWYwOGY3
_index	String	This is the index name of the Audit Store where the log is stored.	Log Forwarder, td-agent	pty_insight_analytics_audits_10.0-2026.08.30-000001

Additional_Info

These descriptions are used for all types of logs.

Field	Data Type	Description	Source	Example
description	String	Description about the log generated.	All modules	Data protect operation was successful, Executing attempt_rollover for , and so on.
module	String	The module that generated the log.	All modules	.signature.job_runner
procedure	String	The method in the module that generated the log.	All modules	create_job
title	String	The title for the audit log.	Feature

Process

This section describes the properties of the process that created the log. For example, the protector or the rputils.

Field	Data Type	Description	Source	Example
thread_id	String	The thread_id of the process that generated the log.	PEP Server	3382487360
id	String	The id of the process that generated the log.	PEP Server	41710
user	String	The user that runs the program that generated the log.	All modules	service_admin
version	String	The version of the program or Protector that generated the log.	All modules	1.2.2+49.g126b2.1.2
platform	String	The platform that the program that generated the log is running on.	PEP Server	Linux_x64
module	String	The module that generated the log.	PPC, Protector	rpstatus
name	String	The name of the process that generated the log.	All modules	Protegrity PEP Server
pcc_version	String	The core pcc version.	PEP Server	3.4.0.20

Origin

This section describes the origin of the log, that is, from where the log came from and when it was generated.

Field	Data Type	Description	Source	Example
time_utc	Date	The time in the Coordinated Universal Time (UTC) format when the log was generated.	All modules	Mar 8, 2026 @ 12:56:29.000
hostname	String	The hostname of the machine where the log was generated.	All modules	ip-192-16-1-20.protegrity.com
ip	IP	The IP of the machine where the log was generated.	All modules	192.168.1.20

Protector

This section describes the Protector that generated the log. For example, the vendor and the version of the Protector.

Note: For more information about the Protector vendor, family, and version, refer here.

Field	Data Type	Description	Source	Example
vendor	String	The vendor of the Protector that generated the log. This is specified by the Protector.	Protector
family	String	The Protector family of the Protector that generated the logs. This is specified by the Protector. For more information about the family, refer here.	Protector	gwp
version	String	The version of the Protector that generated the logs. This is specified by the Protector.	Protector	1.2.2+49.g126b2.1.2
core_version	String	This is the Core component version of the product.	Protector	1.2.2+49.g126b2.1.2
pcc_version	String	This is the PCC version.	Protector	3.4.0.20

Protection

This section describes the protection that was done, what was done, the result of the operation, where it was done, and so on.

Field	Data Type	Description	Source	Example
policy	String	The name of the policy. This is only used in File Protector.	Protector	aes1-rcwd
role	String	This field is not used and will be deprecated.	Protector
datastore	String	The name of the datastore used for the security operation.	Protector	Testdatastore
audit_code	Integer	The return code for the operation. For more information about the return codes, refer to Log return codes.	Protector	6
session_id	String	The identifier for the session.	Protector
request_id	String	The ID of the request that generated the log.	Protector
old_dataelement	String	The old dataelement value before the reprotect to a new dataelement.	Protector	AES128
mask_setting	String	The mask setting used to protect data.	Protector	Mask Left:4 Mask Right:4 Mark Character:
dataelement	String	The dataelement used when protecting or unprotecting data. This is passed by the Protector performing the operation.	Protector	PTY_DE_CCN
operation	String	The operation, for example Protect, Unprotect, or Reprotect. This is passed in by the Protector performing the operation.	Protector	Protect
policy_user	String	The policy user for which the operation is being performed. This is passed in by the Protector performing the operation.	Protector	exampleuser1
devicepath	String	The path to the device. This is only used in File Protector.	Protector	/hmount/fuse_mount
filetype	String	The type of file that was protected or unprotected. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector.	Protector	ISREG
path	String	The path to the file protected or unprotected by the File Protector. This is only used in File Protector.	Protector	/testdata/src/ez/audit_log(13).csv

Client

This section describes from where the log came from.

Field	Data Type	Description	Source	Example
ip	String	The IP of the client that generated the log.	Protector	192.168.2.10
username	String	The username that ran the Protector or Server on the client that created the log.	Hubcontroller	johndoe

Policy

This section describes the information about the policy.

Field	Data Type	Description	Source	Example
audit_code	Integer	This is the policy audit code for the policy log.	PEP Server	198
policy_name	String	This is the policy name for the policy log.	PEP Server	AutomationPolicy
severity	String	This is the severity level for the policy log entry.	PEP Server	Low
username	String	This is the user who modified the policy.	PEP Server	johndoe

Signature

This section handles the signing of the log. The key that was used to sign the log and the actual checksum that was generated.

Field	Data Type	Description	Source	Example
key_id	String	The key ID of the signingkey that signed the log record.	Protector	cc93c930-2ba5-47e1-9341-56a8d67d55d4
checksum	String	The checksum that was the result of signing the log.	Protector	438FE13078719ACD4B8853AE215488ACF701ECDA2882A043791CDF99576DC0A0
counter	Double	This is the chain of custody value. It helps maintain the integrity of the log data.	Protector	50321

Verification

This section describes the log information generated for a failed signature verification job.

Field	Data Type	Description	Source	Example
doc_id	String	This is the document ID for the audit log where the signature verification failed.	Signature Verification	N2U2N2JkM2QtMDhmYy00OGJmLTkyOGYtNmRhYzhhMGExMTFh
index_name	String	This is the index name where the log signature verification failed.	Signature Verification	pty_insight_analytics_audits_10.0-2026.08.30-000001
job_id	String	This is the job ID of the signature verification job.	Signature Verification	1T2RaosBEEC_iPz-zPjl
job_name	String	This is the job name of the signature verification job.	Signature Verification	System Job
reason	String	This is the audit log specifying the reason of the signature verification failure.	Signature Verification	INVALID_CHECKSUM \| INVALID_KEY_ID \| NO_KEY_AND_DOC_UPDATED

3 - Index entries

The index configuration, samples, and entry descriptions describe help identify and analyze the log entries in the indexes.

Audit index

The log types of protection, metering, audit, and security are stored in the audit index. These log are generated during security operations. The logs generated by protectors are stored in the pty_insight_analytics_*audits* audit index.

Protection logs

These logs are generated by protectors during protecting, unprotecting, and reprotecting data operations. These logs are generated by protectors.

Use the following query in Discover to view these logs.

logtype:protection

A sample log is shown here:

 {
    "process": {
      "thread_id": "1227749696",
      "module": "coreprovider",
      "name": "java",
      "pcc_version": "3.6.0.1",
      "id": "4190",
      "user": "user4",
      "version": "10.0.0-alpha+13.gef09.10.0",
      "core_version": "2.1.0+17.gca723.2.1",
      "platform": "Linux_x64"
    },
    "level": "SUCCESS",
    "signature": {
      "key_id": "11a8b7d9-1621-4711-ace7-7d71e8adaf7c",
      "checksum": "43B6A4684810383C9EC1C01FF2C5CED570863A7DE609AE5A78C729A2EF7AB93A"
    },
    "origin": {
      "time_utc": "2024-09-02T13:55:17.000Z",
      "hostname": "hostname1234",
      "ip": "10.39.3.156"
    },
    "cnt": 1,
    "protector": {
      "vendor": "Java",
      "pcc_version": "3.6.0.1",
      "family": "sdk",
      "version": "10.0.0-alpha+13.gef09.10.0",
      "core_version": "2.1.0+17.gca723.2.1"
    },
    "protection": {
      "dataelement": "TE_A_S13_L1R2_Y",
      "datastore": "DataStore",
      "audit_code": 6,
      "operation": "Protect",
      "policy_user": "user1"
    },
    "index_node": "protegrity-ppc399/10.39.1.23",
    "tiebreaker": 210,
    "logtype": "Protection",
    "additional_info": {
      "description": "Data protect operation was successful"
    },
    "index_time_utc": "2024-09-02T13:55:24.766355224Z",
    "ingest_time_utc": "2024-09-02T13:55:17.678Z",
    "client": {},
    "correlationid": "cm0f1jlq700gbzb19cq65miqt"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-02T13:55:17.000Z"
    ],
    "index_time_utc": [
      "2024-09-02T13:55:24.766Z"
    ],
    "ingest_time_utc": [
      "2024-09-02T13:55:17.678Z"
    ]
  },
  "sort": [
    1725285317000
  ]

The above example contains the following information:

additional_info
origin
protector
protection
process
client
protector
signature

For more information about the various fields, refer here.

Metering logs

These logs are generated by protectors of prior to 8.0.0.0. These logs are not generated by latest protectors.

Use the following query in Discover to view these logs.

logtype:metering

For more information about the various fields, refer here.

Audit logs

These logs are generated when the rule set of the protector gets updated.

Use the following query in Discover to view these logs.

logtype:audit

A sample log is shown here:

 {
   "additional_info.description": "User admin modified default_80 tunnel successfully ",
   "additional_info.title": "Gateway : Tunnels : Tunnel 'default_80' Modified",
   "client.ip": "192.168.2.20",
   "cnt": 1,
   "index_node": "protegrity-ppc746/192.168.1.10",
   "index_time_utc": "2024-01-24T13:30:17.171646Z",
   "ingest_time_utc": "2024-01-24T13:29:35.000000000Z",
   "level": "Normal",
   "logtype": "Audit",
   "origin.hostname": "protegrity-cg406",
   "origin.ip": "192.168.2.20",
   "origin.time_utc": "2024-01-24T13:29:35.000Z",
   "process.name": "CGP",
   "process.user": "admin",
   "tiebreaker": 2260067,
   "_id": "ZTdhNzFmMTUtMWZlOC00MmY4LWJmYTItMjcwZjMwMmY4OGZh",
   "_index": "pty_insight_audit_v9.1-2024.01.23-000006"
 }

This example includes data from each of the following groups defined in the index:

additional_info
client
origin
process

For more information about the various fields, refer here.

Security logs

These logs are generated by security events of the system.

Use the following query in Discover to view these logs.

logtype:security

For more information about the various fields, refer here.

Troubleshooting index

The log types of application, kernel, system, and verification logs are stored in the troubleshooting index. These logs helps you understand the working of the system. The logs stored in this index are essential when the system is down or has issues. This is the pty_insight_analytics_troubleshooting index. The index pattern for viewing these logs in Discover is pty_insight_analytics_*troubleshooting_*.

Application Logs

These logs are generated by Protegrity servers and Protegrity applications.

Use the following query in Discover to view these logs.

logtype:application

A sample log is shown here:

{
    "process": {
      "name": "hubcontroller"
    },
    "level": "INFO",
    "origin": {
      "time_utc": "2024-09-03T10:02:34.597000000Z",
      "hostname": "protegrity-ppc503",
      "ip": "10.37.4.12"
    },
    "cnt": 1,
    "index_node": "protegrity-ppc503/10.37.4.12",
    "tiebreaker": 16916,
    "logtype": "Application",
    "additional_info": {
      "description": "GET /dps/v1/deployment/datastores | 304 | 127.0.0.1 | Protegrity Client | 8ms | "
    },
    "index_time_utc": "2024-09-03T10:02:37.314521452Z",
    "ingest_time_utc": "2024-09-03T10:02:36.262628342Z",
    "correlationid": "cm0m9gjq500ig1h03zwdv6kok"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:02:34.597Z"
    ],
    "index_time_utc": [
      "2024-09-03T10:02:37.314Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:02:36.262Z"
    ]
  },
  "highlight": {
    "logtype": [
      "@opensearch-dashboards-highlighted-field@Application@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1725357754597
  ]

The above example contains the following information:

additional_info
origin
process

For more information about the various fields, refer here.

Kernel logs

These logs are generated by the kernel and help you analyze the working of the internal system. Some of the modules that generate these logs are CRED_DISP, KERNEL, USER_CMD, and so on.

Use the following query in Discover to view these logs.

logtype:Kernel

For more information and description about the components that can generate kernel logs, refer here.

For a list of components and modules and the type of logs they generate, refer here.

A sample log is shown here:

{
    "process": {
      "name": "CRED_DISP"
    },
    "origin": {
      "time_utc": "2024-09-03T10:02:55.059999942Z",
      "hostname": "protegrity-ppc503",
      "ip": "10.37.4.12"
    },
    "cnt": "1",
    "index_node": "protegrity-ppc503/10.37.4.12",
    "tiebreaker": 16964,
    "logtype": "Kernel",
    "additional_info": {
      "module": "pid=38236",
      "description": "auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_rootok acct=\"rabbitmq\" exe=\"/usr/sbin/runuser\" hostname=? addr=? terminal=? res=success'\u001dUID=\"root\" AUID=\"unset\"",
      "procedure": "uid=0"
    },
    "index_time_utc": "2024-09-03T10:02:59.315734771Z",
    "ingest_time_utc": "2024-09-03T10:02:55.062254541Z"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:02:55.059Z"
    ],
    "index_time_utc": [
      "2024-09-03T10:02:59.315Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:02:55.062Z"
    ]
  },
  "highlight": {
    "logtype": [
      "@opensearch-dashboards-highlighted-field@Kernel@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1725357775059
  ]

This example includes data from each of the following groups defined in the index:

additional_info
origin
process

For more information about the various fields, refer here.

System logs

These logs are generated by the operating system and help you analyze and troubleshoot the system when errors are found.

Use the following query in Discover to view these logs.

logtype:System

For a list of components and modules and the type of logs they generate, refer here.

A sample log is shown here:

 {
    "process": {
      "name": "PPCPAP",
      "version": "10.0.0+2412",
      "user": "admin"
    },
    "level": "Low",
    "origin": {
      "time_utc": "2024-09-03T10:00:34.000Z",
      "hostname": "protegrity-ppc503",
      "ip": "10.37.4.12"
    },
    "cnt": "1",
    "index_node": "protegrity-ppc503/10.37.4.12",
    "tiebreaker": 16860,
    "logtype": "System",
    "additional_info": {
      "description": "License is due to expire in 30 days. The validity of license has been acknowledged by the user. (web-user 'admin' , IP: '10.87.2.32')",
      "title": "Appliance Info : License is due to expire in 30 days. The validity of license has been acknowledged by the user. (web-user 'admin' , IP: '10.87.2.32')"
    },
    "index_time_utc": "2024-09-03T10:01:10.113708469Z",
    "client": {
      "ip": "10.37.4.12"
    },
    "ingest_time_utc": "2024-09-03T10:00:34.000000000Z"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:00:34.000Z"
    ],
    "index_time_utc": [
      "2024-09-03T10:01:10.113Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:00:34.000Z"
    ]
  },
  "highlight": {
    "logtype": [
      "@opensearch-dashboards-highlighted-field@System@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1725357634000
  ]

This example includes data from each of the following groups defined in the index:

additional_info
origin
process

For more information about the various fields, refer here.

Verification logs

These log are generated by Insight on when a signature verification fails.

Use the following query in Discover to view these logs.

logtype:Verification

For a list of components and modules and the type of logs they generate, refer here.

A sample log is shown here:

{
    "process": {
      "name": "insight.pyc",
      "id": 45277
    },
    "level": "Info",
    "origin": {
      "time_utc": "2024-09-03T10:14:03.120342Z",
      "hostname": "protegrity-ppc503",
      "ip": "10.37.4.12"
    },
    "cnt": 1,
    "index_node": "protegrity-ppc503/10.37.4.12",
    "tiebreaker": 17774,
    "logtype": "Verification",
    "additional_info": {
      "module": ".signature.job_executor",
      "description": "",
      "procedure": "__log_failure"
    },
    "index_time_utc": "2024-09-03T10:14:03.128435514Z",
    "ingest_time_utc": "2024-09-03T10:14:03.120376Z",
    "verification": {
      "reason": "SV_VERIFY_RESPONSES.INVALID_CHECKSUM",
      "job_name": "System Job",
      "job_id": "9Vq1opEBYpV14mHXU9hW",
      "index_name": "pty_insight_analytics_audits_10.0-2024.08.30-000001",
      "doc_id": "JI5bt5EBMqY4Eog-YY7C"
    }
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:14:03.120Z"
    ],
    "index_time_utc": [
      "2024-09-03T10:14:03.128Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:14:03.120Z"
    ]
  },
  "highlight": {
    "logtype": [
      "@opensearch-dashboards-highlighted-field@Verification@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1725358443120
  ]

This example includes data from each of the following groups defined in the index:

additional_info
process
origin
verification

For more information about the various fields, refer here.

Policy log index

The log type of policy is stored in the policy log index. They include logs for the policy-related operations, such as, when the policy is updated. The index pattern for viewing these logs in Discover is pty_insight_analytics_*policy_log_*.

Use the following query in Discover to view these logs.

logtype:policyLog

For a list of components and modules and the type of logs they generate, refer here.

A sample log is shown here:

{
    "process": {
      "name": "hubcontroller",
      "user": "service_admin",
      "version": "1.8.0+6.g5e62d8.1.8"
    },
    "level": "Low",
    "origin": {
      "time_utc": "2024-09-03T08:29:14.000000000Z",
      "hostname": "protegrity-ppc503",
      "ip": "10.37.4.12"
    },
    "cnt": 1,
    "index_node": "protegrity-ppc503/10.37.4.12",
    "tiebreaker": 10703,
    "logtype": "Policy",
    "additional_info": {
      "description": "Data element created. (Data Element 'TE_LASCII_L2R1_Y' created)"
    },
    "index_time_utc": "2024-09-03T08:30:31.358367506Z",
    "client": {
      "ip": "10.87.2.32",
      "username": "admin"
    },
    "ingest_time_utc": "2024-09-03T08:29:30.017906235Z",
    "correlationid": "cm0m64iap009r1h0399ey6rl8",
    "policy": {
      "severity": "Low",
      "audit_code": 150
    }
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T08:29:14.000Z"
    ],
    "index_time_utc": [
      "2024-09-03T08:30:31.358Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T08:29:30.017Z"
    ]
  },
  "highlight": {
    "additional_info.description": [
      "(Data Element '@opensearch-dashboards-highlighted-field@DE@/opensearch-dashboards-highlighted-field@' created)"
    ]
  },
  "sort": [
    1725352154000
  ]

The example contains the following information:

additional_info
origin
policy
process

For more information about the various fields, refer here.

Policy Status Dashboard index

The policy status dashboard index contains information for the Policy Status Dashboard. It holds the policy and trusted application deployment status information. The index pattern for viewing these logs in Discover is pty_insight_analytics*policy_status_dashboard_*.

{
    "logtype": "Status",
    "process": {
      "thread_id": "2458884416",
      "module": "rpstatus",
      "name": "java",
      "pcc_version": "3.6.0.1",
      "id": "2852",
      "user": "root",
      "version": "10.0.0-alpha+13.gef09.10.0",
      "core_version": "2.1.0+17.gca723.2.1",
      "platform": "Linux_x64"
    },
    "origin": {
      "time_utc": "2024-09-03T10:24:19.000Z",
      "hostname": "ip-10-49-2-49.ec2.internal",
      "ip": "10.49.2.49"
    },
    "cnt": 1,
    "protector": {
      "vendor": "Java",
      "datastore": "DataStore",
      "family": "sdk",
      "version": "10.0.0-alpha+13.gef09.10.0"
    },
    "ingest_time_utc": "2024-09-03T10:24:19.510Z",
    "status": {
      "core_correlationid": "cm0f1jlq700gbzb19cq65miqt",
      "package_correlationid": "cm0m1tv5k0019te89e48tgdug"
    },
    "policystatus": {
      "type": "TRUSTED_APP",
      "application_name": "APJava_sample",
      "deployment_or_auth_time": "2024-09-03T10:24:19.000Z",
      "status": "WARNING"
    }
  },
  "fields": {
    "policystatus.deployment_or_auth_time": [
      "2024-09-03T10:24:19.000Z"
    ],
    "origin.time_utc": [
      "2024-09-03T10:24:19.000Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:24:19.510Z"
    ]
  },
  "sort": [
    1725359059000
  ]

The example contains the following information:

additional_info
origin
protector
policystatus
policy
process

Protectors status index

The protector status logs generated by protectors are stored in this index. The index pattern for viewing these logs in Discover is pty_insight_analytics_protectors_status_*.

Use the following query in Discover to view these logs.

logtype:status

A sample log is shown here:

{
   "logtype":"Status",
   "process":{
      "thread_id":"2559813952",
      "module":"rpstatus",
      "name":"java",
      "pcc_version":"3.6.0.1",
      "id":"1991",
      "user":"root",
      "version":"10.0.0.2.91.5ec4b8b",
      "core_version":"2.1.0-alpha+24.g7fc71.2.1",
      "platform":"Linux_x64"
   },
   "origin":{
      "time_utc":"2024-07-30T07:22:41.000Z",
      "hostname":"ip-10-39-3-218.ec2.internal",
      "ip":"10.39.3.218"
   },
   "cnt":1,
   "protector":{
      "vendor":"Java",
      "datastore":"PPC-10.39.2.7",
      "family":"sdk",
      "version":"10.0.0.2.91.5ec4b8b"
   },
   "ingest_time_utc":"2024-07-30T07:22:41.745Z",
   "status":{
      "core_correlationid":"clz79lc2o004jmb29neneto8k",
      "package_correlationid":"clz82ijw00037k790oxlnjalu"
   }
}

The example contains the following information:

additional_info
origin
policy
protector

Protector Status Dashboard index

The protector status dashboard index contains information for the Protector Status Dashboard. It holds the protector status information. The index pattern for viewing these logs in Discover is pty_insight_analytics*protector_status_dashboard_.

A sample log is shown here:

{
    "logtype": "Status",
    "process": {
      "thread_id": "2458884416",
      "module": "rpstatus",
      "name": "java",
      "pcc_version": "3.6.0.1",
      "id": "2852",
      "user": "root",
      "version": "10.0.0-alpha+13.gef09.10.0",
      "core_version": "2.1.0+17.gca723.2.1",
      "platform": "Linux_x64"
    },
    "origin": {
      "time_utc": "2024-09-03T10:24:19.000Z",
      "hostname": "ip-10-49-2-49.ec2.internal",
      "ip": "10.49.2.49"
    },
    "cnt": 1,
    "protector": {
      "vendor": "Java",
      "datastore": "DataStore",
      "family": "sdk",
      "version": "10.0.0-alpha+13.gef09.10.0"
    },
    "ingest_time_utc": "2024-09-03T10:24:19.510Z",
    "status": {
      "core_correlationid": "cm0f1jlq700gbzb19cq65miqt",
      "package_correlationid": "cm0m1tv5k0019te89e48tgdug"
    },
    "protector_status": "Warning"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:24:19.000Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:24:19.510Z"
    ]
  },
  "sort": [
    1725359059000
  ]

The example contains the following information:

additional_info
origin
protector
process

Miscellaneous index

The logs that are not added to the other indexes are captured and stored in the miscellaneous index. The index pattern for viewing these logs in Discover is pty_insight_analytics_miscellaneous_*.

This index should not contain any logs. If any logs are visible in this index, then kindly contact Protegrity support.

Use the following query in Discover to view these logs.

logtype:miscellaneous;

4 - Log return codes

The log codes and the descriptions help you understand the reason for the code and is useful during troubleshooting.

Return Code	Description
0	Error code for no logging
1	The username could not be found in the policy
2	The data element could not be found in the policy
3	The user does not have the appropriate permissions to perform the requested operation
4	Tweak is null
5	Integrity check failed
6	Data protect operation was successful
7	Data protect operation failed
8	Data unprotect operation was successful
9	Data unprotect operation failed
10	The user has appropriate permissions to perform the requested operation but no data has been protected/unprotected
11	Data unprotect operation was successful with use of an inactive keyid
12	Input is null or not within allowed limits
13	Internal error occurring in a function call after the provider has been opened
14	Failed to load data encryption key
15	Tweak input is too long
16	The user does not have the appropriate permissions to perform the unprotect operation
17	Failed to initialize the PEP: this is a fatal error
19	Unsupported tweak action for the specified fpe data element
20	Failed to allocate memory
21	Input or output buffer is too small
22	Data is too short to be protected/unprotected
23	Data is too long to be protected/unprotected
24	The user does not have the appropriate permissions to perform the protect operation
25	Username too long
26	Unsupported algorithm or unsupported action for the specific data element
27	Application has been authorized
28	Application has not been authorized
29	The user does not have the appropriate permissions to perform the reprotect operation
30	Not used
31	Policy not available
32	Delete operation was successful
33	Delete operation failed
34	Create operation was successful
35	Create operation failed
36	Manage protection operation was successful
37	Manage protection operation failed
38	Not used
39	Not used
40	No valid license or current date is beyond the license expiration date
41	The use of the protection method is restricted by license
42	Invalid license or time is before license start
43	Not used
44	The content of the input data is not valid
45	Not used
46	Used for z/OS query default data element when policy name is not found
47	Access key security groups not found
48	Not used
49	Unsupported input encoding for the specific data element
50	Data reprotect operation was successful
51	Failed to send logs, connection refused
52	Return code used by bulkhandling in pepproviderauditor

5 - Protectors security log codes

The log codes and the descriptions for all protectors. This log information helps analyze the results of the protection operations.

The security logging level can be configured when a data security policy is created in the Policy management in PPC. If logging level is set to audit successful and audit failed, then both successful and failed Unprotect/Protect/Reprotect/Delete operations will be logged.

You can define the server where these security audit logs will be sent to. You can do that by modifying the Log Server configuration section in pepserver.cfg file.

If you configure to send protector security logs to the PPC, you will be able view them in Discover, by logging into the Insight Dashboard, selecting Discover from the menu, and selecting a time period such as Last 30 days. The following table displays the logs sent by protectors.

Log Code	Severity	Description	Error Message	DB / AP Operations	MSSQL	Teradata	Oracle	DB2	XC API Definitions	Recovery Actions
0	S	Internal ID when audit record should not be generated.	-	-	-	-	-	-	XC_LOG_NONE	No action is required.
1	W	The username could not be found in the policy in shared memory.	No such user	URPD	1	01H01 or U0001	20101	38821	XC_LOG_USER_NOT_FOUND	Verify that the user that calls a PTY function is in the policy. Ensure that your policy is synchronized across all Teradata nodes. Make sure that the PPC connectivity information is correct in the pepserver.cfg file.
2	W	The data element could not be found in the policy in shared memory.	No such data element	URPD	2	U0002	20102	38822	XC_LOG_DATA_ELEMENT_NOT_FOUND	Verify that you are calling a PTY function with data element that exists in the policy.
3	W	The data element was found, but the user does not have the appropriate permissions to perform the requested operation.	Permission denied	URPD	3	01H03 or U0003	20103	38823	XC_LOG_PERMISSION_DENIED	Verify that you are calling a PTY function with a user having access permissions to perform this operation according to the policy.
4	E	Tweak is null.	Tweak null	URPD	4	01H04 or U0004	20104	38824	XC_LOG_TWEAK_NULL	Ensure that the tweak is not a null value.
5	W	The data integrity check failed when decrypting using a Data Element with CRC enabled.	Integrity check failed	U—	5	U0005	20105	38825	XC_LOG_INTEGRITY_CHECK_FAILED	Check that you use the correct data element to decrypt. Check that your data was not corrupted, restore data from the backup.
6	S	The data element was found, and the user has the appropriate permissions for the operation. Data protection was successful.		-RP-	6	U0006	20106	38826	XC_LOG_PROTECT_SUCCESS	No action is required.
7	W	The data element was found, and the user has the appropriate permissions for the operation. Data protection was NOT successful.		-RP-	7	U0007	20107	38827	XC_LOG_PROTECT_FAILED	Failed to create Key ID crypto context. Verify that your data is not corrupted and you use valid combination of input data and data element to encrypt.
8	S	The data element was found, and the user has the appropriate permissions for the operation. Data unprotect operation was successful. If mask was applied to the DE, then the appropriate record is added to the audit log description.		U—	8	U0008	20108	38828	XC_LOG_UNPROTECT_SUCCESS	No action is required.
9	W	The data element was found, and the user has the appropriate permissions for the operation. Data unprotect operation was NOT successful.		U—	9	U0009	20109	38829	XC_LOG_UNPROTECT_FAILED	Failure to decrypt data with Key ID by data element without Key ID. Verify that your data is not corrupted and you use valid combination of input data and data element to decrypt.
10	S	Policy check OK. The data element was found, and the user has the appropriate permissions for the operation. NO protection operation is done.		—D	10	U0010	20110	38830	XC_LOG_OK_ACCESS	No action is required. Successful DELETE operation was performed.
11	W	The data element was found, and the user has the appropriate permissions for the operation. Data unprotect operation was successful with use of an inactive key ID.		U—	11	U0011	20111	38831	XC_LOG_INACTIVE_KEYID_USED	No action is required. Successful UNPROTECT operation was performed.
12	E	Input parameters are either NULL or not within allowed limits.		URPD	12	U0012	20112	38832	XC_LOG_INVALID_PARAM	Verify the input parameters are correct.
13	E	Internal error occurring in a function call after the PEP Provider has been opened. For instance: - failed to get mutex/semaphore, - unexpected null parameter in internal (private) functions, - uninitialized provider, etc.		URPD	13	U0013	20113	38833	XC_LOG_INTERNAL_ERROR	Restart PEP Server and re-deploy the policy.
14	W	A key for a data element could not be loaded from shared memory into the crypto engine.	Failed to load data encryption key - Cache is full, or Failed to load data encryption key - No such key, or Failed to load data encryption key - Internal error.	URP-	14	U0014	20114	38834	XC_LOG_LOAD_KEY_FAILED	If return message is ‘Cache is full’, then logoff and logon again, clear the session and cache. For all other return messages restart PEP Server and re-deploy the policy.
15		Tweak input is too long.
16		The user does not have the appropriate permissions to perform the unprotect operation.
17	E	A fatal error was encountered when initializing the PEP.		URPD	17	U0017	20117	38837	XC_LOG_INIT_FAILED	Re-install the protector, re-deploy policy.
19		Unsupported tweak action for the specified fpe data element.
20	E	Failed to allocate memory.		URPD	20	U0020	20120	38840	XC_LOG_OUT_OF_MEMORY	Check what uses the memory on the server.
21	W	Supplied input or output buffer is too small.	Buffer too small	URPD	21	U0021	20121	38841	XC_LOG_BUFFER_TOO_SMALL	Token specific error about supplied buffers. Data expands too much, using non-length preserving Token element. Check return message for specific error, and verify you use correct combination of data type (encoding), and token element. Verify supported data types according to Protegrity Protection Methods Reference 7.2.1.
22	W	Data is too short to be protected or unprotected. E.g. Too few characters were provided when tokenizing with a length-preserving token element.	Input too short	URPD	22	U0022	20122	38842	XC_LOG_INPUT_TOO_SHORT	Provide the longer input data.
23	W	Data is too long to be protected or unprotected. E.g. Too many characters were provided.	Input too long	URPD	23	U0023	20123	38843	XC_LOG_INPUT_TOO_LONG	Provide the shorter input data.
24		The user does not have the appropriate permissions to perform the protect operation.
25	W	Unauthorized Username too long.	Username too long.	UPRD	-	U0025	-	-		Run query by user with Username up to 255 characters long.
26	E	Unsupported algorithm or unsupported action for the specific data element or unsupported policy version. For example, unprotect using HMAC data element.		URPD	26	U0026	20126	38846	XC_LOG_UNSUPPORTED	Check the data elements used for the crypto operation. Note that HMAC data elements cannot be used for decrypt and re-encrypt operations.
27		Application has been authorized.
28		Application has not been authorized.
29		The JSON type is not serializable.
30	W	Failed to save audit record in shared memory.	Failed to save audit record	URPD	30	U0030	20130	38850	XC_LOG_AUDITING_FAILED	Check if PEP Server is started.
31	E	The policy shared memory is empty.	Policy not available	URPD	31	U0031	20131	38851	XC_LOG_EMPTY_POLICY	No policy is deployed on PEP Server.
32		Delete operation was successful.
33		Delete operation failed.
34		Create operation was successful.
35		Create operation failed.
36		Manage protection operation was successful.
37		Manage protection operation failed.
39	E	The policy in shared memory is locked. This is the result of a disk full alert.	Policy locked	URPD	39	U0039	20139	38859	XC_LOG_POLICY_LOCKED	Fix the disk space and restart the PEP Server.
40	E	No valid license or current date is beyond the license expiration date.	License expired	-RP-	40	U0040	20140	38860	XC_LOG_LICENSE_EXPIRED	PPC System Administrator should request and obtain a new license. Re-deploy policy with renewed license.
41	E	The use of the protection method is restricted by the license.	Protection method restricted by license.	URPD	41	U0041	20141	38861	XC_LOG_METHOD_RESTRICTED	Perform the protection operation with the protection method that is not restricted by the license. Request license with desired protection method enabled.
42	E	Invalid license or time is before license start time.	License is invalid.	URPD	42	U0042	20142	38862	XC_LOG_LICENSE_INVALID	PPC System Administrator should request and obtain a new license. Re-deploy policy with renewed license.
44	W	Content of the input data to protect is not valid (e.g. for Tokenization). E.g. Input is alphabetic when it is supposed to be numeric.	Invalid format	-RP-	44	U0044	20144	38864	XC_LOG_INVALID_FORMAT	Verify the input data is of the supported alphabet for specified type of token element.
46	E	Used for z/OS Query Default Data element when policy name is not found.	No policy. Cannot Continue.		46	n/a	n/a	n/a	XC_LOG_INVALID_POLICY	Specify the valid policy. Policy name is case sensitive.
47		Access Key security groups not found.
48		Rule Set not found.
49		Unsupported input encoding for the specific data element.
50	S	The data element was found, and the user has the appropriate permissions for the operation. The data Reprotect operation is successful.		-R-	n/a	n/a	n/a	n/a		No action is required. Successful REPROTECT operation was performed.
51		Failed to send logs, connection refused!

6 - Additional log information

The descriptions for the details diaplayed in logs helps identify the type and reason for raising the log entry.

These are values for understanding the values that are displayed in the log records.

Log levels

Most events on the system generate logs. The level of the log helps you understand whether the log is just an information message or denotes some issue with the system. The log message and the log level allows you to understand more about the working of the system and also helps you identify and troubleshoot any system issues.

Protection logs: These logs are generated for Unprotect, Reprotect, and Protect (URP) operations.

SUCCESS: This log is generated for a successful URP operation.
WARNING: This log is generated if a user does not have access and the operation is unprotect.
EXCEPTION: This log is generated if a user does not have access, the operation is unprotect, and the return exception property is set.
ERROR: This log is generated for all other issues.

Application logs: These logs are generated by the application. The log level denotes the severity level of the log, however, levels 1 and 6 are used for the log configuration.

1: OFF. This level is used to turn logging off.
2: SEVERE. This level indicates a serious failure that prevents normal program execution.
3: WARNING. This level indicates a potential problem or an issue with the system.
4: INFO. This level is used to display information messages about the application.
5: CONFIG. This level is used to display static configuration information that is useful during debugging.
6: ALL. This level is used to log all messages.

Policy logs: These logs are used for the policy logs.

LOWEST
LOW
NORMAL
HIGH
CRITICAL
N/A

Protector information

The information displayed in the Protector-related fields of the audit log are listed in the table.

protector.family	protector.vendor	protector.version

APPLICATION PROTECTORS
sdk	C	9.1.0.0.x
sdk	Java	10.0.0+x, 9.1.0.0.x
sdk	Python	9.1.0.0.x
sdk	Go	9.1.0.0.x
sdk	NodeJS	9.1.0.0.x
sdk	DotNet	9.1.0.0.x

TRUSTED APPLICATION LOGS IN APPLICATION PROTECTORS
<process.name>	C	9.1.0.0.x
<process.name>	Java	9.1.0.0.x
<process.name>	Python	9.1.0.0.x
<process.name>	Go	9.1.0.0.x
<process.name>	NodeJS	9.1.0.0.x
<process.name>	DotNet	9.1.0.0.x

DATABASE PROTECTOR
dbp	SqlServer	9.1.0.0.x
dbp	Oracle	9.1.0.0.x
dbp	Db2	9.1.0.0.x
dwp	Teradata	10.0.0+x, 9.1.0.0.x
dwp	Exadata	9.1.0.0.x

BIG DATA PROTECTOR
bdp	Impala	9.2.0.0.x, 9.1.0.0.x
bdp	Mapreduce	9.2.0.0.x, 9.1.0.0.x
bdp	Pig	9.2.0.0.x, 9.1.0.0.x
bdp	HBase	9.2.0.0.x, 9.1.0.0.x
bdp	Hive	9.2.0.0.x, 9.1.0.0.x
bdp	Spark	9.2.0.0.x, 9.1.0.0.x
bdp	SparkSQL	9.2.0.0.x, 9.1.0.0.x

All Protectors displayed here may not be compatible with this release. Refer to your contract for compatible products.

Modules and components and the log type

Some of the components and modules and the logtype that they generate are provided in the following table.

Module / Component	Application	System
as_image_management.pyc	✓
as_memory_management.pyc	✓
asmanagement.pyc	✓
buffer_watch.pyc	✓
devops	✓
PPCPAP		✓
fluentbit	✓
hubcontroller	✓
imps	✓
insight.pyc	✓
insight_cron_executor.pyc	✓
insight_cron_job_method_executor.pyc	✓
kmgw_external	✓
kmgw_internal	✓
logfacade	✓
membersource	✓
meteringfacade	✓
PIM_Cluster	✓
Protegrity PEP Server	✓
TRIGGERING_AGENT_policy_deploy.pyc	✓

For more information and description about the components that can generate kernel logs, refer here.

Kernel logs

This section lists the various kernel logs that are generated.

Note: This list is compiled using information from https://pmhahn.github.io/audit/.

User and group account management:

ADD_USER: A user-space user account is added.
USER_MGMT: The user-space management data.
USER_CHAUTHTOK: A user account attribute is modified.
DEL_USER: A user-space user is deleted.
ADD_GROUP: A user-space group is added.
GRP_MGMT: The user-space group management data.
GRP_CHAUTHTOK: A group account attribute is modified.
DEL_GROUP: A user-space group is deleted.

User login live cycle events:

CRYPTO_KEY_USER: The cryptographic key identifier used for cryptographic purposes.
CRYPTO_SESSION: The parameters set during a TLS session establishment.
USER_AUTH: A user-space authentication attempt is detected.
LOGIN: The user log in to access the system.
USER_CMD: A user-space shell command is executed.
GRP_AUTH: The group password is used to authenticate against a user-space group.
CHUSER_ID: A user-space user ID is changed.
CHGRP_ID: A user-space group ID is changed.
Pluggable Authentication Modules (PAM) Authentication:
- USER_LOGIN: A user logs in.
- USER_LOGOUT: A user logs out.
PAM account:
- USER_ERR: A user account state error is detected.
- USER_ACCT: A user-space user account is modified.
- ACCT_LOCK: A user-space user account is locked by the administrator.
- ACCT_UNLOCK: A user-space user account is unlocked by the administrator.
PAM session:
- USER_START: A user-space session is started.
- USER_END: A user-space session is terminated.
Credentials:
- CRED_ACQ: A user acquires user-space credentials.
- CRED_REFR: A user refreshes their user-space credentials.
- CRED_DISP: A user disposes of user-space credentials.

Linux Security Model events:

DAC_CHECK: The record discretionary access control (DAC) check results.
MAC_CHECK: The user space Mandatory Access Control (MAC) decision is made.
USER_AVC: A user-space AVC message is generated.
USER_MAC_CONFIG_CHANGE:
SELinux Mandatory Access Control:
- AVC_PATH: dentry and vfsmount pair when an SELinux permission check.
- AVC: SELinux permission check.
- FS_RELABEL: file system relabel operation is detected.
- LABEL_LEVEL_CHANGE: object’s level label is modified.
- LABEL_OVERRIDE: administrator overrides an object’s level label.
- MAC_CONFIG_CHANGE: SELinux Boolean value is changed.
- MAC_STATUS: SELinux mode (enforcing, permissive, off) is changed.
- MAC_POLICY_LOAD: SELinux policy file is loaded.
- ROLE_ASSIGN: administrator assigns a user to an SELinux role.
- ROLE_MODIFY: administrator modifies an SELinux role.
- ROLE_REMOVE: administrator removes a user from an SELinux role.
- SELINUX_ERR: internal SELinux error is detected.
- USER_LABELED_EXPORT: object is exported with an SELinux label.
- USER_MAC_POLICY_LOAD: user-space daemon loads an SELinux policy.
- USER_ROLE_CHANGE: user’s SELinux role is changed.
- USER_SELINUX_ERR: user-space SELinux error is detected.
- USER_UNLABELED_EXPORT: object is exported without SELinux label.
- AppArmor Mandatory Access Control:
  - APPARMOR_ALLOWED
  - APPARMOR_AUDIT
  - APPARMOR_DENIED
  - APPARMOR_ERROR
  - APPARMOR_HINT
  - APPARMOR_STATUS APPARMOR

Audit framework events:

KERNEL: Record the initialization of the Audit system.
CONFIG_CHANGE: The Audit system configuration is modified.
DAEMON_ABORT: An Audit daemon is stopped due to an error.
DAEMON_ACCEPT: The auditd daemon accepts a remote connection.
DAEMON_CLOSE: The auditd daemon closes a remote connection.
DAEMON_CONFIG: An Audit daemon configuration change is detected.
DAEMON_END: The Audit daemon is successfully stopped.
DAEMON_ERR: An auditd daemon internal error is detected.
DAEMON_RESUME: The auditd daemon resumes logging.
DAEMON_ROTATE: The auditd daemon rotates the Audit log files.
DAEMON_START: The auditd daemon is started.
FEATURE_CHANGE: An Audit feature changed value.

Networking related:

IPSec:
- MAC_IPSEC_ADDSA
- MAC_IPSEC_ADDSPD
- MAC_IPSEC_DELSA
- MAC_IPSEC_DELSPD
- MAC_IPSEC_EVENT: The IPSec event, when one is detected, or when the IPSec configuration changes.
NetLabel:
- MAC_CALIPSO_ADD: The NetLabel CALIPSO DoI entry is added.
- MAC_CALIPSO_DEL: The NetLabel CALIPSO DoI entry is deleted.
- MAC_MAP_ADD: A new Linux Security Module (LSM) domain mapping is added.
- MAC_MAP_DEL: An existing LSM domain mapping is added.
- MAC_UNLBL_ALLOW: An unlabeled traffic is allowed.
- MAC_UNLBL_STCADD: A static label is added.
- MAC_UNLBL_STCDEL: A static label is deleted.
Message Queue:
- MQ_GETSETATTR: The mq_getattr and mq_setattr message queue attributes.
- MQ_NOTIFY: The arguments of the mq_notify system call.
- MQ_OPEN: The arguments of the mq_open system call.
- MQ_SENDRECV: The arguments of the mq_send and mq_receive system calls.
Netfilter firewall:
- NETFILTER_CFG: The Netfilter chain modifications are detected.
- NETFILTER_PKT: The packets traversing Netfilter chains.
Commercial Internet Protocol Security Option:
- MAC_CIPSOV4_ADD: A user adds a new Domain of Interpretation (DoI).
- MAC_CIPSOV4_DEL: A user deletes an existing DoI.

Linux Cryptography:

CRYPTO_FAILURE_USER: A decrypt, encrypt, or randomize cryptographic operation fails.
CRYPTO_IKE_SA: The Internet Key Exchange Security Association is established.
CRYPTO_IPSEC_SA: The Internet Protocol Security Association is established.
CRYPTO_LOGIN: A cryptographic officer login attempt is detected.
CRYPTO_LOGOUT: A cryptographic officer logout attempt is detected.
CRYPTO_PARAM_CHANGE_USER: A change in a cryptographic parameter is detected.
CRYPTO_REPLAY_USER: A replay attack is detected.
CRYPTO_TEST_USER: The cryptographic test results as required by the FIPS-140 standard.

Process:

BPRM_FCAPS: A user executes a program with a file system capability.
CAPSET: Any changes in process-based capabilities.
CWD: The current working directory.
EXECVE; The arguments of the execve system call.
OBJ_PID: The information about a process to which a signal is sent.
PATH: The file name path information.
PROCTITLE: The full command-line of the command that was used to invoke the analyzed process.
SECCOMP: A Secure Computing event is detected.
SYSCALL: A system call to the kernel.

Special system calls:

FD_PAIR: The use of the pipe and socketpair system calls.
IPC_SET_PERM: The information about new values set by an IPC_SET control operation on an Inter-Process Communication (IPC) object.
IPC: The information about a IPC object referenced by a system call.
MMAP: The file descriptor and flags of the mmap system call.
SOCKADDR: Record a socket address.
SOCKETCALL: Record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).

Systemd:

SERVICE_START: A service is started.
SERVICE_STOP: A service is stopped.
SYSTEM_BOOT: The system is booted up.
SYSTEM_RUNLEVEL: The system’s run level is changed.
SYSTEM_SHUTDOWN: The system is shut down.

Virtual Machines and Container:

VIRT_CONTROL: The virtual machine is started, paused, or stopped.
VIRT_MACHINE_ID: The binding of a label to a virtual machine.
VIRT_RESOURCE: The resource assignment of a virtual machine.

Device management:

DEV_ALLOC: A device is allocated.
DEV_DEALLOC: A device is deallocated.

Trusted Computing Integrity Measurement Architecture:

INTEGRITY_DATA: The data integrity verification event run by the kernel.
INTEGRITY_EVM_XATTR: The EVM-covered extended attribute is modified.
INTEGRITY_HASH: The hash type integrity verification event run by the kernel.
INTEGRITY_METADATA: The metadata integrity verification event run by the kernel.
INTEGRITY_PCR: The Platform Configuration Register (PCR) invalidation messages.
INTEGRITY_RULE: A policy rule.
INTEGRITY_STATUS: The status of integrity verification.

Intrusion Prevention System:

Anomaly detected:
- ANOM_ABEND
- ANOM_ACCESS_FS
- ANOM_ADD_ACCT
- ANOM_AMTU_FAIL
- ANOM_CRYPTO_FAIL
- ANOM_DEL_ACCT
- ANOM_EXEC
- ANOM_LINK
- ANOM_LOGIN_ACCT
- ANOM_LOGIN_FAILURES
- ANOM_LOGIN_LOCATION
- ANOM_LOGIN_SESSIONS
- ANOM_LOGIN_TIME
- ANOM_MAX_DAC
- ANOM_MAX_MAC
- ANOM_MK_EXEC
- ANOM_MOD_ACCT
- ANOM_PROMISCUOUS
- ANOM_RBAC_FAIL
- ANOM_RBAC_INTEGRITY_FAIL
- ANOM_ROOT_TRANS
Responses:
- RESP_ACCT_LOCK_TIMED
- RESP_ACCT_LOCK
- RESP_ACCT_REMOTE
- RESP_ACCT_UNLOCK_TIMED
- RESP_ALERT
- RESP_ANOMALY
- RESP_EXEC
- RESP_HALT
- RESP_KILL_PROC
- RESP_SEBOOL
- RESP_SINGLE
- RESP_TERM_ACCESS
- RESP_TERM_LOCK

Miscellaneous:

ALL: Matches all types.
KERNEL_OTHER: The record information from third-party kernel modules.
EOE: An end of a multi-record event.
TEST: The success value of a test message.
TRUSTED_APP: The record of this type can be used by third-party application that require auditing.
TTY: The TTY input that was sent to an administrative process.
USER_TTY: An explanatory message about TTY input to an administrative process that is sent from the user-space.
USER: The user details.
USYS_CONFIG: A user-space system configuration change is detected.
TIME_ADJNTPVAL: The system clock is modified.
TIME_INJOFFSET: A Timekeeping offset is injected to the system clock.