Working with Discover on

Understanding the Insight indexes

Mon, 01 Jan 0001 00:00:00 +0000

All the features and Protectors send logs to Insight. The logs from the Audit Store are displayed on the Discover screen of the Insight Dashboard. Here, you can view the different fields logged. In addition to viewing the data, these logs serve as input for Insight to analyze the health of the system and to monitor the system for providing security. These logs are stored in the Audit index with the name, such as, pty_insight_analytics_audits_1.0*.

Understanding the index field values

Mon, 01 Jan 0001 00:00:00 +0000

Common Logging Information

These logging fields are common with the different log types generated by Protegrity products.

Note: These common fields are used across all log types.

Field	Data Type	Description	Source	Example
cnt	Integer	The aggregated count for a specific log.	Protector	5
logtype	String	The type of log. For example, Protection, Policy, Application, Audit, Kernel, System, or Verification. For more examples about the log types, refer here.	Protector	Protection
level	String	The level of severity. For example, SUCCESS, WARNING, ERROR, or INFO. These are the results of the logging operation. For more information about the log levels, refer here.	Protector	SUCCESS
starttime	Date	This is an unused field.	Protector
endtime	Date	This is an unused field.	Protector
index_time_utc	Date	The time the log was inserted into the Audit Store.	Audit Store	Mar 8, 2025 @ 12:55:24.733
ingest_time_utc	Date	The time the Log Forwarder processed the logs.	Log Forwarder	Mar 8, 2025 @ 12:56:22.027
uri	String	The URI for the log. This is an unused field.
correlationid	String	A unique ID that is generated when the policy is deployed.	Hubcontroller	clo5nyx470bi59p22fdrsr7k3
filetype	String	This is the file type, such as, regular file, directory, or device, when operations are performed on the file. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector.	File Protector	ISDIR
index_node	String	The index node that ingested the log.	Audit Store	protegrity-ppc746/192.168.2.20
operation	String	This is an unused field.
path	String	This field is provided for Protector-related data.	File Protector	/hmount/source_dir/postmark_dir/postmark/1
system_nano_time	Long	This displays the time in nano seconds for the Signature Verification job.	Signature Verification	255073580723571
tiebreaker	Long	This is an internal field that is used with the index time to make a record unique across nodes for sorting.	Protector, Signature Verification	2590230
_id	String	This is the entry id for the record stored in the Audit Store.	Log Forwarder, td-agent	NDgyNzAwMDItZDI5Yi00NjU1LWJhN2UtNzJhNWRkOWYwOGY3
_index	String	This is the index name of the Audit Store where the log is stored.	Log Forwarder, td-agent	pty_insight_analytics_audits_10.0-2026.08.30-000001

Additional_Info

These descriptions are used for all types of logs.

Index entries

Mon, 01 Jan 0001 00:00:00 +0000

Audit index

The log types of protection, metering, audit, and security are stored in the audit index. These log are generated during security operations. The logs generated by protectors are stored in the pty_insight_analytics_*audits* audit index.

Protection logs

These logs are generated by protectors during protecting, unprotecting, and reprotecting data operations. These logs are generated by protectors.

Use the following query in Discover to view these logs.

logtype:protection

A sample log is shown here:

Log return codes

Mon, 01 Jan 0001 00:00:00 +0000

Return Code	Description
0	Error code for no logging
1	The username could not be found in the policy
2	The data element could not be found in the policy
3	The user does not have the appropriate permissions to perform the requested operation
4	Tweak is null
5	Integrity check failed
6	Data protect operation was successful
7	Data protect operation failed
8	Data unprotect operation was successful
9	Data unprotect operation failed
10	The user has appropriate permissions to perform the requested operation but no data has been protected/unprotected
11	Data unprotect operation was successful with use of an inactive keyid
12	Input is null or not within allowed limits
13	Internal error occurring in a function call after the provider has been opened
14	Failed to load data encryption key
15	Tweak input is too long
16	The user does not have the appropriate permissions to perform the unprotect operation
17	Failed to initialize the PEP: this is a fatal error
19	Unsupported tweak action for the specified fpe data element
20	Failed to allocate memory
21	Input or output buffer is too small
22	Data is too short to be protected/unprotected
23	Data is too long to be protected/unprotected
24	The user does not have the appropriate permissions to perform the protect operation
25	Username too long
26	Unsupported algorithm or unsupported action for the specific data element
27	Application has been authorized
28	Application has not been authorized
29	The user does not have the appropriate permissions to perform the reprotect operation
30	Not used
31	Policy not available
32	Delete operation was successful
33	Delete operation failed
34	Create operation was successful
35	Create operation failed
36	Manage protection operation was successful
37	Manage protection operation failed
38	Not used
39	Not used
40	No valid license or current date is beyond the license expiration date
41	The use of the protection method is restricted by license
42	Invalid license or time is before license start
43	Not used
44	The content of the input data is not valid
45	Not used
46	Used for z/OS query default data element when policy name is not found
47	Access key security groups not found
48	Not used
49	Unsupported input encoding for the specific data element
50	Data reprotect operation was successful
51	Failed to send logs, connection refused
52	Return code used by bulkhandling in pepproviderauditor

Protectors security log codes

Mon, 01 Jan 0001 00:00:00 +0000

The security logging level can be configured when a data security policy is created in the Policy management in PPC. If logging level is set to audit successful and audit failed, then both successful and failed Unprotect/Protect/Reprotect/Delete operations will be logged.

You can define the server where these security audit logs will be sent to. You can do that by modifying the Log Server configuration section in pepserver.cfg file.

If you configure to send protector security logs to the PPC, you will be able view them in Discover, by logging into the Insight Dashboard, selecting Discover from the menu, and selecting a time period such as Last 30 days. The following table displays the logs sent by protectors.

Additional log information

Mon, 01 Jan 0001 00:00:00 +0000

These are values for understanding the values that are displayed in the log records.

Log levels

Most events on the system generate logs. The level of the log helps you understand whether the log is just an information message or denotes some issue with the system. The log message and the log level allows you to understand more about the working of the system and also helps you identify and troubleshoot any system issues.