This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

ESA Error Handling

The common errors encountered while working with ESA.

ESA appliance collects all logs that come from different Protegrity Servers. The following section explains the logs that you may find and the errors that you may encounter on the ESA.

1 - Common ESA Logs

A list common logs found while working with the ESA.
Log typeDetailsLogs Description
Appliance logs
ESA Web Interface,
System InformationAppliance Logs
Here you can view appliance system logs. These logs are saved for two weeks, and then they are automatically deleted.The ESA appliance logs the appliance-specific system events:
  • Users logging into/out of Web Interface and the IP from which the users logged
  • Users logging into/out of CLI Manager
  • License status warnings
  • Operations in the internal LDAP: users/groups adding/editing/removing, password changes
  • System Data and Time changes
  • System Configuration (OS level, disk space problem) logs
  • Network configuration changes
  • Starting/stopping of the services.
Data Management Server (DMS) logs ESA Web Interface, Logging & ReportingLogsHere you can view DMS system related logs:
  • Startup
  • WatchDog
  • Database Access layer
  • Database Engine
System logs related to monitoring and maintenance of the Logging Repository (DMS).

2 - Common ESA Errors

A list common error found while working with the ESA.

Patch Signing

From v10.0.0, all the packages, including the Protegrity developed packages, are signed by Protegrity. This ensures the integrity of the software being installed.

The following errors may occur while uploading the patch using Web UI or CLI Manager.

#The patch is signed by Protegrity signing key and the verification key is expired

Issue: This issue occurs if the verification key is expired, the following error message appears:
Error: Patch signature(s) expired. Would you like to continue installation?

Workaround:

  • Click Yes to install the patch. The patch gets installed successfully.
  • Click No. The patch installation gets terminated.

For more information about the Protegrity signed patch, contact Protegrity Support.

#The patch is not signed by Protegrity signing key

Issue: This issue occurs if the patch is not signed by Protegrity signing key.
Error: Signatures not found. Aborting

Workaround: Click Exit to terminate the installation process.
It is recommended to use a Protegrity signed patch.

For more information about the Protegrity signed patch, contact Protegrity Support.

Disk Space

#Insufficient disk space in the /var/log directory

Issue: This issue occurs if the disk space in the /var/log directory is insufficient.
Error: Unable to install the patch. The required disk space is insufficient for the following partition: /var/log/

Workaround: Ensure that at least 20% disk space in the /var/log directory is available to install the patch successfully.

#Insufficient disk space in the /opt/ directory

Issue: This issue occurs if the disk space in the /opt directory is insufficient.
Error: Unable to install the patch. The required disk space is insufficient for the following partition: /opt/

Workaround: Ensure that the available disk space in the /opt/tmp directory is at least twice the patch size.

#Insufficient disk space in the /OS directory

Issue: This issue occurs if the disk space in the /OS directory is insufficient.

Workaround: Ensure that at least 40% disk space in the /OS directory is available to install the patch successfully.

The space used in the OS(/) partition should not be more than 60%. If the space used is more than 60%, then you must clean up the OS(/) partition before proceeding with the patch installation process. For more information about cleaning up the OS(/) partition, refer to the documentation available at the following link.
https://my.protegrity.com/knowledge/ka04W000000nSxJQAU/

Miscellaneous

Unable to export the information while executing the cluster task using the IP address of the node.

Issue: This might occur if the task is executed using the IP address of the cluster task instead of the Hostname.

Workaround: To resolve this issue, ensure that the IP address of the cluster node is replaced with the Hostname in the task.

For more information about executing the cluster task, refer Scheduling Configuration Export to Cluster Tasks.

Basic Authentication

If you try to perform operations, such as, joining a cluster, exporting data/ configuration to a remote appliance, and so on , the operation fails with the following error:
Errorcode: 403

Issue: This issue occurs if the Basic Authentication is disabled, and you try to perform any of the following operations.

  • Joining an existing cluster
  • Establishing set ESA Communication
  • Exporting data/configuration to a remote appliance
  • Work with RADIUS authentication

Workaround: Ensure that the Can Create JWT Token permission is assigned to the role. If the Can Create JWT Token permission is not assigned to the role of the required user, then the operation fails.

To verify the Can Create JWT Token permission, from the ESA Web UI navigate to Settings > Users > Roles.

3 - Understanding the Insight indexes

The contents of the various logs that are generated by the Protegrity products describe the working of the system. It helps understand the health of the system, identify issues, and help in troubleshooting.

All the Appliances and Protectors send logs to Insight. The logs from the Audit Store are displayed on the Discover screen of the Audit Store Dashboards. Here, you can view the different fields logged. In addition to viewing the data, these logs serve as input for Insight to analyze the health of the system and to monitor the system for providing security. These logs are stored in the Audit index with the name, such as, pty_insight_analytics_audit_9.2-*. To refer to old and new audit indexes, the alias pty_insight_*audit_* is used.

The /var/log/asdashboards.log file is empty. The init.d logs for the Audit Store Dashboards are available in /var/log/syslog. The container-related logs are available in /var/log/docker/auditstore_dashboards.log.

You can view the Discover screen by logging into the ESA and navigating to Audit Store > Dashboard > Open in new tab, select Discover from the menu, and select a time period such as Last 30 days. The Discover screen appears.

The following table lists the various indexes and information about the data contained in the index. You can view the index list by logging into the ESA, and navigating to Audit Store > Cluster Management > Overview > Indices. Indexes can be created or deleted. However, deleting an index will lead to a permanent loss of data in the index. If the index was not backed up earlier, then the logs from the index deleted cannot be recreated or retrieved.

Index NameOriginDescription
.kibana_1Audit StoreThis is a system index created by the Audit Store. This hold information about the dashboards.
.opendistro_securityAudit StoreThis is a system index created by the Audit Store. This hold information about the security, roles, mapping, and so on.
.opendistro-job-scheduler-lockAudit StoreThis is a system index created by the Audit Store.
.opensearch-notifications-configAudit StoreThis is a system index created by the Audit Store.
.opensearch-observabilityAudit StoreThis is a system index created by the Audit Store.
.plugins-ml-configAudit StoreThis is a system index created by the Audit Store.
.ql-datasourcesAudit StoreThis is a system index created by the Audit Store.
pty_auditstore_cluster_configESAThis index logs logs information about the Audit Store cluster.
pty_insight_analytics_auditESAThis index logs the audit data for all the URP operations and the DSG appliance logs. It also captures all logs with the log type protection, metering, audit, and security.
pty_insight_analytics_autosuggestionESAThis index holds the autocomplete information for querying logs in Insight. The index was used in earlier versions of ESA.
pty_insight_analytics_cronsESAThis index logs information about the cron scheduler jobs.
pty_insight_analytics_crons_logsESAThis index logs for the cron scheduler when the jobs are executed.
pty_insight_analytics_dsg_error_metricsDSGThis index logs the DSG error information.
pty_insight_analytics_dsg_transaction_metricsDSGThis index logs the DSG transaction information.
pty_insight_analytics_dsg_usage_metricsDSGThis index logs the DSG usage information.
pty_insight_analytics_encryption_storeESAThis index encrypts and stores the password specified for the jobs.
pty_insight_analytics_forensics_custom_queriesESAThis index stores the custom queries created for forensics. The index was used in earlier versions of ESA.
pty_insight_analytics_ilm_export_jobsESAThis index logs information about the running ILM export jobs.
pty_insight_analytics_ilm_statusESAThis index logs the information about the running ILM import and delete jobs.
pty_insight_analytics_kvsESAThis is an internal index for storing the key-value type information.
pty_insight_analytics_miscellaneousESAThis index logs entries that are not categorized in the other index files.
pty_insight_analytics_policyESAThis index logs information about the ESA policy. It is a system index created by the ESA.
pty_insight_analytics_policy_logESAThis index logs for the ESA policy when the jobs are executed.
pty_insight_analytics_policy_status_dashboardESAThe index holds information about the policy of the protectors for the dashboard.
pty_insight_analytics_protector_status_dashboardESAThis index holds information about the 10.0.0 protectors for the dashboard.
pty_insight_analytics_protectors_statusProtectorsThis index holds the status logs of version 10.0.0 protectors.
pty_insight_analytics_reportESAThis index holds information for the reports created. The index was used in earlier version of ESA.
pty_insight_analytics_signature_verification_jobsESAThis index logs information about the signature verification jobs.
pty_insight_analytics_signature_verification_running_jobsESAThis index logs information about the signature verification jobs that are currently running.
pty_insight_analytics_troubleshootingESAThis index logs the log type application, kernel, system, and verification.

4 - Understanding the index field values

This section lists information about the various fields logged for the Protection, Policy, Application, Audit, Kernel, Security, and Verification logs. It helps you understand the information that is contained in the logs and is useful for troubleshooting the system.

Common Logging Information

These logging fields are common with the different log types generated by Protegrity products.

Note: These common fields are used across all log types.

FieldData TypeDescriptionSourceExample
cntIntegerThe aggregated count for a specific log.Protector5
logtypeStringThe type of log. For example, Protection, Policy, Application, Audit, Kernel, System, or Verification.For more examples about the log types, refer here.ProtectorProtection
levelStringThe level of severity. For example, SUCCESS, WARNING, ERROR, or INFO. These are the results of the logging operation.For more information about the log levels, refer here.ProtectorSUCCESS
starttimeDateThis is an unused field.Protector 
endtimeDateThis is an unused field.Protector 
index_time_utcDateThe time the Log Forwarder processed the logs.Audit StoreSep 8, 2024 @ 12:55:24.733
ingest_time_utcDateThe time the log was inserted into the Audit Store.Log ForwarderSep 8, 2024 @ 12:56:22.027
uriStringThe URI for the log. This is an unused field.  
correlationidStringA unique ID that is generated when the policy is deployed.Hubcontrollerclo5nyx470bi59p22fdrsr7k3
filetypeStringThis is the file type, such as, regular file, directory, or device, when operations are performed on the file. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector.File ProtectorISDIR
index_nodeStringThe index node that ingested the log.Audit Storeprotegrity-esa746/192.168.2.20
operationStringThis is an unused field.  
pathStringThis field is provided for Protector-related data.File Protector/hmount/source_dir/postmark_dir/postmark/1
system_nano_timeLongThis displays the time in nano seconds for the Signature Verification job.Signature Verification255073580723571
tiebreakerLongThis is an internal field that is used with the index time to make a record unique across nodes for sorting.Protector, Signature Verification2590230
_idStringThis is the entry id for the record stored in the Audit Store.Log Forwarder, td-agentNDgyNzAwMDItZDI5Yi00NjU1LWJhN2UtNzJhNWRkOWYwOGY3
_indexStringThis is the index name of the Audit Store where the log is stored.Log Forwarder, td-agentpty_insight_analytics_audits_10.0-2024.08.30-000001

Additional_Info

These descriptions are used for all types of logs.

FieldData TypeDescriptionSourceExample
descriptionStringDescription about the log generated.All modulesData protect operation was successful, Executing attempt_rollover for , and so on.
moduleStringThe module that generated the log.All modules.signature.job_runner
procedureStringThe method in the module that generated the log.All modulescreate_job
titleStringThe title for the audit log.DSGDSG’s Rule Name INFO : DSG Patch Installation - User has chosen to reboot system later., Cloud Gateway service restart, and so on.#

Process

This section describes the properties of the process that created the log. For example, the protector or the rputils.

FieldData TypeDescriptionSourceExample
thread_idStringThe thread_id of the process that generated the log.PEP Server3382487360
idStringThe id of the process that generated the log.PEP Server41710
userStringThe user that runs the program that generated the log.All modulesservice_admin
versionStringThe version of the program or Protector that generated the log.All modules1.2.2+49.g126b2.1.2
platformStringThe platform that the program that generated the log is running on.PEP ServerLinux_x64
moduleStringThe module that generated the log.ESA, Protectorrpstatus
nameStringThe name of the process that generated the log.All modulesProtegrity PEP Server
pcc_versionStringThe core pcc version.PEP Server3.4.0.20

Origin

This section describes the origin of the log, that is, from where the log came from and when it was generated.

FieldData TypeDescriptionSourceExample
time_utcDateThe time in the Coordinated Universal Time (UTC) format when the log was generated.All modulesSep 8, 2024 @ 12:56:29.000
hostnameStringThe hostname of the machine where the log was generated.All modulesip-192-16-1-20.protegrity.com
ipIPThe IP of the machine where the log was generated.All modules192.168.1.20

Protector

This section describes the Protector that generated the log. For example, the vendor and the version of the Protector.

Note: For more information about the Protector vendor, family, and version, refer here.

FieldData TypeDescriptionSourceExample
vendorStringThe vendor of the Protector that generated the log. This is specified by the Protector.ProtectorDSG
familyStringThe Protector family of the Protector that generated the logs. This is specified by the Protector. For more information about the family, refer here.Protectorgwp
versionStringThe version of the Protector that generated the logs. This is specified by the Protector.Protector1.2.2+49.g126b2.1.2
core_versionStringThis is the Core component version of the product.Protector1.2.2+49.g126b2.1.2
pcc_versionStringThis is the PCC version.Protector3.4.0.20

Protection

This section describes the protection that was done, what was done, the result of the operation, where it was done, and so on.

FieldData TypeDescriptionSourceExample
policyStringThe name of the policy. This is only used in File Protector.Protectoraes1-rcwd
roleStringThis field is not used and will be deprecated.Protector 
datastoreStringThe name of the datastore used for the security operation.ProtectorTestdatastore
audit_codeIntegerThe return code for the operation. For more information about the return codes, refer here.Protector6
session_idStringThe identifier for the session.Protector 
request_idStringThe ID of the request that generated the log.Protector 
old_dataelementStringThe old dataelement value before the reprotect to a new dataelement.ProtectorAES128
mask_settingStringThe mask setting used to protect data.ProtectorMask Left:4 Mask Right:4 Mark Character:
dataelementStringThe dataelement used when protecting or unprotecting data. This is passed by the Protector performing the operation.ProtectorPTY_DE_CCN
operationStringThe operation, for example Protect, Unprotect, or Reprotect. This is passed in by the Protector performing the operation.ProtectorProtect
policy_userStringThe policy user for which the operation is being performed. This is passed in by the Protector performing the operation.Protectorexampleuser1
devicepathStringThe path to the device. This is only used in File Protector.Protector/hmount/fuse_mount
filetypeStringThe type of file that was protected or unprotected. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector.ProtectorISREG
pathStringThe path to the file protected or unprotected by the File Protector. This is only used in File Protector.Protector/testdata/src/ez/audit_log(13).csv

Client

This section describes from where the log came from.

FieldData TypeDescriptionSourceExample
ipStringThe IP of the client that generated the log.DSG192.168.2.10
usernameStringThe username that ran the Protector or Server on the client that created the log.Hubcontrollerjohndoe

Policy

This section describes the information about the policy.

FieldData TypeDescriptionSourceExample
audit_codeIntegerThis is the policy audit code for the policy log.PEP Server198
policy_nameStringThis is the policy name for the policy log.PEP ServerAutomationPolicy
severityStringThis is the severity level for the policy log entry.PEP ServerLow
usernameStringThis is the user who modified the policy.PEP Serverjohndoe

Metering

This section describes the metering log information.

Note: These fields are applicable for Protectors up to v7.2.1. If you upgraded your ESA from v7.2.1 to v9.1.0.0 and migrated the metering audits, then these fields contain data.

Metering is not supported for Protectors v8.0.0.0 and above and these are fields will be blank.

FieldData TypeDescriptionSourceExample
meteringmodeStringThis is the mode for metering logs, such as, delta or total.PEP Servertotal
originStringThis is the IP from where metering data originated.PEP Server192.168.0.10
protection_countDoubleThis is the number of protect operations metered.PEP Server10
reprotection_countDoubleThis is the number of reprotect operations metered.PEP Server5
timestampDateThis is the UTC timestamp when the metering log entry was generated.PEP ServerSep 8, 2020 @ 12:56:29.000
uidStringThis is the unique ID of the metering source that generated the log.PEP ServerQ2XJPGHZZIYKBPDX5K0KEISIV9AX9V
unprotection_countDoubleThis is the number of unprotect operations metered.PEP Server10

Signature

This section handles the signing of the log. The key that was used to sign the log and the actual checksum that was generated.

FieldData TypeDescriptionSourceExample
key_idStringThe key ID of the signingkey that signed the log record.Protectorcc93c930-2ba5-47e1-9341-56a8d67d55d4
checksumStringThe checksum that was the result of signing the log.Protector438FE13078719ACD4B8853AE215488ACF701ECDA2882A043791CDF99576DC0A0
counterDoubleThis is the chain of custody value. It helps maintain the integrity of the log data.Protector50321

Verification

This section describes the log information generated for a failed signature verification job.

FieldData TypeDescriptionSourceExample
doc_idStringThis is the document ID for the audit log where the signature verification failed.Signature VerificationN2U2N2JkM2QtMDhmYy00OGJmLTkyOGYtNmRhYzhhMGExMTFh
index_nameStringThis is the index name where the log signature verification failed.Signature Verificationpty_insight_analytics_audits_10.0-2024.08.30-000001
job_idStringThis is the job ID of the signature verification job.Signature Verification1T2RaosBEEC_iPz-zPjl
job_nameStringThis is the job name of the signature verification job.Signature VerificationSystem Job
reasonStringThis is the audit log specifying the reason of the signature verification failure.Signature VerificationINVALID_CHECKSUM | INVALID_KEY_ID | NO_KEY_AND_DOC_UPDATED

5 - Index entries

The index configuration, samples, and entry descriptions describe help identify and analyze the log entries in the indexes.

Audit index

The log types of protection, metering, audit, and security are stored in the audit index. These log are generated during security operations. The logs generated by protectors are stored in the audit index with the name as shown in the following table for the respective version.

ESA versionIndex patternDescriptionExample
ESA v10.0.0pty_insight_analytics_*audits*Use in the Audit Store Dashboards for viewing v10.0.0 logs on the dashboard.pty_insight_analytics_audits_10.0-2024.08.30-000001
v9.2.0.0 and earlierpty_insight_*audit_*Use in the Audit Store Dashboards for viewing older release logs on the dashboard.pty_insight_analytics_audit_9.2-2024.08.07-000001, pty_insight_audit_v9.1-2028.02.10-000019, pty_insight_audit_v2.0-2022.02.19-000006, pty_insight_audit_v1.1-2021.02.17-000001, pty_insight_audit_v1-2020.12.21-000001
v8.0.0.0 and abovepty_insight_*audit*Use in the Audit Store Dashboards for viewing all logs.pty_insight_analytics_audits_10.0-2024.08.30-000001, pty_insight_analytics_audit_9.2-2024.08.07-000001, pty_insight_audit_v9.1-2028.02.10-000019, pty_insight_audit_v2.0-2022.02.19-000006, pty_insight_audit_v1.1-2021.02.17-000001, pty_insight_audit_v1-2020.12.21-000001

The following parameters are configured for the index rollover in v10.0.0:

  • Index age: 30 days
  • Document count: 200,000,000
  • Index size: 5 GB

Protection logs

These logs are generated by protectors during protecting, unprotecting, and reprotecting data operations. These logs are generated by protectors, such as, DSG.

Use the following query in Discover to view these logs.

logtype:protection

A sample log is shown here:

 {
    "process": {
      "thread_id": "1227749696",
      "module": "coreprovider",
      "name": "java",
      "pcc_version": "3.6.0.1",
      "id": "4190",
      "user": "user4",
      "version": "10.0.0-alpha+13.gef09.10.0",
      "core_version": "2.1.0+17.gca723.2.1",
      "platform": "Linux_x64"
    },
    "level": "SUCCESS",
    "signature": {
      "key_id": "11a8b7d9-1621-4711-ace7-7d71e8adaf7c",
      "checksum": "43B6A4684810383C9EC1C01FF2C5CED570863A7DE609AE5A78C729A2EF7AB93A"
    },
    "origin": {
      "time_utc": "2024-09-02T13:55:17.000Z",
      "hostname": "hostname1234",
      "ip": "10.39.3.156"
    },
    "cnt": 1,
    "protector": {
      "vendor": "Java",
      "pcc_version": "3.6.0.1",
      "family": "sdk",
      "version": "10.0.0-alpha+13.gef09.10.0",
      "core_version": "2.1.0+17.gca723.2.1"
    },
    "protection": {
      "dataelement": "TE_A_S13_L1R2_Y",
      "datastore": "DataStore",
      "audit_code": 6,
      "operation": "Protect",
      "policy_user": "user1"
    },
    "index_node": "protegrity-esa399/10.39.1.23",
    "tiebreaker": 210,
    "logtype": "Protection",
    "additional_info": {
      "description": "Data protect operation was successful"
    },
    "index_time_utc": "2024-09-02T13:55:24.766355224Z",
    "ingest_time_utc": "2024-09-02T13:55:17.678Z",
    "client": {},
    "correlationid": "cm0f1jlq700gbzb19cq65miqt"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-02T13:55:17.000Z"
    ],
    "index_time_utc": [
      "2024-09-02T13:55:24.766Z"
    ],
    "ingest_time_utc": [
      "2024-09-02T13:55:17.678Z"
    ]
  },
  "sort": [
    1725285317000
  ]

The above example contains the following information:

  • additional_info
  • origin
  • protector
  • protection
  • process
  • client
  • protector
  • signature

For more information about the various fields, refer here.

Metering logs

These logs are generated by protectors of prior to 8.0.0.0. These logs are not generated by latest protectors.

Use the following query in Discover to view these logs.

logtype:metering

For more information about the various fields, refer here.

Audit logs

These logs are generated when the rule set of the DSG protector gets updated.

Use the following query in Discover to view these logs.

logtype:audit

A sample log is shown here:

 {
   "additional_info.description": "User admin modified default_80 tunnel successfully ",
   "additional_info.title": "Gateway : Tunnels : Tunnel 'default_80' Modified",
   "client.ip": "192.168.2.20",
   "cnt": 1,
   "index_node": "protegrity-esa746/192.168.1.10",
   "index_time_utc": "2024-01-24T13:30:17.171646Z",
   "ingest_time_utc": "2024-01-24T13:29:35.000000000Z",
   "level": "Normal",
   "logtype": "Audit",
   "origin.hostname": "protegrity-cg406",
   "origin.ip": "192.168.2.20",
   "origin.time_utc": "2024-01-24T13:29:35.000Z",
   "process.name": "CGP",
   "process.user": "admin",
   "tiebreaker": 2260067,
   "_id": "ZTdhNzFmMTUtMWZlOC00MmY4LWJmYTItMjcwZjMwMmY4OGZh",
   "_index": "pty_insight_audit_v9.1-2024.01.23-000006"
 }

This example includes data from each of the following groups defined in the index:

  • additional_info
  • client
  • origin
  • process

For more information about the various fields, refer here.

Security logs

These logs are generated by security events of the system.

Use the following query in Discover to view these logs.

logtype:security

For more information about the various fields, refer here.

Troubleshooting index

The log types of application, kernel, system, and verification logs are stored in the troubleshooting index. These logs helps you understand the working of the system. The logs stored in this index are essential when the system is down or has issues. This is the pty_insight_analytics_troubleshooting index. The index pattern for viewing these logs in Discover is pty_insight_*troubleshooting_*.

The following parameters are configured for the index rollover:

  • Index age: 30 days
  • Document count: 200,000,000
  • Index size: 5 GB

Application Logs

These logs are generated by Protegrity servers and Protegrity applications.

Use the following query in Discover to view these logs.

logtype:application

A sample log is shown here:

{
    "process": {
      "name": "hubcontroller"
    },
    "level": "INFO",
    "origin": {
      "time_utc": "2024-09-03T10:02:34.597000000Z",
      "hostname": "protegrity-esa503",
      "ip": "10.37.4.12"
    },
    "cnt": 1,
    "index_node": "protegrity-esa503/10.37.4.12",
    "tiebreaker": 16916,
    "logtype": "Application",
    "additional_info": {
      "description": "GET /dps/v1/deployment/datastores | 304 | 127.0.0.1 | Protegrity Client | 8ms | "
    },
    "index_time_utc": "2024-09-03T10:02:37.314521452Z",
    "ingest_time_utc": "2024-09-03T10:02:36.262628342Z",
    "correlationid": "cm0m9gjq500ig1h03zwdv6kok"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:02:34.597Z"
    ],
    "index_time_utc": [
      "2024-09-03T10:02:37.314Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:02:36.262Z"
    ]
  },
  "highlight": {
    "logtype": [
      "@opensearch-dashboards-highlighted-field@Application@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1725357754597
  ]

The above example contains the following information:

  • additional_info
  • origin
  • process

For more information about the various fields, refer here.

Kernel logs

These logs are generated by the kernel and help you analyze the working of the internal system. Some of the modules that generate these logs are CRED_DISP, KERNEL, USER_CMD, and so on.

Use the following query in Discover to view these logs.

logtype:Kernel

For more information and description about the components that can generate kernel logs, refer here.

For a list of components and modules and the type of logs they generate, refer here.

A sample log is shown here:

{
    "process": {
      "name": "CRED_DISP"
    },
    "origin": {
      "time_utc": "2024-09-03T10:02:55.059999942Z",
      "hostname": "protegrity-esa503",
      "ip": "10.37.4.12"
    },
    "cnt": "1",
    "index_node": "protegrity-esa503/10.37.4.12",
    "tiebreaker": 16964,
    "logtype": "Kernel",
    "additional_info": {
      "module": "pid=38236",
      "description": "auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_rootok acct=\"rabbitmq\" exe=\"/usr/sbin/runuser\" hostname=? addr=? terminal=? res=success'\u001dUID=\"root\" AUID=\"unset\"",
      "procedure": "uid=0"
    },
    "index_time_utc": "2024-09-03T10:02:59.315734771Z",
    "ingest_time_utc": "2024-09-03T10:02:55.062254541Z"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:02:55.059Z"
    ],
    "index_time_utc": [
      "2024-09-03T10:02:59.315Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:02:55.062Z"
    ]
  },
  "highlight": {
    "logtype": [
      "@opensearch-dashboards-highlighted-field@Kernel@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1725357775059
  ]

This example includes data from each of the following groups defined in the index:

  • additional_info
  • origin
  • process

For more information about the various fields, refer here.

System logs

These logs are generated by the operating system and help you analyze and troubleshoot the system when errors are found.

Use the following query in Discover to view these logs.

logtype:System

For a list of components and modules and the type of logs they generate, refer here.

A sample log is shown here:

 {
    "process": {
      "name": "ESAPAP",
      "version": "10.0.0+2412",
      "user": "admin"
    },
    "level": "Low",
    "origin": {
      "time_utc": "2024-09-03T10:00:34.000Z",
      "hostname": "protegrity-esa503",
      "ip": "10.37.4.12"
    },
    "cnt": "1",
    "index_node": "protegrity-esa503/10.37.4.12",
    "tiebreaker": 16860,
    "logtype": "System",
    "additional_info": {
      "description": "License is due to expire in 30 days. The validity of license has been acknowledged by the user. (web-user 'admin' , IP: '10.87.2.32')",
      "title": "Appliance Info : License is due to expire in 30 days. The validity of license has been acknowledged by the user. (web-user 'admin' , IP: '10.87.2.32')"
    },
    "index_time_utc": "2024-09-03T10:01:10.113708469Z",
    "client": {
      "ip": "10.37.4.12"
    },
    "ingest_time_utc": "2024-09-03T10:00:34.000000000Z"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:00:34.000Z"
    ],
    "index_time_utc": [
      "2024-09-03T10:01:10.113Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:00:34.000Z"
    ]
  },
  "highlight": {
    "logtype": [
      "@opensearch-dashboards-highlighted-field@System@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1725357634000
  ]

This example includes data from each of the following groups defined in the index:

  • additional_info
  • origin
  • process

For more information about the various fields, refer here.

Verification logs

These log are generated by Insight on the ESA when a signature verification fails.

Use the following query in Discover to view these logs.

logtype:Verification

For a list of components and modules and the type of logs they generate, refer here.

A sample log is shown here:

{
    "process": {
      "name": "insight.pyc",
      "id": 45277
    },
    "level": "Info",
    "origin": {
      "time_utc": "2024-09-03T10:14:03.120342Z",
      "hostname": "protegrity-esa503",
      "ip": "10.37.4.12"
    },
    "cnt": 1,
    "index_node": "protegrity-esa503/10.37.4.12",
    "tiebreaker": 17774,
    "logtype": "Verification",
    "additional_info": {
      "module": ".signature.job_executor",
      "description": "",
      "procedure": "__log_failure"
    },
    "index_time_utc": "2024-09-03T10:14:03.128435514Z",
    "ingest_time_utc": "2024-09-03T10:14:03.120376Z",
    "verification": {
      "reason": "SV_VERIFY_RESPONSES.INVALID_CHECKSUM",
      "job_name": "System Job",
      "job_id": "9Vq1opEBYpV14mHXU9hW",
      "index_name": "pty_insight_analytics_audits_10.0-2024.08.30-000001",
      "doc_id": "JI5bt5EBMqY4Eog-YY7C"
    }
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:14:03.120Z"
    ],
    "index_time_utc": [
      "2024-09-03T10:14:03.128Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:14:03.120Z"
    ]
  },
  "highlight": {
    "logtype": [
      "@opensearch-dashboards-highlighted-field@Verification@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1725358443120
  ]

This example includes data from each of the following groups defined in the index:

  • additional_info
  • process
  • origin
  • verification

For more information about the various fields, refer here.

Policy log index

The log type of policy is stored in the policy log index. They include logs for the policy-related operations, such as, when the policy is updated. The index pattern for viewing these logs in Discover is pty_insight_*policy_log_*.

The following parameters are configured for the policy log index:

  • Index age: 30 days
  • Document count: 200,000,000
  • Index size: 5 GB

Use the following query in Discover to view these logs.

logtype:policyLog

For a list of components and modules and the type of logs they generate, refer here.

A sample log is shown here:

{
    "process": {
      "name": "hubcontroller",
      "user": "service_admin",
      "version": "1.8.0+6.g5e62d8.1.8"
    },
    "level": "Low",
    "origin": {
      "time_utc": "2024-09-03T08:29:14.000000000Z",
      "hostname": "protegrity-esa503",
      "ip": "10.37.4.12"
    },
    "cnt": 1,
    "index_node": "protegrity-esa503/10.37.4.12",
    "tiebreaker": 10703,
    "logtype": "Policy",
    "additional_info": {
      "description": "Data element created. (Data Element 'TE_LASCII_L2R1_Y' created)"
    },
    "index_time_utc": "2024-09-03T08:30:31.358367506Z",
    "client": {
      "ip": "10.87.2.32",
      "username": "admin"
    },
    "ingest_time_utc": "2024-09-03T08:29:30.017906235Z",
    "correlationid": "cm0m64iap009r1h0399ey6rl8",
    "policy": {
      "severity": "Low",
      "audit_code": 150
    }
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T08:29:14.000Z"
    ],
    "index_time_utc": [
      "2024-09-03T08:30:31.358Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T08:29:30.017Z"
    ]
  },
  "highlight": {
    "additional_info.description": [
      "(Data Element '@opensearch-dashboards-highlighted-field@DE@/opensearch-dashboards-highlighted-field@' created)"
    ]
  },
  "sort": [
    1725352154000
  ]

The example contains the following information:

  • additional_info
  • origin
  • policy
  • process

For more information about the various fields, refer here.

Policy Status Dashboard index

The policy status dashboard index contains information for the Policy Status Dashboard. It holds the policy and trusted application deployment status information. The index pattern for viewing these logs in Discover is pty_insight_analytics*policy_status_dashboard_.

{
    "logtype": "Status",
    "process": {
      "thread_id": "2458884416",
      "module": "rpstatus",
      "name": "java",
      "pcc_version": "3.6.0.1",
      "id": "2852",
      "user": "root",
      "version": "10.0.0-alpha+13.gef09.10.0",
      "core_version": "2.1.0+17.gca723.2.1",
      "platform": "Linux_x64"
    },
    "origin": {
      "time_utc": "2024-09-03T10:24:19.000Z",
      "hostname": "ip-10-49-2-49.ec2.internal",
      "ip": "10.49.2.49"
    },
    "cnt": 1,
    "protector": {
      "vendor": "Java",
      "datastore": "DataStore",
      "family": "sdk",
      "version": "10.0.0-alpha+13.gef09.10.0"
    },
    "ingest_time_utc": "2024-09-03T10:24:19.510Z",
    "status": {
      "core_correlationid": "cm0f1jlq700gbzb19cq65miqt",
      "package_correlationid": "cm0m1tv5k0019te89e48tgdug"
    },
    "policystatus": {
      "type": "TRUSTED_APP",
      "application_name": "APJava_sample",
      "deployment_or_auth_time": "2024-09-03T10:24:19.000Z",
      "status": "WARNING"
    }
  },
  "fields": {
    "policystatus.deployment_or_auth_time": [
      "2024-09-03T10:24:19.000Z"
    ],
    "origin.time_utc": [
      "2024-09-03T10:24:19.000Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:24:19.510Z"
    ]
  },
  "sort": [
    1725359059000
  ]

The example contains the following information:

  • additional_info
  • origin
  • protector
  • policystatus
  • policy
  • process

Protectors status index

The protector status logs generated by protectors of v10.0.0 are stored in this index. The index pattern for viewing these logs in Discover is pty_insight_analytics_protectors_status_*.

The following parameters are configured for the index rollover:

  • Index age: 30 days
  • Document count: 200,000,000
  • Index size: 5 GB

Use the following query in Discover to view these logs.

logtype:status

A sample log is shown here:

{
   "logtype":"Status",
   "process":{
      "thread_id":"2559813952",
      "module":"rpstatus",
      "name":"java",
      "pcc_version":"3.6.0.1",
      "id":"1991",
      "user":"root",
      "version":"10.0.0.2.91.5ec4b8b",
      "core_version":"2.1.0-alpha+24.g7fc71.2.1",
      "platform":"Linux_x64"
   },
   "origin":{
      "time_utc":"2024-07-30T07:22:41.000Z",
      "hostname":"ip-10-39-3-218.ec2.internal",
      "ip":"10.39.3.218"
   },
   "cnt":1,
   "protector":{
      "vendor":"Java",
      "datastore":"ESA-10.39.2.7",
      "family":"sdk",
      "version":"10.0.0.2.91.5ec4b8b"
   },
   "ingest_time_utc":"2024-07-30T07:22:41.745Z",
   "status":{
      "core_correlationid":"clz79lc2o004jmb29neneto8k",
      "package_correlationid":"clz82ijw00037k790oxlnjalu"
   }
}

The example contains the following information:

  • additional_info
  • origin
  • policy
  • protector

Protector Status Dashboard index

The protector status dashboard index contains information for the Protector Status Dashboard. It holds the protector status information. The index pattern for viewing these logs in Discover is pty_insight_analytics*protector_status_dashboard_.

A sample log is shown here:

{
    "logtype": "Status",
    "process": {
      "thread_id": "2458884416",
      "module": "rpstatus",
      "name": "java",
      "pcc_version": "3.6.0.1",
      "id": "2852",
      "user": "root",
      "version": "10.0.0-alpha+13.gef09.10.0",
      "core_version": "2.1.0+17.gca723.2.1",
      "platform": "Linux_x64"
    },
    "origin": {
      "time_utc": "2024-09-03T10:24:19.000Z",
      "hostname": "ip-10-49-2-49.ec2.internal",
      "ip": "10.49.2.49"
    },
    "cnt": 1,
    "protector": {
      "vendor": "Java",
      "datastore": "DataStore",
      "family": "sdk",
      "version": "10.0.0-alpha+13.gef09.10.0"
    },
    "ingest_time_utc": "2024-09-03T10:24:19.510Z",
    "status": {
      "core_correlationid": "cm0f1jlq700gbzb19cq65miqt",
      "package_correlationid": "cm0m1tv5k0019te89e48tgdug"
    },
    "protector_status": "Warning"
  },
  "fields": {
    "origin.time_utc": [
      "2024-09-03T10:24:19.000Z"
    ],
    "ingest_time_utc": [
      "2024-09-03T10:24:19.510Z"
    ]
  },
  "sort": [
    1725359059000
  ]

The example contains the following information:

  • additional_info
  • origin
  • protector
  • process

DSG transaction metrics

The table in this section lists the details for the various parameters generated by DSG transactions. The DSG transaction logs are stored in the pty_insight_analytics_dsg_transaction_metrics_9.2 index file. The index pattern for viewing these logs in Discover is pty_insight_analytics_dsg_transaction_metrics_*. The following parameters are configured for the index rollover:

  • Index age: 1 day
  • Document count: 10,000,000
  • Index size: 1 GB

This index stores the following fields.

* -The origin_time_utc and logtype parameters will only be displayed on the Audit Store Dashboards.

For more information about the transaction metric logs, refer to the section Transaction Metrics Logging in the Protegrity Data Security Gateway User Guide 3.2.0.0.

Scheduled tasks are available for deleting this index. You can configure and enable the scheduled task to free up the space used by old index files that you do not require.

For more information about scheduled tasks, refer here.

DSG usage metrics

This section describes the codes associated with the following DSG usage metrics:

  • Tunnels usage data (Version 0)
  • Service usage data (Version 0)
  • Profile usage data (Version 0)
  • Rules usage data (Version 0)

The table in this sub sections lists the details for the various parameters generated while using the DSG. The DSG usage metrics logs are stored in the pty_insight_analytics_dsg_usage_metrics_9.2 index file. The index pattern for viewing these logs in Discover is pty_insight_analytics_dsg_usage_metrics_*. The following parameters are configured for the index rollover:

  • Index age: 1 day
  • Document count: 3,500,000
  • Index size: 1 GB

For more information about the usage metrics, refer to the Protegrity Data Security Gateway User Guide 3.2.0.0.

Scheduled tasks are available for deleting this index. You can configure and enable the scheduled task to free up the space used by old index files that you do not require.

For more information about scheduled tasks, refer here.

Tunnels usage data

The table in this section describes the usage metric for Tunnels.

PositionNameData TypeDescription
0metrics typeinteger0 for Tunnels
1metrics versioninteger0
2tunnel-typestringthe tunnel type CIFS, HTTP, NFS, S3, SFTP, SMTP
3timestampstringtime usage is reported
4tunnel-idstringaddress of tunnel instance will be unique id generated when tunnel is created.
5uptimefloattime in seconds since the tunnel loaded
6bytes-processedintegerfrontend and backend bytes the tunnel processed since the last time usage was reported
7frontend-bytes-processedintegerfrontend bytes the tunnel has processed since the last time usage was reported
8backend-bytes-processedintegerbackend bytes the tunnel has processed since the last time usage was reported
9total-bytes-processedintegertotal number of frontend and backend bytes the tunnel has processed during the time the tunnel has been loaded
10frontend-bytes-processedintegertotal number of frontend bytes the tunnel has processed during the time the tunnel has been loaded
11backend-bytes-processedintegertotal number of backend bytes the tunnel has processed during the time the tunnel has been loaded
12message-countintegernumber of requests the tunnel received since the last time usage was reported
13total-message-countintegertotal number of requests the tunnel received during the time the tunnel has been loaded
14ingest_time_utcstringTime in UTC at which this log is ingested
15logtypestringValue to identify type of metric –> dsg_metrics_usage_tunnel

A sample is provided here:

{"metrics_type":"Tunnel","version":0,"tunnel_type":"HTTP","cnt":1,"logtype":"Application","origin":{"time_utc":"2023-04-13T12:28:18Z"},"previous_timestamp":"2023-04-13T12:28:08Z","tunnel_id":"140361619513360","checksum":"4139677074","uptime":620.8048927783966,"bytes_processed":401,"frontend_bytes_processed":401,"backend_bytes_processed":0,"previous_bytes_processed":401,"previous_frontend_bytes_processed":401,"previous_backend_bytes_processed":0,"total_bytes_processed":1203,"total_frontend_bytes_processed":1203,"total_backend_bytes_processed":0,"message_count":1,"previouse_message_count":1,"total_message_count":3}

Services usage data

The table in this section describes the usage metric for Services.

PositionNameData TypeDescription
0metrics typeinteger1 for Services
1metrics versioninteger0
2service-typestringthe service type HTTP-GW, MOUNTED-OOB, REST-API, S3-OOB, SMTP-GW, SFTP-GW, WS-GW
3timestampstringtime usage is reported
4service-idstringUUID of service name
5tunnel-idstringUUID of tunnel name
6callsintegernumber of times service processed frontend and backend requests since the time usage was last reported
7frontend-callsintegernumber of times service processed frontend requests since the time usage was last reported
8backend-callsintegernumber of times service processed backend requests since the time usage was last reported
9total-callsintegertotal number number of times service processed frontend and backend requests since the service has been loaded
10total-frontend-callsintegertotal number number of times service processed frontend and backend requests since the service has been loaded
11total-backend-callsintegertotal number number of times service processed frontend and backend requests since the service has been loaded
12bytes-processedintegerfrontend and backend bytes the service processed since the last time usage was reported
13frontend-bytes-processedintegerfrontend bytes the tunnel processed since the last time usage was reported
14backend-bytes-processedintegerbackend bytes the tunnel processed since the last time usage was reported
15total-bytes-processedintegertotal number of frontend and backend bytes the service has processed during the time the service has been loaded
16total-frontend-bytes-processedintegertotal number of frontend bytes the tunnel has processed during the time the tunnel has been loaded
17total-backend-bytes-processedintegertotal number of backend bytes the tunnel has processed during the time the tunnel has been loaded
18ingest_time_utcstringTime in UTC at which this log is ingested
19logtypestringValue to identify type of metric –> dsg_metrics_usage_service

A sample is provided here:

{"metrics_type":"Service","version":0,"service_type":"REST-API","cnt":1,"logtype":"Application","origin":{"time_utc":"2023-04-13T12:28:18Z"}, "previous_timestamp":"2023-04-13T12:28:08Z", "service_id":"140361548704016","checksum":"3100121694","tunnel_checksum":"4139677074","calls":401,"frontend_calls":401,"backend_calls":0,"previous_calls":401,"previous_frontend_calls":401,"previous_backend_calls":0,"total_calls":1203,"total_frontend_calls":1203,"total_backend_calls":0,"bytes_processed":2,"frontend_bytes_processed":1,"backend_bytes_processed":1,"previous_bytes_processed":2,"previous_frontend_bytes_processed":1,"previous_backend_bytes_processed":1,"total_bytes_processed":6,"total_frontend_bytes_processed":3,"total_backend_bytes_processed":3}

Profile usage data

The table in this section describes the usage metric for Profile.

PositionNameData TypeDescription
0metrics typeinteger2 for Profile
1metrics versioninteger0
2timestampstringtime usage is reported
3prev-timestampstringthe previous time usage was reported
4profile-idstringaddress of profile instance will be unique id generated when profile is created
5parent-idstringchecksum of profile or service calling this profile
6callsintegernumber of times the profile processed a request since the time usage was last reported
7total-callsintegertotal number of times the profile processed a request since profile has been loaded
8profile-ref-countintegerthe number of times this profile has been called via a profile reference since the time usage was last reported
9prev-profile-ref-countintegerthe number of times this profile has been called via a profile reference the last time usage was last reported
10total-profile-ref-countintegertotal number of times this profile has been called via a profile reference since the profile has been loade
11bytes-processedintegerbytes the profile processed since the last time usage was reported
12total-bytes-processedintegertotal bytes the profile processed since the profile has been loaded
13elapsed-time-sample-countintegerthe number of times the profile was sampled since the last time usage was reported
14elapsed-time-meanintegerthe average amount of time in nano-seconds it took to process a request based on elapsed-time-sample-count
15total-elapsed-time-sample-countintegerthe number of times the profile was sampled since the profile has been loaded
16total-elapsed-time-sample-meanintegerthe average amount of time in nano-seconds it took to process a request based on total-elapsed-time-sample-count
17ingest_time_utcstringTime in UTC at which this log is ingested
18logtypestringValue to identify type of metric –> dsg_metrics_usage_profile

A sample is provided here:

{"metrics_type":"Profile","version":0,"cnt":1,"logtype":"Application","origin":{"time_utc":"2023-04-13T12:28:18Z"},"previous_timestamp":"2023-04-13T12:28:08Z","profile_id":"140361548999248","checksum":"3504922421","parent_checksum":"3100121694","calls":2,"previous_calls":2,"total_calls":6,"profile_reference_count":0,"previous_profile_reference_count":0,"total_profile_reference_count":0,"bytes_processed":802,"previous_bytes_processed":802,"total_bytes_processed":2406,"elapsed_time_sample_count":2,"elapsed_time_average":221078.5,"total_elapsed_time_sample_count":6,"total_elapsed_time_sample_average":245797.0}

Rules usage data

The table in this section describes the usage metric for Rules.

PositionNameData TypeDescription
0metrics typeinteger3 for Rules
1metrics versioninteger0
2rule-typestringrule is one of Dynamice Injection, Error, Exit, Extract, Log, Profile Reference, Set Context Variable, Set User Identity, Transform
3codecstringonly applies to Extract
4timestampstringtime usage is reported
5flagbooleanBroken rule or is domain name rewrite
6rule-idstringaddress of rule instance will be unique id generated when rule is created.
7parent-idstringchecksum of rule or profile calling this rule
8callsintegernumber of times the rule processed a request since the time usage was last reported
9total-callsintegertotal number of times the rule processed a request since rule has been loaded
10profile-ref-countintegerthe number of times this rule has been called via a profile reference since the time usage was last reported
11prev-profile-ref-countintegerthe number of times this rule has been called via a profile reference the last time usage was last reported
12total-profle-ref-countintegertotal number of times this rule has been called via a profile reference since the rule has been loaded
13bytes-processedintegerbytes the rule processed since the last time usage was reported
14total-bytes-processedintegertotal bytes the rule processed since the rule has been loaded
15elapsed-time-sample-countintegerthe number of times the rule was sampled since the last time usage was reported
16elapsed-time-sample-meanintegerthe average amount of time in nano-seconds it took to process a data based on elapsed-time-sample-count
17total-elapsed-time-sample-countintegerthe number of times the rule was sampled since the rule has been loaded
18total-elapsed-time-sample-meanintegerthe average amount of time in nano-seconds it took to process a data based on total-elapsed-time-sample-count
19ingest_time_utcstringTime in UTC at which this log is ingested
20logtypestringValue to identify type of metric –> dsg_metrics_usage_rule

A sample is provided here:

{"metric_type":"Rule","version":0,"rule_type":"Extract","codec":"Set User Identity","cnt":1,"logtype":"Application","origin":{"time_utc":"2023-04-13T12:28:18Z"},"previous_timestamp":"2023-04-13T12:28:08Z","broken":false,"domain_name_rewrite":false,"rule_id":"140361553016464","rule_checksum":"932129179","parent_checksum":"3504922421","calls":1,"previous_calls":1,"total_calls":3,"profile_reference_count":0,"previous_profile_reference_count":0,"total_profile_reference_count":0,"bytes_processed":1,"previous_bytes_processed":1,"total_bytes_processed":3,"elapsed_time_sample_count":1,"elapsed_time_sample_average":406842.0,"total_elapsed_time_sample_count":3,"total_elapsed_time_sample_average":451163.6666666667}

DSG error metrics

The table in this section lists the details for the various parameters generated for the DSG Error Metrics. The DSG Error Metrics logs are stored in the pty_insight_analytics_dsg_error_metrics_9.2 index file. The index pattern for viewing these logs in Discover is pty_insight_analytics_dsg_error_metrics_*. The following parameters are configured for the index rollover:

  • Index age: 1 day
  • Document count: 3,500,000
  • Index size: 1 GB

This index stores the following fields.

* -The origin_time_utc and logtype parameters will only be displayed on the Audit Store Dashboards.

For more information about the error metric logs, refer to the Protegrity Data Security Gateway User Guide 3.2.0.0.

Scheduled tasks are available for deleting this index. You can configure and enable the scheduled task to free up the space used by old index files that you do not require.

For more information about scheduled tasks, refer here.

Miscellaneous index

The logs that are not added to the other indexes are captured and stored in the miscellaneous index. The index pattern for viewing these logs in Discover is pty_insight_analytics_miscellaneous_*.

This index should not contain any logs. If any logs are visible in this index, then kindly contact Protegrity support.

The following parameters are configured for the index rollover:

  • Index age: 7 days
  • Document count: 3,500,000
  • Index size: 200 mb

Use the following query in Discover to view these logs.

logtype:miscellaneous;

Scheduled tasks are available for deleting this index. You can configure and enable the scheduled task to free up the space used by old index files that you do not require.

For more information about scheduled tasks, refer here.

6 - Log return codes

The log codes and the descriptions help you understand the reason for the code and is useful during troubleshooting.
Return CodeDescription
0Error code for no logging
1The username could not be found in the policy
2The data element could not be found in the policy
3The user does not have the appropriate permissions to perform the requested operation
4Tweak is null
5Integrity check failed
6Data protect operation was successful
7Data protect operation failed
8Data unprotect operation was successful
9Data unprotect operation failed
10The user has appropriate permissions to perform the requested operation but no data has been protected/unprotected
11Data unprotect operation was successful with use of an inactive keyid
12Input is null or not within allowed limits
13Internal error occurring in a function call after the provider has been opened
14Failed to load data encryption key
15Tweak input is too long
16The user does not have the appropriate permissions to perform the unprotect operation
17Failed to initialize the PEP: this is a fatal error
19Unsupported tweak action for the specified fpe data element
20Failed to allocate memory
21Input or output buffer is too small
22Data is too short to be protected/unprotected
23Data is too long to be protected/unprotected
24The user does not have the appropriate permissions to perform the protect operation
25Username too long
26Unsupported algorithm or unsupported action for the specific data element
27Application has been authorized
28Application has not been authorized
29The user does not have the appropriate permissions to perform the reprotect operation
30Not used
31Policy not available
32Delete operation was successful
33Delete operation failed
34Create operation was successful
35Create operation failed
36Manage protection operation was successful
37Manage protection operation failed
38Not used
39Not used
40No valid license or current date is beyond the license expiration date
41The use of the protection method is restricted by license
42Invalid license or time is before license start
43Not used
44The content of the input data is not valid
45Not used
46Used for z/OS query default data element when policy name is not found
47Access key security groups not found
48Not used
49Unsupported input encoding for the specific data element
50Data reprotect operation was successful
51Failed to send logs, connection refused
52Return code used by bulkhandling in pepproviderauditor

7 - Protectors security log codes

The log codes and the descriptions for all protectors. This log information helps analyze the results of the protection operations.

The security logging level can be configured when a data security policy is created in the Policy management in ESA. If logging level is set to audit successful and audit failed, then both successful and failed Unprotect/Protect/Reprotect/Delete operations will be logged.

You can define the server where these security audit logs will be sent to. You can do that by modifying the Log Server configuration section in pepserver.cfg file.

If you configure to send protector security logs to ESA, you will be able view them in Discover, by logging into the ESA and navigating to Audit Store > Dashboard > Open in new tab, select Discover from the menu, and select a time period such as Last 30 days. The following table displays the logs sent by protectors.

Log CodeSeverityDescriptionError MessageDB / AP OperationsMSSQLTeradataOracleDB2XC API DefinitionsRecovery Actions
0SInternal ID when audit record should not be generated.------XC_LOG_NONENo action is required.
1WThe username could not be found in the policy in shared memory.No such userURPD101H01 or U00012010138821XC_LOG_USER_NOT_FOUNDVerify that the user that calls a PTY function is in the policy. Ensure that your policy is synchronized across all Teradata nodes. Make sure that the ESA connectivity information is correct in the pepserver.cfg file.
2WThe data element could not be found in the policy in shared memory.No such data elementURPD2U00022010238822XC_LOG_DATA_ELEMENT_NOT_FOUNDVerify that you are calling a PTY function with data element that exists in the policy.
3WThe data element was found, but the user does not have the appropriate permissions to perform the requested operation.Permission deniedURPD301H03 or U00032010338823XC_LOG_PERMISSION_DENIEDVerify that you are calling a PTY function with a user having access permissions to perform this operation according to the policy.
4ETweak is null.Tweak nullURPD401H04 or U00042010438824XC_LOG_TWEAK_NULLEnsure that the tweak is not a null value.
5WThe data integrity check failed when decrypting using a Data Element with CRC enabled.Integrity check failedU—5U00052010538825XC_LOG_INTEGRITY_CHECK_FAILEDCheck that you use the correct data element to decrypt. Check that your data was not corrupted, restore data from the backup.
6SThe data element was found, and the user has the appropriate permissions for the operation. Data protection was successful.-RP-6U00062010638826XC_LOG_PROTECT_SUCCESSNo action is required.
7WThe data element was found, and the user has the appropriate permissions for the operation. Data protection was NOT successful.-RP-7U00072010738827XC_LOG_PROTECT_FAILEDFailed to create Key ID crypto context. Verify that your data is not corrupted and you use valid combination of input data and data element to encrypt.
8SThe data element was found, and the user has the appropriate permissions for the operation. Data unprotect operation was successful. If mask was applied to the DE, then the appropriate record is added to the audit log description.U—8U00082010838828XC_LOG_UNPROTECT_SUCCESSNo action is required.
9WThe data element was found, and the user has the appropriate permissions for the operation. Data unprotect operation was NOT successful.U—9U00092010938829XC_LOG_UNPROTECT_FAILEDFailure to decrypt data with Key ID by data element without Key ID. Verify that your data is not corrupted and you use valid combination of input data and data element to decrypt.
10SPolicy check OK. The data element was found, and the user has the appropriate permissions for the operation. NO protection operation is done.—D10U00102011038830XC_LOG_OK_ACCESSNo action is required. Successful DELETE operation was performed.
11WThe data element was found, and the user has the appropriate permissions for the operation. Data unprotect operation was successful with use of an inactive key ID.U—11U00112011138831XC_LOG_INACTIVE_KEYID_USEDNo action is required. Successful UNPROTECT operation was performed.
12EInput parameters are either NULL or not within allowed limits.URPD12U00122011238832XC_LOG_INVALID_PARAMVerify the input parameters are correct.
13EInternal error occurring in a function call after the PEP Provider has been opened. For instance: - failed to get mutex/semaphore, - unexpected null parameter in internal (private) functions, - uninitialized provider, etc.URPD13U00132011338833XC_LOG_INTERNAL_ERRORRestart PEP Server and re-deploy the policy.
14WA key for a data element could not be loaded from shared memory into the crypto engine.Failed to load data encryption key - Cache is full, or Failed to load data encryption key - No such key, or Failed to load data encryption key - Internal error.URP-14U00142011438834XC_LOG_LOAD_KEY_FAILEDIf return message is ‘Cache is full’, then logoff and logon again, clear the session and cache. For all other return messages restart PEP Server and re-deploy the policy.
15 Tweak input is too long.        
16 The user does not have the appropriate permissions to perform the unprotect operation.        
17EA fatal error was encountered when initializing the PEP.URPD17U00172011738837XC_LOG_INIT_FAILEDRe-install the protector, re-deploy policy.
19 Unsupported tweak action for the specified fpe data element.        
20EFailed to allocate memory. URPD20U00202012038840XC_LOG_OUT_OF_MEMORYCheck what uses the memory on the server.
21WSupplied input or output buffer is too small.Buffer too smallURPD21U00212012138841XC_LOG_BUFFER_TOO_SMALLToken specific error about supplied buffers. Data expands too much, using non-length preserving Token element. Check return message for specific error, and verify you use correct combination of data type (encoding), and token element. Verify supported data types according to Protegrity Protection Methods Reference 7.2.1.
22WData is too short to be protected or unprotected. E.g. Too few characters were provided when tokenizing with a length-preserving token element.Input too shortURPD22U00222012238842XC_LOG_INPUT_TOO_SHORTProvide the longer input data.
23WData is too long to be protected or unprotected. E.g. Too many characters were provided.Input too longURPD23U00232012338843XC_LOG_INPUT_TOO_LONGProvide the shorter input data.
24 The user does not have the appropriate permissions to perform the protect operation.        
25WUnauthorized Username too long.Username too long.UPRD-U0025-- Run query by user with Username up to 255 characters long.
26EUnsupported algorithm or unsupported action for the specific data element or unsupported policy version. For example, unprotect using HMAC data element.URPD26U00262012638846XC_LOG_UNSUPPORTEDCheck the data elements used for the crypto operation. Note that HMAC data elements cannot be used for decrypt and re-encrypt operations.
27 Application has been authorized.        
28 Application has not been authorized.        
29 The JSON type is not serializable.        
30WFailed to save audit record in shared memory.Failed to save audit recordURPD30U00302013038850XC_LOG_AUDITING_FAILEDCheck if PEP Server is started.
31EThe policy shared memory is empty.Policy not availableURPD31U00312013138851XC_LOG_EMPTY_POLICYNo policy is deployed on PEP Server.
32 Delete operation was successful.        
33 Delete operation failed.        
34 Create operation was successful.        
35 Create operation failed.        
36 Manage protection operation was successful.        
37 Manage protection operation failed.        
39EThe policy in shared memory is locked. This is the result of a disk full alert.Policy lockedURPD39U00392013938859XC_LOG_POLICY_LOCKEDFix the disk space and restart the PEP Server.
40ENo valid license or current date is beyond the license expiration date.License expired-RP-40U00402014038860XC_LOG_LICENSE_EXPIREDESA System Administrator should request and obtain a new license. Re-deploy policy with renewed license.
41EThe use of the protection method is restricted by the license.Protection method restricted by license.URPD41U00412014138861XC_LOG_METHOD_RESTRICTEDPerform the protection operation with the protection method that is not restricted by the license. Request license with desired protection method enabled.
42EInvalid license or time is before license start time.License is invalid.URPD42U00422014238862XC_LOG_LICENSE_INVALIDESA System Administrator should request and obtain a new license. Re-deploy policy with renewed license.
44WContent of the input data to protect is not valid (e.g. for Tokenization). E.g. Input is alphabetic when it is supposed to be numeric.Invalid format-RP-44U00442014438864XC_LOG_INVALID_FORMATVerify the input data is of the supported alphabet for specified type of token element.
46EUsed for z/OS Query Default Data element when policy name is not found.No policy. Cannot Continue. 46n/an/an/aXC_LOG_INVALID_POLICYSpecify the valid policy. Policy name is case sensitive.
47 Access Key security groups not found.        
48 Rule Set not found.        
49 Unsupported input encoding for the specific data element.        
50SThe data element was found, and the user has the appropriate permissions for the operation. The data Reprotect operation is successful.-R-n/an/an/an/a No action is required. Successful REPROTECT operation was performed.
51 Failed to send logs, connection refused!        

8 - Policy audit codes

The following table explains the policy audit codes generated for policy-related operations. These logs are sent to ESA, and can be viewed in Discover, by logging into the ESA and navigating to Audit Store > Dashboard > Open in new tab, select Discover from the menu, and select a time period such as Last 30 days.
Log CodeLog DescriptionDescription of the event
50Policy createdGenerated when a new policy was created in Policy management in ESA.
51Policy updatedGenerated when a new policy was updated in Policy management in ESA.
52Policy deletedGenerated when an existing policy was deleted from Policy management in ESA.
56Policy role createdGenerated when a new policy role was created in Policy management in ESA.
71Policy deployedGenerated when a policy was sent for deployment to a PEP Server.
75Policy data store addedGenerated when a new data store was added to a policy.
76Policy changed stateGenerated when a policy has changed its state to Ready to Deploy, or Deployed.
78Key createdGenerated when new key was created for the Data Element.
80Policy deploy failedGenerated when a policy failed to be deployed.
83Token deploy failedGenerated when the token failed to be deployed.
84Token deployed successfullyGenerated when the token deployed successfully.
85Data Element Key(s) exportedGenerated when export keys API executes successfully. Lists each Data Element that was successfully exported.
86Policy deploy warningGenerated when the Policy deploy operation fails.
100Password changedGenerated when the password of the admin user was changed.
101Data store createdGenerated when a new data store was created.
102Data store updatedGenerated when a new data store was updated.
103Data store deletedGenerated when a data store was deleted.
107Mask createdGenerated when a new mask was created.
108Mask deletedGenerated when any mask was deleted.
109Security coordinate deletedGenerated when an existing security coordinate was deleted.
110Security coordinate createdGenerated when a new security coordinate is created.
111Role createdGenerated when a new role is created in Policy management in ESA.
112Role deletedGenerated when any role was deleted from Policy management in ESA.
113Member source createdGenerated when a new external source is created in Policy management in ESA.
114Member source updatedGenerated when a new member source is updated in Policy management in ESA.
115Member source deletedGenerated when any external source was deleted from Policy management in ESA.
116All roles resolvedGenerated when the members in the automatic roles are synchronized.
117Role resolvedGenerated when it has fetched all members from a certain role into the policy.
118Role group member resolvedGenerated when it has fetched all group members from a role into the policy.
119Trusted application createdGenerated when a new trusted application is created in Policy management in ESA.
120Trusted application deletedGenerated when a new trusted application is deleted in Policy management in ESA.
121Trusted application updatedGenerated when a new trusted application is updated in Policy management in ESA.
126Mask updatedGenerated when a mask is updated in Policy management in ESA.
127Role updatedGenerated when a role is updated in Policy management in ESA.
129Node registeredGenerated when a node is registered with ESA.
130Node updatedGenerated when a node is updated.
131Node unregisteredGenerated when a node is not registered with ESA.
140Disk full alertGenerated when the disk is full.
141Disk full warningGenerated to warn the IT administrator that the disk is almost full.
144Login successGenerated when Security Officer logs into Policy management in ESA.
145Login failedGenerated when Security Officer failed to log into Policy management in ESA.
146Logout successGenerated when Security Officer logs out from Policy management in ESA.
149Data element key updatedGenerated when a data element with a key is updated in Policy management in ESA.
150Data element key createdGenerated when a new data element with a key is created in Policy management in ESA.
151Data element key deletedGenerated when a data element (and its key) was deleted from Policy management in ESA.
152Too many keys createdGenerated when the number of data element key IDs has reached its maximum.
153License expire warningGenerated once per day and upon HubController restart when less than 30 days are left before license expiration.
154License has expiredGenerated when the license becomes expired.
155License is invalidGenerated when the license becomes invalid.
156Policy is compromisedGenerated when integrity of pepserver.db has been compromised.
157Failed to import some usersGenerated when users having names longer than 255 characters were not fetched from an external source.
158Policy successfully importedGenerated when the policy is successfully retrieved from the pepserver.imp file (configured in pepserver.cfg), imported and decrypted.
159Failed to import policyGenerated when the policy fails to be imported from the pepserver.imp file (configured in pepserver.cfg).
170Data store key exportedGenerated when the Data store key is exported.
171Key updatedGenerated when the key rotation is successful.
172Key deletedGenerated when the key is deleted.
173Datastore key has expiredGenerated when the Data store key expires.
174Datastore key expire warningGenerated when the Data store key is about to expire.
176Datastore key rotatedGenerated when the Data store key is rotated.
177Master key has expiredGenerated when the Master key expires.
178Master key expire warningGenerated when the Master key is about to expire.
179Master key rotatedGenerated when the Master key is rotated.
180New HSM ConfiguredGenerated when a new HSM configuration is created.
181Repository key has expired.Generated when the Repository Key has expired.
182Repository key expiry warning.Generated when the Repository Key is on the verge of expiry. The warning message mentions the number of days left for the Repository Key expiry.
183Repository key rotated.Generated when the Repository Key has been rotated.
184Metering createdGenerated when metering data is created.
185Metering updatedGenerated when metering data is updated.
186Metering deletedGenerated when metering data is deleted.
187Integrity createdGenerated when an integrity check is created.
188Integrity updatedGenerated when the integrity check is updated.
189Integrity deletedGenerated when an integrity check is deleted.
195Signing key has expiredGenerated when the signing key has expired.
196Signing key expire warningGenerated for the signing key expiry warning.
197Signing key rotatedGenerated when the signing key is rotated.
198Signing key exportedGenerated when the signing key is exported.
199Case sensitive data element createdGenerated when a case sensitive data element is created.
210Data Element key has expiredGenerated when the data element key has expired.
211Data Element key expire warningGenerated for the data element key expiry warning.
212Conflicting policy users foundGenerated when conflicting policy users are found.
220Data Element deprecatedGenerated when the data element is deprecated.

9 - Additional log information

The descriptions for the details diaplayed in logs helps identify the type and reason for raising the log entry.

These are values for understanding the values that are displayed in the log records.

Log levels

Most events on the system generate logs. The level of the log helps you understand whether the log is just an information message or denotes some issue with the system. The log message and the log level allows you to understand more about the working of the system and also helps you identify and troubleshoot any system issues.

Protection logs: These logs are generated for Unprotect, Reprotect, and Protect (URP) operations.

  • SUCCESS: This log is generated for a successful URP operation.
  • WARNING: This log is generated if a user does not have access and the operation is unprotect.
  • EXCEPTION: This log is generated if a user does not have access, the operation is unprotect, and the return exception property is set.
  • ERROR: This log is generated for all other issues.

Application logs: These logs are generated by the application. The log level denotes the severity level of the log, however, levels 1 and 6 are used for the log configuration.

  • 1: OFF. This level is used to turn logging off.
  • 2: SEVERE. This level indicates a serious failure that prevents normal program execution.
  • 3: WARNING. This level indicates a potential problem or an issue with the system.
  • 4: INFO. This level is used to display information messages about the application.
  • 5: CONFIG. This level is used to display static configuration information that is useful during debugging.
  • 6: ALL. This level is used to log all messages.

Policy logs: These logs are used for the policy logs.

  • LOWEST
  • LOW
  • NORMAL
  • HIGH
  • CRITICAL
  • N/A

Protector information

The information displayed in the Protector-related fields of the audit log are listed in the table.

protector.familyprotector.vendorprotector.version
DATA SECURITY GATEWAY
gwpDSG3.3.0.0.x
APPLICATION PROTECTORS
sdkC9.1.0.0.x
sdkJava10.0.0+x, 9.1.0.0.x
sdkPython9.1.0.0.x
sdkGo9.1.0.0.x
sdkNodeJS9.1.0.0.x
sdkDotNet9.1.0.0.x
TRUSTED APPLICATION LOGS IN APPLICATION PROTECTORS
<process.name>C9.1.0.0.x
<process.name>Java9.1.0.0.x
<process.name>Python9.1.0.0.x
<process.name>Go9.1.0.0.x
<process.name>NodeJS9.1.0.0.x
<process.name>DotNet9.1.0.0.x
DATABASE PROTECTOR
dbpSqlServer9.1.0.0.x
dbpOracle9.1.0.0.x
dbpDb29.1.0.0.x
dwpTeradata10.0.0+x, 9.1.0.0.x
dwpExadata9.1.0.0.x
BIG DATA PROTECTOR
bdpImpala9.2.0.0.x, 9.1.0.0.x
bdpMapreduce9.2.0.0.x, 9.1.0.0.x
bdpPig9.2.0.0.x, 9.1.0.0.x
bdpHBase9.2.0.0.x, 9.1.0.0.x
bdpHive9.2.0.0.x, 9.1.0.0.x
bdpSpark9.2.0.0.x, 9.1.0.0.x
bdpSparkSQL9.2.0.0.x, 9.1.0.0.x

Protectors having CORE version 1.2.2+42.g01eb3.1.2 and higher are compatible with ESA v10.0.0. For more version-related information, refer to the Product Compatibility on My.Protegrity. The protector family might display the process.name for some protectors. This will be fixed in a later release.

Modules and components and the log type

Some of the components and modules and the logtype that they generate are provided in the following table.

Module / ComponentProtectionPolicyApplicationAuditKernelSystemVerification
as_image_management.pyc
as_memory_management.pyc
asmanagement.pyc
buffer_watch.pyc
devops
DSGPAP
ESAPAP
fluentbit
hubcontroller
imps
insight.pyc
insight_cron_executor.pyc
insight_cron_job_method_executor.pyc
kmgw_external
kmgw_internal
logfacade
membersource
meteringfacade
PIM_Cluster
Protegrity PEP Server
TRIGGERING_AGENT_policy_deploy.pyc

For more information and description about the components that can generate kernel logs, refer here.

Kernel logs

This section lists the various kernel logs that are generated.

Note: This list is compiled using information from https://pmhahn.github.io/audit/.

User and group account management:

  • ADD_USER: A user-space user account is added.
  • USER_MGMT: The user-space management data.
  • USER_CHAUTHTOK: A user account attribute is modified.
  • DEL_USER: A user-space user is deleted.
  • ADD_GROUP: A user-space group is added.
  • GRP_MGMT: The user-space group management data.
  • GRP_CHAUTHTOK: A group account attribute is modified.
  • DEL_GROUP: A user-space group is deleted.

User login live cycle events:

  • CRYPTO_KEY_USER: The cryptographic key identifier used for cryptographic purposes.
  • CRYPTO_SESSION: The parameters set during a TLS session establishment.
  • USER_AUTH: A user-space authentication attempt is detected.
  • LOGIN: The user log in to access the system.
  • USER_CMD: A user-space shell command is executed.
  • GRP_AUTH: The group password is used to authenticate against a user-space group.
  • CHUSER_ID: A user-space user ID is changed.
  • CHGRP_ID: A user-space group ID is changed.
  • Pluggable Authentication Modules (PAM) Authentication:
    • USER_LOGIN: A user logs in.
    • USER_LOGOUT: A user logs out.
  • PAM account:
    • USER_ERR: A user account state error is detected.
    • USER_ACCT: A user-space user account is modified.
    • ACCT_LOCK: A user-space user account is locked by the administrator.
    • ACCT_UNLOCK: A user-space user account is unlocked by the administrator.
  • PAM session:
    • USER_START: A user-space session is started.
    • USER_END: A user-space session is terminated.
  • Credentials:
    • CRED_ACQ: A user acquires user-space credentials.
    • CRED_REFR: A user refreshes their user-space credentials.
    • CRED_DISP: A user disposes of user-space credentials.

Linux Security Model events:

  • DAC_CHECK: The record discretionary access control (DAC) check results.
  • MAC_CHECK: The user space Mandatory Access Control (MAC) decision is made.
  • USER_AVC: A user-space AVC message is generated.
  • USER_MAC_CONFIG_CHANGE:
  • SELinux Mandatory Access Control:
    • AVC_PATH: dentry and vfsmount pair when an SELinux permission check.
    • AVC: SELinux permission check.
    • FS_RELABEL: file system relabel operation is detected.
    • LABEL_LEVEL_CHANGE: object’s level label is modified.
    • LABEL_OVERRIDE: administrator overrides an object’s level label.
    • MAC_CONFIG_CHANGE: SELinux Boolean value is changed.
    • MAC_STATUS: SELinux mode (enforcing, permissive, off) is changed.
    • MAC_POLICY_LOAD: SELinux policy file is loaded.
    • ROLE_ASSIGN: administrator assigns a user to an SELinux role.
    • ROLE_MODIFY: administrator modifies an SELinux role.
    • ROLE_REMOVE: administrator removes a user from an SELinux role.
    • SELINUX_ERR: internal SELinux error is detected.
    • USER_LABELED_EXPORT: object is exported with an SELinux label.
    • USER_MAC_POLICY_LOAD: user-space daemon loads an SELinux policy.
    • USER_ROLE_CHANGE: user’s SELinux role is changed.
    • USER_SELINUX_ERR: user-space SELinux error is detected.
    • USER_UNLABELED_EXPORT: object is exported without SELinux label.
    • AppArmor Mandatory Access Control:
      • APPARMOR_ALLOWED
      • APPARMOR_AUDIT
      • APPARMOR_DENIED
      • APPARMOR_ERROR
      • APPARMOR_HINT
      • APPARMOR_STATUS APPARMOR

Audit framework events:

  • KERNEL: Record the initialization of the Audit system.
  • CONFIG_CHANGE: The Audit system configuration is modified.
  • DAEMON_ABORT: An Audit daemon is stopped due to an error.
  • DAEMON_ACCEPT: The auditd daemon accepts a remote connection.
  • DAEMON_CLOSE: The auditd daemon closes a remote connection.
  • DAEMON_CONFIG: An Audit daemon configuration change is detected.
  • DAEMON_END: The Audit daemon is successfully stopped.
  • DAEMON_ERR: An auditd daemon internal error is detected.
  • DAEMON_RESUME: The auditd daemon resumes logging.
  • DAEMON_ROTATE: The auditd daemon rotates the Audit log files.
  • DAEMON_START: The auditd daemon is started.
  • FEATURE_CHANGE: An Audit feature changed value.

Networking related:

  • IPSec:
    • MAC_IPSEC_ADDSA
    • MAC_IPSEC_ADDSPD
    • MAC_IPSEC_DELSA
    • MAC_IPSEC_DELSPD
    • MAC_IPSEC_EVENT: The IPSec event, when one is detected, or when the IPSec configuration changes.
  • NetLabel:
    • MAC_CALIPSO_ADD: The NetLabel CALIPSO DoI entry is added.
    • MAC_CALIPSO_DEL: The NetLabel CALIPSO DoI entry is deleted.
    • MAC_MAP_ADD: A new Linux Security Module (LSM) domain mapping is added.
    • MAC_MAP_DEL: An existing LSM domain mapping is added.
    • MAC_UNLBL_ALLOW: An unlabeled traffic is allowed.
    • MAC_UNLBL_STCADD: A static label is added.
    • MAC_UNLBL_STCDEL: A static label is deleted.
  • Message Queue:
    • MQ_GETSETATTR: The mq_getattr and mq_setattr message queue attributes.
    • MQ_NOTIFY: The arguments of the mq_notify system call.
    • MQ_OPEN: The arguments of the mq_open system call.
    • MQ_SENDRECV: The arguments of the mq_send and mq_receive system calls.
  • Netfilter firewall:
    • NETFILTER_CFG: The Netfilter chain modifications are detected.
    • NETFILTER_PKT: The packets traversing Netfilter chains.
  • Commercial Internet Protocol Security Option:
    • MAC_CIPSOV4_ADD: A user adds a new Domain of Interpretation (DoI).
    • MAC_CIPSOV4_DEL: A user deletes an existing DoI.

Linux Cryptography:

  • CRYPTO_FAILURE_USER: A decrypt, encrypt, or randomize cryptographic operation fails.
  • CRYPTO_IKE_SA: The Internet Key Exchange Security Association is established.
  • CRYPTO_IPSEC_SA: The Internet Protocol Security Association is established.
  • CRYPTO_LOGIN: A cryptographic officer login attempt is detected.
  • CRYPTO_LOGOUT: A cryptographic officer logout attempt is detected.
  • CRYPTO_PARAM_CHANGE_USER: A change in a cryptographic parameter is detected.
  • CRYPTO_REPLAY_USER: A replay attack is detected.
  • CRYPTO_TEST_USER: The cryptographic test results as required by the FIPS-140 standard.

Process:

  • BPRM_FCAPS: A user executes a program with a file system capability.
  • CAPSET: Any changes in process-based capabilities.
  • CWD: The current working directory.
  • EXECVE; The arguments of the execve system call.
  • OBJ_PID: The information about a process to which a signal is sent.
  • PATH: The file name path information.
  • PROCTITLE: The full command-line of the command that was used to invoke the analyzed process.
  • SECCOMP: A Secure Computing event is detected.
  • SYSCALL: A system call to the kernel.

Special system calls:

  • FD_PAIR: The use of the pipe and socketpair system calls.
  • IPC_SET_PERM: The information about new values set by an IPC_SET control operation on an Inter-Process Communication (IPC) object.
  • IPC: The information about a IPC object referenced by a system call.
  • MMAP: The file descriptor and flags of the mmap system call.
  • SOCKADDR: Record a socket address.
  • SOCKETCALL: Record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).

Systemd:

  • SERVICE_START: A service is started.
  • SERVICE_STOP: A service is stopped.
  • SYSTEM_BOOT: The system is booted up.
  • SYSTEM_RUNLEVEL: The system’s run level is changed.
  • SYSTEM_SHUTDOWN: The system is shut down.

Virtual Machines and Container:

  • VIRT_CONTROL: The virtual machine is started, paused, or stopped.
  • VIRT_MACHINE_ID: The binding of a label to a virtual machine.
  • VIRT_RESOURCE: The resource assignment of a virtual machine.

Device management:

  • DEV_ALLOC: A device is allocated.
  • DEV_DEALLOC: A device is deallocated.

Trusted Computing Integrity Measurement Architecture:

  • INTEGRITY_DATA: The data integrity verification event run by the kernel.
  • INTEGRITY_EVM_XATTR: The EVM-covered extended attribute is modified.
  • INTEGRITY_HASH: The hash type integrity verification event run by the kernel.
  • INTEGRITY_METADATA: The metadata integrity verification event run by the kernel.
  • INTEGRITY_PCR: The Platform Configuration Register (PCR) invalidation messages.
  • INTEGRITY_RULE: A policy rule.
  • INTEGRITY_STATUS: The status of integrity verification.

Intrusion Prevention System:

  • Anomaly detected:
    • ANOM_ABEND
    • ANOM_ACCESS_FS
    • ANOM_ADD_ACCT
    • ANOM_AMTU_FAIL
    • ANOM_CRYPTO_FAIL
    • ANOM_DEL_ACCT
    • ANOM_EXEC
    • ANOM_LINK
    • ANOM_LOGIN_ACCT
    • ANOM_LOGIN_FAILURES
    • ANOM_LOGIN_LOCATION
    • ANOM_LOGIN_SESSIONS
    • ANOM_LOGIN_TIME
    • ANOM_MAX_DAC
    • ANOM_MAX_MAC
    • ANOM_MK_EXEC
    • ANOM_MOD_ACCT
    • ANOM_PROMISCUOUS
    • ANOM_RBAC_FAIL
    • ANOM_RBAC_INTEGRITY_FAIL
    • ANOM_ROOT_TRANS
  • Responses:
    • RESP_ACCT_LOCK_TIMED
    • RESP_ACCT_LOCK
    • RESP_ACCT_REMOTE
    • RESP_ACCT_UNLOCK_TIMED
    • RESP_ALERT
    • RESP_ANOMALY
    • RESP_EXEC
    • RESP_HALT
    • RESP_KILL_PROC
    • RESP_SEBOOL
    • RESP_SINGLE
    • RESP_TERM_ACCESS
    • RESP_TERM_LOCK

Miscellaneous:

  • ALL: Matches all types.
  • KERNEL_OTHER: The record information from third-party kernel modules.
  • EOE: An end of a multi-record event.
  • TEST: The success value of a test message.
  • TRUSTED_APP: The record of this type can be used by third-party application that require auditing.
  • TTY: The TTY input that was sent to an administrative process.
  • USER_TTY: An explanatory message about TTY input to an administrative process that is sent from the user-space.
  • USER: The user details.
  • USYS_CONFIG: A user-space system configuration change is detected.
  • TIME_ADJNTPVAL: The system clock is modified.
  • TIME_INJOFFSET: A Timekeeping offset is injected to the system clock.