Understanding the index field values

This section lists information about the various fields logged for the Protection, Policy, Application, Audit, Kernel, Security, and Verification logs. It helps you understand the information that is contained in the logs and is useful for troubleshooting the system.

Common Logging Information

These logging fields are common with the different log types generated by Protegrity products.

Note: These common fields are used across all log types.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| cnt | Integer | The aggregated count for a specific log. | Protector | 5 |
| logtype | String | The type of log. For example, Protection, Policy, Application, Audit, Kernel, System, or Verification. For more examples about the log types, refer here. | Protector | Protection |
| level | String | The level of severity. For example, SUCCESS, WARNING, ERROR, or INFO. These are the results of the logging operation. For more information about the log levels, refer here. | Protector | SUCCESS |
| starttime | Date | This is an unused field. | Protector | |
| endtime | Date | This is an unused field. | Protector | |
| index_time_utc | Date | The time the Log Forwarder processed the logs. | Audit Store | Sep 8, 2024 @ 12:55:24.733 |
| ingest_time_utc | Date | The time the log was inserted into the Audit Store. | Log Forwarder | Sep 8, 2024 @ 12:56:22.027 |
| uri | String | The URI for the log. This is an unused field. | | |
| correlationid | String | A unique ID that is generated when the policy is deployed. | Hubcontroller | clo5nyx470bi59p22fdrsr7k3 |
| filetype | String | The file type, such as a regular file, directory, or device, when operations are performed on the file. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector. | File Protector | ISDIR |
| index_node | String | The index node that ingested the log. | Audit Store | protegrity-esa746/192.168.2.20 |
| operation | String | This is an unused field. | | |
| path | String | This field is provided for Protector-related data. | File Protector | /hmount/source_dir/postmark_dir/postmark/1 |
| system_nano_time | Long | The time in nanoseconds for the Signature Verification job. | Signature Verification | 255073580723571 |
| tiebreaker | Long | An internal field that is used together with the index time to make a record unique across nodes for sorting. | Protector, Signature Verification | 2590230 |
| _id | String | The entry ID for the record stored in the Audit Store. | Log Forwarder, td-agent | NDgyNzAwMDItZDI5Yi00NjU1LWJhN2UtNzJhNWRkOWYwOGY3 |
| _index | String | The index name of the Audit Store where the log is stored. | Log Forwarder, td-agent | pty_insight_analytics_audits_10.0-2024.08.30-000001 |

Additional_Info

These descriptions are used for all types of logs.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| description | String | Description of the log generated. | All modules | Data protect operation was successful, Executing attempt_rollover for , and so on. |
| module | String | The module that generated the log. | All modules | .signature.job_runner |
| procedure | String | The method in the module that generated the log. | All modules | create_job |
| title | String | The title for the audit log. | DSG | DSG’s Rule Name INFO : DSG Patch Installation - User has chosen to reboot system later., Cloud Gateway service restart, and so on. |

Process

This section describes the properties of the process that created the log. For example, the protector or the rputils.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| thread_id | String | The thread ID of the process that generated the log. | PEP Server | 3382487360 |
| id | String | The ID of the process that generated the log. | PEP Server | 41710 |
| user | String | The user that runs the program that generated the log. | All modules | service_admin |
| version | String | The version of the program or Protector that generated the log. | All modules | 1.2.2+49.g126b2.1.2 |
| platform | String | The platform on which the program that generated the log is running. | PEP Server | Linux_x64 |
| module | String | The module that generated the log. | ESA, Protector | rpstatus |
| name | String | The name of the process that generated the log. | All modules | Protegrity PEP Server |
| pcc_version | String | The core PCC version. | PEP Server | 3.4.0.20 |

Origin

This section describes the origin of the log, that is, where the log came from and when it was generated.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| time_utc | Date | The time, in Coordinated Universal Time (UTC), when the log was generated. | All modules | Sep 8, 2024 @ 12:56:29.000 |
| hostname | String | The hostname of the machine where the log was generated. | All modules | ip-192-16-1-20.protegrity.com |
| ip | IP | The IP address of the machine where the log was generated. | All modules | 192.168.1.20 |

Protector

This section describes the Protector that generated the log. For example, the vendor and the version of the Protector.

Note: For more information about the Protector vendor, family, and version, refer here.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| vendor | String | The vendor of the Protector that generated the log. This is specified by the Protector. | Protector | DSG |
| family | String | The Protector family of the Protector that generated the logs. This is specified by the Protector. For more information about the family, refer here. | Protector | gwp |
| version | String | The version of the Protector that generated the logs. This is specified by the Protector. | Protector | 1.2.2+49.g126b2.1.2 |
| core_version | String | The Core component version of the product. | Protector | 1.2.2+49.g126b2.1.2 |
| pcc_version | String | The PCC version. | Protector | 3.4.0.20 |

Protection

This section describes the protection operation: what was done, the result of the operation, where it was done, and so on.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| policy | String | The name of the policy. This is only used in File Protector. | Protector | aes1-rcwd |
| role | String | This field is not used and will be deprecated. | Protector | |
| datastore | String | The name of the datastore used for the security operation. | Protector | Testdatastore |
| audit_code | Integer | The return code for the operation. For more information about the return codes, refer here. | Protector | 6 |
| session_id | String | The identifier for the session. | Protector | |
| request_id | String | The ID of the request that generated the log. | Protector | |
| old_dataelement | String | The old data element value before the reprotect to a new data element. | Protector | AES128 |
| mask_setting | String | The mask setting used to protect data. | Protector | Mask Left:4 Mask Right:4 Mark Character: |
| dataelement | String | The data element used when protecting or unprotecting data. This is passed in by the Protector performing the operation. | Protector | PTY_DE_CCN |
| operation | String | The operation, for example Protect, Unprotect, or Reprotect. This is passed in by the Protector performing the operation. | Protector | Protect |
| policy_user | String | The policy user for which the operation is being performed. This is passed in by the Protector performing the operation. | Protector | exampleuser1 |
| devicepath | String | The path to the device. This is only used in File Protector. | Protector | /hmount/fuse_mount |
| filetype | String | The type of file that was protected or unprotected. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector. | Protector | ISREG |
| path | String | The path to the file protected or unprotected by the File Protector. This is only used in File Protector. | Protector | /testdata/src/ez/audit_log(13).csv |

Client

This section describes where the log came from.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| ip | String | The IP address of the client that generated the log. | DSG | 192.168.2.10 |
| username | String | The username that ran the Protector or Server on the client that created the log. | Hubcontroller | johndoe |

Policy

This section describes the information about the policy.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| audit_code | Integer | The policy audit code for the policy log. | PEP Server | 198 |
| policy_name | String | The policy name for the policy log. | PEP Server | AutomationPolicy |
| severity | String | The severity level for the policy log entry. | PEP Server | Low |
| username | String | The user who modified the policy. | PEP Server | johndoe |

Metering

This section describes the metering log information.

Note: These fields are applicable for Protectors up to v7.2.1. If you upgraded your ESA from v7.2.1 to v9.1.0.0 and migrated the metering audits, then these fields contain data.

Metering is not supported for Protectors v8.0.0.0 and above, and these fields will be blank.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| meteringmode | String | The mode for metering logs, such as delta or total. | PEP Server | total |
| origin | String | The IP address from which the metering data originated. | PEP Server | 192.168.0.10 |
| protection_count | Double | The number of protect operations metered. | PEP Server | 10 |
| reprotection_count | Double | The number of reprotect operations metered. | PEP Server | 5 |
| timestamp | Date | The UTC timestamp when the metering log entry was generated. | PEP Server | Sep 8, 2020 @ 12:56:29.000 |
| uid | String | The unique ID of the metering source that generated the log. | PEP Server | Q2XJPGHZZIYKBPDX5K0KEISIV9AX9V |
| unprotection_count | Double | The number of unprotect operations metered. | PEP Server | 10 |

Signature

This section describes the signing of the log: the key that was used to sign the log and the checksum that was generated.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| key_id | String | The key ID of the signing key that signed the log record. | Protector | cc93c930-2ba5-47e1-9341-56a8d67d55d4 |
| checksum | String | The checksum that was the result of signing the log. | Protector | 438FE13078719ACD4B8853AE215488ACF701ECDA2882A043791CDF99576DC0A0 |
| counter | Double | The chain-of-custody value. It helps maintain the integrity of the log data. | Protector | 50321 |

Verification

This section describes the log information generated for a failed signature verification job.

| Field | Data Type | Description | Source | Example |
|---|---|---|---|---|
| doc_id | String | The document ID of the audit log for which the signature verification failed. | Signature Verification | N2U2N2JkM2QtMDhmYy00OGJmLTkyOGYtNmRhYzhhMGExMTFh |
| index_name | String | The index name where the log signature verification failed. | Signature Verification | pty_insight_analytics_audits_10.0-2024.08.30-000001 |
| job_id | String | The job ID of the signature verification job. | Signature Verification | 1T2RaosBEEC_iPz-zPjl |
| job_name | String | The job name of the signature verification job. | Signature Verification | System Job |
| reason | String | The audit log specifying the reason for the signature verification failure. | Signature Verification | INVALID_CHECKSUM \| INVALID_KEY_ID \| NO_KEY_AND_DOC_UPDATED |
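As an added example (not part of the Protegrity documentation), the following Python shows how a defender can triage records exported from the Audit Store using the Signature and Verification fields above: it looks for gaps or repeats in the per-key `counter` chain-of-custody value and summarises failed verification jobs by index and `reason`. The sample records are constructed, and the nesting of fields under `signature` and `verification` objects is an assumption about the export layout.

```python
from collections import Counter, defaultdict


def _sig(key_id, counter):
    # Constructed record carrying only the Signature fields used here.
    return {"logtype": "Protection",
            "signature": {"key_id": key_id, "counter": counter, "checksum": "..."}}


def _ver(doc_id, index_name, reason):
    # Constructed record carrying only the Verification fields used here.
    return {"logtype": "Verification",
            "verification": {"doc_id": doc_id, "index_name": index_name,
                             "job_name": "System Job", "reason": reason}}


# Constructed sample export: key-A skips counter 3, key-B repeats counter 7.
RECORDS = [
    _sig("key-A", 1), _sig("key-A", 2), _sig("key-A", 4),
    _sig("key-B", 7), _sig("key-B", 7),
    _ver("doc1", "idx-1", "INVALID_CHECKSUM"),
    _ver("doc2", "idx-1", "INVALID_KEY_ID"),
    _ver("doc3", "idx-2", "INVALID_CHECKSUM"),
]


def counter_gaps(records):
    """Per signing key, return (key_id, previous, current) wherever the
    chain-of-custody counter does not advance by exactly one. A gap suggests
    a dropped or deleted record; a repeat suggests a duplicated one."""
    by_key = defaultdict(list)
    for rec in records:
        sig = rec.get("signature")
        if sig and "counter" in sig:
            by_key[sig["key_id"]].append(int(sig["counter"]))
    findings = []
    for key_id, counters in by_key.items():
        counters.sort()  # records may arrive out of order; order by counter
        for prev, cur in zip(counters, counters[1:]):
            if cur != prev + 1:
                findings.append((key_id, prev, cur))
    return findings


def failures_by_reason(records):
    """Count failed signature verification jobs by (index_name, reason)."""
    return Counter((rec["verification"]["index_name"], rec["verification"]["reason"])
                   for rec in records if rec.get("logtype") == "Verification")
```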