These logging fields are common to the different log types generated by Protegrity products.
Note: These common fields are used across all log types.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
cnt | Integer | The aggregated count for a specific log. | Protector | 5 |
logtype | String | The type of log. For example, Protection, Policy, Application, Audit, Kernel, System, or Verification. For more examples about the log types, refer here. | Protector | Protection |
level | String | The level of severity. For example, SUCCESS, WARNING, ERROR, or INFO. These are the results of the logging operation. For more information about the log levels, refer here. | Protector | SUCCESS |
starttime | Date | This is an unused field. | Protector | |
endtime | Date | This is an unused field. | Protector | |
index_time_utc | Date | The time the Log Forwarder processed the logs. | Audit Store | Sep 8, 2024 @ 12:55:24.733 |
ingest_time_utc | Date | The time the log was inserted into the Audit Store. | Log Forwarder | Sep 8, 2024 @ 12:56:22.027 |
uri | String | The URI for the log. This is an unused field. | | |
correlationid | String | A unique ID that is generated when the policy is deployed. | Hubcontroller | clo5nyx470bi59p22fdrsr7k3 |
filetype | String | This is the file type, such as regular file, directory, or device, when operations are performed on the file. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector. | File Protector | ISDIR |
index_node | String | The index node that ingested the log. | Audit Store | protegrity-esa746/192.168.2.20 |
operation | String | This is an unused field. | | |
path | String | This field is provided for Protector-related data. | File Protector | /hmount/source_dir/postmark_dir/postmark/1 |
system_nano_time | Long | This displays the time in nanoseconds for the Signature Verification job. | Signature Verification | 255073580723571 |
tiebreaker | Long | This is an internal field that is used with the index time to make a record unique across nodes for sorting. | Protector, Signature Verification | 2590230 |
_id | String | This is the entry id for the record stored in the Audit Store. | Log Forwarder, td-agent | NDgyNzAwMDItZDI5Yi00NjU1LWJhN2UtNzJhNWRkOWYwOGY3 |
_index | String | This is the index name of the Audit Store where the log is stored. | Log Forwarder, td-agent | pty_insight_analytics_audits_10.0-2024.08.30-000001 |
These descriptions are used for all types of logs.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
description | String | Description about the log generated. | All modules | Data protect operation was successful, Executing attempt_rollover for |
module | String | The module that generated the log. | All modules | .signature.job_runner |
procedure | String | The method in the module that generated the log. | All modules | create_job |
title | String | The title for the audit log. | DSG | DSG’s Rule Name INFO : DSG Patch Installation - User has chosen to reboot system later., Cloud Gateway service restart, and so on. |
This section describes the properties of the process that created the log. For example, the protector or the rputils.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
thread_id | String | The thread_id of the process that generated the log. | PEP Server | 3382487360 |
id | String | The id of the process that generated the log. | PEP Server | 41710 |
user | String | The user that runs the program that generated the log. | All modules | service_admin |
version | String | The version of the program or Protector that generated the log. | All modules | 1.2.2+49.g126b2.1.2 |
platform | String | The platform that the program that generated the log is running on. | PEP Server | Linux_x64 |
module | String | The module that generated the log. | ESA, Protector | rpstatus |
name | String | The name of the process that generated the log. | All modules | Protegrity PEP Server |
pcc_version | String | The core pcc version. | PEP Server | 3.4.0.20 |
This section describes the origin of the log, that is, where the log came from and when it was generated.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
time_utc | Date | The time in the Coordinated Universal Time (UTC) format when the log was generated. | All modules | Sep 8, 2024 @ 12:56:29.000 |
hostname | String | The hostname of the machine where the log was generated. | All modules | ip-192-16-1-20.protegrity.com |
ip | IP | The IP of the machine where the log was generated. | All modules | 192.168.1.20 |
This section describes the Protector that generated the log. For example, the vendor and the version of the Protector.
Note: For more information about the Protector vendor, family, and version, refer here.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
vendor | String | The vendor of the Protector that generated the log. This is specified by the Protector. | Protector | DSG |
family | String | The Protector family of the Protector that generated the logs. This is specified by the Protector. For more information about the family, refer here. | Protector | gwp |
version | String | The version of the Protector that generated the logs. This is specified by the Protector. | Protector | 1.2.2+49.g126b2.1.2 |
core_version | String | This is the Core component version of the product. | Protector | 1.2.2+49.g126b2.1.2 |
pcc_version | String | This is the PCC version. | Protector | 3.4.0.20 |
This section describes the protection that was done, what was done, the result of the operation, where it was done, and so on.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
policy | String | The name of the policy. This is only used in File Protector. | Protector | aes1-rcwd |
role | String | This field is not used and will be deprecated. | Protector | |
datastore | String | The name of the datastore used for the security operation. | Protector | Testdatastore |
audit_code | Integer | The return code for the operation. For more information about the return codes, refer here. | Protector | 6 |
session_id | String | The identifier for the session. | Protector | |
request_id | String | The ID of the request that generated the log. | Protector | |
old_dataelement | String | The old dataelement value before the reprotect to a new dataelement. | Protector | AES128 |
mask_setting | String | The mask setting used to protect data. | Protector | Mask Left:4 Mask Right:4 Mark Character: |
dataelement | String | The dataelement used when protecting or unprotecting data. This is passed by the Protector performing the operation. | Protector | PTY_DE_CCN |
operation | String | The operation, for example Protect, Unprotect, or Reprotect. This is passed in by the Protector performing the operation. | Protector | Protect |
policy_user | String | The policy user for which the operation is being performed. This is passed in by the Protector performing the operation. | Protector | exampleuser1 |
devicepath | String | The path to the device. This is only used in File Protector. | Protector | /hmount/fuse_mount |
filetype | String | The type of file that was protected or unprotected. This displays the value ISREG for files and ISDIR for directories. This is only used in File Protector. | Protector | ISREG |
path | String | The path to the file protected or unprotected by the File Protector. This is only used in File Protector. | Protector | /testdata/src/ez/audit_log(13).csv |
This section describes where the log came from.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
ip | String | The IP of the client that generated the log. | DSG | 192.168.2.10 |
username | String | The username that ran the Protector or Server on the client that created the log. | Hubcontroller | johndoe |
This section describes the information about the policy.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
audit_code | Integer | This is the policy audit code for the policy log. | PEP Server | 198 |
policy_name | String | This is the policy name for the policy log. | PEP Server | AutomationPolicy |
severity | String | This is the severity level for the policy log entry. | PEP Server | Low |
username | String | This is the user who modified the policy. | PEP Server | johndoe |
This section describes the metering log information.
Note: These fields are applicable for Protectors up to v7.2.1. If you upgraded your ESA from v7.2.1 to v9.1.0.0 and migrated the metering audits, then these fields contain data.
Metering is not supported for Protectors v8.0.0.0 and above, and these fields will be blank.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
meteringmode | String | This is the mode for metering logs, such as delta or total. | PEP Server | total |
origin | String | This is the IP from where metering data originated. | PEP Server | 192.168.0.10 |
protection_count | Double | This is the number of protect operations metered. | PEP Server | 10 |
reprotection_count | Double | This is the number of reprotect operations metered. | PEP Server | 5 |
timestamp | Date | This is the UTC timestamp when the metering log entry was generated. | PEP Server | Sep 8, 2020 @ 12:56:29.000 |
uid | String | This is the unique ID of the metering source that generated the log. | PEP Server | Q2XJPGHZZIYKBPDX5K0KEISIV9AX9V |
unprotection_count | Double | This is the number of unprotect operations metered. | PEP Server | 10 |
This section describes the signing of the log: the key that was used to sign the log and the checksum that was generated.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
key_id | String | The key ID of the signing key that signed the log record. | Protector | cc93c930-2ba5-47e1-9341-56a8d67d55d4 |
checksum | String | The checksum that was the result of signing the log. | Protector | 438FE13078719ACD4B8853AE215488ACF701ECDA2882A043791CDF99576DC0A0 |
counter | Double | This is the chain of custody value. It helps maintain the integrity of the log data. | Protector | 50321 |
This section describes the log information generated for a failed signature verification job.
Field | Data Type | Description | Source | Example |
---|---|---|---|---|
doc_id | String | This is the document ID for the audit log where the signature verification failed. | Signature Verification | N2U2N2JkM2QtMDhmYy00OGJmLTkyOGYtNmRhYzhhMGExMTFh |
index_name | String | This is the index name where the log signature verification failed. | Signature Verification | pty_insight_analytics_audits_10.0-2024.08.30-000001 |
job_id | String | This is the job ID of the signature verification job. | Signature Verification | 1T2RaosBEEC_iPz-zPjl |
job_name | String | This is the job name of the signature verification job. | Signature Verification | System Job |
reason | String | This is the audit log specifying the reason for the signature verification failure. | Signature Verification | INVALID_CHECKSUM \| INVALID_KEY_ID \| NO_KEY_AND_DOC_UPDATED |