Understanding the Audit Store indexes

The logs generated by the Protegrity products describe how the system is working. They help you understand the health of the system, identify issues, and troubleshoot problems.

All the Appliances and Protectors send logs to the Audit Store. The logs from the Audit Store are displayed on the Discover screen of the Audit Store Dashboards, where you can view the different fields that are logged. In addition to being available for viewing, these logs serve as input for Analytics, which analyzes the health of the system and monitors it for security. The logs are stored in the Audit index, whose name has the form pty_insight_analytics_audit_9.2-*. The alias pty_insight_*audit_* refers to both old and new audit indexes.

The /var/log/asdashboards.log file is empty. The init.d logs for the Audit Store Dashboards are available in /var/log/syslog. The container-related logs are available in /var/log/docker/auditstore_dashboards.log.

You can view the Discover screen by logging into the ESA, navigating to Audit Store > Dashboard > Open in new tab, selecting Discover from the menu, and selecting a time period, such as Last 30 days. The Discover screen appears.

The following table lists the indexes and describes the data each index contains. You can view the index list by logging into the ESA and navigating to Audit Store > Cluster Management > Overview > Indices. Indexes can be created or deleted. However, deleting an index permanently destroys the data in that index: if the index was not backed up earlier, the logs from a deleted index cannot be recreated or retrieved.

| Index Name | Origin | Description |
| --- | --- | --- |
| .kibana_1 | OpenSearch | This is a system index created by OpenSearch. It holds information about the dashboards. |
| .opendistro_security | OpenSearch | This is a system index created by OpenSearch. It holds information about the security configuration, roles, mappings, and so on. |
| .opendistro-job-scheduler-lock | OpenSearch | This is a system index created by OpenSearch. |
| .opensearch-notifications-config | OpenSearch | This is a system index created by OpenSearch. |
| .opensearch-observability | OpenSearch | This is a system index created by OpenSearch. |
| .plugins-ml-config | OpenSearch | This is a system index created by OpenSearch. |
| .ql-datasources | OpenSearch | This is a system index created by OpenSearch. |
| pty_auditstore_cluster_config | ESA | This index logs information about the Audit Store cluster. |
| pty_insight_analytics_audit | ESA | This index logs the audit data for all the URP operations and the DSG appliance logs. It also captures all logs with the log types protection, metering, audit, and security. |
| pty_insight_analytics_autosuggestion | ESA | This index holds the autocomplete information for querying logs in Analytics. The index was used in earlier versions of ESA. |
| pty_insight_analytics_crons | ESA | This index logs information about the cron scheduler jobs. |
| pty_insight_analytics_crons_logs | ESA | This index holds the cron scheduler logs written when the jobs are executed. |
| pty_insight_analytics_dsg_error_metrics | DSG | This index logs the DSG error information. |
| pty_insight_analytics_dsg_transaction_metrics | DSG | This index logs the DSG transaction information. |
| pty_insight_analytics_dsg_usage_metrics | DSG | This index logs the DSG usage information. |
| pty_insight_analytics_encryption_store | ESA | This index encrypts and stores the passwords specified for the jobs. |
| pty_insight_analytics_forensics_custom_queries | ESA | This index stores the custom queries created for forensics. The index was used in earlier versions of ESA. |
| pty_insight_analytics_ilm_export_jobs | ESA | This index logs information about the running ILM export jobs. |
| pty_insight_analytics_ilm_status | ESA | This index logs information about the running ILM import and delete jobs. |
| pty_insight_analytics_kvs | ESA | This is an internal index for storing key-value type information. |
| pty_insight_analytics_miscellaneous | ESA | This index logs entries that are not categorized in the other indexes. |
| pty_insight_analytics_policy | ESA | This index logs information about the ESA policy. It is a system index created by the ESA. |
| pty_insight_analytics_policy_log | ESA | This index holds the ESA policy logs written when the jobs are executed. |
| pty_insight_analytics_policy_status_dashboard | ESA | This index holds information about the policy of the protectors for the dashboard. |
| pty_insight_analytics_protector_status_dashboard | ESA | This index holds information about the 10.0.0 protectors for the dashboard. |
| pty_insight_analytics_protectors_status | Protectors | This index holds the status logs of version 10.0.0 protectors. |
| pty_insight_analytics_report | ESA | This index holds information about the reports created. The index was used in earlier versions of ESA. |
| pty_insight_analytics_signature_verification_jobs | ESA | This index logs information about the signature verification jobs. |
| pty_insight_analytics_signature_verification_running_jobs | ESA | This index logs information about the signature verification jobs that are currently running. |
| pty_insight_analytics_troubleshooting | ESA | This index holds logs of the types application, kernel, system, and verification. |
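The following script is an added example, not part of the Protegrity documentation or product. It shows how the wildcard alias pty_insight_*audit_* resolves against versioned audit index names, and how an operator can compare the index list from the Cluster Management screen (or the OpenSearch _cat/indices API) against the documented table before deleting anything, flagging undocumented indexes and the audit indexes whose deletion would lose data. The sample _cat/indices output, the rollover suffix format (<base>_<version>-<sequence>) for non-audit indexes, and the index pty_rogue_backup are constructed assumptions for the demonstration.

```python
"""Offline check of an Audit Store index inventory against the documented index table.

Added example; assumes the inventory is the text output of the OpenSearch
_cat/indices?v API. All sample values below are constructed.
"""
import fnmatch
import re

# Documented index names and their origin, taken from the table above.
DOCUMENTED_INDEXES = {
    ".kibana_1": "OpenSearch",
    ".opendistro_security": "OpenSearch",
    ".opendistro-job-scheduler-lock": "OpenSearch",
    ".opensearch-notifications-config": "OpenSearch",
    ".opensearch-observability": "OpenSearch",
    ".plugins-ml-config": "OpenSearch",
    ".ql-datasources": "OpenSearch",
    "pty_auditstore_cluster_config": "ESA",
    "pty_insight_analytics_audit": "ESA",
    "pty_insight_analytics_autosuggestion": "ESA",
    "pty_insight_analytics_crons": "ESA",
    "pty_insight_analytics_crons_logs": "ESA",
    "pty_insight_analytics_dsg_error_metrics": "DSG",
    "pty_insight_analytics_dsg_transaction_metrics": "DSG",
    "pty_insight_analytics_dsg_usage_metrics": "DSG",
    "pty_insight_analytics_encryption_store": "ESA",
    "pty_insight_analytics_forensics_custom_queries": "ESA",
    "pty_insight_analytics_ilm_export_jobs": "ESA",
    "pty_insight_analytics_ilm_status": "ESA",
    "pty_insight_analytics_kvs": "ESA",
    "pty_insight_analytics_miscellaneous": "ESA",
    "pty_insight_analytics_policy": "ESA",
    "pty_insight_analytics_policy_log": "ESA",
    "pty_insight_analytics_policy_status_dashboard": "ESA",
    "pty_insight_analytics_protector_status_dashboard": "ESA",
    "pty_insight_analytics_protectors_status": "Protectors",
    "pty_insight_analytics_report": "ESA",
    "pty_insight_analytics_signature_verification_jobs": "ESA",
    "pty_insight_analytics_signature_verification_running_jobs": "ESA",
    "pty_insight_analytics_troubleshooting": "ESA",
}

# Alias pattern from the page that covers old and new audit indexes.
AUDIT_ALIAS_PATTERN = "pty_insight_*audit_*"

# Constructed sample of `_cat/indices?v` output (uuids, counts and sizes are made up).
SAMPLE_CAT_INDICES = """\
health status index                                    uuid pri rep docs.count store.size
green  open   .kibana_1                                a1   1   0   42         120kb
green  open   pty_insight_analytics_audit_9.2-000001   b2   3   1   1500000    2.1gb
green  open   pty_insight_analytics_audit_10.0-000001  c3   3   1   900000     1.4gb
green  open   pty_insight_analytics_troubleshooting    d4   1   1   320        80kb
green  open   pty_insight_analytics_dsg_usage_metrics  e5   1   1   12         20kb
yellow open   pty_rogue_backup                         f6   1   1   0          230b
"""

# Versioned index names look like <base>_<version>-<sequence>, e.g. ..._audit_9.2-000001
# (the audit form is on the page; applying it to other indexes is an assumption).
VERSIONED = re.compile(r"^(?P<base>.+)_\d+(?:\.\d+)*-\d+$")


def parse_cat_indices(text):
    """Parse _cat/indices?v text into a list of (health, status, index_name) tuples."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    col = {name: header.index(name) for name in ("health", "status", "index")}
    rows = []
    for line in lines[1:]:
        cells = line.split()
        rows.append((cells[col["health"]], cells[col["status"]], cells[col["index"]]))
    return rows


def base_name(index_name):
    """Strip a version/rollover suffix so the name can be looked up in the documented table."""
    match = VERSIONED.match(index_name)
    return match.group("base") if match else index_name


def audit_indexes(rows):
    """Return the index names that the alias pattern pty_insight_*audit_* would cover."""
    return [name for _, _, name in rows if fnmatch.fnmatchcase(name, AUDIT_ALIAS_PATTERN)]


def classify(rows):
    """Split the inventory into documented and undocumented index names."""
    documented, undocumented = [], []
    for _, _, name in rows:
        (documented if base_name(name) in DOCUMENTED_INDEXES else undocumented).append(name)
    return documented, undocumented


def deletion_report(rows):
    """For each index, say whether deleting it would destroy audit data (per the page) and its origin."""
    report = {}
    for _, _, name in rows:
        origin = DOCUMENTED_INDEXES.get(base_name(name), "UNKNOWN")
        loses_audit_data = fnmatch.fnmatchcase(name, AUDIT_ALIAS_PATTERN)
        report[name] = {"origin": origin, "loses_audit_data": loses_audit_data}
    return report


if __name__ == "__main__":
    inventory = parse_cat_indices(SAMPLE_CAT_INDICES)
    print("Audit alias covers:", audit_indexes(inventory))
    known, unknown = classify(inventory)
    print("Undocumented indexes (investigate before deleting):", unknown)
    for name, info in deletion_report(inventory).items():
        print(f"{name:45} origin={info['origin']:10} loses_audit_data={info['loses_audit_data']}")
```

Running the script against the constructed sample shows that the alias resolves to both the 9.2 and 10.0 audit indexes while leaving the troubleshooting and DSG metric indexes out, and that pty_rogue_backup is reported as undocumented, which is the kind of entry worth checking before any delete from the Indices screen.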