All the Appliances and Protectors send their logs to the Audit Store. The logs in the Audit Store are displayed on the Discover screen of the Audit Store Dashboards, where you can view the different fields that are logged. In addition to being viewable, these logs serve as input for Analytics, which analyzes the health of the system and monitors the system for security purposes. The logs are stored in an audit index whose name carries the version, such as pty_insight_analytics_audit_9.2-*. The alias pty_insight_*audit_* refers to both old and new audit indexes, so a query against the alias covers audit data across versions.
The /var/log/asdashboards.log file is empty. The init.d logs for the Audit Store Dashboards are available in /var/log/syslog. The container-related logs are available in /var/log/docker/auditstore_dashboards.log.
To view the Discover screen, log in to the ESA, navigate to Audit Store > Dashboard > Open in new tab, select Discover from the menu, and select a time period, such as Last 30 days. The Discover screen appears.
The following table lists the indexes and describes the data that each index contains. To view the index list, log in to the ESA and navigate to Audit Store > Cluster Management > Overview > Indices. Indexes can be created or deleted. However, deleting an index permanently destroys the data in it: if the index was not backed up beforehand, the logs it contained cannot be recreated or retrieved.
Index Name | Origin | Description |
---|---|---|
.kibana_1 | OpenSearch | This is a system index created by OpenSearch. It holds information about the dashboards. |
.opendistro_security | OpenSearch | This is a system index created by OpenSearch. It holds information about security, roles, mappings, and so on. |
.opendistro-job-scheduler-lock | OpenSearch | This is a system index created by OpenSearch. |
.opensearch-notifications-config | OpenSearch | This is a system index created by OpenSearch. |
.opensearch-observability | OpenSearch | This is a system index created by OpenSearch. |
.plugins-ml-config | OpenSearch | This is a system index created by OpenSearch. |
.ql-datasources | OpenSearch | This is a system index created by OpenSearch. |
pty_auditstore_cluster_config | ESA | This index logs information about the Audit Store cluster. |
pty_insight_analytics_audit | ESA | This index logs the audit data for all the URP operations and the DSG appliance logs. It also captures all logs with the log type protection, metering, audit, and security. |
pty_insight_analytics_autosuggestion | ESA | This index holds the autocomplete information for querying logs in Analytics. The index was used in earlier versions of ESA. |
pty_insight_analytics_crons | ESA | This index logs information about the cron scheduler jobs. |
pty_insight_analytics_crons_logs | ESA | This index logs the execution of the cron scheduler jobs. |
pty_insight_analytics_dsg_error_metrics | DSG | This index logs the DSG error information. |
pty_insight_analytics_dsg_transaction_metrics | DSG | This index logs the DSG transaction information. |
pty_insight_analytics_dsg_usage_metrics | DSG | This index logs the DSG usage information. |
pty_insight_analytics_encryption_store | ESA | This index encrypts and stores the password specified for the jobs. |
pty_insight_analytics_forensics_custom_queries | ESA | This index stores the custom queries created for forensics. The index was used in earlier versions of ESA. |
pty_insight_analytics_ilm_export_jobs | ESA | This index logs information about the running ILM export jobs. |
pty_insight_analytics_ilm_status | ESA | This index logs the information about the running ILM import and delete jobs. |
pty_insight_analytics_kvs | ESA | This is an internal index for storing the key-value type information. |
pty_insight_analytics_miscellaneous | ESA | This index logs entries that are not categorized in the other index files. |
pty_insight_analytics_policy | ESA | This index logs information about the ESA policy. It is a system index created by the ESA. |
pty_insight_analytics_policy_log | ESA | This index logs the execution of the ESA policy jobs. |
pty_insight_analytics_policy_status_dashboard | ESA | This index holds information about the policy of the protectors for the dashboard. |
pty_insight_analytics_protector_status_dashboard | ESA | This index holds information about the 10.0.0 protectors for the dashboard. |
pty_insight_analytics_protectors_status | Protectors | This index holds the status logs of version 10.0.0 protectors. |
pty_insight_analytics_report | ESA | This index holds information about the reports created. The index was used in earlier versions of ESA. |
pty_insight_analytics_signature_verification_jobs | ESA | This index logs information about the signature verification jobs. |
pty_insight_analytics_signature_verification_running_jobs | ESA | This index logs information about the signature verification jobs that are currently running. |
pty_insight_analytics_troubleshooting | ESA | This index logs the log type application, kernel, system, and verification. |
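As an added example that is not part of this page or of the ESA product, the following Python script works offline with the index naming described above: it resolves which index names the alias pattern pty_insight_*audit_* covers (as opposed to the dot-prefixed OpenSearch system indexes and the other ESA and DSG indexes in the table), builds an OpenSearch _search body that reproduces the Discover screen's Last 30 days window across every version of the audit index, and gates an index deletion behind the backup check that the permanent-loss caveat calls for. The sample _cat/indices listing is constructed (the names follow the table, the document counts are made up), and the field names @timestamp and log_type in the search body are assumptions, not taken from the page.

```python
"""Added example, not ESA or OpenSearch product code: sort out Audit Store
index names offline and guard deletions against the permanent-loss caveat.

Assumptions (not from the page): the field names "@timestamp" and "log_type"
in the search body, and the docs.count values in the constructed sample.
"""
import fnmatch
import json

# Alias pattern from the page that covers old and new audit indexes.
AUDIT_ALIAS_PATTERN = "pty_insight_*audit_*"

# Constructed sample of what
#   GET _cat/indices?h=index,docs.count,store.size&format=json
# returns. Index names follow the page; counts and sizes are made up.
SAMPLE_CAT_INDICES = json.loads("""[
  {"index": ".kibana_1", "docs.count": "12", "store.size": "40kb"},
  {"index": ".opendistro_security", "docs.count": "10", "store.size": "60kb"},
  {"index": "pty_insight_analytics_audit_9.2-000001", "docs.count": "1523004", "store.size": "1.2gb"},
  {"index": "pty_insight_analytics_audit_9.2-000002", "docs.count": "8821", "store.size": "7mb"},
  {"index": "pty_insight_analytics_audit_9.1-000001", "docs.count": "904112", "store.size": "800mb"},
  {"index": "pty_insight_analytics_troubleshooting", "docs.count": "2200", "store.size": "3mb"},
  {"index": "pty_auditstore_cluster_config", "docs.count": "3", "store.size": "10kb"}
]""")


def classify(cat_rows):
    """Group index names: OpenSearch system indexes (dot prefix), audit indexes
    that the alias pattern resolves to, and the remaining ESA/DSG indexes."""
    groups = {"system": [], "audit": [], "other": []}
    for name in sorted(row["index"] for row in cat_rows):
        if name.startswith("."):
            groups["system"].append(name)
        elif fnmatch.fnmatchcase(name, AUDIT_ALIAS_PATTERN):
            groups["audit"].append(name)
        else:
            groups["other"].append(name)
    return groups


def audit_search_body(days=30, log_types=("security", "audit"), size=100):
    """Body for POST /pty_insight_*audit_*/_search that reproduces the Discover
    screen's "Last N days" window across every version of the audit index.
    "@timestamp" and "log_type" are ASSUMED field names; confirm them on the
    Discover screen before running this against a real cluster."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": f"now-{days}d", "lte": "now"}}},
            {"terms": {"log_type": list(log_types)}},
        ]}},
    }


def deletion_check(index, cat_rows, backed_up):
    """Gate a DELETE /<index> call. Returns (allowed, reason).

    Refuses system indexes outright, and refuses any index that still holds
    documents unless it appears in `backed_up` (the set of index names that a
    backup or ILM export job has already written out)."""
    rows = {row["index"]: row for row in cat_rows}
    if index not in rows:
        return False, "index does not exist"
    if index.startswith("."):
        return False, "system index created by OpenSearch"
    if int(rows[index]["docs.count"]) > 0 and index not in backed_up:
        return False, "holds documents and no backup is recorded; data would be lost"
    return True, "ok"


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_CAT_INDICES), indent=2))
    print(json.dumps(audit_search_body(), indent=2))
    exported = {"pty_insight_analytics_audit_9.1-000001"}
    for name in ("pty_insight_analytics_audit_9.1-000001", ".kibana_1"):
        print(name, deletion_check(name, SAMPLE_CAT_INDICES, exported))
```

When you send the search body to a real cluster with curl, quote the alias (for example `'https://<esa-host>:<port>/pty_insight_*audit_*/_search'`) so the shell does not expand the asterisks; the host and port are deployment-specific and are not given on this page.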