Understanding Logsign System Logs

Introduction

This article will provide information about Logsign system logs.

Logsign System Logs

There are two different types of logs in Logsign: Logsign audit and Logsign health check.

Logsign Health Check

Logsign has services for health checks, and Logsign health check logs are created when these services detect a critical condition.

Every health check log has Data.Type health_check. The remaining fields are listed below; the Event.Status colour (green, yellow, red) gives the severity, and Event.VendorID identifies the check.

Event.Category | Event.VendorID | Event.Status | Event.Action | Event.Note
EPS | 100101 | green | status ok | "Check EPS Average" defined in log sources. The EPS average was checked and no problem was found in the EPS status.
EPS | 100102 | yellow | increase | "Check EPS Average" defined in log sources. Reports an increase in the EPS average.
EPS | 100103 | yellow | decrease | "Check EPS Average" defined in log sources. Reports a decrease in the EPS average.
Disk State | 100201 | green | size ok | Disk usage is within limits; the log also reports the available disk size.
Disk State | 100202 | red | limit exceed | The disk space usage limit has been exceeded. Exceeding this limit causes logging to stop.
Log Source | 100301 | green | start | Logs are being received successfully from the source.
Log Source | 100302 | red | stop | No logs were received from the source during the health check period.
Syslog Service | 100401 | green | status ok | The syslog service has no problem; logs are being received over the syslog protocol.
Syslog Service | 100402 | red | stop | No logs have been received from syslog sources within 5 minutes.
Index | 100501 | green | start | The ElasticSearch service has restarted.
Index | | yellow | | An incorrect log was encountered in the ElasticSearch service.
Index | 100502 | red | stop | The ElasticSearch service is stopped.
Persist | 100601 | green | start | The Persist service is writing logs to disk.
Persist | 100602 | red | stop | The logs written by the Persist service have not changed within 5 minutes.
Archived Data | 100701 | green | status ok | The archive file, its directory size and its current state have no problem.
Archived Data | 100702 | red | file error | The archive file was not found.
Signed Data | 100703 | green | status ok | The signed file and its directory have no problem.
Signed Data | 100704 | yellow | size error | The size of the signed file is a problem.
Signed Data | 100705 | red | file error | The signed file and directory were not found.
Stored Data | 100801 | yellow | file create | A new file was created in the archive or signed directory.
Stored Data | 100802 | red | file modify | An archive or signed file was modified.
Stored Data | 100803 | yellow | file move | An archive or signed file was moved.
Stored Data | 100804 | red | file delete | An archive or signed file was deleted.
Stored Data | 100901 | yellow | folder create | A new folder was created in the archive or signed directory.
Stored Data | 100902 | yellow | folder move | A folder in the archive or signed directory was moved.
Stored Data | 100903 | red | folder delete | A folder in the archive or signed directory was deleted.

Example notification log for an EPS increase (VendorID 100102):

Overall EPS average increased by more than 50% in 5 minutes. Last week's average is 12.

Example notification log for an EPS decrease (VendorID 100103):

The overall EPS average fell more than 30% in 5 minutes. Last week's average is 12.


You can examine the above logs with the following query.

DataType:"health_check"
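The following script is an added example and is not code from the Logsign article or product. It shows how a SOC might triage the health check events above once they are pulled out of Logsign: it classifies an EPS comparison into the three EPS actions using the 50% and 30% thresholds from the notification texts, and it separates the red events into those that affect log integrity (archive or signed file modified or deleted) and those that mean log collection or storage has stopped. It assumes each event is a dict keyed by the field names in the table (Data.Type, Event.Category, Event.VendorID, Event.Status, Event.Action, Event.Note); the sample events and the reading of the thresholds as a comparison against last week's average are assumptions made for the example.

```python
"""Triage Logsign health_check events.

Added example; not code from the Logsign article or product. It assumes each
health check event is available as a dict keyed by the field names the article
lists (Data.Type, Event.Category, Event.VendorID, Event.Status, Event.Action,
Event.Note). The sample events below are constructed for this example.
"""
from collections import Counter

# Red Stored Data events from the article's table: these touch the archived or
# signed log files and so bear on log integrity.
INTEGRITY_IDS = {100802, 100804, 100903}
# Red events from the article's table that mean log collection or storage has
# stopped (or is about to): disk limit, log source, syslog, index, persist.
OUTAGE_IDS = {100202, 100302, 100402, 100502, 100602}


def classify_eps(current_avg, last_week_avg):
    """Return the (Event.Status, Event.Action) pair for an EPS check.

    Assumption, not stated in the article: the 50% / 30% thresholds in the
    article's notification texts compare the current 5-minute EPS average with
    last week's average. 'More than' is read strictly, so exactly +50% or -30%
    is still 'status ok'.
    """
    if last_week_avg <= 0:
        raise ValueError("last week's EPS average must be positive")
    change = (current_avg - last_week_avg) / last_week_avg
    if change > 0.5:
        return ("yellow", "increase")    # VendorID 100102
    if change < -0.3:
        return ("yellow", "decrease")    # VendorID 100103
    return ("green", "status ok")        # VendorID 100101


def triage(events):
    """Summarise health_check events: counts per status and the red ones that
    need attention, split into integrity and outage groups."""
    health = [e for e in events if e.get("Data.Type") == "health_check"]
    red = [e for e in health if e["Event.Status"] == "red"]
    return {
        "by_status": dict(Counter(e["Event.Status"] for e in health)),
        "red_ids": sorted(e["Event.VendorID"] for e in red),
        "integrity": sorted(e["Event.VendorID"] for e in red
                            if e["Event.VendorID"] in INTEGRITY_IDS),
        "logging_outage": sorted(e["Event.VendorID"] for e in red
                                 if e["Event.VendorID"] in OUTAGE_IDS),
    }


def _hc(category, vendor_id, status, action, note):
    """Build one health_check event dict using the article's field names."""
    return {"Data.Type": "health_check", "Event.Category": category,
            "Event.VendorID": vendor_id, "Event.Status": status,
            "Event.Action": action, "Event.Note": note}


# Constructed sample events, one per row of interest in the article's table.
SAMPLE_EVENTS = [
    _hc("EPS", 100102, "yellow", "increase",
        "Overall EPS average increased by more than 50% in 5 minutes. "
        "Last week's average is 12."),
    _hc("Log Source", 100302, "red", "stop",
        "No logs received during the health check period."),
    _hc("Stored Data", 100804, "red", "file delete",
        "Archive or signed file deleted."),
    _hc("Disk State", 100201, "green", "size ok", "Disk size ok."),
]

if __name__ == "__main__":
    print(classify_eps(20, 12))   # ('yellow', 'increase')
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The two red groups are worth separate handling: an outage event (a stopped log source, a full disk) means the platform is blind from that point on, while an integrity event (a modified or deleted archive or signed file) means evidence already collected may no longer be trustworthy and should be checked against the signed copy.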


To receive Logsign Health Check notifications, activate the related alarms and configure the action rule that sends the notifications.


Logsign Audits

Audit logs are written for actions performed in the Logsign user interface. The table below lists the contents of these audit logs.

Every audit log has DataType Audit. The remaining fields are listed below.

Event.Category | Event.VendorID | Event.SubCategory | EventMap.SubType | Event.Action | Event.Note
User | 200101 | User Login Operation | Login | login | User has logged in
User | 200102 | User Login Operation | Logout | logout | User logged out
User | 200103 | User Login Operation | Deny | login fail | User has failed login
User | 200201 | User Profile | Add | create | User profile created
User | 200202 | User Profile | Change | update | User profile updated
User | 200203 | User Profile | Delete | delete | User profile deleted
User | 200301 | System User | Add | create | New system user created
User | 200302 | System User | Change | password change | System user password changed
User | 200303 | System User | Delete | delete | System user deleted
User | 200401 | GUI User | Add | create | GUI user created
User | 200402 | GUI User | Modify | modify | GUI user updated
User | 200403 | GUI User | Delete | delete | GUI user deleted
Alert | 200501 | New Alert | Info | create | New alert created
Alert | 200502 | Existing Alert | Info | update | Existing alert updated
Alert | 200503 | Existing Alert | Info | delete | Existing alert deleted
Alert | 200504 | Alert Block | Info | create | New alert block created
Alert | 200505 | Alert Block | Info | update | New alert block updated
Alert | 200506 | Alert Block | Info | delete | Alert block deleted
Behaviour | 200601 | New Behaviour | Add | create | New behaviour created
Behaviour | 200602 | Existing Behaviour | Change | update | Existing behaviour updated
Behaviour | 200603 | Existing Behaviour | Delete | delete | Existing behaviour deleted
Dashboard | 200701 | Welcome Dashboard | Info | set | Welcome dashboard set
Dashboard | 200702 | New Dashboard | Info | create | New dashboard added
Dashboard | 200703 | Existing Dashboard | Info | update | Dashboard updated
Dashboard | 200704 | Existing Dashboard | Info | delete | Dashboard deleted
Dashboard | 200711 | Dashboard Category | Info | create | New dashboard category created
Dashboard | 200712 | Dashboard Category | Info | update | Dashboard category updated
Dashboard | 200713 | Dashboard Category | Info | delete | Dashboard category deleted
Dashboard | 200721 | Dashboard Widget | Info | create | New dashboard widget created
Dashboard | 200722 | Dashboard Widget | Info | update | Dashboard widget updated
Dashboard | 200723 | Dashboard Widget | Info | delete | Dashboard widget deleted
Report | 200801 | Scheduled Report | Add | create | New scheduled report created
Report | 200802 | Scheduled Report | Change | update | Scheduled report updated
Report | 200803 | Scheduled Report | Delete | delete | Scheduled report deleted
Report | 200811 | Offline Report | Add | create | Offline report created
Report | 200812 | Offline Report | Delete | delete | Offline report deleted
Report | 200821 | Online Report | Add | create | Online report created
Report | 200822 | Online Report | Change | update | Online report updated
Report | 200823 | Online Report | Delete | delete | Online report deleted
Report | 200831 | Report Block | Add | create | Report block created
Report | 200832 | Report Block | Delete | delete | Report block deleted
Report | 200833 | Predefined Report | Info | install | Report block installed from predefined reports
Report | 200841 | Data Export | Share | create | Data export created
Report | 200842 | Data Export | Delete | delete | Data export deleted
Report | 200843 | Data Export | Share | send | Send exported report
System | 200901 | Resource | Info | create | New resource created
System | 200902 | Resource | Change | update | Resource settings updated
System | 200903 | Resource | Info | delete | Resource deleted
System | 200904 | Resource | Info | delete | All resources deleted
System | 200911 | Resource | Info | enable | Resource enabled
System | 200912 | Resource | Info | disable | Resource disabled
System | 200913 | Resource | Info | enable | All resources enabled
System | 200914 | Resource | Info | disable | All resources disabled
System | 201001 | Data Policy | Create | create | Data Policy created
System | 201002 | Data Policy | Change | update | Data Policy updated
System | 201003 | Data Policy | Info | delete | Data Policy deleted
System | 201004 | Data Policy | Info | apply | Data Policy applied
System | 201101 | Mini Query | Info | create | Mini query created
System | 201102 | Mini Query | Info | update | Mini query updated
System | 201103 | Mini Query | Info | delete | Mini query deleted
System | 201201 | Sign Settings | Change | update | System sign settings updated
System | 201202 | Sign Settings | Info | validate | Signed log file validated
System | 201301 | Index | Delete | delete | Index deleted
System | 201302 | Archive Log | Delete | delete | Archive log file deleted
System | 201303 | Signed Log | Delete | delete | Signed log file deleted
System | 201401 | Update | Info | check | Update manager checked
System | 201501 | Remote Support | Start | start | Remote support started
System | 201502 | Remote Support | Stop | stop | Remote support stopped
System | 201601 | FieldSet | Info | apply | Default fieldset applied
System | 201602 | FieldSet | Info | create | Fieldset created
System | 201603 | FieldSet | Info | update | Fieldset updated
System | 201604 | FieldSet | Info | delete | Fieldset deleted
System | 201701 | License | Info | add | License activate attempt
System | 201702 | License | Info | synchronize | License synchronization
System | 201801 | Company Information | Info | update | Company information updated
System | 201802 | Company Information | Info | load | Default logo loaded
System | 201803 | Company Information | Info | import | New logo imported
System | 202001 | Action Rule | Info | create | Action rule created
System | 202002 | Action Rule | Add | update | Action rule updated
System | 202003 | Action Rule | Change | delete | Action rule deleted
System | 202101 | Response Integration | Delete | create | Response Integration configured
System | 202102 | Response Integration | Info | update | Response Integration configuration updated
System | 202103 | Response Integration | Change | delete | Response Integration configuration deleted
Network | 201901 | Interface | Info | update | Update network settings


You can examine the above logs with the following query.

DataType:"audit"
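The following script is an added example and is not code from the Logsign article or product. It uses the audit table above in the way a detection engineer would: it watches for the audit events that can weaken the evidence trail (index, archive log or signed log deleted, sign settings changed, all resources deleted or disabled, remote support started) and it flags a burst of failed logins (VendorID 200103) inside a sliding window. It assumes each audit event is a dict keyed by the field names in the table (DataType, Event.Category, Event.VendorID, Event.SubCategory, EventMap.SubType, Event.Action, Event.Note) plus a Timestamp key in ISO-8601 form, which the table does not list and is assumed here; the sample events are constructed for the example.

```python
"""Watch Logsign audit logs for evidence-affecting actions and failed-login bursts.

Added example; not code from the Logsign article or product. It assumes each
audit event is a dict keyed by the field names in the article's audit table
(DataType, Event.Category, Event.VendorID, Event.SubCategory, EventMap.SubType,
Event.Action, Event.Note) plus a "Timestamp" key in ISO-8601 form, which the
article's table does not list and is assumed here. The sample events below are
constructed for this example.
"""
from datetime import datetime, timedelta

# Vendor IDs from the article's audit table whose actions can remove or weaken
# the evidence trail; worth routing to a separate, higher-priority alert.
WATCHLIST = {
    201201: "System sign settings updated",
    201301: "Index deleted",
    201302: "Archive log file deleted",
    201303: "Signed log file deleted",
    200904: "All resources deleted",
    200914: "All resources disabled",
    201501: "Remote support started",
}
FAILED_LOGIN = 200103  # Event.Category User, Event.Action "login fail"


def sensitive_actions(events):
    """Return (Timestamp, VendorID, Note) for watchlisted audit events, in time order."""
    hits = [(e["Timestamp"], e["Event.VendorID"], e["Event.Note"])
            for e in events
            if e.get("DataType") == "audit" and e["Event.VendorID"] in WATCHLIST]
    return sorted(hits)


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return the ISO timestamps at which the number of failed logins inside the
    trailing window reaches `threshold` (a sliding window over sorted times).
    Fires once per time the count climbs to exactly `threshold`, so a long
    stream of failures produces one alert rather than one per event."""
    times = sorted(datetime.fromisoformat(e["Timestamp"]) for e in events
                   if e.get("DataType") == "audit" and e["Event.VendorID"] == FAILED_LOGIN)
    bursts, start = [], 0
    for i, t in enumerate(times):
        while t - times[start] > window:   # drop failures that fell out of the window
            start += 1
        if i - start + 1 == threshold:
            bursts.append(t.isoformat())
    return bursts


def _audit(ts, vendor_id, category, subcategory, subtype, action, note):
    """Build one audit event dict using the article's field names plus Timestamp."""
    return {"DataType": "audit", "Timestamp": ts, "Event.Category": category,
            "Event.VendorID": vendor_id, "Event.SubCategory": subcategory,
            "EventMap.SubType": subtype, "Event.Action": action, "Event.Note": note}


# Constructed sample events: one login, six failed logins within a minute,
# a signed log file deletion and a logout.
SAMPLE_EVENTS = [
    _audit("2024-01-10T09:00:00", 200101, "User", "User Login Operation",
           "Login", "login", "User has logged in"),
] + [
    _audit(f"2024-01-10T09:01:{s:02d}", 200103, "User", "User Login Operation",
           "Deny", "login fail", "User has failed login")
    for s in range(0, 60, 10)
] + [
    _audit("2024-01-10T09:05:00", 201303, "System", "Signed Log",
           "Delete", "delete", "Signed log file deleted"),
    _audit("2024-01-10T09:06:00", 200102, "User", "User Login Operation",
           "Logout", "logout", "User logged out"),
]

if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(SAMPLE_EVENTS))
    print("sensitive actions:", sensitive_actions(SAMPLE_EVENTS))
```

The watchlist is a starting point rather than a complete policy; the point is that deletions of signed or archived logs (201302, 201303) and changes to the sign settings (201201) should be reviewed against a change ticket, because after them the signed-log validation event (201202) can no longer vouch for the missing period.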
