GuidesAPI ReferenceGitHub RepositoryPartner IntegrationsWhat's New
Product DocumentationSupport

Events API to export inSync events

Suggest Edits

About Events API

Using the Events API, you can export events from inSync. This API capability helps organizations to:

  • Get all the inSync events in a single API call
  • Monitor the reported failures and take corrective actions
  • Detect malicious activity through IP address logging
  • Integrate the exported events and alerts with the third-party SIEM tool

Workflow to export Endpoints and Data Governance events

  1. Enable the option to export events from the inSync Management Console. For more information, see Enable export of events in inSync.
  2. Configure the events that can be exported using Events API. For more information, see Configure inSync to export events.
  3. Generate token to access Event API. For more information, see Use EVENTAPI to export events from inSync.
  4. Access Event API through any REST Client to receive a response in JSON format.

Supported Endpoints and Data Governance events

The following table lists the Endpoints and Data Governance events that you can export by using the Events API:

Event CategoryEvent TypesEvent StateDescription
Alerts & NotificationsAlerts
Alert Resolution
 Alert Notification
* Alert 		Severity
High
 Critical
Warning
 Notification 		Events related to Endpoints and Data Governance alerts with varied level of severity.
Backup & RestoreBackup & Restore
Backup
 Restore
* Download 		Backup
Success
 Failed
Canceled
 Backed up with errors
Backup Paused
 Backup Resumed

Restore
Success
 Failed

Download
Success
 Failed 		Events generated for every Backup & Restore activity and event state type.
WebDAVWebDAV authentication Success
 Failed 		Events for each attempt to access WebDAV using Endpoints and Data Governance legal administrator credentials.
Admin EventAdmin events
Administrator authentication
 Administrator Audit Trail 		Administrator authentication
Success
 Failed
Administrator Audit Trail
* Admin event 		Events for actions like administrator authentication and Audit Trail for activities performed by Endpoints and Data Governance administrators.
APIAPI authentication Success
 Failed 		Events for each attempt to access API using Endpoints and Data Governance administrator credentials.
System EventSystem Events
AD Synchronization
 Data Source 		AD Synchronization
User imported
 User preserved
User re-enabled
 User information updated
_ User deleted

Data Source
_ Device deleted
* Device marked as inactive 		Events for AD synchronization and update in Data Source status.
Admin EventClient Upgrade Scheduled
 Failed
Canceled
 Successful 		Events for automatic and bulk device upgrade for inSync Client.
All EventsUser Event Success
 Failed 		Events for user login on inSync Client and Web.

Configure inSync to export events

Only an inSync Cloud administrator can enable the option to export events and define the Events API settings.

Procedure

  1. On the Endpoints Console go to Settings (wheel icon) > Settings.
  2. Navigate to Event API Settings and click edit. The Edit Events API Settings window appears.
  3. Select the Export Events check box.
  4. In the Categories to export box, select the events that you want to export.
  5. In the Syslog facility field, type a value between 1 and 23 to assign a Syslog facility ID for inSync events. The default value is 23.
  6. Click Save.

Generate a token to access Events API

To generate a token to access Events API, see Authentication.

Access Events API

Make API requests. For more information, see the Events API reference.

You can also get the Events API response in CEF and Syslog formats. For more information, see Integrate Events API with a SIEM tool.

About Events API Response

  • Each inSync Events API response contains a maximum of 500 inSync events.
  • Every Events API response contains a tracker cookie. A tracker cookie, which is valid for the next 48 hours, is an identifier that contains inSync database reference and identifies the next set of unique events when successive Events API call is made.
  • If there are more than 500 events in the inSync database while returning an Events API response, the response contains nextpage header attribute that contains the next page URL. Use the nextpage header attribute along-with the tracker cookie in your subsequent API call to get additional set of inSync events.
  • Events API response is in the UTC timezone.

Integrate Events API with a SIEM tool

You can configure Security Information and Event Management (SIEM) tools like Splunk, ArcSight, and so on to consume inSync events. Events API enables inSync administrators to export inSync events in the following formats:

  • Common Event Format (CEF)
  • Syslog format

Configure your SIEM tool to ingest inSync events exported in the CEF and Syslog formats for your further analysis.

960

Obtain Events API response in CEF format

To get events in CEF format, add the following parameter to the API request:

FieldValueDescription
formatCEFGets the Events API response in the CEF format.

CEF Response Output format

Following is a sample output of Events API in CEF format:

"Sep 21 2017 13:41:14 cloud.druva.com CEF:0|Druva|inSync|1||Admin Audit Trail|6|[email protected] dvchost=Admin’s Mac mini cs2Label=ClientVersion cs2=5.9.5r54841 deviceFacility=6 cs3Label=ClientOS cs3=Mac OS X duid=1 deviceExternalId=80 outcome=Admin Event cs1Label=EventDetails cs1=Device:[email protected] initiated backup for a device Admin’s Mac mini deviceTranslatedAddress=192.168.0.0 cn1Label=ProfileID cn1=1 cs5Label=ProfileName cs5=Default duser=Ernie",

CEF response output consists of header attributes and extension attributes.

Header attributes

CEF response consists of the following attributes in the Header part:

Attribute NameDescription
TimestampThe date and time when the event was generated.

Format: MMM DD YYYY HH:MM:SS
HostnameFully Qualified Domain Name (FQDN)of the originator that sent the
CEF message. The domain name of inSync Cloud or inSync GovCloud.
CEF VersionThe version is zero.
Value: 0
Device VendorThe name of the API vendor.
Value: Druva
Device ProductThe name of the API vendor's product.
Value: inSync
Event API VersionThe current version of inSync Events API.
Event Class IDThe identifier for the event.
NameThe exported inSync event type.
SeverityThe severity level of the event as defined in inSync.

inSync has defined the severity of events in accordance with RFC 3164. Refer Severity Level section for details.
Extension AttributesExtension attributes in a key-value pair. For the list of all the extension attributes received in the response, see the following table - Extension Attribute Field Mapping for CEF Format.

Severity Level
Severity Level per RFC 3164.

Numerical CodeSeverity
0Emergency: system is unusable
1Alert: action must be taken immediately
2Critical: critical conditions
3Error: error conditions
4Warning: warning conditions
5Notice: normal but significant condition
6Informational: informational messages
7Debug: debug-level messages

Extension Attribute Field Mapping for CEF Format
The following table lists the mapping of attributes in CEF format with JSON format.

Attribute Name in JSON formatAttribute Name in CEF formatDescription
EventDetailscs1/cs1LabelAdditional details about the event occurred.

Example, if it is a backup event, details such as the number of files backed up, files missed, time for backup, and so on.
EventStateoutcomeThe state of the inSync event.

For example, event triggered by an administrator.
InitiatorsuserThe initiator of the event.

For example, manual backup triggered by a user named Ernie Carter.

In case of a system event, the initiator is the name of the system.
ErrorLogFullTracemsgError details
IPAddressdeviceTranslatedAddressThe IP address of the device on which the event occurred.

In case of an admin event, IP address of the device on which the administrator performed the inSync activity is displayed.
ProfileIDcn1/cn1LabelinSync assigned identifier of the inSync profile associated with the user, for whom the event occurred.
Profile Namecs5/cs5LabelThe name of the inSync profile associated with the user, for whom the event occurred.
inSyncUserIDduidinSync assigned identifier of the user associated with the event.
inSyncUserNameduserThe name of the inSync user associated with the event.
inSyncDataSourceIDdeviceExternalIdinSync assigned identifier of the user device on which the event occurred.
inSyncDataSourceNamedvchostThe data source name on which the event occurred.
ClientVersioncs2/cs2LabelThe inSync Client version on the user device.
ClientOScs3/cs3LabelThe OS on which the inSync Client is installed.
FacilitydeviceFacilityThe facility number as defined in inSync Management Console Events API settings. The default value is 23.

Obtain Events API response in Syslog format

To get events in Syslog format, add the following parameter to the API request:

FieldValueDescription
formatSyslogGets the Events API response in the Syslog format.

Syslog Response Output format
Following is a sample output of Events API in Syslog format:

"<54>1 2017-09-21T13:41:14Z cloud.druva.com Druva inSync - -  [email protected] inSyncDataSourceName=Admin’s Mac mini ClientVersion=5.9.5r54841 EventType=Admin Audit Trail ClientOS=Mac OS X inSyncUserID=1 inSyncDataSourceID=80 EventState=Admin Event EventDetails=Device:[email protected] initiated backup for a device Admin’s Mac mini IP=192.168.0.0 ProfileID=1 ProfileName=Default inSyncUserName=Ernie",

Syslog response output consists of header attributes and extension attributes.

Header attributes
Syslog response consists of the following attributes in the Header part:

Attribute NameDescription
PRIVALThe Priority value (PRIVAL), and represents both the Facility and Severity.

PRIVAL is derived using the following formula:

(Facility number x 8)+Severity
VERSIONThe current version of inSync Events API.
TIMESTAMPThe date and time when the event was generated.
Format: yyyy-mm-ddThh:mm:ssZ
HOSTNAMEFully Qualified Domain Name (FQDN)of the originator that sent the
syslog message. The domain name of inSync Cloud or inSync GovCloud.
APP-NAMEThe name of the Events API publisher.

Value: Druva inSync
PROCIDThe identifier for the event.
Extension AttributesExtension attributes in a key-value pair. For the list of all the extension attributes received in the response, see the following table - Extension Attribute Field Mapping in Syslog format.

Extension Attribute Field Mapping in Syslog format
Syslog response consists of the following attributes in the Extension part. The response in Extension is similar to that received in the JSON format.

Extension Attribute NameDescription
EventTypeThe exported inSync event type.
EventStateThe state of the inSync event.

For example, event triggered by an administrator.
EventIDThe identifier to inter-relate multiple associated events.

Example, all events associated with a backup event like Backup initialized, Backup paused, and Backup Success.
InitiatorThe initiator of the event.

For example, Manual backup triggered by a user named Ernie Carter.

In case of System event, the initiator will always be the name of the system.
EventDetailsAdditional details about the event occurred.

Example, for a backup event, details such as the number of files backed up, files missed, time required for backup, and so on.
IPThe IP address of the device on which the event occurred.

In case of an admin event, IP address of the device from which the inSync administrator performed the inSync activity is displayed.
ProfileIDinSync assigned identifier of the inSync profile associated with the user, for whom the event occurred.
ProfileNameThe name of the inSync profile associated with the user, for whom the event occurred.
inSyncUserIDinSync assigned identifier of the user associated with the event.
inSyncUserNameThe name of the inSync user associated with the event.
inSyncDataSource IDinSync assigned identifier of the user device on which the event occurred.
inSyncDataSourceNameThe data source name on which the event occurred.
ClientVersionThe inSync Client version on the user device.
ClientOSThe OS on which the inSync Client is installed.

Updated about 1 month ago