Events API to export inSync events
About Events API
Using the Events API, you can export events from inSync. This API capability helps organizations to:
- Get all the inSync events in a single API call
- Monitor the reported failures and take corrective actions
- Detect malicious activity through IP address logging
- Integrate the exported events and alerts with the third-party SIEM tool
Workflow to export Endpoints and Data Governance events
- Enable the option to export events from the inSync Management Console. For more information, see Enable export of events in inSync.
- Configure the events that can be exported using Events API. For more information, see Configure inSync to export events.
- Generate token to access Event API. For more information, see List Events to export events from inSync.
- Access Event API through any REST Client to receive a response in JSON format.
Supported Endpoints and Data Governance events
The following table lists the Endpoints and Data Governance events that you can export by using the Events API:
Event Category | Event Types | Event State | Description |
|---|---|---|---|
Alerts & Notifications | Alerts
| Severity
| Events related to Endpoints and Data Governance alerts with varied level of severity. |
Backup & Restore | Backup & Restore
| Backup
Restore
Download
| Events generated for every Backup & Restore activity and event state type. |
WebDAV | WebDAV authentication |
| Events for each attempt to access WebDAV using Endpoints and Data Governance legal administrator credentials. |
Admin Event | Admin events
| Administrator authentication
| Events for actions like administrator authentication and Audit Trail for activities performed by Endpoints and Data Governance administrators. |
API | API authentication |
| Events for each attempt to access API using Endpoints and Data Governance administrator credentials. |
System Event | System Events
| AD Synchronization
Data Source
| Events for AD synchronization and update in Data Source status. |
Admin Event | Client Upgrade |
| Events for automatic and bulk device upgrade for inSync Client. |
All Events | User Event |
| Events for user login on inSync Client and Web. |
inSync SIEM events
From May 7, 2025, inSync started publishing SIEM events that you can extract using the Druva Cloud Platform events API .
For more information on these events, see inSync Events.
For information on a translation of the events described above to SIEM events, review the tables below:
Standard field definitions
| Standard Field | Existing Field / Possible Value |
|---|---|
| eventCategory | EVENT |
| uniqueID | d1d5c2cd-26bc-51b3-bd60-a2ad495eeff5 |
| publisherID | <cloudID>-<productID> |
| topicName | <cloudName>-<serviceName>-<area/feature> |
| timeStamp | 2019-11-03T23:28:01.631Z |
| eventType | Admin Login |
| tenantID | global_customer_id |
| severity | 6 |
| identityType | SERVICE/ADMIN/API/USER |
| identityID | None/System/<event initiator email> |
| eventDetails | "Restore, Download & Share:Ranveer Avhad restored Exchange Online data of <user>. Exchange Online data was restored to <user email>. |
| schemaVersion | 1.0 |
Mapping of old event type to SIEM event type with identity type
| Event Type In Old Event | Event Type In SIEM Event | Identity Type |
|---|---|---|
| Admin Audit Trail | Admin Audit Trail | ADMIN |
| Admin Login | Admin Login | ADMIN |
| User Event | User Event | USER |
| User Audit Trail | User Audit Trail | USER |
| API Login | API Login | ADMIN |
| WebDAV Login | WebDAV Login | API/ADMIN |
| Bulk Export WebDAV Login | Bulk Export WebDAV Login | API/ADMIN |
| PST Converter WebDAV Login | PST Converter WebDAV Login | ADMIN |
| Backup | Backup | SERVICE |
| Restore | Restore | SERVICE |
| Download | Download | SERVICE |
| AD Sync | AD Sync | SERVICE |
| Alert | Alert | SERVICE |
| Alert Resolution | Alert Resolution | SERVICE |
| Notification | Notification | SERVICE |
| Data Source | Data Source | SERVICE |
| Client Upgrade | Client Upgrade | ADMIN/USER |
| Additional Data Collection | Additional Data Collection | SERVICE |
| Device Replace | Device Replace | SERVICE |
Mapping of old event feature to SIEM event entity type
| Feature in Old Event | Entity Type in SIEM event |
|---|---|
| Alert & Notifications | Alerts And Notifications |
| Backup & Restore | Backup And Restore |
| WebDAV | WebDAV |
| Bulk Export WebDAV | Bulk Export WebDAV |
| Admin Event | Admin Event |
| API | API |
| System Event | System Event |
| All Events | User And Device |
Note
Highlighted fields in the table above indicate updated entity types.
Configure inSync to export events
Only an inSync Cloud administrator can enable the option to export events and define the Events API settings.
Procedure
- On the Endpoints Console go to Settings (wheel icon) > Settings.
- Navigate to Event API Settings and click edit. The Edit Events API Settings window appears.
- Select the Export Events check box.
- In the Categories to export box, select the events that you want to export.
- In the Syslog facility field, type a value between 1 and 23 to assign a Syslog facility ID for inSync events. The default value is 23.
- Click Save.
Generate a token to access Events API
To generate a token to access Events API, see Authentication.
Access Events API
Make API requests. For more information, see the Events API reference.
You can also get the Events API response in CEF and Syslog formats. For more information, see Integrate Events API with a SIEM tool.
About Events API Response
- Each inSync Events API response contains a maximum of 500 inSync events.
- Every Events API response contains a tracker cookie. A tracker cookie, which is valid for the next 48 hours, is an identifier that contains inSync database reference and identifies the next set of unique events when successive Events API call is made.
- If there are more than 500 events in the inSync database while returning an Events API response, the response contains nextpage header attribute that contains the next page URL. Use the nextpage header attribute along-with the tracker cookie in your subsequent API call to get additional set of inSync events.
- Events API response is in the UTC timezone.
Integrate Events API with a SIEM tool
You can configure Security Information and Event Management (SIEM) tools like Splunk, ArcSight, and so on to consume inSync events. Events API enables inSync administrators to export inSync events in the following formats:
- Common Event Format (CEF)
- Syslog format
Configure your SIEM tool to ingest inSync events exported in the CEF and Syslog formats for your further analysis.
Obtain Events API response in CEF format
To get events in CEF format, add the following parameter to the API request:
| Field | Value | Description |
|---|---|---|
| format | CEF | Gets the Events API response in the CEF format. |
CEF Response Output format
Following is a sample output of Events API in CEF format:
"Sep 21 2017 13:41:14 cloud.druva.com CEF:0|Druva|inSync|1||Admin Audit Trail|6|[email protected] dvchost=Admin’s Mac mini cs2Label=ClientVersion cs2=5.9.5r54841 deviceFacility=6 cs3Label=ClientOS cs3=Mac OS X duid=1 deviceExternalId=80 outcome=Admin Event cs1Label=EventDetails cs1=Device:[email protected] initiated backup for a device Admin’s Mac mini deviceTranslatedAddress=192.168.0.0 cn1Label=ProfileID cn1=1 cs5Label=ProfileName cs5=Default duser=Ernie",CEF response output consists of header attributes and extension attributes.
Header attributes
CEF response consists of the following attributes in the Header part:
Attribute Name | Description |
|---|---|
Timestamp | The date and time when the event was generated. Format: MMM DD YYYY HH:MM:SS |
Hostname | Fully Qualified Domain Name (FQDN)of the originator that sent the |
CEF Version | The version is zero. |
Device Vendor | The name of the API vendor. |
Device Product | The name of the API vendor's product. |
Event API Version | The current version of inSync Events API. |
Event Class ID | The identifier for the event. |
Name | The exported inSync event type. |
Severity | The severity level of the event as defined in inSync. inSync has defined the severity of events in accordance with RFC 3164. Refer Severity Level section for details. |
Extension Attributes | Extension attributes in a key-value pair. For the list of all the extension attributes received in the response, see the following table - Extension Attribute Field Mapping for CEF Format. |
Severity Level
Severity Level per RFC 3164.
| Numerical Code | Severity |
|---|---|
| 0 | Emergency: system is unusable |
| 1 | Alert: action must be taken immediately |
| 2 | Critical: critical conditions |
| 3 | Error: error conditions |
| 4 | Warning: warning conditions |
| 5 | Notice: normal but significant condition |
| 6 | Informational: informational messages |
| 7 | Debug: debug-level messages |
Extension Attribute Field Mapping for CEF Format
The following table lists the mapping of attributes in CEF format with JSON format.
Attribute Name in JSON format | Attribute Name in CEF format | Description |
|---|---|---|
EventDetails | cs1/cs1Label | Additional details about the event occurred. Example, if it is a backup event, details such as the number of files backed up, files missed, time for backup, and so on. |
EventState | outcome | The state of the inSync event. For example, event triggered by an administrator. |
Initiator | suser | The initiator of the event. For example, manual backup triggered by a user named Ernie Carter. In case of a system event, the initiator is the name of the system. |
ErrorLogFullTrace | msg | Error details |
IPAddress | deviceTranslatedAddress | The IP address of the device on which the event occurred. In case of an admin event, IP address of the device on which the administrator performed the inSync activity is displayed. |
ProfileID | cn1/cn1Label | inSync assigned identifier of the inSync profile associated with the user, for whom the event occurred. |
Profile Name | cs5/cs5Label | The name of the inSync profile associated with the user, for whom the event occurred. |
inSyncUserID | duid | inSync assigned identifier of the user associated with the event. |
inSyncUserName | duser | The name of the inSync user associated with the event. |
inSyncDataSourceID | deviceExternalId | inSync assigned identifier of the user device on which the event occurred. |
inSyncDataSourceName | dvchost | The data source name on which the event occurred. |
ClientVersion | cs2/cs2Label | The inSync Client version on the user device. |
ClientOS | cs3/cs3Label | The OS on which the inSync Client is installed. |
Facility | deviceFacility | The facility number as defined in inSync Management Console Events API settings. The default value is 23. |
Obtain Events API response in Syslog format
To get events in Syslog format, add the following parameter to the API request:
| Field | Value | Description |
|---|---|---|
| format | Syslog | Gets the Events API response in the Syslog format. |
Syslog Response Output format
Following is a sample output of Events API in Syslog format:
"<54>1 2017-09-21T13:41:14Z cloud.druva.com Druva inSync - - [email protected] inSyncDataSourceName=Admin’s Mac mini ClientVersion=5.9.5r54841 EventType=Admin Audit Trail ClientOS=Mac OS X inSyncUserID=1 inSyncDataSourceID=80 EventState=Admin Event EventDetails=Device:[email protected] initiated backup for a device Admin’s Mac mini IP=192.168.0.0 ProfileID=1 ProfileName=Default inSyncUserName=Ernie",Syslog response output consists of header attributes and extension attributes.
Header attributes
Syslog response consists of the following attributes in the Header part:
Attribute Name | Description |
|---|---|
PRIVAL | The Priority value (PRIVAL), and represents both the Facility and Severity. PRIVAL is derived using the following formula: (Facility number x 8)+Severity |
VERSION | The current version of inSync Events API. |
TIMESTAMP | The date and time when the event was generated. |
HOSTNAME | Fully Qualified Domain Name (FQDN)of the originator that sent the |
APP-NAME | The name of the Events API publisher. Value: Druva inSync |
PROCID | The identifier for the event. |
Extension Attributes | Extension attributes in a key-value pair. For the list of all the extension attributes received in the response, see the following table - Extension Attribute Field Mapping in Syslog format. |
Extension Attribute Field Mapping in Syslog format
Syslog response consists of the following attributes in the Extension part. The response in Extension is similar to that received in the JSON format.
Extension Attribute Name | Description |
|---|---|
EventType | The exported inSync event type. |
EventState | The state of the inSync event. For example, event triggered by an administrator. |
EventID | The identifier to inter-relate multiple associated events. Example, all events associated with a backup event like Backup initialized, Backup paused, and Backup Success. |
Initiator | The initiator of the event. For example, Manual backup triggered by a user named Ernie Carter. In case of System event, the initiator will always be the name of the system. |
EventDetails | Additional details about the event occurred. Example, for a backup event, details such as the number of files backed up, files missed, time required for backup, and so on. |
IP | The IP address of the device on which the event occurred. In case of an admin event, IP address of the device from which the inSync administrator performed the inSync activity is displayed. |
ProfileID | inSync assigned identifier of the inSync profile associated with the user, for whom the event occurred. |
ProfileName | The name of the inSync profile associated with the user, for whom the event occurred. |
inSyncUserID | inSync assigned identifier of the user associated with the event. |
inSyncUserName | The name of the inSync user associated with the event. |
inSyncDataSource ID | inSync assigned identifier of the user device on which the event occurred. |
inSyncDataSourceName | The data source name on which the event occurred. |
ClientVersion | The inSync Client version on the user device. |
ClientOS | The OS on which the inSync Client is installed. |
Updated 1 day ago