Events API to export inSync events
About Events API
Using the Events API, you can export events from inSync. This API capability helps organizations to:
- Get all the inSync events in a single API call
- Monitor the reported failures and take corrective actions
- Detect malicious activity through IP address logging
- Integrate the exported events and alerts with the third-party SIEM tool
Workflow to export Endpoints and Data Governance events
- Enable the option to export events from the inSync Management Console. For more information, see Enable export of events in inSync.
- Configure the events that can be exported using Events API. For more information, see Configure inSync to export events.
- Generate token to access Event API. For more information, see Use EVENTAPI to export events from inSync.
- Access Event API through any REST Client to receive a response in JSON format.
Supported Endpoints and Data Governance events
The following table lists the Endpoints and Data Governance events that you can export by using the Events API:
Event Category | Event Types | Event State | Description |
---|---|---|---|
Alerts & Notifications | Alerts Alert Resolution Alert Notification * Alert | Severity High Critical Warning Notification | Events related to Endpoints and Data Governance alerts with varied level of severity. |
Backup & Restore | Backup & Restore Backup Restore * Download | Backup Success Failed Canceled Backed up with errors Backup Paused Backup Resumed Restore Success Failed Download Success Failed | Events generated for every Backup & Restore activity and event state type. |
WebDAV | WebDAV authentication | Success Failed | Events for each attempt to access WebDAV using Endpoints and Data Governance legal administrator credentials. |
Admin Event | Admin events Administrator authentication Administrator Audit Trail | Administrator authentication Success Failed Administrator Audit Trail * Admin event | Events for actions like administrator authentication and Audit Trail for activities performed by Endpoints and Data Governance administrators. |
API | API authentication | Success Failed | Events for each attempt to access API using Endpoints and Data Governance administrator credentials. |
System Event | System Events AD Synchronization Data Source | AD Synchronization User imported User preserved User re-enabled User information updated _ User deleted Data Source _ Device deleted * Device marked as inactive | Events for AD synchronization and update in Data Source status. |
Admin Event | Client Upgrade | Scheduled Failed Canceled Successful | Events for automatic and bulk device upgrade for inSync Client. |
All Events | User Event | Success Failed | Events for user login on inSync Client and Web. |
Configure inSync to export events
Only an inSync Cloud administrator can enable the option to export events and define the Events API settings.
Procedure
- On the Endpoints Console go to Settings (wheel icon) > Settings.
- Navigate to Event API Settings and click edit. The Edit Events API Settings window appears.
- Select the Export Events check box.
- In the Categories to export box, select the events that you want to export.
- In the Syslog facility field, type a value between 1 and 23 to assign a Syslog facility ID for inSync events. The default value is 23.
- Click Save.
Generate a token to access Events API
To generate a token to access Events API, see Authentication.
Access Events API
Make API requests. For more information, see the Events API reference.
You can also get the Events API response in CEF and Syslog formats. For more information, see Integrate Events API with a SIEM tool.
About Events API Response
- Each inSync Events API response contains a maximum of 500 inSync events.
- Every Events API response contains a tracker cookie. A tracker cookie, which is valid for the next 48 hours, is an identifier that contains inSync database reference and identifies the next set of unique events when successive Events API call is made.
- If there are more than 500 events in the inSync database while returning an Events API response, the response contains nextpage header attribute that contains the next page URL. Use the nextpage header attribute along-with the tracker cookie in your subsequent API call to get additional set of inSync events.
- Events API response is in the UTC timezone.
Integrate Events API with a SIEM tool
You can configure Security Information and Event Management (SIEM) tools like Splunk, ArcSight, and so on to consume inSync events. Events API enables inSync administrators to export inSync events in the following formats:
- Common Event Format (CEF)
- Syslog format
Configure your SIEM tool to ingest inSync events exported in the CEF and Syslog formats for your further analysis.
Obtain Events API response in CEF format
To get events in CEF format, add the following parameter to the API request:
Field | Value | Description |
---|---|---|
format | CEF | Gets the Events API response in the CEF format. |
CEF Response Output format
Following is a sample output of Events API in CEF format:
"Sep 21 2017 13:41:14 cloud.druva.com CEF:0|Druva|inSync|1||Admin Audit Trail|6|[email protected] dvchost=Admin’s Mac mini cs2Label=ClientVersion cs2=5.9.5r54841 deviceFacility=6 cs3Label=ClientOS cs3=Mac OS X duid=1 deviceExternalId=80 outcome=Admin Event cs1Label=EventDetails cs1=Device:[email protected] initiated backup for a device Admin’s Mac mini deviceTranslatedAddress=192.168.0.0 cn1Label=ProfileID cn1=1 cs5Label=ProfileName cs5=Default duser=Ernie",
CEF response output consists of header attributes and extension attributes.
Header attributes
CEF response consists of the following attributes in the Header part:
Attribute Name | Description |
---|---|
Timestamp | The date and time when the event was generated. Format: MMM DD YYYY HH:MM:SS |
Hostname | Fully Qualified Domain Name (FQDN)of the originator that sent the CEF message. The domain name of inSync Cloud or inSync GovCloud. |
CEF Version | The version is zero. Value: 0 |
Device Vendor | The name of the API vendor. Value: Druva |
Device Product | The name of the API vendor's product. Value: inSync |
Event API Version | The current version of inSync Events API. |
Event Class ID | The identifier for the event. |
Name | The exported inSync event type. |
Severity | The severity level of the event as defined in inSync. inSync has defined the severity of events in accordance with RFC 3164. Refer Severity Level section for details. |
Extension Attributes | Extension attributes in a key-value pair. For the list of all the extension attributes received in the response, see the following table - Extension Attribute Field Mapping for CEF Format. |
Severity Level
Severity Level per RFC 3164.
Numerical Code | Severity |
---|---|
0 | Emergency: system is unusable |
1 | Alert: action must be taken immediately |
2 | Critical: critical conditions |
3 | Error: error conditions |
4 | Warning: warning conditions |
5 | Notice: normal but significant condition |
6 | Informational: informational messages |
7 | Debug: debug-level messages |
Extension Attribute Field Mapping for CEF Format
The following table lists the mapping of attributes in CEF format with JSON format.
Attribute Name in JSON format | Attribute Name in CEF format | Description |
---|---|---|
EventDetails | cs1/cs1Label | Additional details about the event occurred. Example, if it is a backup event, details such as the number of files backed up, files missed, time for backup, and so on. |
EventState | outcome | The state of the inSync event. For example, event triggered by an administrator. |
Initiator | suser | The initiator of the event. For example, manual backup triggered by a user named Ernie Carter. In case of a system event, the initiator is the name of the system. |
ErrorLogFullTrace | msg | Error details |
IPAddress | deviceTranslatedAddress | The IP address of the device on which the event occurred. In case of an admin event, IP address of the device on which the administrator performed the inSync activity is displayed. |
ProfileID | cn1/cn1Label | inSync assigned identifier of the inSync profile associated with the user, for whom the event occurred. |
Profile Name | cs5/cs5Label | The name of the inSync profile associated with the user, for whom the event occurred. |
inSyncUserID | duid | inSync assigned identifier of the user associated with the event. |
inSyncUserName | duser | The name of the inSync user associated with the event. |
inSyncDataSourceID | deviceExternalId | inSync assigned identifier of the user device on which the event occurred. |
inSyncDataSourceName | dvchost | The data source name on which the event occurred. |
ClientVersion | cs2/cs2Label | The inSync Client version on the user device. |
ClientOS | cs3/cs3Label | The OS on which the inSync Client is installed. |
Facility | deviceFacility | The facility number as defined in inSync Management Console Events API settings. The default value is 23. |
Obtain Events API response in Syslog format
To get events in Syslog format, add the following parameter to the API request:
Field | Value | Description |
---|---|---|
format | Syslog | Gets the Events API response in the Syslog format. |
Syslog Response Output format
Following is a sample output of Events API in Syslog format:
"<54>1 2017-09-21T13:41:14Z cloud.druva.com Druva inSync - - [email protected] inSyncDataSourceName=Admin’s Mac mini ClientVersion=5.9.5r54841 EventType=Admin Audit Trail ClientOS=Mac OS X inSyncUserID=1 inSyncDataSourceID=80 EventState=Admin Event EventDetails=Device:[email protected] initiated backup for a device Admin’s Mac mini IP=192.168.0.0 ProfileID=1 ProfileName=Default inSyncUserName=Ernie",
Syslog response output consists of header attributes and extension attributes.
Header attributes
Syslog response consists of the following attributes in the Header part:
Attribute Name | Description |
---|---|
PRIVAL | The Priority value (PRIVAL), and represents both the Facility and Severity. PRIVAL is derived using the following formula: (Facility number x 8)+Severity |
VERSION | The current version of inSync Events API. |
TIMESTAMP | The date and time when the event was generated. Format: yyyy-mm-ddThh:mm:ssZ |
HOSTNAME | Fully Qualified Domain Name (FQDN)of the originator that sent the syslog message. The domain name of inSync Cloud or inSync GovCloud. |
APP-NAME | The name of the Events API publisher. Value: Druva inSync |
PROCID | The identifier for the event. |
Extension Attributes | Extension attributes in a key-value pair. For the list of all the extension attributes received in the response, see the following table - Extension Attribute Field Mapping in Syslog format. |
Extension Attribute Field Mapping in Syslog format
Syslog response consists of the following attributes in the Extension part. The response in Extension is similar to that received in the JSON format.
Extension Attribute Name | Description |
---|---|
EventType | The exported inSync event type. |
EventState | The state of the inSync event. For example, event triggered by an administrator. |
EventID | The identifier to inter-relate multiple associated events. Example, all events associated with a backup event like Backup initialized, Backup paused, and Backup Success. |
Initiator | The initiator of the event. For example, Manual backup triggered by a user named Ernie Carter. In case of System event, the initiator will always be the name of the system. |
EventDetails | Additional details about the event occurred. Example, for a backup event, details such as the number of files backed up, files missed, time required for backup, and so on. |
IP | The IP address of the device on which the event occurred. In case of an admin event, IP address of the device from which the inSync administrator performed the inSync activity is displayed. |
ProfileID | inSync assigned identifier of the inSync profile associated with the user, for whom the event occurred. |
ProfileName | The name of the inSync profile associated with the user, for whom the event occurred. |
inSyncUserID | inSync assigned identifier of the user associated with the event. |
inSyncUserName | The name of the inSync user associated with the event. |
inSyncDataSource ID | inSync assigned identifier of the user device on which the event occurred. |
inSyncDataSourceName | The data source name on which the event occurred. |
ClientVersion | The inSync Client version on the user device. |
ClientOS | The OS on which the inSync Client is installed. |
Updated 9 months ago