Druva Developer Portal

Welcome to the Druva developer portal — your one stop for the knowledge and resources to start integrating with Druva data protection and management products. The portal has comprehensive guides, reference materials, and more.

Events API to export inSync events

About Events API

Using the Events API, you can export events from inSync. This API capability helps organizations to:

  • Get all the inSync events in a single API call
  • Monitor the reported failures and take corrective actions
  • Detect malicious activity through IP address logging
  • Integrate the exported events and alerts with the third-party SIEM tool

📘

Limited Availability

This feature is currently under controlled availability. Contact your Druva Sales representative or Druva Support if you want to use this feature.

Workflow to export inSync events

  1. Contact Druva Support to enable the Events API feature.
  2. Enable the option to export events from the inSync Management Console. For more information, see Enable export of events in inSync.
  3. Configure the events that can be exported using Events API. For more information, see Configure inSync to export events.
  4. Generate token to access Event API. For more information, see Use EVENTAPI to export events from inSync.
  5. Access Event API through any REST Client to receive a response in JSON format.

Supported inSync events

The following table lists the inSync events that you can export by using the Events API:

Event Category

Event Types

Event State

Description

Alerts & Notifications

Alerts

  • Alert Resolution
  • Alert Notification

Severity

Events related to inSync alerts with varied level of severity.

Backup & Restore

Backup & Restore

  • Backup
  • Restore

Backup

  • Success
  • Failed
  • Canceled
  • Backed up with errors
  • Paused
  • Resumed

Restore

  • Success
  • Failed

Events generated for every Backup & Restore activity and event state type.

WebDAV

WebDAV authentication

  • Success
  • Failed

Events for each attempt to access WebDAV using inSync legal administrator credentials.

Admin Event

Admin events

  • Administrator authentication
  • Administrator Audit Trail

Administrator authentication

  • Success
  • Failed
    Administrator Audit Trail
  • Admin event

Events for actions like administrator authentication and Audit Trail for activities performed by inSync administrators.

API

API authentication

  • Success
  • Failed

Events for each attempt to access API using inSync administrator credentials.

System Event

System Events

  • AD Synchronization
  • Data Source

AD Synchronization

  • User imported
  • User preserved
  • User re-enabled
  • User information updated
  • User deleted

Data Source

  • Device deleted
  • Device marked as inactive

Events for AD synchronization and update in Data Source status.

Admin Event

Client Upgrade

  • Scheduled
  • Failed
  • Canceled
  • Successful

Events for automatic and bulk device upgrade for inSync Client.

Configure inSync to export events

Only an inSync Cloud administrator can enable the option to export events and define the Events API settings.

Procedure

  1. On the inSync Management Console menu bar, click Settings (wheel icon) > Settings. The Settings page appears.
  2. Click the inSync APIs tab.
  3. In the Events API settings area, click Edit. The Edit Events API Settings window appears.
  1. Select the Export Events check box.
  2. Click in the Categories to export box and select the events that you want to export from inSync.
  3. In the Syslog facility field, type a value between 1 and 23 to assign a Syslog facility ID for inSync events. The default value is 23.
  4. Click Save.

Generate a token to access Events API

To generate a token to access Events API, see Authentication.

Access Events API

Make API requests. For more information, see the Events API reference.

You can also get the Events API response in CEF and Syslog formats. For more information, see Integrate Events API with a SIEM tool.

About Events API Response

  • Each inSync Events API response contains a maximum of 500 inSync events.
  • Every Events API response contains a tracker cookie. A tracker cookie, which is valid for the next 48 hours, is an identifier that contains inSync database reference and identifies the next set of unique events when successive Events API call is made.
  • If there are more than 500 events in the inSync database while returning an Events API response, the response contains nextpage header attribute that contains the next page URL. Use the nextpage header attribute along-with the tracker cookie in your subsequent API call to get additional set of inSync events.
  • Events API response is in the UTC timezone.

Integrate Events API with a SIEM tool

You can configure Security Information and Event Management (SIEM) tools like Splunk, ArcSight, and so on to consume inSync events. Events API enables inSync administrators to export inSync events in the following formats:

  • Common Event Format (CEF)
  • Syslog format

Configure your SIEM tool to ingest inSync events exported in the CEF and Syslog formats for your further analysis.

Obtain Events API response in CEF format

To get events in CEF format, add the following parameter to the API request:

Field

Value

Description

format

CEF

Gets the Events API response in the CEF format.

CEF Response Output format

Following is a sample output of Events API in CEF format:

"Sep 21 2017 13:41:14 cloud.druva.com CEF:0|Druva|inSync|1||Admin Audit Trail|6|[email protected] dvchost=Admin’s Mac mini cs2Label=ClientVersion cs2=5.9.5r54841 deviceFacility=6 cs3Label=ClientOS cs3=Mac OS X duid=1 deviceExternalId=80 outcome=Admin Event cs1Label=EventDetails cs1=Device:[email protected] initiated backup for a device Admin’s Mac mini deviceTranslatedAddress=192.168.0.0 cn1Label=ProfileID cn1=1 cs5Label=ProfileName cs5=Default duser=Ernie",

CEF response output consists of header attributes and extension attributes.

Header attributes

CEF response consists of the following attributes in the Header part:

Attribute Name

Description

Timestamp

The date and time when the event was generated.

Format: MMM DD YYYY HH:MM:SS

Hostname

Fully Qualified Domain Name (FQDN)of the originator that sent the
CEF message. The domain name of inSync Cloud or inSync GovCloud.

CEF Version

The version is zero.
Value: 0

Device Vendor

The name of the API vendor.
Value: Druva

Device Product

The name of the API vendor's product.
Value: inSync

Event API Version

The current version of inSync Events API.

Event Class ID

The identifier for the event.

Name

The exported inSync event type.

Severity

The severity level of the event as defined in inSync.

Extension Attributes

Extension attributes in a key-value pair. For the list of all the extension attributes received in the response, see the following table - Extension Attribute Field Mapping for CEF Format.

Extension Attribute Field Mapping for CEF Format
The following table lists the mapping of attributes in CEF format with JSON format.

Attribute Name in JSON format

Attribute Name in CEF format

Description

EventDetails

cs1/cs1Label

Additional details about the event occurred.

Example, if it is a backup event, details such as the number of files backed up, files missed, time for backup, and so on.

EventState

outcome

The state of the inSync event.

For example, event triggered by an administrator.

Initiator

suser

The initiator of the event.

For example, manual backup triggered by a user named Ernie Carter.

In case of a system event, the initiator is the name of the system.

ErrorLogFullTrace

msg

Error details

IPAddress

deviceTranslatedAddress

The IP address of the device on which the event occurred.

In case of an admin event, IP address of the device on which the administrator performed the inSync activity is displayed.

ProfileID

cn1/cn1Label

inSync assigned identifier of the inSync profile associated with the user, for whom the event occurred.

Profile Name

cs5/cs5Label

The name of the inSync profile associated with the user, for whom the event occurred.

inSyncUserID

duid

inSync assigned identifier of the user associated with the event.

inSyncUserName

duser

The name of the inSync user associated with the event.

inSyncDataSourceID

deviceExternalId

inSync assigned identifier of the user device on which the event occurred.

inSyncDataSourceName

dvchost

The data source name on which the event occurred.

ClientVersion

cs2/cs2Label

The inSync Client version on the user device.

ClientOS

cs3/cs3Label

The OS on which the inSync Client is installed.

Facility

deviceFacility

The facility number as defined in inSync Management Console Events API settings. The default value is 23.

Obtain Events API response in Syslog format

To get events in Syslog format, add the following parameter to the API request:

Field

Value

Description

format

Syslog

Gets the Events API response in the Syslog format.

Syslog Response Output format
Following is a sample output of Events API in Syslog format:

"<54>1 2017-09-21T13:41:14Z cloud.druva.com Druva inSync - -  [email protected] inSyncDataSourceName=Admin’s Mac mini ClientVersion=5.9.5r54841 EventType=Admin Audit Trail ClientOS=Mac OS X inSyncUserID=1 inSyncDataSourceID=80 EventState=Admin Event EventDetails=Device:[email protected] initiated backup for a device Admin’s Mac mini IP=192.168.0.0 ProfileID=1 ProfileName=Default inSyncUserName=Ernie",

Syslog response output consists of header attributes and extension attributes.

Header attributes
Syslog response consists of the following attributes in the Header part:

Attribute Name

Description

PRIVAL

The Priority value (PRIVAL), and represents both the Facility and Severity.

PRIVAL is derived using the following formula:

(Facility number x 8)+Severity

VERSION

The current version of inSync Events API.

TIMESTAMP

The date and time when the event was generated.
Format: yyyy-mm-ddThh:mm:ssZ

HOSTNAME

Fully Qualified Domain Name (FQDN)of the originator that sent the
syslog message. The domain name of inSync Cloud or inSync GovCloud.

APP-NAME

The name of the Events API publisher.

Value: Druva inSync

PROCID

The identifier for the event.

Extension Attributes

Extension attributes in a key-value pair. For the list of all the extension attributes received in the response, see the following table - Extension Attribute Field Mapping in Syslog format.

Extension Attribute Field Mapping in Syslog format
Syslog response consists of the following attributes in the Extension part. The response in Extension is similar to that received in the JSON format.

Extension Attribute Name

Description

EventType

The exported inSync event type.

EventState

The state of the inSync event.

For example, event triggered by an administrator.

EventID

The identifier to inter-relate multiple associated events.

Example, all events associated with a backup event like Backup initialized, Backup paused, and Backup Success.

Initiator

The initiator of the event.

For example, Manual backup triggered by a user named Ernie Carter.

In case of System event, the initiator will always be the name of the system.

EventDetails

Additional details about the event occurred.

Example, for a backup event, details such as the number of files backed up, files missed, time required for backup, and so on.

IP

The IP address of the device on which the event occurred.

In case of an admin event, IP address of the device from which the inSync administrator performed the inSync activity is displayed.

ProfileID

inSync assigned identifier of the inSync profile associated with the user, for whom the event occurred.

ProfileName

The name of the inSync profile associated with the user, for whom the event occurred.

inSyncUserID

inSync assigned identifier of the user associated with the event.

inSyncUserName

The name of the inSync user associated with the event.

inSyncDataSource ID

inSync assigned identifier of the user device on which the event occurred.

inSyncDataSourceName

The data source name on which the event occurred.

ClientVersion

The inSync Client version on the user device.

ClientOS

The OS on which the inSync Client is installed.

Updated 2 months ago

Events API to export inSync events


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.