Audit and Core Modules

Audit actions

Energy Logserver logs audit events for security-relevant operations across the platform. Audit actions are grouped by module; each table lists the action type, the request path that triggers it, and the part of the request that is recorded with the event.

Authorization Plugin

Action Type   Path                      From Request
-----------   ----                      ------------
LOGIN         /_logserver/login         username
LOGOUT        /_logserver/logout        username
FAILED_LOGIN  /_logserver/login         username
USER_CREATE   /_logserver/accounts      created user content
USER_UPDATE   /_logserver/accounts      whole body with diff
USER_DELETE   /_logserver/accounts      deleted user content
ROLE_CREATE   /_logserver/constraints   whole body with diff
ROLE_UPDATE   /_logserver/constraints   whole body with diff
ROLE_DELETE   /_logserver/constraints   whole body with diff
BULK          _bulk                     whole body if enabled
QUERY         *                         whole body if enabled
OBJECTS       /.kibana*                 whole body if enabled

Paths excluded from auditing

The following paths are excluded from audit logging:

  • /

  • /_nodes*

  • /_stats*

  • /.auth

  • /.authconfig*

  • /_logserver/configuration/trustedhost

  • /_logserver/resolve_token

  • /_logserver/reports/checkpass

  • /_logserver/tasksList

  • /_logserver/configuration/domains

  • /_logserver/license

  • /_logserver/license/repo_access

  • /_logserver/license/mssp

  • /_logserver/mssp/*

Config

Action Type                     Path                                    From Request
-----------                     ----                                    ------------
TOKENS DELETED                  post:/api/setting/job/deletealltokens
SETTINGS TOKENDELETE            put:/api/setting/tokendelete            payload.value
SETTINGS TIMEOUT                put:/api/setting/ttl                    payload.value
SETTINGS AUDIT SELECTION        put:/api/setting/auditselection         payload.value1
SETTINGS AUDIT EXCLUSION        put:/api/setting/auditexclusion         payload
SETTINGS ALERT EXCLUDE FIELDS   put:/api/setting/alert_exclude_fields   payload.value1
SETTINGS AUTH DOMAINS           put:/api/setting/auth_domains           payload.default_domain
MSSP PERMISSIVE MODE            put:/api/setting/mssp_permissive        payload.value2
MSSP SOURCES ALLOWED            post:/api/mssp/sources/allow            payload.sourcesIds
MSSP SOURCE DESCRIPTION EDITED  put:/api/mssp/source                    payload.description
MSSP SOURCES DELETED            delete:/api/mssp/sources                payload.sourcesIds

Reports

Action Type                       Path                                   From Request
-----------                       ----                                   ------------
DATA EXPORT CREATED               post:/api/reports/data/export          payload.taskName
MANUAL DATA EXPORT CREATED        post:/api/reports/data/export_manual   payload.user
DATA EXPORT EDITED                put:/api/reports/data/export           payload.taskName
DASHBOARD REPORT EXPORT CREATED   post:/api/reports/dashboard/export     payload.taskName
DASHBOARD REPORT EXPORT EDITED    put:/api/reports/dashboard/export      payload.taskName
DATA TABLE REPORT EXPORT CREATED  post:/api/reports/table/export         payload.taskName
DATA TABLE REPORT EXPORT EDITED   put:/api/reports/table/export          payload.taskName
SCHEDULED TASK ENABLED            put:/api/reports/scheduler/enable      payload.id
SCHEDULED TASK DISABLED           put:/api/reports/scheduler/disable     payload.id
TASKS DELETED                     delete:/api/reports                    payload.objs
SETTINGS PDF_EXPIRY               post:/api/reports/settings/pdf         payload.pdfExpiry
SETTINGS CSV_EXPIRY               post:/api/reports/settings/csv         payload.csvExpiry
REPORT UPLOAD LOGO                post:/api/reports/settings/logos       payload.fileName
ONGOING TASK STOP                 post:/api/reports/stop                 params.taskId

Alerts

Action Type                     Path                          From Request
-----------                     ----                          ------------
ALERT RULE CREATED              post:/api/alerts              payload.name
ALERT RULE EDITED               put:/api/alerts               payload.name
ALERT RULES SAVED               post:/api/alerts/save         payload.names
ALERT RULE ENABLED/DISABLED     put:/api/alerts/toggle        payload.name
ALERT RULE RAN ONCE             post:/api/alerts/run_once     payload.name
ALERT RULE DELETED              delete:/api/alerts            payload.names
ALERT GROUP CREATED             post:/api/alerts/group        payload.name
ALERT GROUP RENAMED             put:/api/alerts/group         payload.name
ALERT GROUP DELETED             delete:/api/alerts/group      payload.name
ALERTS ADDED TO GROUP           post:/api/alerts/group/add    payload.names
ALERT CHANGED ROLES             put:/api/alerts/roles         payload.name
ALERT MANUAL INCIDENT CREATED   post:/api/alerts/incident     payload.name
ALERT RULE INCIDENT EDITED      put:/api/alerts/incident      payload.name

Index Management

Action Type                       Path                                            From Request
-----------                       ----                                            ------------
ACTION CREATED                    post:/api/index_management/action               payload.name
ACTION EDITED                     put:/api/index_management/action                payload.name
ACTION START NOW                  post:/api/index_management/action/run_action    payload.name
ACTION DELETED                    delete:/api/index_management/action/            params.id
SYSTEM INDEX ROLLOVER CONFIGURE   post:/api/index_management/settings/rollover/   payload

Archive

Action Type                       Path                          From Request
-----------                       ----                          ------------
ARCHIVAL TASK CREATED             post:/api/archive/task        payload.taskName
ARCHIVAL TASK UPDATED             put:/api/archive/task         payload.taskName
ARCHIVAL TASK START NOW           post:/api/archive/task/run    payload.taskName
TASKS DELETED                     delete:/api/archive/task      payload.objs
SEARCH TASK CREATED               post:/api/archive/search      payload.taskName
RESTORE TASK CREATED              post:/api/archive/restore     payload.taskName
ARCHIVE(S) DELETED                delete:/api/archive           payload.objs
ARCHIVE POLICY EXECUTED           post:/api/archive/policy      payload
ARCHIVE RETENTION POLICY DELETED  delete:/api/archive/policy    payload

Sync

Action Type             Path                        From Request
-----------             ----                        ------------
SYNC PROFILE CREATED    post:/api/sync/profile      payload.name
SYNC PROFILE DELETED    delete:/api/sync/profile    payload.name
SYNC SYNCHRONISED       post:/api/sync/sync         payload.indices
SYNC COPIED             post:/api/sync/copy         payload.indices
SYNC JOB DELETED        delete:/api/sync/job        payload.id
SYNC JOB RAN            post:/api/sync/job/run      payload.id

Agents

Action Type                   Path                                  From Request
-----------                   ----                                  ------------
AGENTS AGENT RELOADED         post:/api/agents/reload               payload.agentId
AGENTS MASTERAGENT RELOADED   post:/api/agents/masteragent/reload   payload
AGENTS DELETED                delete:/api/agents                    payload.agentIds
AGENTS FILE CREATED           post:/api/agents/file                 payload.fileName
AGENTS FILE DELETED           delete:/api/agents/file               payload.fileName
AGENTS FILE EDITED            put:/api/agents/file                  payload.fileName
AGENTS TEMPLATE CREATED       post:/api/agents/template             payload.name
AGENTS TEMPLATE EDITED        put:/api/agents/template              payload.name
AGENTS TEMPLATE DELETED       delete:/api/agents/template           payload.name

Intelligence

Action Type                       Path                                            From Request
-----------                       ----                                            ------------
INTELLIGENCE RULE CREATED         post:/api/intelligence/rule                     payload.name
INTELLIGENCE RULE EDITED          put:/api/intelligence/rule                      payload.name
INTELLIGENCE RULE STOPPED         post:/api/intelligence/rule/stop                payload.name
INTELLIGENCE RULE STARTED         post:/api/intelligence/rule/start               payload.name
INTELLIGENCE RULE DELETED         delete:/api/intelligence/rule                   payload.name
INTELLIGENCE USE CASE DOWNLOADED  post:/api/intelligence/usecase/download         payload.name
INTELLIGENCE USE CASE UPLOADED    post:/api/intelligence/usecase/upload           payload.name
ASSISTANT CONNECTION CREATED      post:/api/intelligence/assistant/connection     payload.name
ASSISTANT CONNECTION EDITED       put:/api/intelligence/assistant/connection      payload.name
ASSISTANT CONNECTION DELETED      delete:/api/intelligence/assistant/connection   payload.name

Network Probe

Action Type                       Path                                        From Request
-----------                       ----                                        ------------
NETWORK-PROBE FILE CREATED        post:/api/network-probe/file                payload.fileName
NETWORK-PROBE FILE DELETED        delete:/api/network-probe/file              payload.fileName
NETWORK-PROBE UNREGISTERED        delete:/api/network-probe                   payload.probeId
NETWORK-PROBE REREGISTERED        post:/api/network-probe/reregister          payload.probeId
NETWORK PROBE SERVICES STOPPED    post:/api/network-probe/services/stop       payload.probeId
NETWORK PROBE SERVICES STARTED    post:/api/network-probe/services/start      payload.probeId
NETWORK PROBE SERVICES RESTARTED  post:/api/network-probe/services/restart    payload.probeId
NETWORK-PROBE PIPELINES ENABLED   post:/api/network-probe/pipelines/enable    payload.names
NETWORK-PROBE PIPELINES DISABLED  post:/api/network-probe/pipelines/disable   payload.names
NETWORK-PROBE PIPELINES RELOADED  post:/api/network-probe/pipelines/reload    payload.probeId
NETWORK-PROBE PIPELINE CREATED    post:/api/network-probe/pipeline            payload.name