auth.keepersecurity.audit.events

Introduction

Tags beginning with auth.keepersecurity identify events generated by Keeper Security Audit.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as auth.keepersecurity. The third level identifies the type of events sent, and the fourth level indicates the event subtype. 

| Technology | Brand | Type | Subtype |
|---|---|---|---|
| auth | keepersecurity | audit | events |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| auth.keepersecurity.audit.events | auth.keepersecurity.audit.events |

Log samples

The following are sample logs sent to each of the auth.keepersecurity data tables. Below each set of samples, you can see how the information is parsed into your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

auth.keepersecurity.audit.events

2021-10-11 16:02:04.440 localhost=127.0.0.1 auth.keepersecurity.audit.events: {"name": "sumo", "audit_event": "audit_sync_setup", "remote_address": "175.253.55.123", "client_version": "EMConsole.15.3.4", "timestamp": "2021-08-16T18:10:57.232Z", "username": "qcampbell", "enterprise_id": 99376}
2021-10-11 16:02:04.440 localhost=127.0.0.1 auth.keepersecurity.audit.events: {"audit_event": "login_console", "remote_address": "114.215.208.223", "client_version": "EMConsole.15.3.4", "timestamp": "2021-08-16T18:08:14.597Z", "username": "wyattjuan", "enterprise_id": 99376, "username_new": true, "client_version_new": true}
2021-10-11 16:02:04.440 localhost=127.0.0.1 auth.keepersecurity.audit.events: {"audit_event": "login_console", "remote_address": "37.23.107.125", "client_version": "EMConsole.15.3.4", "timestamp": "2021-08-16T18:11:22.582Z", "username": "villegaskimberly", "enterprise_id": 99376}
2021-10-11 16:02:04.440 localhost=127.0.0.1 auth.keepersecurity.audit.events: {"audit_event": "login_console", "remote_address": "215.26.15.161", "client_version": "EMConsole.15.3.4", "timestamp": "2021-08-17T18:20:59.529Z", "username": "meyerjamie", "enterprise_id": 99376}
2021-10-11 16:02:04.440 localhost=127.0.0.1 auth.keepersecurity.audit.events: {"audit_event": "login", "remote_address": "122.73.229.186", "client_version": "Commander.16.1.3", "timestamp": "2021-08-17T19:06:21.930Z", "username": "donaldmiller", "enterprise_id": 67241}

And this is how the log would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| eventdate | 2021-10-11 16:02:04.44 | timestamp | |
| hostname | inj01-pro-eu-aws | str | |
| name | sumo | str | |
| audit_event | audit_sync_setup | str | |
| remote_address | 175.253.55.123 | str | |
| client_version | EMConsole.15.3.4 | str | |
| timestamp | 2021-08-16 18:10:57.232 | timestamp | |
| username | qcampbell | str | |
| enterprise_id | 99376 | int4 | |
| username_new | null | bool | |
| client_version_new | null | bool | |
| device_name | null | str | |
| recipient | null | str | |
| origin | null | str | |
| record_uid | null | str | |
| shared_folder_uid | null | str | |
| result_code | null | str | |
| node | null | str | |
| to_username | null | str | |
| folder_type | null | str | |
| folder_uid | null | str | |
| role_id | null | str | |
| enforcement | null | str | |
| value | null | str | |
| email | null | str | |
| team_uid | null | str | |
| hostchain | localhost=127.0.0.1 | str | ✓ |
| tag | auth.keepersecurity.audit.events | str | ✓ |
| rawMessage | {"name": "sumo", "audit_event": "audit_sync_setup", "remote_address": "175.253.55.123", "client_version": "EMConsole.15.3.4", "timestamp": "2021-08-16T18:10:57.232Z", "username": "qcampbell", "enterprise_id": 99376} | str | ✓ |
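
To check a forwarder's output before it is sent, the mapping above can be reproduced offline. The following is an added example, not the platform's own parser: it validates the four-level tag, maps the JSON payload onto the listed columns (absent keys become null), and picks out events with `username_new` or `client_version_new` set. The names `parse_line` and `flagged_new` are hypothetical, and treating those flags as worth reviewing is an assumption.

```python
import json
import re
from datetime import datetime, timezone

# Non-Extra payload columns from the table on this page; keys absent from an event become None.
COLUMNS = ("name audit_event remote_address client_version timestamp username "
           "enterprise_id username_new client_version_new device_name recipient "
           "origin record_uid shared_folder_uid result_code node to_username "
           "folder_type folder_uid role_id enforcement value email team_uid").split()

# Layout of the sample lines: eventdate, hostchain, tag, then the JSON payload.
LINE_RE = re.compile(r"^(?P<eventdate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
                     r"(?P<hostchain>\S+) (?P<tag>[\w.]+): (?P<raw>\{.*\})$")

# Two sample lines copied from this page.
SAMPLES = [
    '2021-10-11 16:02:04.440 localhost=127.0.0.1 auth.keepersecurity.audit.events: {"name": "sumo", "audit_event": "audit_sync_setup", "remote_address": "175.253.55.123", "client_version": "EMConsole.15.3.4", "timestamp": "2021-08-16T18:10:57.232Z", "username": "qcampbell", "enterprise_id": 99376}',
    '2021-10-11 16:02:04.440 localhost=127.0.0.1 auth.keepersecurity.audit.events: {"audit_event": "login_console", "remote_address": "114.215.208.223", "client_version": "EMConsole.15.3.4", "timestamp": "2021-08-16T18:08:14.597Z", "username": "wyattjuan", "enterprise_id": 99376, "username_new": true, "client_version_new": true}',
]

def parse_line(line):
    """Split one raw line into a dict keyed by the table's column names."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("line does not match the sample layout")
    levels = m["tag"].split(".")
    if len(levels) != 4 or levels[:2] != ["auth", "keepersecurity"]:
        raise ValueError("tag must be auth.keepersecurity.<type>.<subtype>")
    payload = json.loads(m["raw"])
    row = {col: payload.get(col) for col in COLUMNS}
    if row["timestamp"] is not None:  # ISO 8601 UTC string -> aware datetime
        row["timestamp"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    # hostname is not present in the raw line, so it is not reconstructed here.
    row.update(eventdate=m["eventdate"], hostchain=m["hostchain"],
               tag=m["tag"], rawMessage=m["raw"])
    return row

def flagged_new(rows):
    """Rows whose username_new or client_version_new flag is true.
    The page does not define these flags; singling them out for review is an assumption."""
    return [r for r in rows if r["username_new"] is True or r["client_version_new"] is True]

if __name__ == "__main__":
    for row in flagged_new(parse_line(s) for s in SAMPLES):
        print(row["eventdate"], row["username"], row["remote_address"], row["audit_event"])
```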