Binalyze AIR Audit Logs

Overview

The Audit Log feature in Binalyze AIR is designed to provide detailed and comprehensive logging information about all actions performed within the platform. This ensures a solid ‘chain-of-custody’, transparency, and accountability, and it also supports investigations by maintaining a clear record of all activities.

The Audit Logs can be searched, filtered and exported at the Organization level.

Audit Logs are accessed via the Activity button in the main menu and then from Audit Logs in the secondary menu:

Each log entry can have additional properties to view such as what individual interACT command was run and by whom:

Important to know:

Binalyze AIR v4.19 introduces a new audit log retention policy aimed at optimizing platform performance and data management. Users are encouraged to back up their audit logs regularly to ensure no loss of data.

Before AIR v.4.19, all audit logs were saved to MongoDB.
After AIR v.4.19, all audit logs are saved to PostgreSQL and retained for 3 months.

Starting with the release of AIR v.4.19, audit logs will undergo a migration process:

Migration Timing: Upon upgrading to AIR v.4.19, audit logs from the past 3 months will be transferred from MongoDB to PostgreSQL.
Exporting Logs: Post AIR v. 4.19, when exporting audit logs from the AIR console user interface, only the logs from the last 3 months will be included in the export.
This ensures that users will always have access to the most recent audit logs in the UI while maintaining the ‘historical logs’ (pre v. 4.19) in the MongoDB.

Information about the retention policy is displayed on the AIR Audit logs page in the Tool Tip shown:

This message says; "Audit logs are retained for 3 months from the date of creation and will be automatically deleted after this period."

The Audit Log advanced filter date and time selection columns are limited to the last 3 months:

AIR Audit Log Export

There are three options to export your AIR Audit Logs:

Export Logs: Export the logs directly from the console’s Audit Log page.
Send Logs to Syslog Server: Utilize the feature in AIR’s settings to send logs to your Syslog Server.
Use the AIR API: See our API documentation to use it to retrieve the Audit Logs.

See below:

At the Organization level, users can search and filter audit logs within the Binalyze AIR Console and easily export them in CSV format.

To do this, use the Export button located at the top right corner of the user interface. This action will generate a ZIP file containing the filtered audit logs in CSV format, making it convenient for further analysis and record-keeping:

Below we are providing users with a MongoDB dump script to access and extract historical audit logs, those being any AIR Audit Logs you have generated before AIR version 4.19.

The backup can be performed using the following commands:

For Single Tier Installation: docker exec -ti binalyze-air-app-1 sh -c 'mongoexport --uri=mongodb://air.mongodb.server/airdb --collection audit_logs --out /binalyze-air/backups/air-auditlogs-dump.json'

For 2-Tier Installation: docker exec -ti binalyze-air-app-1 sh -c '. /binalyze-air/config/.env && mongoexport --uri=$AIR_MONGODB_URI --collection audit_logs --out /binalyze-air/backups/air-auditlogs-dump.json'

The dump file path for the backups: /opt/binalyze-air/volumes/app/binalyze-air/backups/air-auditlogs-dump.json

Syslog/SIEM Integration

All logs are forwarded as Common Event Format (CEF) messages when integrated with Syslog/SIEM which is found at Settings > Features > Syslog/SIEM, all logs are forwarded as Common Event Format (CEF) messages.

Audit Logs via the AIR API

The AIR API can be used to export your audit logs - for documentation visit: https://docs.binalyze.com/air/api#5bc2d708-51b9-4fec-abbd-2fe2f6220dd9

PreviousProxy Configuration on Binalyze AIR Console NextTroubleshooting

Last updated 3 months ago