LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Overview
  • Starting with the release of AIR v.4.19, audit logs will undergo a migration process:
  • AIR Audit Log Export
  • Syslog/SIEM Integration
  • Audit Logs via the AIR API

Was this helpful?

Export as PDF
  1. AIR
  2. Features

Binalyze AIR Audit Logs

PreviousProxy Configuration on Binalyze AIR ConsoleNextTroubleshooting

Last updated 9 months ago

Was this helpful?

Overview

The Audit Log feature in Binalyze AIR is designed to provide detailed and comprehensive logging information about all actions performed within the platform. This ensures a solid ‘chain-of-custody’, transparency, and accountability, and it also supports investigations by maintaining a clear record of all activities.

The Audit Logs can be searched, filtered and exported at the Organization level.

Audit Logs are accessed via the Activity button in the main menu and then from Audit Logs in the secondary menu:

AIR Audit Logs are found Activity > Audit Logs

Each log entry can have additional properties to view such as what individual interACT command was run and by whom:

Important to know:

Binalyze AIR v4.19 introduces a new audit log retention policy aimed at optimizing platform performance and data management. Users are encouraged to back up their audit logs regularly to ensure no loss of data.

  • Before AIR v.4.19, all audit logs were saved to MongoDB.

  • After AIR v.4.19, all audit logs are saved to PostgreSQL and retained for 3 months.

Starting with the release of AIR v.4.19, audit logs will undergo a migration process:

  • Migration Timing: Upon upgrading to AIR v.4.19, audit logs from the past 3 months will be transferred from MongoDB to PostgreSQL.

  • Exporting Logs: Post AIR v. 4.19, when exporting audit logs from the AIR console user interface, only the logs from the last 3 months will be included in the export.

  • This ensures that users will always have access to the most recent audit logs in the UI while maintaining the ‘historical logs’ (pre v. 4.19) in the MongoDB.

Information about the retention policy is displayed on the AIR Audit logs page in the Tool Tip shown:

This message says; "Audit logs are retained for 3 months from the date of creation and will be automatically deleted after this period."

The Audit Log advanced filter date and time selection columns are limited to the last 3 months:

AIR Audit Log Export

There are three options to export your AIR Audit Logs:

  • Export Logs: Export the logs directly from the console’s Audit Log page.

  • Send Logs to Syslog Server: Utilize the feature in AIR’s settings to send logs to your Syslog Server.

See below:

At the Organization level, users can search and filter audit logs within the Binalyze AIR Console and easily export them in CSV format.

To do this, use the Export button located at the top right corner of the user interface. This action will generate a ZIP file containing the filtered audit logs in CSV format, making it convenient for further analysis and record-keeping:

Below we are providing users with a MongoDB dump script to access and extract historical audit logs, those being any AIR Audit Logs you have generated before AIR version 4.19.

The backup can be performed using the following commands:

For Single Tier Installation: docker exec -ti binalyze-air-app-1 sh -c 'mongoexport --uri=mongodb://air.mongodb.server/airdb --collection audit_logs --out /binalyze-air/backups/air-auditlogs-dump.json'

For 2-Tier Installation: docker exec -ti binalyze-air-app-1 sh -c '. /binalyze-air/config/.env && mongoexport --uri=$AIR_MONGODB_URI --collection audit_logs --out /binalyze-air/backups/air-auditlogs-dump.json'

The dump file path for the backups: /opt/binalyze-air/volumes/app/binalyze-air/backups/air-auditlogs-dump.json

Syslog/SIEM Integration

All logs are forwarded as Common Event Format (CEF) messages when integrated with Syslog/SIEM which is found at Settings > Features > Syslog/SIEM, all logs are forwarded as Common Event Format (CEF) messages.

Audit Logs via the AIR API

Expand log entry for addition information

Use the AIR API: See our to use it to retrieve the Audit Logs.

The Audit Log Search, Advanced Filter, and Export options
integrated with Syslog/SIEM> Features> Syslog/SIEM through Settings > Features > Syslog/SIEM

The AIR API can be used to export your audit logs - for documentation visit:

API documentation
https://docs.binalyze.com/air/api#5bc2d708-51b9-4fec-abbd-2fe2f6220dd9
The Audit Log advanced filter
Audit Logs via the AIR API