Log Streaming
This feature may not be available in your service zone.
STA allows you to retrieve access and authentication logs. The retrieved logs can then be sent to a Security Information and Event Management (SIEM) system or System Logging Protocol (syslog) file server. The data from the captured logs can analyzed to identify security risks and alerts, and to address other administrative needs such as long term storage, auditing, forensic analysis, and so on.
Audit logs generated from actions taken in the STA Token Management console are not supported.
To retrieve logs from STA, you can use either the SafeNet Logging Agent or the Logs API.
-
SafeNet Logging Agent: The agent uses the Logs API to automatically retrieve logs from STA and send those logs to the specified location in your network. When using the SafeNet Logging Agent, the output is sent using the syslog protocol, with each syslog message providing one STA log.
-
Logs API: You can programmatically integrate the Logs API into your software. When using the Logs API, the logs are provided in a stream of JSON objects.
In both cases, the individual STA logs are provided in JSON format as described in Access and authentication log fields.
Both log streaming methods require an API key.
Log streaming activity information
You can view status and audit information about log streaming activity.
Log streaming status
The Log Streaming screen includes a status table with information about the Logs API activity. This status table allows you to quickly determine whether logs are effectively retrieved without needing to check the audit logs.
The table lists one entry for each API key from which at least one Logs API call was made. After 30 days with no log streaming activity, an API key is no longer included in the status table.
To view the records:
-
On the STA Access Management console, select Settings > Log Streaming.
The status of each log retrieval request displays:
-
API Key Name shows the friendly name for the API key that was used.
-
Agent Version shows the version of the SafeNet Logging Agent that initiated the Logs API function call, or N/A if the request was not initiated by an agent.
-
Last log retrieval request shows the timestamp for the last Logs API function call that was received using that API key, or No Activity if there is no history.
Log streaming in the audit logs
Each call to the Logs API function is recorded with an entry in the STA audit logs of operator activity. The entries include:
| Column | Description |
|---|---|
| Timestamp | The time when the Logs API function call was received by STA. |
| UserID | The identity of the user, mapped to the API key that was used. |
| IP Address | The public IP address from which the Logs API function call was initiated. |
| Organization | The name of the virtual server that the API key is associated with. This may be different than the virtual server to which the Logs API function call is made. |
| Action Taken | Read indicates that the logs were read and retrieved. |
| Object Type | Access & Audit Logs indicates that access or audit logs were retrieved. |
| Object Title | The timestamp (YYYY-MM-DD HH:MM:SS) of the first log retrieved through this Logs API function call. |