Archive the Audit Data

By default, the ActivID Appliance keeps 30 days of audit data in the database for online reporting that can be queried using the ActivID Management Console.

Audit data is automatically backed up internally to .csv files every day (using the database scheduler).

By default, the internal automatic backup is performed at 03:00 GMT. If an archive schedule is configured, to reduce the impact on performance, this backup is automatically configured to occur one hour before the scheduled time.

The schedule time should be defined so that the generation of the audit data .csv file occurs when the appliance’s load is low.

Note:  
  • The automatic backups are generated on the appliance’s local file system. They are not pushed to FTP/SFTP servers and the records are not purged from the database.
  • You can define the number of days of audit data to keep online using the ActivID Console.

If the Archive is not scheduled, the size of the .csv files on the appliance file system might impact performance. To prevent the appliance from failing because of a full disk, the older .csv files are automatically deleted after a maximum size limit is reached.

In this case, a warning message is displayed on the console dashboard: ‘Archive audit data has reached maximum size limit, please schedule archive process’.

Important: In High Availability deployments, you must configure the archive of audit data on both appliances to purge data that is not synchronized between the nodes.

The Archive Audit function pushes the .csv file archives to your defined FTP/SFTP server (which must be configured to be able to archive the audit data). The corresponding .csv files are then deleted.

The Scheduled Archive and Archive Now processes create a .tar file in your remote folder that contains encrypted audit data for each domain (for example, Audit_Myhost_MyDOMAIN_OBF_20190512-000011.tar, where the file name format is Audit_<hostname>_<domain>_OBF_<date format: YYYYMMDD>-<time format: HHMMSS>).

The names of the .csv files for a domain (obtained by decrypting the .tar file using the activid_decrypt_archive.sh script) use the following convention:

Note:  
  • If there is no record to archive, the audit archive .tar file will only contain a readme explaining that no audit events were found.
  • For a Scheduled Archive operation, the audit archive .tar file will not contain events from the current day as they were not exported automatically from the database yet.
  • For an Archive Now operation, the audit archive .tar file will contain .csv files already collected, including a specific .csv file with the records of the current day.
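The archive naming convention above makes it possible to check the remote folder for missing archives. The following is an added example, not part of the product documentation: it parses archive names and reports gaps per host and domain. The hostname-without-underscore rule, the `max_gap` default (a daily schedule) and the sample listing are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Name format from the page: Audit_<hostname>_<domain>_OBF_<date>-<time>.tar
# Assumption: the hostname has no "_", so the first "_" after "Audit_" ends it
# (the domain part may itself contain underscores).
ARCHIVE_RE = re.compile(
    r"^Audit_(?P<host>[^_]+)_(?P<domain>.+)_OBF_(?P<stamp>\d{8}-\d{6})\.tar$")

def parse_archive_name(name):
    """Return (host, domain, datetime), or None if the name does not fit."""
    m = ARCHIVE_RE.match(name)
    if not m:
        return None
    try:
        when = datetime.strptime(m["stamp"], "%Y%m%d-%H%M%S")
    except ValueError:  # right shape, impossible date (e.g. 30 February)
        return None
    return m["host"], m["domain"], when

def audit_archive_gaps(names, max_gap=timedelta(days=1, hours=1)):
    """Return (gaps, unrecognized) for a listing of the remote folder.

    max_gap is an assumption (daily schedule plus one hour of slack);
    set it to match the schedule configured in the console.
    """
    series, unrecognized = defaultdict(list), []
    for name in names:
        parsed = parse_archive_name(name)
        if parsed is None:
            unrecognized.append(name)  # stray or renamed file: review by hand
            continue
        host, domain, when = parsed
        series[(host, domain)].append(when)
    gaps = []
    for (host, domain), stamps in sorted(series.items()):
        stamps.sort()
        for prev, nxt in zip(stamps, stamps[1:]):
            if nxt - prev > max_gap:
                gaps.append((host, domain, prev, nxt))
    return gaps, unrecognized

# Constructed listing (not real data); "Node2" stands for a second HA node.
SAMPLE_LISTING = [
    "Audit_Myhost_MyDOMAIN_OBF_20190512-000011.tar",
    "Audit_Myhost_MyDOMAIN_OBF_20190513-000010.tar",
    "Audit_Myhost_MyDOMAIN_OBF_20190516-000012.tar",  # 14th and 15th missing
    "Audit_Node2_MyDOMAIN_OBF_20190512-000015.tar",
    "Audit_Node2_MyDOMAIN_OBF_20190513-000014.tar",
    "Audit_Myhost_MyDOMAIN_OBF_20190230-000000.tar",  # impossible date
]
```

A reported gap does not by itself mean audit data was lost, because the .csv files stay on the appliance until they are archived, but it does mean a scheduled push did not arrive.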

Schedule the Audit Archive

You can define the remote server (FTP or SFTP) on which you want to archive the audit data and the archive schedule.

Note: It is recommended that you verify the audit data using the ActivID Management Console before archiving.
  1. Log on to the ActivID Console and, under System in the left menu, select Audit.

  2. Select the SFTP/FTP Site where the archive package must be copied (or click Add New to configure a new site).

  3. Enter and confirm the Archive Password.

    Important:  
    • The password:

      • Must contain between 1 and 20 characters

      • Can contain special characters except [ ] { } | < > " ' ( )

      • Must not contain whitespace characters such as spaces and tabs

    • Make a note of this password. This password is passed to activid_decrypt_archive.sh using the -p option.

  4. In the Scheduler section, select either:

  5. Click Save to apply the configuration.

Archive the Audit Data On Demand

You can use the Archive Now option to start an immediate and on-demand archiving process of the audit data.

  1. Log on to the ActivID Console and, under System in the left menu, select Audit.

  2. Select the SFTP/FTP Site where the archive package must be copied (or click Add New to configure a new site).

  3. Enter and confirm the Archive Password.

    Important:  
    • The password:

      • Must contain between 1 and 20 characters

      • Can contain special characters except [ ] { } | < > " ' ( )

      • Must not contain whitespace characters such as spaces and tabs

    • Make a note of this password. This password is passed to activid_decrypt_archive.sh using the -p option.

  4. To create an on-demand audit archive, click Archive Now.

Note: If no audit events are found, a message is displayed.