Archive the Audit Data

By default, the ActivID Appliance keeps 30 days of audit data in the database for online reporting that can be queried using the ActivID Management Console.

Audit data is automatically backed up internally to .csv files every day (using the database scheduler).

By default, the internal automatic backup is performed at 03.00 GMT. If an archive schedule is configured, to reduce the impact on performance, this backup is automatically configured to occur one hour before the scheduled time.

The schedule time should be defined so that the generation of the audit data .csv file occurs when the appliance’s load is low.

Note:  
  • The automatic backups are generated on the appliance’s local file system. They are not pushed to FTP/SFTP servers and the records are not purged from the database.
  • You can define the number of days of audit data to keep online using the ActivID Console.

If the Archive is not scheduled, the size of the .csv files on the appliance file system might impact performance. To avoid that the appliance stops functioning due to a full disk, the older .csv files will be automatically deleted after a maximum size limit is reached.

In this case, a warning message will be displayed on console dashboard – ‘Archive audit data has reached maximum size limit, please schedule archive process’.

Important: In High Availability deployments, you must configure the archive of audit data on both appliances to purge data that is not synchronized between the nodes.

The Archive Audit function pushes the .csv file archives to your defined FTP/SFTP server (which must be configured to be able to archive the audit data). The corresponding .csv files are then deleted.

The Scheduled Archive and Archive Now processes create a .tar file in your remote folder that contains encrypted audit data for each domain (for example, Audit_Myhost_MyDOMAIN_OBF_20240812-000011.tar where the file format is Audit_<hostname>_<domain>_OBF_<date format: AAAAMMDD>-<time format HHMMSS>).

The names of the .csv files for a domain (obtained by decrypting the .tar file using the activid_decrypt_archive.sh script) use the following conventions:

Note:  
  • If there is no record to archive, the audit archive .tar file will only contain a readme explaining that no audit events were found.
  • For a Scheduled Archive operation, the audit archive .tar file will not contain events from the current day as they were not exported automatically from the database yet.
  • For an Archive Now operation, the audit archive .tar file will contain .csv files already collected, including a specific .csv file with the records of the current day.

Schedule the Audit Archive

You can define the remote server (FTP or SFTP) on which you want to archive the audit data and the archive schedule.

Note: It is recommended that you verify the audit data using the ActivID Management Console before archiving.
  1. Log on to the ActivID Console and, under System in the left menu, select Audit.

  2. Select the SFTP/FTP Site where the archive package must be copied (or click Add New to configure a new site).

  3. Enter and confirm the Archive Password.

    Important:  
    • The password:

      • Must contain between 1 and 20 characters

      • Can contain special characters except [ ] { } | < > " ' ( )

      • Must not contain empty characters such as spaces and tabulations

    • Make a note of this password. This password is passed to activid_decrypt_archive.sh using the –p option

  1. In the Scheduler section, select either:

  1. Click Save to apply the configuration.

Archive the Audit Data On Demand

You can use the Archive Now option to start an immediate and on-demand archiving process of the audit data.

  1. Log on to the ActivID Console and, under System in the left menu, select Audit.

  2. Select the SFTP/FTP Site where the archive package must be copied (or click Add New to configure a new site).

  3. Enter and confirm the Archive Password.

    Important:  
    • The password must be between 1 and 20 characters

    • Make a note of this password. This password is passed to activid_decrypt_archive.sh using the –p option

  4. To create an on-demand audit archive, click Archive Now.

Note: If no audit events are found, a message is displayed.