Application Audit Logs Retention Query

Sivagami
Valued Contributor

For how many days are application audit logs available in the UI (Admin -> Admin Function -> Application Audit Logs)? I couldn't find the logs from last year.

Are the application audit logs that aren't visible in the UI stored somewhere in the backend, from which they can be requested when needed?

Thanks in advance!

-Siva

7 REPLIES

Srinivas
Saviynt Employee

Hi Sivagami

Application logs are stored in an Elasticsearch index instead of flat files (such as debug.log, error.log and so on). Logs are also shipped in real time to 3 different locations:

  • Elasticsearch container: Logs are shipped to Elasticsearch using fluentd and can be viewed by partners and customers from the application UI.
  • Observe: Logs are shipped to Observe using observe agent and can be viewed by Saviynt operations team (CloudOps, Engineering, PS, CPS, POC) from Observe UI.
  • S3 Bucket: Logs from both AWS and Azure tenants are also shipped using fluentd agent to a centralized S3 bucket for long term retention.

You can request old logs stored in the S3 bucket by creating a ticket for the CloudOps queue.

While creating the ticket, please provide the following details:

  • Customer Name and Environment
  • Microservice for which logs are required
  • Duration for which logs are required
  • Reason for Old Logs

The CloudOps team will download the required logs from the S3 bucket and share them with you.

Let us know if this helps!

Thanks

Srinivas

Sivagami
Valued Contributor

Thanks Srinivas for the information on Application Logs.

My query is more around Application Audit logs & not application logs.

Note: Our Saviynt Version is V5.5 SP3.10

Srinivas
Saviynt Employee

Hi Sivagami

Application audit logs are available in the UI; the number of days depends on log rotation, and recent logs will be available.
Yes, there may be cases where the logs are not visible in the UI but might be available in the backend; we can archive the logs and store them in the DB.

Thanks

srinivas

Is there any job to archive these logs, similar to the archive jobs for tasks & requests?


Regards,
Rushikesh Vartak

Sivagami
Valued Contributor

@Srinivas - Could you shed some light on the log rotation process mentioned?

Rajesh-R
Saviynt Employee

Hi Sivagami,

Greetings, 

Application Audit Logs contain the audit information of who did what at what time. They provide the user login information, user access information and transactional information of what changed in the system. This is the SIEM data which Saviynt exposes.

Coming to the Application Access Log rotation policy, Saviynt does not store this SIEM data for a very long time. Saviynt will maintain this data and archive the Application Access Logs older than 'X' number of days. The archived Application Access Logs would be made available as a flat file which can be extracted on request from the Amazon S3 bucket.

The frequency of data archival or rotation policy is not standardized for all the customers at the moment. Currently there is no automated Job to archive Application Audit Logs as well. But if you want the details of your customer's archival, the project team can help with the details around when the latest archival was done and can also help extract the archive data flat file, if provided with a valid Business Justification.

Having said that, every customer will have different standards and different rotation policies. To standardize this, it is recommended to look out for SIEM integration tools, extract SIEM data from Saviynt on a regular basis, and store it outside Saviynt based on the customer's retention policies.

Benefits:

  • This improves the performance of Saviynt. 
  • This allows the customer to choose their own rotation Policy.
  • This allows the customer to utilize this SIEM data elsewhere (e.g., SOC operations, threat analysis).

Hope this helps.


Thanks
Rajesh Ramalingam
Saviynt India
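
The recommendation in the reply above (pull SIEM data on a schedule and keep it outside Saviynt under the customer's own retention policy), as an added example that is not part of the thread and not Saviynt code. The event fields (`id`, `ts`, `actor`, `action`) and the `AuditArchive` class are assumptions, and the sample lines are constructed.

```python
import json
from datetime import date, datetime, timedelta

# Constructed sample exports. Field names are assumptions, not Saviynt's audit schema.
# Two pulls overlap on event "a2", as consecutive scheduled extractions typically do.
PULL_1 = [
    '{"id": "a1", "ts": "2022-05-20T09:00:00", "actor": "admin", "action": "LOGIN"}',
    '{"id": "a2", "ts": "2022-05-21T10:30:00", "actor": "siva", "action": "ROLE_UPDATE"}',
]
PULL_2 = [
    '{"id": "a2", "ts": "2022-05-21T10:30:00", "actor": "siva", "action": "ROLE_UPDATE"}',
    '{"id": "a3", "ts": "2022-05-24T08:15:00", "actor": "admin", "action": "LOGIN"}',
]


class AuditArchive:
    """External audit store partitioned by day; retention is set by the customer."""

    def __init__(self, retention_days):
        self.retention_days = retention_days
        self.by_day = {}  # date -> {event id -> event}

    def ingest(self, lines):
        """Add exported JSON lines; events already stored (same id) are skipped."""
        added = 0
        for line in lines:
            ev = json.loads(line)
            day = datetime.fromisoformat(ev["ts"]).date()
            bucket = self.by_day.setdefault(day, {})
            if ev["id"] not in bucket:
                bucket[ev["id"]] = ev
                added += 1
        return added

    def prune(self, today):
        """Drop day partitions older than the retention window; return them."""
        cutoff = today - timedelta(days=self.retention_days)
        expired = sorted(d for d in self.by_day if d < cutoff)
        for d in expired:
            del self.by_day[d]
        return expired

    def gaps(self, start, end):
        """Days in [start, end] with no events: a missed pull or a quiet day."""
        days = (start + timedelta(days=n) for n in range((end - start).days + 1))
        return [d for d in days if d not in self.by_day]
```

Running `gaps()` after each pull, while the source still holds the data, shows which days need to be re-extracted before they rotate out of the UI.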