Elasticsearch security logs

For enterprise clients we can provide our security logs from Elasticsearch. Contact us for more details about connecting to it and pulling the logs.

Logs structure

Our logs record every HTTP request made by users that could change the configuration of your organization. Every log entry has an @timestamp field giving the time at which the request was executed, and a message.source.ip field containing the requester's IP address. When the user is authenticated we also include message.user.id, the user's ID in Closer, and message.user.roles, which lists the roles of the user.

We also provide message.http.request.body and message.http.request.method so you can identify what action the user was trying to perform. The fields message.http.response.body and message.http.response.status_code give you the result of the action. The full URL at which the user executed the request is provided in the field message.url.full.

For easier filtering of the logs we provide the fields message.event.category, message.event.kind, message.event.type, message.event.outcome and message.event.action. These fields are compliant with the ECS event fields. The list of our event actions:

  • org_config_change - change made to the general config of an organization
  • free_org_creation - creation of an org with the free plan
  • stripe_org_creation - creation of an org with a paid plan
  • widget_logo_creation - creation of a new logo in the widget header
  • widget_logo_deletion - deletion of the logo in the widget header
  • widget_background_creation - creation of a new background image in the widget header
  • widget_background_deletion - deletion of the background image in the widget header
  • agent_profile_change - change made to an agent profile
  • agent_deactivation - deactivation of an agent in the organization
  • agent_restore - restoration of an agent in the organization
  • agent_login - agent login to Closer using email and password
  • agent_login_with_magic_link - agent login using a magic link
  • agent_logout - agent logout from Closer
  • agent_password_change - agent password change from settings
  • agent_password_change_with_token - agent password change using a token
  • agent_password_reset - agent password reset request
  • agent_skills_change - change of an agent's skills
  • agent_preferences_change - change of an agent's preferences for notifications and inbox sorting
  • agent_limit_change - change of an agent's assigned-conversations limit, currently not used
  • agent_role_change - change of an agent's role, to or from admin
  • agent_invitation - invitation of a new agent to the organization
  • agent_invitation_acceptation - acceptance of an organization invitation by a new agent
  • agent_avatar_creation - creation of a new agent avatar
  • agent_avatar_deletion - deletion of an agent avatar
  • unavailability_reason_creation - creation of an unavailability reason for agents in the unavailable status
  • unavailability_reason_change - change of an unavailability reason for agents in the unavailable status
  • unavailability_reason_deletion - deletion of an unavailability reason for agents in the unavailable status
  • bot_type_change - change of the bot type in Closer
  • lekta_config_creation - creation of the Lekta integration config for the bot
  • lekta_config_change - change to the Lekta integration config for the bot
  • event_action_config_creation - creation of an event action config (a response that is sent by the bot on a specific event)
  • event_action_config_change - change of an event action config
  • event_action_config_deletion - deletion of an event action config
  • ai_suggestions_config_change - change to the AI suggestions config
  • ai_suggestions_intent_creation - creation of an AI suggestions intent
  • ai_suggestions_intent_change - change of an AI suggestions intent
  • ai_suggestions_intent_deletion - deletion of an AI suggestions intent
  • ai_suggestions_dataset_creation - creation of an AI suggestions dataset for NLU
  • ai_suggestions_dataset_change - change of an AI suggestions dataset for NLU
  • ai_suggestions_dataset_deletion - deletion of an AI suggestions dataset for NLU
  • widget_form_config_creation - creation of a widget form config displayed to the customer in the widget
  • widget_form_config_change - change of a widget form config
  • widget_form_config_deletion - deletion of a widget form config
  • oauth_authorization - authorization of a customer using OAuth
  • oauth_config_creation - creation of an OAuth config for customer authorization
  • oauth_config_change - change of an OAuth config
  • oauth_config_deletion - deletion of an OAuth config
  • proactive_messages_config_creation - creation of a proactive message config displayed over the widget
  • proactive_messages_config_change - change of a proactive message config
  • proactive_messages_config_deletion - deletion of a proactive message config
  • profanities_config_creation - creation of a profanities config, used to block certain words from being sent
  • profanities_config_change - change of a profanities config
  • tag_mapping_config_creation - creation of a tag mapping config for tagging customers on a specific page
  • tag_mapping_config_change - change of a tag mapping config
  • tag_mapping_config_deletion - deletion of a tag mapping config
  • org_topic_creation - creation of a topic in the org
  • org_topic_change - change of a topic in the org
  • org_topic_deletion - deletion of a topic in the org

Example event from Elasticsearch

{
  "_index": "closer",
  "_type": "entry",
  "_id": "s3baO3kBZbVQk2pxTK-w",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@timestamp": "2021-05-05T09:27:12.529+0000",
    "message": {
      "event.kind": [
        "event"
      ],
      "event.category": [
        "configuration"
      ],
      "event.type": [
        "change",
        "user"
      ],
      "event.action": "agent_skills_change",
      "event.outcome": "success",
      "http.request.body.content": "{\"skills\":[\"skill\"]}",
      "http.request.method": "PUT",
      "http.response.status_code": 204,
      "user.id": "00000000-0000-0000-0000-000000000000",
      "user.roles": [
        "ADMIN"
      ],
      "source.ip": "/89.187.249.34",
      "url.full": "http://spinner.stage.closer.app/api/users/agents/00000000-0000-0000-0000-000000000000/skills",
      "ecs.version": "1.9"
    }
  }
}
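The Python below is an added example, not part of Closer's own tooling: it flattens hits in the shape shown above to the documented fields and applies two simple triage rules, flagging privilege-relevant or non-success events and counting repeated failed agent_login events per source IP. Which actions count as privilege-relevant, the "failure" outcome value (ECS's allowed value; the page only shows "success"), and the sample hits are assumptions of this example.

```python
from collections import Counter

# Assumption of this example: these page-listed actions are treated as privilege-relevant.
PRIVILEGE_ACTIONS = {"agent_role_change", "agent_invitation", "agent_password_change",
                     "agent_password_change_with_token", "agent_password_reset",
                     "oauth_config_creation", "oauth_config_change", "oauth_config_deletion"}

def normalize_ip(raw):
    """source.ip in the page's sample carries a leading '/' ('/89.187.249.34'); strip it."""
    return raw.lstrip("/") if isinstance(raw, str) else raw

def triage(hit):
    """Flatten one Elasticsearch hit to the documented fields a defender needs."""
    msg = hit["_source"]["message"]
    return {
        "ts": hit["_source"]["@timestamp"],
        "action": msg.get("event.action"),
        "outcome": msg.get("event.outcome"),
        "user": msg.get("user.id"),          # absent when the request was unauthenticated
        "ip": normalize_ip(msg.get("source.ip")),
    }

def flag(summary):
    """Reasons to look at this event; an empty list means nothing notable."""
    reasons = []
    if summary["action"] in PRIVILEGE_ACTIONS:
        reasons.append("privilege-relevant action")
    if summary["outcome"] != "success":
        reasons.append("non-success outcome")
    return reasons

def failed_logins_by_ip(hits, threshold=3):
    """Source IPs with at least `threshold` non-success agent_login events."""
    counts = Counter(s["ip"] for s in map(triage, hits)
                     if s["action"] == "agent_login" and s["outcome"] != "success")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def make_hit(ts, action, outcome, ip, user="00000000-0000-0000-0000-000000000000"):
    """Constructed hit in the page's shape (sample data, not real logs)."""
    msg = {"event.action": action, "event.outcome": outcome, "source.ip": ip,
           "http.response.status_code": 204 if outcome == "success" else 401}
    if user is not None:
        msg.update({"user.id": user, "user.roles": ["ADMIN"]})
    return {"_source": {"@timestamp": ts, "message": msg}}

SAMPLE_HITS = [
    make_hit("2021-05-05T09:27:12.529+0000", "agent_skills_change", "success", "/89.187.249.34"),
    make_hit("2021-05-05T09:28:00.000+0000", "agent_role_change", "success", "/89.187.249.34"),
    *(make_hit(f"2021-05-05T09:3{i}:00.000+0000", "agent_login", "failure", "/10.0.0.7", user=None)
      for i in range(3)),
]
```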
