Reporting Commands

Commands for audit logging and reporting capabilities

Commands

Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Reporting Commands
Command
Explanation
Show users that haven't performed a specific action in a given number of days
Determine which record passwords have NOT been changed in X days
audit-log
Export the enterprise audit and event logs
Show a customized report of audit events
See information about records in vaults of users across the enterprise
Display information about records shared with external accounts
Display information on managed company plans and available licenses
Show report of password security strength for each user in the enterprise
Display information about shared records
Show a report of shared records
Show a report of user logins

audit-log command

command: audit-log
Detail: Download event data from the Advanced Reporting & Alerts Module ("ARAM") to your local Commander instance, and then push the events to a SIEM provider. For a fully automated process, we recommend using the cloud-based SIEM export available in the Keeper Admin Console. For more information about the automated export see this link.
The audit-log command provides a SIEM push capability if the Keeper backend servers are not able to access the target endpoint. It can also be useful if you would like to just export events locally to a JSON file. Note that a Keeper record is used for storing the state of event exports, so that repeated use of the audit-log command will pick up where it left off.
Running audit-log for the first time will take a long time to process if there is a lot of usage history with Keeper, since it's starting from the beginning of time.
Switches:
--anonymize Anonymizes audit log by replacing email and user name with corresponding enterprise user id. If user was removed or if user's email was changed then the audit report will show that particular entry as deleted user.
--target <{splunk, sumo, syslog, syslog-port, azure-la, json}> Choose export target
  • splunk - Export events to Splunk HTTP Event Collector
  • sumo - Export events to Sumo Logic HTTP Event Collector
  • syslog - Export events to a local file in syslog format
  • syslog-port - Export events in syslog format to TCP port. Both plain and SSL connections are supported
  • azure-la - Export events to Azure Log Analytics to custom log named Keeper_CL
  • json - Export events to a local file in JSON format
--record <RECORD NAME OR UID> Select a Keeper record to store the current export state. This will also contain the secrets needed to connect to the target endpoint, such as Splunk parameters.
Examples:
audit-log --target=splunk
audit-log --record BhRRhjeL4armInSMqv2_zQ --target=json
  1. 1.
    Download all event data and push to Splunk endpoint HTTP event collector. Will be prompted to enter Splunk HEC endpoint.
  2. 2.
    Download all event data referencing the record UID and output in JSON format.

audit-report command

Running reports requires the ARAM add-on.
Command: audit-report
Details: Generate advanced ad-hoc customized audit event reports in raw and summarized formats.
Event Properties:
id event ID
created event time
username user that created audit event
to_username user that is audit event target
from_username user that is audit event source
ip_address IP address
geo_location location
audit_event_type audit event type
keeper_version Keeper application
channel 2FA channel
status Keeper API result_code
record_uid Record UID
shared_folder_uid Shared Folder UID
node_id Node ID (enterprise events only)
team_uid Team UID (enterprise events only)
Switches:
--report-type <{raw, dim, hour, day, week, month, span}> type of report to show (required)
  • raw - all audit events. Optionally use --report-format to change the format (Default list)
  • hour - show a report summarized by hour
  • day - show a report summarized by day
  • week - show a report summarized by week
  • month - show a report summarized by month
  • span - show a table of audit events with only number of occurrences shown by default. use --columns to add additional columns
  • dim - see list of all available values and details for a specified column. Include multiple columns to show detail lists one after the other. Must use --columns
--report-format <{message, fields}> choose output format (for "raw" reports only)
  • message - (default) show columns:
    • created
    • audit_event_type
    • username
    • ip_address
    • keeper_version
    • geo_location
    • message
  • fields - show columns:
    • created
    • audit_event_type
    • username
    • ip_address
    • keeper_version
    • geo_location
    • record_uid
--columns <COLUMN> decide what columns to show (ignored for "raw" reports)
available columns:
  • audit_event_type
  • username
  • ip_address
  • keeper_version
  • geo_location
  • message
  • created
  • record_uid
  • record_name (Requires Compliance Reports module *)
Usage: use the full switch for each column
audit-report --report-type day --columns username --columns ip_address
--aggregate <{occurrences, first_created, last_created}> aggregated value. Can be repeated. (ignored for raw reports)
  • occurrences - show number of times the event type took place
  • first_created - show the time the first occurrence of the event type took place
  • last_created - show the time the most recent occurrence of the event type took place
Usage: use the full switch for each aggregation you would like to show
audit-report --report-type day --aggregate occurrences --aggregate last_created
--timezone <TIMEZONE> return results for specific timezone
--limit <NUMBER OF ROWS> maximum number of returned rows (default 50, -1 for unlimited)
--order <{desc, asc}> sort order. Sorts based on the first returned column
--created <CREATED DATE> filter results by created date
Format:
use a predefined filter value from the list below:
  • today
  • yesterday
  • last_7_days
  • last_30_days
  • month_to_date
  • last_month
  • year_to_date
  • last_year
or use the following format for a custom date range:
"between %Y-%m-%dT%H:%M:%SZ and %Y-%m-%dT%H:%M:%SZ"
example: "between 2022-01-01 and 2022-06-01"
--event-type <EVENT CODE> filter by event type. See a list of all available event types here
--username <USERNAME> filter by username
--to-username <TARGET'S USERNAME> filter by event's target
--record-uid <RECORD UID> filter by record
--shared-folder-uid <SHARED FOLDER UID> filter by shared folder
--geo-location <GEO LOCATION> filter by geo location. Run the following command to get the list of available geo locations
audit-report --report-type=dim --columns=geo_location
--ip-address <IP Address> filter by IP Address
Geo location filter has format "[[City, ] State,] Country"
Example:
"El Dorado Hills, California, US"
"Bayern,DE" - Bavaria, Germany
"CA" - Canada
--ip-address <IP Address> filter by the user's IP Address. For example, to find the last 5,000 events coming from a particular IP:
audit-report --report-type raw --format csv --limit 5000 --ip-address 11.22.33.44
--device-type <DEVICE TYPE> Keeper device/application and optional version
audit-report --report-type=dim --columns=device_type
Device type filter has format "DeviceType[, Version]"
Example:
"Commander" Keeper Commander all versions
"Web App, 16" The Web Vault application versions "16.x.x"
--format <table, csv, json> format of the output, table is default
Examples
audit-report --report-type raw --limit 5000
audit-report --report-type raw --report-format fields
audit-report --report-type dim --column audit_event_type
audit-report --report-type day --column username --column audit_event_type
audit-report --report-type hour --aggregate occurrences --column audit_event_type --created today
audit-report --format=table --report-type=day --event-type=open_record --columns username --columns ip_address --columns record_uid --columns record_title --created today
  1. 1.
    Display an audit report with all events, including messages for each event, showing the last 5000 events.
  2. 2.
    Display an audit report with all events, including the record UID for each event
  3. 3.
    Show all available audit event types
  4. 4.
    Display an audit report that includes the event type and username, summarized by day
  5. 5.
    Display an audit report of the number of each event type that was performed per hour today
  6. 6.
    Display all occurrences of opened record events that occurred today, including the decrypted record title.

user-report command

Command: user-report
Details: Generate ad-hoc user status report
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
--days <NUMBER OF DAYS> number of days to look back for last login date
--last-login show the last time each user logged in
Examples:
user-report
user-report --format csv --output logins.csv --days 30
user-report --format csv --output last-logins.csv
  1. 1.
    Show user login report for the past 365 days
  2. 2.
    Create a user report of the last 30 days and output it in csv format to a file named "logins.csv"
  3. 3.
    Create a report of the last time each user in the enterprise logged in and save it to the file "last-logins.csv"

security-audit-report command

Command: security-audit-report
Details: Generate a password security strength report for users of your enterprise
Report Columns:
My Vault> security-audit-report --syntax-help
Security Audit Report Command Syntax Description:
Column Name Description
username user name
email e-mail address
weak number of records whose password strength is in the weak category
medium number of records whose password strength is in the medium category
strong number of records whose password strength is in the strong category
reused number of reused passwords
unique number of unique passwords
securityScore security score
twoFactorChannel 2FA - ON/OFF
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
--syntax-help display description of each column in the report
-n, --node name(s) or UID(s) of node(s) to filter results by
-b, --breachwatch display a Breachwatch security report (Commander v16.5.5+)
-su, --show-updated calculate current security audit scores for each vault and display locally (preview)
-s, --save similar to --show-updated above, but with an additional push of the updated scores to Keeper
-st, --score-type <{strong_passwords,default}> define how users' security scores are calculated (note: setting --score-type=strong_passwords will result in the report's summary security scores to be based solely on the number of each user's passwords deemed to be strong, identical to the value calculated and shown in the corresponding vault's Security Audit page)
For backward-compatibility, this command does not calculate updated security scores (based on recent vault changes) by default. Subsequently, it also does not save updated security scores by default.
To change the above behavior, include either the --show-updated flag or the --save flag in your command call (note: if the latter flag is included, there is no need to also include the former).
Examples:
security-audit-report
security-audit-report --format json --output security_score.json
security-audit-repor -b
security-audit-report -su
security-audit-report -s
sar -n Node1
security-audit-report --score-type=strong_passwords --save
  1. 1.
    Show security audit report - password strength for each user in the enterprise
  2. 2.
    Create a security audit report and output it in json format to a file named "security_score.json"
  3. 3.
    Show a Breachwatch security report
  4. 4.
    Recalculate security audit scores, then show security audit report. Do not push changes to Keeper.
  5. 5.
    Recalculate security audit scores, show security audit report, and push changes to Keeper.
  6. 6.
    Show security audit report (using the command abbreviation), limiting the results to accounts assigned to enterprise node Node1
  7. 7.
    Show security audit scores based on the number of each user's passwords deemed to be strong and push the results to Keeper

share-report command

Command: share-report
Details: Show a report of shared records (shared both with and by the caller)
Parameters:
Path or UID of folder containing the records to be shown in report. Optional (w/ multiple values allowed).
Switches:
--format <{table,csv}> format of the report
--output <FILENAME> output to the given filename
-r, --record <RECORD NAME OR UID> identify a specific record to show report for
-e, --email <USER'S EMAIL OR TEAM NAME> identify user or team to show shared record report for
-o, --owner display record's owner
--share-date display date when record was shared. Only used with owner report ( --owner switch). Only available to users with permission to execute reports for their company
-v, --verbose show record UID with report
Examples:
share-report
share-report --record 5R7Ued8#JctulYbBLwM$
share-report --format csv --output share_report.csv
share-report -e [email protected] --owner --share-date -v
share-report -o -v Team1_Folder Za2aspMQG9De5In28sc3KA
  1. 1.
    Display shared records report
  2. 2.
    Display share report for the record with the given UID
  3. 3.
    Output a shared records report in csv format
  4. 4.
    Display a report of records shared with "[email protected]" and show the original owner, as well as when it was shared
  5. 5.
    Show a report that includes ownership information and detailed share permissions for each shared record contained within the folder named "Team1_Folder" and the folder w/ UID = Za2aspMQG9De5In28sc3KA

shared-records-report command

Command: shared-records-report or srr
Details: Display information about shared records (Note: the displayed information is limited to records shared by the caller with other users, i.e., this excludes records shared with the caller by other users. To include both types of records, see share-report command)
Parameters:
Path or UID of folder containing the records to be shown in report. Optional (w/ multiple values allowed).
Switches:
--format <{json,csv,table}> format of the report
-o, --output <FILENAME> output to filename provided. Ignored for "table" format
--show-team-users or -tu show members of team for records shared via share team folders
Examples:
shared-records-report
shared-records-report --format csv
shared-records-report --show-team-users
srr --format json -o shared_records.json 'My Shares' Team1/Shares _qsA0AA0XwJkeTVQdijmEg
  1. 1.
    Display information about shared records in table format
  2. 2.
    Display information about shared records in csv format
  3. 3.
    Display information about records shared with individual members of all teams with whom those records are shared (via shared-folders)
  4. 4.
    Export information about shared records found in folders "My Shares", "Team1/Shares" (folders identified by their paths) and "_qsA0AA0XwJkeTVQdijmEg" (folder identified by its UID) to a JSON-formatted file named shared_records.json. In this case -- because containing folders are explicitly provided in the command call -- the records included in the resulting report will be limited to only those found within the specified folders (either as a child of the folder, or as a child of a subfolder, etc.)

external-shares-report command

Command: external-shares-report
Details: Display folders and records shared with users that are outside of the enterprise. Optionally, delete all external shares.
Switches:
--format {table,json,csv} output format
--output FILENAME output to filename. Ignored when using table format
-a, --action {remove,none} action to apply to external shares; use 'remove' to delete the shares with confirmation, 'none' if omitted
-t, --share-type {direct,shared-folder,all} show only individually shared records (direct) or shared folders, 'all' if omitted
-f, --force apply action w/o confirmation
-r, --refresh-data Sync and fetch latest data before running report
Examples:
external-shares-report
external-shares-report --format csv --output share_report.csv
external-shares-report -a remove
external-shares-report -a remove -t direct
external-shares-report -a remove -t shared-folder
external-shares-report -a remove -f
external-shares-report -r
  1. 1.
    Display all externally shared folders and records
  2. 2.
    Output all externally shared folders and records as share_report.csv
  3. 3.
    Remove all externally shared folders and records (with confirmation prompt)
  4. 4.
    Remove all externally shared individual records, but not shared folders
  5. 5.
    Remove all externally shared folders, but not individual records
  6. 6.
    Remove all externally shared folders and records without confirmation prompt
  7. 7.
    Sync with Keeper to fetch latest data, then generate the share report

msp-legacy-report command

Command: msp-legacy-report
Details: Display information about available managed company licenses
Switches:
--format <{json. table, csv}> format of the report
--range <{today, yesterday, last_7_days, last_30_days, month_to_date, last_month, year_to_date, last_year}> timeframe of license usage
--from <FROM DATE> start date of time range to display license usage. Use with audit type ( --type audit ), and without --range flag
format: YYYY-mm-dd ex. 2021-07-08
--to <TO DATE> end date of time range to display license usage. Use with audit type ( --type audit ), and without --range flag
format: YYYY-mm-dd ex. 2021-07-08
--output <FILENAME> file to output the report to
Examples:
msp-legacy-report
msp-legacy-report --range last_30_days
msp-legacy-report --from 2021-02-01 --to 2021-03-01
msp-legacy-report --format csv --output licenses.csv
  1. 1.
    Show a report of the currently allocated and remaining company licenses
  2. 2.
    Show a report of licenses usage over the last 30 days
  3. 3.
    Show a report of licenses usage from the first of February to the first of March 2021
  4. 4.
    Output a report of current licenses usage to a file named "licenses.csv" in csv format

aging-report command

This advanced report requires the Advanced Reporting & Alert module, and Compliance module. For more information see the dedicated Compliance Reports Page
Command: aging-report
Details: Determine which record passwords have NOT been changed in a specific amount of time. This report takes advantage of the advanced reporting capabilities of the Enterprise platform, as well as the compliance data which is able to decrypt record title for privileged admins.
Switches:
-r, --rebuild rebuild the record database
--delete deletes the local database cache containing encrypted compliance record data
-nc, --no-cache remove any local non-memory storage of data upon command completion
-s, --sort <{owner, title, last_changed}> sort output by chosen field
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
--period <TIME PERIOD> look for records that have a password that hasn't changed in this period
--username <USERNAME> report expired passwords for the given user
--exclude-deleted omit deleted records from the report (note: adding this flag may result in the need for additional data to be retrieved and subsequent longer command execution times)
Examples:
1
aging-report --rebuild
2
aging-report --period=1y
3
aging-report --period=3m --format=table --username [email protected]
4
aging-report --exclude-deleted
  1. 1.
    Rebuild the audit and compliance data locally
  2. 2.
    Generate password aging report for passwords not updated in over 1 year period
  3. 3.
    Generate password aging report for a specific user's passwords not updated in over 3 month period
  4. 4.
    Generate password aging report that ignores any records currently in each vault's trash bin

action-report command

Requires ARAM add-on
Command: action-report
Details: Generate a report and/or take action on users in a particular status or that have not performed an action within in a given time period. The default timeframe is the last 30 days unless otherwise specified using --days-since.
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> if you want to save the results to a file
-d <NUMBER OF DAYS> or --days-since <NUMBER OF DAYS> look back this many days for targeted action (default value of 30 days is used if omitted)
-t or --target <no-logon, no-update, locked, invited, no-security-question-update, blocked> user status that you want to report or act on
-a or --apply-action <lock, delete, transfer, none> used after target, the action to take on each user account that matches the target user status
--target-user (used with transfer action above) the destination account to which vaults are transferred
-n or --dry-run show accounts that fall into the action-status category specified via the --target/-t switch and the corresponding administrative action to be applied (specified via the -a/--apply-action switch) without actually applying the action
-f or --force perform the administrative action specified via the -a/--apply-action option without being prompted for confirmation (applies only to "delete" and "transfer" administrative actions)

Example Target Reports:

  1. 1.
    Show a list of users that haven't logged in within the last 45 days
action-report --target no-logon --days-since 45
  1. 2.
    Show a list of user accounts that have remained in a locked status for 60+ days
action-report --target locked --days-since 60
  1. 3.
    Show a list of users who have been in an invited status for 15+ days.
action-report -t invited -d 15
  1. 4.
    Show a list of users that haven't updated any records in the last 35 days
action-report --target no-update --days-since 35
  1. 5.
    Show users that have not set/changed their account security questions within the default timeframe (the last 30 days)
action-report -t no-security-question-update

Example Target with Actions (add -n for dry run):

  1. 1.
    Delete any users whose accounts have been in invited status for more than 90 days:
action-report -t invited -a delete -d 90
  1. 2.
    Transfer the vaults of all users that have been locked for 90 days to a designated vault.
action-report -t locked -d 90 -a transfer --target-user [email protected]
  1. 3.
    Lock all users who haven't logged in within 180 days.
action-report -t no-logon -d 180 -a lock

compliance-report command

Requires Compliance Reporting add-on
For more information see the dedicated Compliance Reports Page
Command: compliance-report
Details: Generate a report of the sharing status of records across the enterprise.
This report relies on a cache which is built the first time the command is called. It may take some time for the first command in a session to complete depending on the size of your enterprise.
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
-u, --username <USERNAME> filter to records of the given user. Use multiple times for multiple users
-n, --node <NODE NAME or ID> filter to records in vaults in the given node
-jt, --job-title <JOB TITLE> filter to records in vaults owned by users with the given job title. Use multiple times for multiple titles
--record <RECORD NAME OR UID> show only the given record
--team <TEAM NAME> show only users in the given team
-r, --rebuild refresh the cached records used for this report
Examples:
compliance-report
compliance-report -u "[email protected]"
compliance-report --node "Chicago" -jt "Manager"
compliance-report -u "[email protected]" --shared
  1. 1.
    Show the sharing status of all records for all users in the enterprise
  2. 2.
    show the sharing status of records in the vault of user: "[email protected]"
  3. 3.
    Show the sharing status of records in vaults owned by managers in Chicago
  4. 4.
    Show the sharing status of records only shared records owned by "[email protected]"

Compliance Team Report

Requires Compliance Reporting add-on
For more information see the dedicated Compliance Reports Page
Command: compliance team-report
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
-n, --node <NODE NAME or ID> filter to records in vaults in the given node
-r, --rebuild refresh the cached records used for this report
Examples:
compliance team-report
compliance team-report --format csv --output "team-report.csv"
  1. 1.
    Show the compliance team report
  2. 2.
    Save a CSV file output of the compliance team report

Event Logging to SIEM

Commander supports integration with popular SIEM solutions such as Splunk, Sumo and general Syslog format. For more general reporting of events, we recommend using the audit-report command. For pushes of event data into on-prem SIEM, the audit-log command is a good choice because it automatically tracks the last event exported and only sends incremental updates. The list of over 100 event types is documented in our Enterprise Guide:
Using Commander for SIEM integration works well in an on-prem environment where the HTTP event collector is only available within your network. The Keeper Admin Console version 13.3+ is capable of integrating our backend event data into your SIEM solution but it requires that you are utilizing a cloud-based SIEM solution. If you need assistance in integrating Keeper into your SIEM solution without Commander, please contact our business support team at [email protected].

Export of Event Logs in Syslog Format

Commander can export all event logs to a local file in syslog format, or export data in incremental files. A Keeper record in your vault is used to store a reference to the last event
$ keeper shell
To export all events and start tracking the last event time exported:
My Vault> audit-log --target=syslog
Do you want to create a Keeper record to store audit log settings? [y/n]: y
Choose the title for audit log record [Default: Audit Log: Syslog]:
Enter filename for syslog messages.
... Syslog file name: all_events.log
... Gzip messages? (y/N): n
Exported 3952 audit events
My Vault>
This creates a record in your vault (titled "Audit Log: Syslog" in this example) which tracks the timestamp of the last exported event and the output filename. Then the event data is exported to the file in either text or gzip format.
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=syslog --record=<your record UID>
or from the shell:
My Vault> audit-log --target=syslog --record=<your record UID>
To automate the syslog event export every 5 minutes, create a JSON configuration file such as this:
{
"server":"https://keepersecurity.com",
"password":"your_password_here",
"mfa_token":"filled_in_by_commander",
"mfa_type":"device_token",
"debug":false,
"plugins":[],
"commands":["sync-down","audit-log --target=syslog"],
"timedelay":600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json

Splunk HTTP Event Collector Push

Keeper can post event logs directly to your on-prem or cloud Splunk instance. Please follow the below steps:
  • Login to Splunk enterprise
  • Go to Settings -> Data Inputs -> HTTP Event Collector
  • Click on "New Token" then type in a name, select an index and finish.
  • At the last step, copy the "Token Value" and save it for the next step.
  • Login to Keeper Commander shell
$ keeper shell
Next set up the Splunk integration with Commander. Commander will create a record in your vault that stores the provided token and Splunk HTTP Event Collector. This will be used to also track the last event captured so that subsequent execution will pick up where it left off. Note that the default port for HEC is 8088.
$ keeper audit-log --format=splunk
Do you want to create a Keeper record to store audit log settings? [y/n]: y
Choose the title for audit log record [Default: Audit Log: Splunk]: <enter>
Enter HTTP Event Collector (HEC) endpoint in format [host:port].
Example: splunk.company.com:8088
... Splunk HEC endpoint: 192.168.51.41:8088
Testing 'https://192.168.51.41:8088/services/collector' ...Found.
... Splunk Token: e2449233-4hfe-4449-912c-4923kjf599de
You can find the record UID of the Splunk record for subsequent audit log exports:
My Vault> search splunk
# Record UID Title Login URL
--- ---------------------- ----------------- ------- -----
1 schQd2fOWwNchuSsDEXfEg Audit Log: Splunk
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=splunk --record=<your record UID>
or from the shell:
My Vault> audit-log --target=splunk --record=<your record UID>
To automate the push of Splunk events every 5 minutes, create a JSON configuration file such as this:
{
"server":"https://keepersecurity.com",
"password":"your_password_here",
"mfa_token":"filled_in_by_commander",
"mfa_type":"device_token",
"debug":false,
"plugins":[],
"commands":["sync-down","audit-log --target=splunk"],
"timedelay":600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json

Sumo Logic HTTP Event Collector Push

Keeper can post event logs directly to your Sumo Logic account. Please follow the below steps:
  • Login to Sumo Logic
  • Go to Manage Data -> Collection
  • Click on Add Collector -> Hosted Collector then Add Source -> HTTP Logs & Metrics
  • Name the collector and Save. Any other fields are default.
  • Note the HTTP Source Address which is the collector URL
  • Login to Keeper Commander shell
$ keeper shell
Next set up the Sumo Logic integration with Commander. Commander will create a record in your vault that stores the HTTP Collector information. This will be used to also track the last event captured so that subsequent execution will pick up where it left off.
$ keeper audit-log --format=sumo
When asked for “HTTP Collector URL:” paste the URL captured from the Sumo interface above.
After this step, there will be a record in your vault used for tracking the event data integration. You can find the record UID of the Sumo record for subsequent audit log exports:
My Vault> search sumo
# Record UID Title Login URL
--- ---------------------- ----------------- ------- -----
1 schQd2fOWwNchuSsDEXfEg Audit Log: Sumo
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=sumo --record=<your record UID>
or from the shell:
My Vault> audit-log --target=sumo --record=<your record UID>
To automate the push of Sumo Logic events every 5 minutes, create a JSON configuration file such as this:
{
"server":"https://keepersecurity.com",
"password":"your_password_here",
"mfa_token":"filled_in_by_commander",
"mfa_type":"device_token",
"debug":false,
"plugins":[],
"commands":["sync-down","audit-log --target=sumo"],
"timedelay":600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json

Export of Event Logs in JSON Format

Commander can export all event logs to a local file in JSON format. The local file is overwritten with every run of Commander. This kind of export can be used with conjunction with other application that process the file. A Keeper record in your vault is used to store a reference to the last event.
$ keeper shell
To export all events and start tracking the last event time exported:
My Vault> audit-log --target=json
Do you want to create a Keeper record to store audit log settings? [y/n]: y
Choose the title for audit log record [Default: Audit Log: JSON]:
JSON file name: all_events.json
Exported 3952 audit events
My Vault>
This creates a record in your vault (titled "Audit Log: JSON" in this example) which tracks the timestamp of the last exported event and the output filename. Then the event data is exported to the file.
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=json --record=<your record UID>
or from the shell:
My Vault> audit-log --target=json --record=<your record UID>
To automate the JSON event export every 5 minutes, create a JSON configuration file such as this:
{
"server":"https://keepersecurity.com",
"password":"your_password_here",
"mfa_token":"filled_in_by_commander",
"mfa_type":"device_token",
"debug":false,
"plugins":[],
"commands":["sync-down","audit-log --target=json"],
"timedelay":600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json

Azure Log Analytics

Keeper can post event logs directly to your Azure Log Analytics workspace. Please follow the below steps:
  • Login to Azure Portal and open Log Analytics workspace
  • Go to Settings -> Advanced settings
  • Note the Workspace ID and Primary or Secondary key
  • Login to Keeper Commander shell
$ keeper shell
Next set up the Log Analytics integration with Commander. Commander will create a record in your vault that stores the Log Analytics access information. This will be used to also track the last event captured so that subsequent execution will pick up where it left off.
$ keeper audit-log --format=azure-la
When asked for “Workspace ID:” paste Workspace ID captured from the Advanced settings interface above. When asked for “Key:” paste Primary or Secondary key captured from the Advanced settings interface above.
After this step, there will be a record in your vault used for tracking the event data integration. You can find the record UID of the Log Analytics record for subsequent audit log exports:
My Vault> search analytics
# Record UID Title Login URL
--- ---------------------- ------------------------------ ------------------------------------ -----
1 schQd2fOWwNchuSsDEXfEg Audit Log: Azure Log Analytics <WORKSPACE GUID>
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=azure-la --record=<your record UID>
or from the shell:
My Vault> audit-log --target=azure-la --record=<your record UID>
To automate the push of events to Azure Log Analytics every 5 minutes, create a JSON configuration file such as this:
{
"server":"https://keepersecurity.com",
"password":"your_password_here",
"mfa_token":"filled_in_by_commander",
"mfa_type":"device_token",
"debug":false,
"plugins":[],
"commands":["sync-down","audit-log --target=azure-la"],
"timedelay":600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json