Reporting Commands
Commands for audit logging and reporting capabilities

Commands

Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Reporting Commands
Command - Explanation
audit-log - Export the enterprise audit and event logs
audit-report - Show a customized report of audit events
user-report - Show a report of user logins
security-audit-report - Show report of password security strength for each user in the enterprise
share-report - Show a report of shared records
shared-records-report - Display information about shared records
msp-license-report - Display information on managed company plans and available licenses
aging-report - Display a report of password changes and expired passwords per record
action-report - Show users that haven't performed a specific action in a given number of days
compliance-report - See information about records in vaults of users across the enterprise

audit-log command

command: audit-log
Detail: Export the enterprise audit and event logs to SIEM - See Details
Switches:
--anonymize Anonymizes the audit log by replacing email and user name with the corresponding enterprise user ID. If a user was removed or a user's email was changed, the audit report shows that entry as a deleted user.
--target <{splunk, sumo, syslog, syslog-port, azure-la, json}> Choose export target
  • splunk - Export events to Splunk HTTP Event Collector
  • sumo - Export events to Sumo Logic HTTP Event Collector
  • syslog - Export events to a local file in syslog format
  • syslog-port - Export events in syslog format to TCP port. Both plain and SSL connections are supported
  • azure-la - Export events to Azure Log Analytics to custom log named Keeper_CL
  • json - Export events to a local file in JSON format
--record <RECORD NAME OR UID> choose a record to show report log for
Examples:
audit-log --record BhRRhjeL4armInSMqv2_zQ --format json
audit-log --record social/Twitter --format splunk
  1. Export an audit of the record with the given UID to a local JSON file
  2. Export an audit of a record named "Twitter" in the social folder to a Splunk HTTP Event Collector. You will be prompted to enter the Splunk HEC endpoint.

audit-report command

Running reports requires the ARAM addon
Command: audit-report
Details: Generate ad-hoc customized audit event reports in raw and summarized formats - See Details
Report Columns:
Event properties
id event ID
created event time
username user that created audit event
to_username user that is audit event target
from_username user that is audit event source
ip_address IP address
geo_location location
audit_event_type audit event type
keeper_version Keeper application
channel 2FA channel
status Keeper API result_code
record_uid Record UID
shared_folder_uid Shared Folder UID
node_id Node ID (enterprise events only)
team_uid Team UID (enterprise events only)
Switches:
--report-type <{raw, dim, hour, day, week, month, span}> type of report to show (required)
  • raw - all audit events. Optionally use --report-format to change the format (Default list)
  • hour - show a report summarized by hour
  • day - show a report summarized by day
  • week - show a report summarized by week
  • month - show a report summarized by month
  • span - show a table of audit events with only the number of occurrences shown by default. Use --columns to add additional columns
  • dim - see list of all available values and details for a specified column. Include multiple columns to show detail lists one after the other. Must use --columns
--report-format <{message, fields}> choose output format (raw reports only)
  • message - (default) show columns:
    • created
    • audit_event_type
    • username
    • ip_address
    • keeper_version
    • geo_location
    • message
  • fields - show columns:
    • created
    • audit_event_type
    • username
    • ip_address
    • keeper_version
    • geo_location
    • record_uid
--columns <COLUMN> decide what columns to show (ignored for raw reports)
available columns:
  • audit_event_type
  • username
  • ip_address
  • keeper_version
  • geo_location
  • message
  • created
  • record_uid
  • record_name
Usage: use the full switch for each column
audit-report --report-type day --columns username --columns ip_address
--aggregate <{occurrences, first_created, last_created}> aggregated value. Can be repeated. (ignored for raw reports)
  • occurrences - show number of times the event type took place
  • first_created - show the time the first occurrence of the event type took place
  • last_created - show the time the most recent occurrence of the event type took place
Usage: use the full switch for each aggregation you would like to show
audit-report --report-type day --aggregate occurrences --aggregate last_created
--timezone <TIMEZONE> return results for specific timezone
--limit <NUMBER OF ROWS> maximum number of returned rows
--order <{desc, asc}> sort order. Sorts based on the first returned column
--created <CREATED DATE> filter results by created date
Format:
use a predefined filter value from the list below:
  • today
  • yesterday
  • last_7_days
  • last_30_days
  • month_to_date
  • last_month
  • year_to_date
  • last_year
or use the following format for a custom date range:
"between %Y-%m-%dT%H:%M:%SZ and %Y-%m-%dT%H:%M:%SZ"
example: "between 2022-01-01 and 2022-06-01"
--event-type <EVENT CODE> filter by event type. See a list of all available event types here
--username <USERNAME> filter by username
--to-username <TARGET'S USERNAME> filter by event's target
--record-uid <RECORD UID> filter by record
--shared-folder-uid <SHARED FOLDER UID> filter by shared folder
--geo-location <GEO LOCATION> filter by geo location. Run the following command to get the list of available geo locations
audit-report --report-type=dim --columns=geo_location
Geo location filter has format "[[City, ] State,] Country"
Example:
"El Dorado Hills, California, US"
"Bayern,DE" - Bavaria, Germany
"CA" - Canada
--device-type <DEVICE TYPE> Keeper device/application and optional version
audit-report --report-type=dim --columns=device_type
Device type filter has format "DeviceType[, Version]"
Example:
"Commander" Keeper Commander all versions
"Web App, 16" The Web Vault application versions "16.x.x"
--format <table, csv, json> format of the output, table is default
Examples
audit-report --report-type raw --limit 100
audit-report --report-type raw --report-format fields
audit-report --report-type dim --column audit_event_type
audit-report --report-type day --column username --column audit_event_type
audit-report --report-type hour --aggregate occurrences --column audit_event_type --created today
  1. Display an audit report with all events, including messages for each event, showing the last 100 events
  2. Display an audit report with all events, including the record UID for each event
  3. Show all available audit event types
  4. Display an audit report that includes the event type and username, summarized by day
  5. Display an audit report of the number of each event type that was performed per hour today

user-report command

Command: user-report
Details: Generate ad-hoc user status report
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
--days <NUMBER OF DAYS> number of days to look back for last login date
--last-login show the last time each user logged in
Examples:
user-report
user-report --format csv --output logins.csv --days 30
user-report --format csv --output last-logins.csv
  1. Show user login report for the past 365 days
  2. Create a user report of the last 30 days and output it in csv format to a file named "logins.csv"
  3. Create a report of the last time each user in the enterprise logged in and save it to the file "last-logins.csv"

security-audit-report command

Command: security-audit-report
Details: Generate a password security strength report for users of your enterprise
Report Columns:
My Vault> security-audit-report --syntax-help
Security Audit Report Command Syntax Description:
Column Name Description
username user name
email e-mail address
weak number of records whose password strength is in the weak category
medium number of records whose password strength is in the medium category
strong number of records whose password strength is in the strong category
reused number of reused passwords
unique number of unique passwords
securityScore security score
twoFactorChannel 2FA - ON/OFF
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
--syntax-help display description of each column in the report
-b, --breachwatch display a Breachwatch security report (Commander v16.5.5+)
Examples:
security-audit-report
security-audit-report --format json --output security_score.json
security-audit-report -b
  1. Show security audit report - password strength for each user in the enterprise
  2. Create a security audit report and output it in json format to a file named "security_score.json"
  3. Show a Breachwatch security report
  • user-report Generate ad-hoc user status report Parameters:
    • --format {table,json,csv}
    • --output output to the given filename
    • --days {number of days} number of days to look back for last login date
  • share-report Generate ad-hoc sharing permission report that displays users and team permissions for all records in the vault Parameters:
    • --record View share permissions on specific record
    • --email View share permissions with specific account. User email or team name
    • --owner Include the owner information for each record
    • --verbose Include the record title and permission settings for each record

share-report command

Command: share-report
Details: Show a report of shared records
Switches:
--format <{table,csv}> format of the report
--output <FILENAME> output to the given filename
-r, --record <RECORD NAME OR UID> identify a specific record to show report for
-e, --email <USER'S EMAIL OR TEAM NAME> identify user or team to show shared record report for
-o, --owner display record's owner
--share-date display date when record was shared. Only used with owner report (--owner switch). Only available to users with permission to execute reports for their company
-v, --verbose show record UID with report
Examples:
share-report
share-report --record 5R7Ued8#JctulYbBLwM$
share-report --format csv --output share_report.csv
share-report -e [email protected] --owner --share-date -v
  1. Display shared records report
  2. Display share report for the record with the given UID
  3. Output a shared records report in csv format
  4. Display a report of records shared with "[email protected]" and show the original owner, as well as when it was shared

shared-records-report command

Command: shared-records-report
Details: Display information about shared records
Switches:
--format <{json,table,csv}> format of the report
Examples:
shared-records-report
shared-records-report --format csv
  1. Display information about shared records in table format
  2. Display information about shared records in csv format

msp-license-report command

Command: msp-license-report
Details: Display information about available managed company licenses
Switches:
--type <{allocation, audit}> choose report type
  • allocation - report of how many licenses are being used/how many are remaining (default)
  • audit - report of how many licenses were used over a specified time
--format <{json, table, csv}> format of the report
--range <{today, yesterday, last_7_days, last_30_days, month_to_date, last_month, year_to_date, last_year}> timeframe of license usage
--from <FROM DATE> start date of time range to display license usage. Use with audit type (--type audit), and without --range flag
format: YYYY-mm-dd ex. 2021-07-08
--to <TO DATE> end date of time range to display license usage. Use with audit type (--type audit), and without --range flag
format: YYYY-mm-dd ex. 2021-07-08
--output <FILENAME> file to output the report to
Examples:
msp-license-report
msp-license-report --type audit --range last_30_days
msp-license-report --type audit --from 2021-02-01 --to 2021-03-01
msp-license-report --format csv --output licenses.csv
  1. Show a report of the currently allocated and remaining company licenses
  2. Show a report of license usage over the last 30 days
  3. Show a report of license usage from the first of February to the first of March 2021
  4. Output a report of current license usage to a file named "licenses.csv" in csv format

aging-report command

Requires Commander v16.5.11+
Requires ARAM addon
Command: aging-report
Details: Generate a report of last password change per record, and expired passwords
Switches:
-r, --rebuild rebuild the record database
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
--period <TIME PERIOD> look for records that have a password that hasn't changed in this period
--username <USERNAME> report expired passwords for the given user
Examples:
aging-report
aging-report --period 5d
aging-report --username [email protected]
  1. Show password aging report
  2. Show the password aging report for the last 5 days
  3. Show the password aging report for the user John Smith

action-report command

Requires Commander v16.6.8+
Requires ARAM addon
Command: action-report
Details: Generate a report of users that have not performed an action in a given time period
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
-d, --days-since <NUMBER OF DAYS> look back this many days for targeted action
-t, --target <{no-logon, no-update, locked}> choose action to search for
-a, --apply-action <{lock, delete, transfer, none}> action to apply to each matching user account
--target-user (used with transfer action) the user account to transfer users to
Examples:
action-report
action-report --target no-update --days-since 35
action-report --target locked --days-since 100
action-report --target no-logon --days-since 45 -a lock
action-report -t no-logon -d 30 -a transfer --target-user [email protected]
  1. Show users that haven't logged into Keeper in 30 days
  2. Show users that haven't updated a Keeper record in 35 days
  3. Show user accounts that have been locked for 100 days
  4. Lock any users that haven't logged in for 45 days
  5. Transfer all vaults of users that haven't logged in for 30 days to the user "[email protected]"

compliance-report command

Requires Commander v16.7.2+
Requires Compliance Reporting addon
For more information see the dedicated Compliance Reports Page
Command: compliance-report
Details: Generate a report of the sharing status of records across the enterprise.
This report relies on a cache which is built the first time the command is called. It may take some time for the first command in a session to complete depending on the size of your enterprise.
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
-u, --username <USERNAME> filter to records of the given user. Use multiple times for multiple users
-n, --node <NODE NAME or ID> filter to records in vaults in the given node
-jt, --job-title <JOB TITLE> filter to records in vaults owned by users with the given job title. Use multiple times for multiple titles
--record <RECORD NAME OR UID> show only the given record
--team <TEAM NAME> show only users in the given team
-r, --rebuild refresh the cached records used for this report
Examples:
compliance-report
compliance-report -u "[email protected]"
compliance-report --node "Chicago" -jt "Manager"
compliance-report -u "[email protected]" --shared
  1. Show the sharing status of all records for all users in the enterprise
  2. Show the sharing status of records in the vault of user: "[email protected]"
  3. Show the sharing status of records in vaults owned by managers in Chicago
  4. Show the sharing status of only the shared records owned by "[email protected]"

Compliance Team Report

Requires Commander v16.7.6+
Requires Compliance Reporting addon
For more information see the dedicated Compliance Reports Page
Command: compliance team-report
Switches:
--format <{table,json,csv}> format of the report
--output <FILENAME> output to the given filename
-n, --node <NODE NAME or ID> filter to records in vaults in the given node
-r, --rebuild refresh the cached records used for this report
Examples:
compliance team-report
compliance team-report --format csv --output "team-report.csv"
  1. Show the compliance team report
  2. Save a CSV file output of the compliance team report

Event Logging to SIEM

Commander supports integration with popular SIEM solutions such as Splunk and Sumo Logic, as well as the general syslog format. For more general reporting of events, we recommend using the audit-report command. For pushes of event data into an on-prem SIEM, the audit-log command is a good choice because it automatically tracks the last event exported and only sends incremental updates. The list of over 100 event types is documented in our Enterprise Guide.
Using Commander for SIEM integration works well in an on-prem environment where the HTTP event collector is only available within your network. The Keeper Admin Console version 13.3+ is capable of integrating our backend event data into your SIEM solution but it requires that you are utilizing a cloud-based SIEM solution. If you need assistance in integrating Keeper into your SIEM solution without Commander, please contact our business support team at [email protected].

Export of Event Logs in Syslog Format

Commander can export all event logs to a local file in syslog format, or export data in incremental files. A Keeper record in your vault is used to store a reference to the last event.
$ keeper shell
To export all events and start tracking the last event time exported:
My Vault> audit-log --target=syslog
Do you want to create a Keeper record to store audit log settings? [y/n]: y
Choose the title for audit log record [Default: Audit Log: Syslog]:
Enter filename for syslog messages.
... Syslog file name: all_events.log
... Gzip messages? (y/N): n
Exported 3952 audit events
My Vault>
This creates a record in your vault (titled "Audit Log: Syslog" in this example) which tracks the timestamp of the last exported event and the output filename. Then the event data is exported to the file in either text or gzip format.
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=syslog --record=<your record UID>
or from the shell:
My Vault> audit-log --target=syslog --record=<your record UID>
To automate the syslog event export every 5 minutes, create a JSON configuration file such as this:
{
  "server": "https://keepersecurity.com",
  "password": "your_password_here",
  "mfa_token": "filled_in_by_commander",
  "mfa_type": "device_token",
  "debug": false,
  "plugins": [],
  "commands": ["sync-down", "audit-log --target=syslog"],
  "timedelay": 600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json
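The automation config above keeps the account password in clear text, so it is worth checking the file before scheduling it. The following Python check is an added example, not part of Keeper Commander: it flags a config readable by group/other and an audit-log entry whose --target is not one of the targets documented on this page. The function names are hypothetical, and treating mfa_token as sensitive is an assumption.

```python
import json
import os
import stat
import tempfile

# Export targets listed for `audit-log --target` on this page.
TARGETS = {"splunk", "sumo", "syslog", "syslog-port", "azure-la", "json"}
# Config keys treated as secrets in this example (assumption for mfa_token).
SENSITIVE_KEYS = ("password", "mfa_token")


def audit_log_targets(commands):
    """Return the --target value (or None) of each audit-log entry."""
    found = []
    for cmd in commands:
        words = cmd.split()
        if not words or words[0] != "audit-log":
            continue
        target = None
        for i, word in enumerate(words):
            if word.startswith("--target="):
                target = word.split("=", 1)[1]
            elif word == "--target" and i + 1 < len(words):
                target = words[i + 1]
        found.append(target)
    return found


def check_config(path):
    """Return a list of findings for a Commander automation config.
    The permission test uses POSIX mode bits."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = [k for k in SENSITIVE_KEYS if cfg.get(k)]
    if exposed and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %03o exposes %s to group/other"
                        % (mode, ", ".join(exposed)))
    if not str(cfg.get("server", "")).startswith("https://"):
        findings.append("server is not an https:// URL")
    targets = audit_log_targets(cfg.get("commands", []))
    if not targets:
        findings.append("commands contains no audit-log entry")
    for target in targets:
        if target not in TARGETS:
            findings.append("audit-log target %r is not a documented target"
                            % (target,))
    return findings


def demo():
    """Check a constructed config at two file modes, then with a typo."""
    cfg = {"server": "https://keepersecurity.com",
           "password": "your_password_here",
           "mfa_token": "filled_in_by_commander", "mfa_type": "device_token",
           "debug": False, "plugins": [],
           "commands": ["sync-down", "audit-log --target=syslog"],
           "timedelay": 600}
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "my_config_file.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
        os.chmod(path, 0o644)            # readable by everyone
        results.append(check_config(path))
        os.chmod(path, 0o600)            # owner only
        results.append(check_config(path))
        cfg["commands"] = ["sync-down", "audit-log --target=sylog"]  # typo
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
        results.append(check_config(path))
    return results


if __name__ == "__main__":
    for findings in demo():
        print(findings)
```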

Splunk HTTP Event Collector Push

Keeper can post event logs directly to your on-prem or cloud Splunk instance. Please follow the below steps:
  • Log in to Splunk Enterprise
  • Go to Settings -> Data Inputs -> HTTP Event Collector
  • Click on "New Token", then type in a name, select an index and finish.
  • At the last step, copy the "Token Value" and save it for the next step.
  • Log in to the Keeper Commander shell
$ keeper shell
Next, set up the Splunk integration with Commander. Commander will create a record in your vault that stores the provided token and the Splunk HTTP Event Collector endpoint. This record is also used to track the last event captured so that subsequent executions pick up where the previous one left off. Note that the default port for HEC is 8088.
$ keeper audit-log --format=splunk
Do you want to create a Keeper record to store audit log settings? [y/n]: y
Choose the title for audit log record [Default: Audit Log: Splunk]: <enter>
Enter HTTP Event Collector (HEC) endpoint in format [host:port].
Example: splunk.company.com:8088
... Splunk HEC endpoint: 192.168.51.41:8088
Testing 'https://192.168.51.41:8088/services/collector' ...Found.
... Splunk Token: e2449233-4hfe-4449-912c-4923kjf599de
You can find the record UID of the Splunk record for subsequent audit log exports:
My Vault> search splunk
# Record UID Title Login URL
--- ---------------------- ----------------- ------- -----
1 schQd2fOWwNchuSsDEXfEg Audit Log: Splunk
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=splunk --record=<your record UID>
or from the shell:
My Vault> audit-log --target=splunk --record=<your record UID>
To automate the push of Splunk events every 5 minutes, create a JSON configuration file such as this:
{
  "server": "https://keepersecurity.com",
  "password": "your_password_here",
  "mfa_token": "filled_in_by_commander",
  "mfa_type": "device_token",
  "debug": false,
  "plugins": [],
  "commands": ["sync-down", "audit-log --target=splunk"],
  "timedelay": 600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json

Sumo Logic HTTP Event Collector Push

Keeper can post event logs directly to your Sumo Logic account. Please follow the below steps:
  • Log in to Sumo Logic
  • Go to Manage Data -> Collection
  • Click on Add Collector -> Hosted Collector, then Add Source -> HTTP Logs & Metrics
  • Name the collector and Save. Any other fields are default.
  • Note the HTTP Source Address, which is the collector URL
  • Log in to the Keeper Commander shell
$ keeper shell
Next, set up the Sumo Logic integration with Commander. Commander will create a record in your vault that stores the HTTP Collector information. This record is also used to track the last event captured so that subsequent executions pick up where the previous one left off.
$ keeper audit-log --format=sumo
When asked for “HTTP Collector URL:” paste the URL captured from the Sumo interface above.
After this step, there will be a record in your vault used for tracking the event data integration. You can find the record UID of the Sumo record for subsequent audit log exports:
My Vault> search sumo
# Record UID Title Login URL
--- ---------------------- ----------------- ------- -----
1 schQd2fOWwNchuSsDEXfEg Audit Log: Sumo
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=sumo --record=<your record UID>
or from the shell:
My Vault> audit-log --target=sumo --record=<your record UID>
To automate the push of Sumo Logic events every 5 minutes, create a JSON configuration file such as this:
{
  "server": "https://keepersecurity.com",
  "password": "your_password_here",
  "mfa_token": "filled_in_by_commander",
  "mfa_type": "device_token",
  "debug": false,
  "plugins": [],
  "commands": ["sync-down", "audit-log --target=sumo"],
  "timedelay": 600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json

Export of Event Logs in JSON Format

Commander can export all event logs to a local file in JSON format. The local file is overwritten with every run of Commander. This kind of export can be used in conjunction with other applications that process the file. A Keeper record in your vault is used to store a reference to the last event.
$ keeper shell
To export all events and start tracking the last event time exported:
My Vault> audit-log --target=json
Do you want to create a Keeper record to store audit log settings? [y/n]: y
Choose the title for audit log record [Default: Audit Log: JSON]:
JSON file name: all_events.json
Exported 3952 audit events
My Vault>
This creates a record in your vault (titled "Audit Log: JSON" in this example) which tracks the timestamp of the last exported event and the output filename. Then the event data is exported to the file.
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=json --record=<your record UID>
or from the shell:
My Vault> audit-log --target=json --record=<your record UID>
To automate the JSON event export every 5 minutes, create a JSON configuration file such as this:
{
  "server": "https://keepersecurity.com",
  "password": "your_password_here",
  "mfa_token": "filled_in_by_commander",
  "mfa_type": "device_token",
  "debug": false,
  "plugins": [],
  "commands": ["sync-down", "audit-log --target=json"],
  "timedelay": 600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json
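Because the JSON export file is overwritten on every run, a consumer has to copy the events out before the next run replaces them. The following Python code is an added example, not Keeper's own: it appends each run's events to a durable newline-delimited archive, deduplicating on the id event property, and skips a file caught mid-write. It assumes the export is a JSON array of event objects; the archive file name, the function names and the sample events are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def event_key(event):
    """Dedupe key: the event's `id`, or a content hash when `id` is absent."""
    if isinstance(event, dict) and event.get("id") is not None:
        return "id:%s" % event["id"]
    blob = json.dumps(event, sort_keys=True).encode("utf-8")
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def load_export(path):
    """Return the exported events, or None if the file is missing,
    empty, or caught mid-write (not yet valid JSON)."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return None
    return data if isinstance(data, list) else None


def archived_keys(archive_path):
    """Collect the dedupe keys of every event already in the archive."""
    keys = set()
    if os.path.exists(archive_path):
        with open(archive_path, encoding="utf-8") as fh:
            for line in fh:
                if line.strip():
                    keys.add(event_key(json.loads(line)))
    return keys


def archive_export(export_path, archive_path):
    """Append events not yet archived, one JSON object per line.
    Returns the number appended, or -1 if the export was unreadable."""
    events = load_export(export_path)
    if events is None:
        return -1
    seen = archived_keys(archive_path)
    appended = 0
    with open(archive_path, "a", encoding="utf-8") as out:
        for event in events:
            key = event_key(event)
            if key in seen:
                continue
            out.write(json.dumps(event, sort_keys=True) + "\n")
            seen.add(key)
            appended += 1
        out.flush()
        os.fsync(out.fileno())  # make sure the archive reaches disk
    return appended


def demo():
    """Replay three constructed export runs against one archive."""
    def ev(i):  # constructed sample event, not real Keeper output
        return {"id": i, "created": 1654041600 + i, "audit_event_type": "login",
                "username": "alice@example.com", "ip_address": "192.0.2.10"}
    runs = (json.dumps([ev(1), ev(2)]),   # first export
            json.dumps([ev(2), ev(3)]),   # overlaps the first run
            '[{"id": 4, "crea')           # file truncated mid-write
    with tempfile.TemporaryDirectory() as tmp:
        export = os.path.join(tmp, "all_events.json")
        archive = os.path.join(tmp, "keeper_events.ndjson")
        results = []
        for content in runs:
            with open(export, "w", encoding="utf-8") as fh:  # overwritten
                fh.write(content)
            results.append(archive_export(export, archive))
        with open(archive, encoding="utf-8") as fh:
            results.append(sum(1 for _ in fh))  # lines kept in the archive
        return results


if __name__ == "__main__":
    print(demo())
```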

Azure Log Analytics

Keeper can post event logs directly to your Azure Log Analytics workspace. Please follow the below steps:
  • Log in to the Azure Portal and open your Log Analytics workspace
  • Go to Settings -> Advanced settings
  • Note the Workspace ID and Primary or Secondary key
  • Log in to the Keeper Commander shell
$ keeper shell
Next, set up the Log Analytics integration with Commander. Commander will create a record in your vault that stores the Log Analytics access information. This record is also used to track the last event captured so that subsequent executions pick up where the previous one left off.
$ keeper audit-log --format=azure-la
When asked for “Workspace ID:” paste the Workspace ID captured from the Advanced settings interface above. When asked for “Key:” paste the Primary or Secondary key captured from the Advanced settings interface above.
After this step, there will be a record in your vault used for tracking the event data integration. You can find the record UID of the Log Analytics record for subsequent audit log exports:
My Vault> search analytics
# Record UID Title Login URL
--- ---------------------- ------------------------------ ------------------------------------ -----
1 schQd2fOWwNchuSsDEXfEg Audit Log: Azure Log Analytics <WORKSPACE GUID>
Each subsequent audit log export can be performed with this command:
$ keeper audit-log --format=azure-la --record=<your record UID>
or from the shell:
My Vault> audit-log --target=azure-la --record=<your record UID>
To automate the push of events to Azure Log Analytics every 5 minutes, create a JSON configuration file such as this:
{
  "server": "https://keepersecurity.com",
  "password": "your_password_here",
  "mfa_token": "filled_in_by_commander",
  "mfa_type": "device_token",
  "debug": false,
  "plugins": [],
  "commands": ["sync-down", "audit-log --target=azure-la"],
  "timedelay": 600
}
Then run Commander using the config parameter. For example:
$ keeper --config=my_config_file.json