Administrative logs are stored separately from user log data and are used to track all administrative logins and changes to configuration data.
Figure 196
Records
Date - The date/time the action occurred.
Application Instance ID - The application instance ID that handled the request. This ID uniquely identifies a particular MFT Server instance and can help administrators distinguish between nodes in a multi-node HA cluster. If this MFT Server instance is not part of a HA cluster, then this value will always be the Application Instance ID of this instance.
Client Host - The client IP address of the administrator.
Client Port - The client port of the administrator.
User - The user login of the administrator.
Domain - The domain affected by this change.
Action - The action that occurred.
Description - A description of the action that occurred.
Purge - Performs a purge of all administrative records.
Export - Exports all administrative records to a CSV file.
Settings
Clear records older than N days - If enabled log records older than N days will be automatically purged from database.
Syslog
Enable syslog - When checked, MFT Server sends administrative logs to a syslog service
Host - The IP address of syslog daemon.
Port - The port of syslog daemon.
Facility - The syslog facility to use.
Extensions
Log to Splunk HTTP Event Collector. When checked, MFT Server sends administrative logging data to a Splunk HTTP Event Collector (HEC). To use this option you must have a Splunk HEC installation. This feature works in addition to existing administrative logging and the syslog service, if enabled (Manager Service > Logs > Syslog).
Host - The IP or hostname of the Splunk Enterprise or Splunk Cloud Platform server.
Port - The port of the Splunk deployment. The default is 8088.
Timeout - The connection timeout, in seconds. The default is 30.
Access token - The token that is used by the MFT Server to authenticate the connection to Splunk HEC. Your Splunk administrator or a designated token administrator should generate and provide you with a valid token.
Source - The source value to assign to the event data. This typically identifies the application where the data is coming from (e.g. MFT Server).
Source Type - The source type value to assign to the event data. This typically identifies the type of data coming from the source. (e.g. Administrative logs).
Use SSL Connection - When checked, an SSL connection is used to connect to the Splunk deployment.
Index - The name of the Splunk index.
Test Parameters - Click on this button to test the connection from the MFT Server to the Splunk deployment.
Note: If a failure occurs in logging the data to the Splunk HEC, you can be alerted about this condition using a Trigger with an Event type of Log Extension Failure.