Audit Logs

Overview

Glassix has many logs documenting both general changes and security events.

You might want to save these logs on your end or preform actions based on your needs.

Glassix provides two integration methods for receiving said logs:

  1. Sending logs via Webhooks.
  2. Using logs in Functions.

Log Types

Glassix has two main log types:

  1. Informative - logs of general operations and management e.g., chatbot mapping, department name change, business hours update, etc.
  2. Security - logs regarding sensitive information and operations e.g., security settings changes, user logins, password changes, etc.

Event Type Reference

Every audit log includes a type field identifying the event, and a logType field (Security or Informative). The tables below list all event types Glassix can emit, so you can map them in your monitoring or SIEM system.

Security events

These cover access, identity, permissions, and sensitive operations.

typeDescription
UserLoginA user signed in
UserLogoutA user signed out
UserLoginFailedA sign-in attempt failed
UserFaildLoginAttemptA failed login attempt was recorded
LoginAttemptUnauthorizedIPLogin attempted from an IP outside the allowed list
UserUnlockedA locked user account was unlocked
IncorrectPinCodeAn incorrect PIN code was entered
PinCodeGeneratedByAdminAn admin generated a PIN code for a user
TwoFactorAuthenticationEnabledTwo-factor authentication was enabled
TwoFactorAuthenticationDisabledTwo-factor authentication was disabled
NewUserCreatedA new user was created
UserRemovedA user was removed
RoleAddedA role was granted to a user
RoleRemovedA role was removed from a user
TenantAddedToUserA workspace/department was added to a user
TenantRemovedFromUserA workspace/department was removed from a user
UserPasswordResetA user password was reset
UserPasswordChangeA user changed their password
UserPasswordResetLinkSentA password reset link was sent
UserShortNameChangeA user's short name was changed
UserFullNameChangeA user's full name was changed
UserJobTitleChangeA user's job title was changed
UserSetPhoneNumberA user's phone number was set
UserStatusChangedA user's availability status changed
TicketParticipantNameChangeA ticket participant's name was changed
TicketOwnerChangedA ticket's owner was changed
GetUserAccessTokenA user access token was issued
UserShowApiCredentialsA user viewed API credentials
EnteredSettingsScreenA user opened the settings screen
AuthorizedIPAddressesChangeThe list of authorized IP addresses was changed
BlackListUpdatedThe blacklist was updated
PasswordStrengthSettingsChangePassword strength settings were changed
AgentIdleSettingsChangeAgent idle settings were changed
AlwaysAllowSupportTeamAccessToSettingsChangedThe "always allow support team access" setting was changed
SupportDataAccessGrantedAccess to data was granted to the support team
SupportDataAccessRevokedAccess to data was revoked from the support team
BillingChangedBilling settings were changed
UserGlobalDefinitionChangeA global user definition was changed
TicketSearchQueryA ticket search query was performed
ApiListFirstTicketsQueryAn API query listed the first page of tickets
ApiListNextTicketsQueryAn API query listed a subsequent page of tickets
QueryA query was executed
ReportsGenerationA report was generated
ReportsPushedToQueueA report was queued for generation
PdfTicketSummaryDownloadA PDF ticket summary was downloaded
AvailableEmailAgentAn email agent became available
AutoSetUserOfflineBrowserClosedA user was set offline automatically after closing the browser
FailedCreateDepartmentA department creation attempt failed

Informative events

These cover channel/integration connections and general configuration changes.

typeDescription
CompanyNameChangedThe company name was changed
DepartmentNameChangedA department name was changed
DepartmentLogoChangedA department logo was changed
DepartmentLocationChangeA department location was changed
DepartmentSetDeletedA department set was deleted
BusinessHoursUpdateBusiness hours were updated
LicensingChangedLicensing was changed
SetTenantTagsWorkspace tags were set
SetTenantDefinitionA workspace definition was set
LocalizationResourceChangeA localization resource was changed
CopyTicketSummaryToClipboardA ticket summary was copied to the clipboard
AddCannedRepliesA canned reply was added
UpdateCannedReplyCategoryA canned reply category was updated
DeleteCannedReplyCategoryA canned reply category was deleted
ChatbotMappingsChangeChatbot mappings were changed
SurveyMappingsChangeSurvey mappings were changed
SurveyUpdatedOrAddedA survey was added or updated
SurveyDeletedA survey was deleted
FlowPublishedA chatbot flow was published
FlowDeletedA chatbot flow was deleted
FlowDuplicatedA chatbot flow was duplicated
FlowConversationCardsChangedA flow's conversation cards were changed
FunctionEventAddedA function event was added
FunctionEventChangedA function event was changed
FunctionEventDeletedA function event was deleted
FunctionLogA function emitted a log
EnvironmentVariableLogAn environment variable change was logged
WebhookItemAddedA webhook was added
WebhookItemChangedA webhook was changed
WebhookItemDeletedA webhook was deleted
ProtocolSettingChangeA channel protocol setting was changed
ProtocolIdentifierDeletedA channel protocol identifier was deleted
InvalidThirdPartyAccessTokenA third-party access token was found invalid
ApiGetAccessTokenAn API access token was issued
MetaPageConnectedA Meta (Facebook) page was connected
FacebookTokenIsValidChangeA Facebook token validity status changed
GoogleBusinessMessagesConnectedGoogle Business Messages was connected
Outlook365ConnectedAn Outlook 365 mailbox was connected
Outlook365SubscribeInboundMessagesSubscribed to Outlook 365 inbound messages
Outlook365ResubscribeInboundMessagesRe-subscribed to Outlook 365 inbound messages
GmailConnectedA Gmail mailbox was connected
GmailResubscribeInboundMessagesRe-subscribed to Gmail inbound messages
SendGridConnectedA SendGrid account was connected
SendGridDomainAuthenticatedA SendGrid domain was authenticated
SendGridDomainValidatedA SendGrid domain was validated
WhatsAppTemplateSubmittedA WhatsApp template was submitted for approval
WhatsAppTemplateDeletedA WhatsApp template was deleted
📘

Note:

New event types are added over time. If you receive a type not listed here, treat its logType field as the source of truth for categorization.


Logs Format

🚧

Note:

The initiatorUser and targetUser objects are sent only when applicable.

Informative

{
	"key": "9200c94a-13d7-4397-a52c-1728fc6bb670",
	"dateTime": "2024-01-07T12:23:16.9159993Z",
	"changes": [
		{
			"_event": "AUDIT_LOGS",
			"log": {
				"id": "8e548273-0418-4e7b-acd6-c79f7d31e3ec",
				"dateTime": "2024-01-07T12:23:16.7965229Z",
				"departmentId": "9200c94a-13d7-4397-a52c-1728fc6bb670",
				"initiatorUser": {
					"id": "aca76a89-8950-4424-b727-2f277c24a891",
					"gender": "Male",
					"UserName": "[email protected]",
					"culture": "en-US",
					"isAnonymous": false,
					"uniqueArgument": "",
					"type": "AGENT"
				},
				"ipAddress": "212.199.97.210",
				"message": "[email protected] changed chatbot mappings",
				"type": "ChatbotMappingsChange",
				"logType": "Informative"
			}
		}
	]
}

Security

{
	"key": "9200c94a-13d7-4397-a52c-1728fc6bb670",
	"dateTime": "2024-01-11T09:18:32.7608826Z",
	"changes": [
		{
			"_event": "AUDIT_LOGS",
			"log": {
				"id": "cb20ff99-25bb-400c-a8cd-9052fc5f6d3f",
				"dateTime": "2024-01-11T09:18:32.7452358Z",
				"departmentId": "9200c94a-13d7-4397-a52c-1728fc6bb670",
				"initiatorUser": {
					"id": "aca76a89-8950-4424-b727-2f277c24a891",
					"gender": "Male",
					"UserName": "[email protected]",
					"culture": "en-US",
					"isAnonymous": false,
					"uniqueArgument": "",
					"type": "AGENT"
				},
				"targetUser": {
					"id": "2bab1a91-b203-4127-a546-8636165e873a",
					"gender": "Male",
					"UserName": "[email protected]",
					"culture": "en-US",
					"isAnonymous": false,
					"uniqueArgument": "",
					"type": "AGENT"
				},
				"ipAddress": "212.199.97.210",
				"message": "[email protected] removed by [email protected]",
				"type": "UserRemoved",
				"logType": "Security"
			}
		}
	]
}

Send Logs via Webhooks

You can connect logs to your webhooks endpoint to receive a copy of the event's message to your systems. You can perform various actions using these logs, including documenting them in your systems.

  1. Go to Settings.

    Click on the symbol in the agent dashboard.

  2. In the Developers section, click on EventsWebhooksAdd +.
  3. Type a name for your webhook in the Name text box.
  4. In the Target text box, type <Your HTTPS Endpoint>.
  5. Use the checkbox to choose AUDIT_LOGS .
  6. Click Save.

Send logs to Syslog using Glassix functions

Syslog is a protocol that computer systems use to send event data logs to a central location for storage. Logs can then be accessed by analysis and reporting software to perform audits, monitoring, troubleshooting, and other essential IT operational tasks.

Syslog Format Example

<166>1 2024-01-15T11:19:07.00Z glassix.com glassix - ad681bbc-9608-4a2a-a283-717011f35c35 [data id="ad681bbc-9608-4a2a-a283-717011f35c35" dateTime="2024-01-15T11:19:07.7935597Z" departmentId="95b4ae47-a872-4dd5-920d-7b01d64288ad" initiatorUser_id="f4d56da7-f39f-4741-8c84-4b5b34e40ad3" initiatorUser_gender="Undefined" initiatorUser_UserName="[email protected]" initiatorUser_culture="en-US" initiatorUser_isAnonymous="false" initiatorUser_uniqueArgument="" initiatorUser_type="AGENT" targetUser_id="2563e94e-f68e-4cf8-b13b-17cfc95c437d" targetUser_gender="Undefined" targetUser_UserName="[email protected]" targetUser_culture="en-US" targetUser_isAnonymous="true" targetUser_uniqueArgument="" targetUser_type="AGENT" ipAddress="212.199.97.210" message="[email protected] removed role SystemUser from [email protected]" type="RoleRemoved" logType="Security"] RoleRemoved: [email protected] removed role SystemUser from [email protected]

Most Syslog servers support receiving messages using TCP or UDP protocols, and NOT HTTP.
As our webhooks events are sent using HTTP requests, you need to find a way to send these messages using TCP or UDP. One way of doing that is by utilizing our native functions integration.
Glassix functions can be triggered by events.

You can connect logs to trigger a function whenever an event occurs.
The log object passed to the function will contain information about the log message, such as message text, timestamp, and related users that were affected.

First, you will have to create a webhook function that can listen to events.

Function Examples

Sending audit logs to a Syslog server using TCP

🚧

Note:

You must import the net and glossy NPM. For more info on NPMs and Glassix read here.

import * as net from "net";
import * as glossy from "glossy";

const handler = async (key, dateTime, changes) => {
	let glassixLog = changes?.[0]?.log;

    if (!glassixLog.id) {
        console.error('Payload must contain a log "id"');
    };

    //Flatten the log object
    const mapObjProprties = (obj, output = {}, prefix = '') => {
        Object.entries(obj).forEach(([key, val]) => {
            if (val && typeof val == 'object') mapObjProprties(val, output, prefix + key + '_');
            else output[prefix + key] = val;
        });
        return output;
    };

    glassixLog = mapObjProprties(glassixLog);

    try {
        //Open TCP Connection
        const Syslog = glossy.Produce;
        const syslogServerHost = process.env.SYSLOG_SERVER_HOST; // Your server's hostname
        const syslogServerPort = process.env.SYSLOG_SERVER_PORT; // Syslog listener port
        const socket = new net.createConnection(syslogServerPort, syslogServerHost);

        const connectToServer = () => new Promise((resolve, reject) => {
            socket.on('connect', () => {
                resolve(true)
            });

            socket.on('error', function(error) {
                resolve(false)
            });

            socket.on('timeout', function(error) {
                resolve(false)
            })
        });

        const isConnected = await connectToServer();

        if (isConnected) {
            const producer = new Syslog({ type: 'RFC5424', app_id: 'glassix', host: 'glassix.com' });
           
            const logData = {
                facility: 'local4', // You can override the default facility here if needed
                severity: 'info', // Log severity level
                appName: 'glassix', // Log source application
                date: glassixLog.dateTime, // Log timestamp
                msgID: glassixLog.id,
                message: `${glassixLog.type}: ${glassixLog.message}`,
                structuredData: { data: glassixLog }
            };

            // Convert the log data to the syslog format
            const syslogMessage = producer.produce(logData);


            // Send the syslog message to the server
            socket.write(syslogMessage);


            // Close the socket connection after sending the message
            socket.end();
        }


        socket.end();
    } catch (e) {
        console.log(e)
    }
};

Sending audit logs to a Syslog server using UDP

🚧

Note:

You must import the dgram and glossy NPM. For more info on NPMs and Glassix read here.

import * as dgram from "dgram";
import * as glossy from "glossy";

const handler = async (key, dateTime, changes) => {
	try {
        // Define UDP 
        const Syslog = glossy.Produce;
        const client = dgram.createSocket('udp4');
        const syslogServerHost = process.env.SYSLOG_SERVER_HOST; // Your server's hostname
        const syslogServerPort = process.env.SYSLOG_SERVER_PORT; // Syslog listener port

        let glassixLog = changes?.[0]?.log;

	    if (!glassixLog.id) {
            console.error('Payload must contain a "id" key');
        };

        const mapObjProprties = (obj, output = {}, prefix = '') => {
            Object.entries(obj).forEach(([key, val]) => {
                if (val && typeof val == 'object') mapObjProprties(val, output, prefix + key + '_');
                else output[prefix + key] = val;
            });
            return output;
        };

        glassixLog = mapObjProprties(glassixLog);

        // Create a glossy producer
        const producer = new Syslog({type: 'RFC5424', app_id: 'glassix', host: 'glassix.com'});

        // Log a message
        const logData = {
            facility: 'local4', // You can override the default facility here if needed
            severity: 'info', // Log severity level
            appName: 'glassix', // Log source application
            date: glassixLog.dateTime, // Log timestamp
            msgID: glassixLog.id,
            message: `${glassixLog.type}: ${glassixLog.message}`,
            structuredData: { data: glassixLog }
        };

        // Convert the log data to the syslog format
        const syslogMessage = producer.produce(logData);
        const packet = Buffer.from(syslogMessage)

        client.send(packet, syslogServerPort, syslogServerHost, (err) => {
            if (err) {
                console.error('Failed to send syslog.')
            } else {
                console.log('Syslog sent successfully!')
            }
            client.close();
        });
    } catch (e) {
        console.log(e)
    }
};

Next, we will have to connect our function to the audit logs event type.

  1. Go to Settings.

    Click on the symbol in the agent dashboard.

  2. In the Developers section, click on EventsFunctionsAdd +.
  3. Fill Name.
  4. From the Events drop-down select AUDIT_LOGS .
  5. From the Functions drop-down select your desired function.
  6. Click Save.


Did this page help you?