# Butler Admin Guide
This page lists default Butler settings and Butler audit data.
## Clipboard Configuration
| Description | Default |
| ------------------------------------ | ---------------- |
| Enable or disable Clipboard Transfer | Enabled |
| User host clipboard operations | Upload, Download |
| Environment clipboard operations | Upload, Download |
| Clipboard data expiration | 1 hour |
## Translation Configuration
| Description | Default |
| ---------------------------------- | ------- |
| Enable or disable text Translation | Enabled |
## File Configuration
These are the default Butler file transfer settings.
{% hint style="info" %}
Butler data transfers are performed over encrypted channels and Butler Storage encrypts data at rest.
{% endhint %}
| Description | Default |
| ---------------------------------------------- | ---------------------------------------- |
| Enable or disable File Transfer | Enabled |
| User host file operations | List, Upload, Download, Delete, Copy |
| Environment file operations | List, Upload, Download, Delete, Copy |
| The maximum file size allowed for upload | 400MB |
| The maximum number of files allowed per upload | 10 |
| Anti-Virus (AV) scanning | Enabled |
| Anti-Virus (AV) ignore | None |
| Infected file download | Blocked (Except in malware environments) |
| File Encryption at Rest | Enabled |
| File Encryption Algorithm | AES-256 |
| File Integrity Verification | Disabled |
| File Integrity Algorithm | None (options available) |
## Environment Events
Butler can send actions into Replica environments. If environment events are enabled, the environment receives and processes event messages. Use the Butler API sample for programmatic access.
| Description | Default |
| ------------------------------------------- | ----------------------- |
| Enable or disable Environment Events | Disabled |
| Enable or disable Environment File Autosync | Disabled |
| Environment File Autosync directory | Desktop Files directory |
### File Events
When file events are enabled, Butler can automatically transfer uploaded files into the environment.
### Browser Events
When browser events are enabled, Butler can open a URL inside a Replica environment.
## File History
Butler records file activity in its history and logging systems. Each event includes a UTC timestamp.
#### Fields
Butler resource history entries include the following fields:
| Name | Description |
| -------------- | ---------------------------------------------------- |
| resource\_id | A unique identifier assigned to the Resource |
| resource\_path | The Resource path in Butler Storage |
| entity\_type | The Entity Type that performed the action |
| entity\_id | The Entity Id that performed the action |
| accessed | The timestamp of when the action was performed (UTC) |
| operation | The action that was performed |
#### Entity Types
| Name | Description |
| ------- | --------------------------------------- |
| User | A Replica user plus their User Id |
| Group | A Replica group plus their Group Id |
| Profile | A Replica profile plus their Profile Id |
#### Operation Types
| Name | Description |
| -------- | --------------------------------------------------------------- |
| Delete | The resource was deleted from Butler Storage |
| Download | The resource was downloaded from Butler Storage |
| Transfer | The resource was transferred between Enclaves in Butler Storage |
| Upload | The resource was created or updated in Butler Storage |
Resource History Sample
```json
[
{
"resource_id": "resource_id",
"resource_path": "resource_path",
"entity_type": "entity_type",
"entity_id": "entity_id",
"accessed": "2023-10-30T17:14:08.000Z",
"operation": "upload"
},
{
"resource_id": "resource_id",
"resource_path": "resource_path",
"entity_type": "entity_type",
"entity_id": "entity_id",
"accessed": "2023-10-30T17:14:22.415Z",
"operation": "download"
},
{
"resource_id": "resource_id",
"resource_path": "resource_path",
"entity_type": "entity_type",
"entity_id": "entity_id",
"accessed": "2023-10-30T17:16:43.501Z",
"operation": "delete"
}
]
```
***
### File Event Logging
| Name | Description |
| ------ | ------------------------------------- |
| Get | Get a Resource from Butler Storage |
| Put | Save a Resource in Butler Storage |
| Delete | Delete a Resource from Butler Storage |
Transfer Sample
```json
{
"@timestamp": "2023-10-30T17:54:57.925Z",
"log.level": "info",
"message": "Auth credentials accepted",
"ecs": { "version": "8.10.0" },
"event": {
"kind": "event",
"type": ["allowed"],
"category": ["authentication"],
"outcome": "success"
},
"http": {
"version": "1.1",
"request": {
"method": "PUT",
"headers": {
"host": "replicacyber.com",
"x-request-id": "8709f71e96fd500b5e3433bf0051ef44",
"x-real-ip": "1.2.3.4",
"x-forwarded-for": "1.2.3.4",
"x-forwarded-host": "replicacyber.com",
"x-forwarded-port": "443",
"x-forwarded-proto": "https",
"x-forwarded-scheme": "https",
"x-requested-with": "XMLHttpRequest",
"x-scheme": "https",
"content-type": "multipart/form-data; boundary=---------------------------1804628349855675348442767821",
"user-agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0",
"accept": "application/json",
"accept-language": "en-US,en;q=0.5",
"accept-encoding": "gzip, deflate, br",
"cookie": "redacted"
},
"body": { "bytes": 6165 }
},
"response": {
"status_code": 200,
"headers": {
...
}
}
},
"url": {
"path": "/butler/api/v1/transfer/resources/mY9bUtVCxc7F-9R6MHOgA-SQZJMD5Bt0V-pUAG2cVnA/test.txt",
"domain": "replicacyber.com"
},
"client": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 36600
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0"
},
"user": {
"authenticated": true,
"id": "a123456-1234-1234-1234-123456789123",
"email": "username@replicacyber.com",
"full_name": "User Name"
}
}
```
Auth Sample
```json
{
"@timestamp": "2023-10-30T17:52:41.164Z",
"log.level": "info",
"message": "Auth credentials accepted",
"ecs": {
"version": "8.10.0"
},
"event": {
"kind": "event",
"type": ["allowed"],
"category": ["authentication"],
"outcome": "success"
},
"http": {
"version": "1.1",
"request": {
"method": "GET",
"headers": {
"host": "replicacyber.com",
"x-request-id": "39a4d4d54dd906fdc942a239df23a26a",
"x-real-ip": "1.2.3.4",
"x-forwarded-for": "1.2.3.4",
"x-forwarded-host": "replicacyber.com",
"x-forwarded-port": "443",
"x-forwarded-proto": "https",
"x-forwarded-scheme": "https",
"x-scheme": "https",
"accept": "application/json",
"user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
...
}
},
"response": {
"status_code": 200,
...
}
},
"url": {
"path": "/butler/api/v1/enclaves",
"domain": "replicacyber.com"
},
"client": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 48354
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
},
"user": {
"authenticated": true,
"id": "a123456-1234-1234-1234-123456789123",
"email": "username@replicacyber.com",
"full_name": "User Name"
}
}
```
Login Sample
```json
{
"@timestamp": "2023-10-30T17:02:07.450Z",
"log.level": "info",
"message": "User John Smith logged into butler",
"ecs": {
"version": "8.10.0"
},
"event": {
"kind": "event",
"type": ["user"],
"category": ["authentication"],
"outcome": "success"
}
}
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.replicacyber.com/admin-guide/butler-admin-guide.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.