# Logging

Use Logging to search, analyze, and export Replica logs.

## Log Types

### Replica Environment

Virtual environment activity is logged by event type. For DNS, URL, and packet logging details, see [Network Monitoring](/admin-guide/network-monitoring.md).

| Name              | Index       | Description                                                                                    | Default Retention |
| ----------------- | ----------- | ---------------------------------------------------------------------------------------------- | ----------------- |
| System            | env.system  | Environment Operating System startup events                                                    | 30 days           |
| DNS & URL Logging | env.traffic | Capture and extract URLs from network packets and Environment Domain Name System (DNS) queries | 1 day             |

### Replica Platform

| Name             | Elasticsearch Indices                     |
| ---------------- | ----------------------------------------- |
| Auth (SSO)       | app.sso                                   |
| Egress           | app.wharf, app.rest-api                   |
| Entity           | app.user-service, app.rest-api            |
| Environment      | app.ic2, app.hive, app.keel, app.rest-api |
| Image            | app.hull                                  |
| Permissions      | app.user-service                          |
| Profiles         | app.profile-memory, app.rest-api          |
| Telephony        | app.telephony                             |
| VE Clipboard     | app.butler                                |
| VE Files         | app.butler                                |
| VE Jobs          | app.butler, app.keel                      |
| General VE Usage | env.usage                                 |
| VE Translations  | app.butler                                |

## Logging Data Management

Replica snapshots Elasticsearch indices to secondary backup volumes. Snapshots are typically retained for 30 to 90 days.

All Replica logs include timestamps synchronized through Amazon Time Sync.

### Retention Policies

| Index Name         | Retention |
| ------------------ | --------- |
| app.butler         | 180 days  |
| app.hull           | 30 days   |
| app.ic2            | 90 days   |
| app.keel           | 90 days   |
| app.profile-memory | 90 days   |
| app.rest-api       | 180 days  |
| app.sso            | 180 days  |
| app.telephony      | 30 days   |
| app.user-service   | 180 days  |
| app.wharf          | 180 days  |
| env.system         | 30 days   |
| env.traffic        | 1 day     |
| env.usage          | 90 days   |

## Accessing Logging

Open **Logging** from the **Administration** menu to access the logging home screen.

### Dashboards

#### Accessing Dashboards

To open the preloaded dashboard, click the menu button in the top-left corner and select **Dashboard** under **Analytics**.

The default *Replica Dashboard* includes built-in visualizations that update as new data arrives. You can clone it or create your own dashboard.

{% hint style="warning" %}
Changes to the default *Replica Dashboard* may be overwritten during system upgrades or maintenance.
{% endhint %}

#### Customizing Dashboards

To clone the Replica Dashboard:

1. Open **Replica Dashboard**.
2. Click **Save as** in the top-right corner.
3. Enter a **Title** and optional **Description** or **Tags**.
4. Confirm **Save as new dashboard** is selected, then click **Save**.

#### Creating Your Own Dashboards

To create your own dashboard:

1. Click **Create dashboard**.
2. Click **Save** in the top-right corner.
3. Enter a **Title** and optional **Description** or **Tags**.
4. Click **Save**.

#### Requesting Updates

We use customer feedback to periodically improve the Replica Dashboard. To request changes and additions to the Replica Dashboard, contact support.

### Discover

The **Discover** tab provides access to logs generated by Replica services. It also supports filtering with [Kibana Query Language](https://www.elastic.co/guide/en/kibana/current/kuery-query.html) (KQL).

For more detail on Discover, see the [Kibana Discover documentation](https://www.elastic.co/guide/en/kibana/current/discover.html).

## Export to Splunk Integration

### Add the Replica Indices to Splunk (Optional but Recommended)

1. In Splunk, go to **Settings > Indexes**.
2. Select **New Index** and add the following:

```
replica_app_sso
replica_ve_packet_logging
replica_ve_packet_capture
replica_ve_traffic
```

### Create an HTTP Event Collector (HEC) for Replica in Splunk

1. In Splunk, go to **Settings > HTTP Event Collector > New Token**.
2. Choose a name and select **Next**.
3. Add the indices from the previous step and select **Finish**. This is only required if you want Replica to use those index names.
4. Send the following HEC details to your Replica point of contact so they can add them to your Replica cluster:

```
HEC Server Address
HEC Server Port Number
HEC Token
Whether you want Replica logs tagged with the above indices
```
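
Before sending these details, you can confirm that the token is accepted and is allowed to write to each index. The script below is an added example, not Replica's or Splunk's own code; the `SPLUNK_HEC_*` environment variable names and the probe event text are assumptions. It posts one test event per index to Splunk's `/services/collector/event` endpoint and reports the reply.

```python
import json
import os
import urllib.error
import urllib.request

# Index names from the "Add the Replica Indices to Splunk" step on this page.
REPLICA_INDICES = [
    "replica_app_sso",
    "replica_ve_packet_logging",
    "replica_ve_packet_capture",
    "replica_ve_traffic",
]

def build_probe(index):
    """Return the JSON body for one test event targeted at `index`."""
    return json.dumps({"event": "replica HEC probe", "index": index}).encode()

def interpret(status, body):
    """Map an HEC reply to (ok, detail). HEC reports success as code 0."""
    try:
        reply = json.loads(body)
    except ValueError:
        reply = None
    if not isinstance(reply, dict):
        return False, f"HTTP {status}: non-JSON reply"
    ok = status == 200 and reply.get("code") == 0
    return ok, f"HTTP {status}: {reply.get('text')} (code {reply.get('code')})"

def probe(host, port, token, index):
    """POST one test event over TLS with default certificate verification."""
    req = urllib.request.Request(
        f"https://{host}:{port}/services/collector/event",
        data=build_probe(index),
        headers={"Authorization": f"Splunk {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read())

if __name__ == "__main__":
    # Assumed variable names; the token is read from the environment, not argv.
    host = os.environ["SPLUNK_HEC_HOST"]
    port = os.environ.get("SPLUNK_HEC_PORT", "8088")
    token = os.environ["SPLUNK_HEC_TOKEN"]
    for index in REPLICA_INDICES:
        ok, detail = probe(host, port, token, index)
        print(f"{'OK  ' if ok else 'FAIL'} {index}: {detail}")
```

Each successful probe leaves one test event in the target index. If you skipped the optional index step, remove the `index` key from the probe body so the token's default index is used.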

## Export to S3 Integration

The Export to S3 integration sends logging data to external systems that can ingest data from an S3 bucket.

Before setup, create an S3 bucket and an IAM identity with the required permissions.

All logs will be written to the provided bucket under a `logs/` directory in JSON format.

### Example IAM policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::my-s3bucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-s3bucket/*"
    }
  ]
}
```
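
The object statement above covers every key in the bucket, while the export writes only under `logs/`. As an added example (not Replica's code), this Python check lists the object-level grants in a policy that reach outside that prefix and compares the page's policy with a constructed narrower variant. Whether the exporter works with the narrower resource is an assumption to confirm with Replica support.

```python
from fnmatch import fnmatchcase

# Object-level actions used by the example policy on this page (lowercased).
OBJECT_ACTIONS = ("s3:putobject", "s3:getobject")

# The example policy from this page; my-s3bucket is the page's placeholder.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::my-s3bucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::my-s3bucket/*"},
]}

# Constructed variant: same actions, object access limited to logs/.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::my-s3bucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::my-s3bucket/logs/*"},
]}

def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def out_of_prefix_grants(policy, bucket, prefix="logs/"):
    """Return (action, resource) pairs allowing object access outside prefix."""
    scoped = f"arn:aws:s3:::{bucket}/{prefix}"
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain wildcards.
            if not any(fnmatchcase(obj, action.lower()) for obj in OBJECT_ACTIONS):
                continue
            for resource in as_list(stmt.get("Resource", [])):
                if not resource.startswith(scoped):
                    findings.append((action, resource))
    return findings

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, out_of_prefix_grants(doc, "my-s3bucket"))
```

The check covers object-level grants only; it does not evaluate `Condition` blocks or the `s3:ListBucket` statement.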

### Required Information

To configure this integration, prepare the following information and provide it to Replica support:

* Key ID
* Secret Key
* Bucket Name
* AWS region


