Skip to main content
Sumo Logic

Audit Event Index

availability of Trial and Enterprise accounts

The Audit Event Index provides event logs in JSON on your account's activities allowing you to monitor and audit changes. It is enabled and available to search by default.

This index is improved and different from the Audit Index. The Audit Index provides event logs in plain text and supports auditing a few different features, like throttling.

This feature is still in development. We're working on providing you a reference of all the event log schemas. Until this is ready refer to the common parameters section.

Search the Audit Event Index

Searching the Audit Event Index is the same as running a normal search against your ingested data. Just specify the _index metadata field with a value of sumologic_audit_events.

To search:

  1. In the Search page, enter the following:
  2. Choose the time range for the incidents that you'd like to review.
  3. Click Start to run the search.

Audited events

This index has detailed JSON logs for the following features. To search audit events for a specific feature use the metadata field _sourceCategory with its corresponding value. For example, to search events for access keys you would use the query:

_index=sumologic_audit_events _sourceCategory=accessKeys

Product Feature _sourceCategory Value
Access Keys accessKeys
Collection collection
Connections connections
Content content
Data Forwarding dataForwarding
Field Extraction Rules fieldExtractionRules
Ingest Budgets (In beta) ingestBudgets
Roles roles
SAML saml
Users users
User Sessions userSessions

Metadata assignment

Metadata fields are assigned to audit event logs as follows:

Metadata Field Assignment Description
_sourceCategory Value of the subsystem common parameter.
_sourceName Value of the eventName common parameter.
_sourceHost The remote IP address of the host that made the request. If not available the value will be no_sourceHost.

Common parameters

Each audit event log has common keys that categorize it to a product area and provide details of the event.

Parameter Description Data Type
accountId Organization identifier. String
eventId Unique identifier of event. String
eventName Name of event. String
eventTime Date and time of event expressed according to ISO 8601. String
eventFormatVersion Audit Event Index log format version. String
operator Information of who did operation. If missing, the Sumo service was the operator. JSON object of Strings
subsystem Product area of event. String

    "content": {
        "type": "search",
        "name": "this search should be packaged NHAXoOdq80o1ZKZ",
        "description": "savedSearch"
    "operator": {
        "email": "",
        "id": "0000000002F2438D",
        "interface": "UI",
        "sessionId": "go42n37za657ck0i3t4368",
        "sourceIp": "",
        "type": "UserContext"
    "contentIdentity": {
        "type": "search",
        "contentId": "0000000009B2636B",
        "externalId": "000000000BFB73FE",
        "name": "this search should be packaged NHAXoOdq80o1ZKZ"
    "adminMode": false,
    "accountId": "0000000000000131",
    "eventId": "0234cc63-333c-4585-a78f-08517e5f9fd7",
    "eventName": "ContentCreated",
    "eventTime": "2018-12-11T21:37:33.950Z",
    "eventFormatVersion": "1.0 beta",
    "subsystem": "content"