The Audit Event Index provides JSON event logs of activity in your account so that you can monitor and audit changes. Enterprise accounts have the Audit Event Index enabled and searchable by default. You can use the Enterprise Audit Apps to visualize data from the Audit Event Index for monitoring and analysis.
This index is separate from, and more detailed than, the existing Audit Index; the two overlap on some audited events. The Audit Index provides plain-text event logs and records events such as account limits being reached and operation failures, like throttling and scheduled search events.
This feature is still in development. We're working on providing a reference of all the event log schemas. Until this is ready, refer to the common parameters section below.
Search the Audit Event Index
Searching the Audit Event Index is the same as running a normal search against your ingested data. Just specify the _index metadata field with the value reserved for this index.
- In the Search page, enter the following:
- Choose the time range for the incidents that you'd like to review.
- Click Start to run the search.
This index has detailed JSON logs for the following features. To search audit events for a specific feature, use the metadata field _sourceCategory with its corresponding value. For example, to search events for access keys you would use the query:

| Product Feature | _sourceCategory Value |
|---|---|
| Field Extraction Rules | |
| Ingest Budgets (In beta) | |
Metadata fields are assigned to audit event logs as follows:

| Metadata Field | Assignment Description |
|---|---|
| _sourceCategory | Value of the common parameter, |
| _sourceName | Value of the common parameter, |
| _sourceHost | The remote IP address of the host that made the request. If not available the value will be |
Each audit event log has common keys that categorize it to a product area and provide details of the event.

| Key | Description | Type |
|---|---|---|
| accountId | The unique identifier of the organization. | String |
| eventId | The unique identifier of the event. | String |
| eventName | The name of the event. | String |
| eventTime | The event timestamp in ISO 8601 format. | String |
| eventFormatVersion | The event log format version. | String |
| operator | Information about who performed the operation. If it is missing, the Sumo service was the operator. | JSON object of Strings |
| subsystem | The product area of the event. | String |
Fragment of the page's example event log (only these keys survived extraction; the surrounding JSON object was not preserved):

```json
"name": "this search should be packaged NHAXoOdq80o1ZKZ",
"eventFormatVersion": "1.0 beta",
```