Sumo Logic

Audit Event Index

Availability

Account Type   Account Level
Cloud Flex     Trial, Enterprise
Credits        Trial, Enterprise Operations, Enterprise Security, Enterprise Suite

The Audit Event Index contains event logs in JSON format on account activities, allowing you to monitor and audit changes. Enterprise accounts have the Audit Event Index enabled and available to search by default. You can use the Enterprise Audit Apps to visually display data from the Audit Event Index for monitoring and analysis.

This index is an improved index that is separate from the Audit Index, although the two overlap in some of the events they audit. The Audit Index provides event logs in plain text and records when account limits are reached and when operations fail, for example throttling and scheduled search events.

The Audit Event Index logs two types of events:

  • Events that are the result of user actions, referred to as user action events.
  • Events that are the result of Sumo Logic actions, referred to as system action events.

Documentation 

All available audited events are documented for your reference. This documentation is hosted on each deployment, instead of on this document. Sumo Logic has several deployments that are assigned depending on the geographic location and the date an account is created. See how to determine which endpoint to use if you are unsure.

Select the documentation link for your deployment:

Deployment   Documentation URL
AU           https://service.au.sumologic.com/audit/docs/
CA           https://service.ca.sumologic.com/audit/docs/
DE           https://service.de.sumologic.com/audit/docs/
EU           https://service.eu.sumologic.com/audit/docs/
FED          https://service.fed.sumologic.com/audit/docs/
IN           https://service.in.sumologic.com/audit/docs/
JP           https://service.jp.sumologic.com/audit/docs/
US1          https://service.sumologic.com/audit/docs/
US2          https://service.us2.sumologic.com/audit/docs/

Search the Audit Event Index

Searching the Audit Event Index is the same as running a normal search against your ingested data. You specify the _index metadata field with one of these values: 

  • sumologic_audit_events. This index contains user action events, which are events that were triggered by a user action, either from the UI or an API. To search for user action events, include this in the scope of your search:

    _index=sumologic_audit_events

  • sumologic_system_events. This index contains system action events, which are events that were triggered by Sumo Logic, for example throttling events, rules triggered, and so on. To search for system action events, include this in the scope of your search:

    _index=sumologic_system_events

Source categories for user action events

The table below lists the source category assigned to events written to the sumologic_audit_events index by product feature. To search for user action events for a specific feature, use _sourceCategory with its corresponding value, along with _index=sumologic_audit_events. For example, to search for user action events for access keys you would use the query:

_index=sumologic_audit_events _sourceCategory=accessKeys

For the individual events that are logged for each feature, see the sumologic_audit_events section of the online Audit Event Index documentation.

Product Feature                                  _sourceCategory Value
2-Step Verification                              multiFactorAuthentication
Access Keys                                      accessKeys
Collection                                       collection
Content Sharing                                  content
Data Forwarding                                  dataForwarding
Event Action
Field Extractions                                fieldExtractionRules
Field Management                                 fieldManagement
Ingest Budgets                                   ingestBudgets
Installation Tokens                              token
Logs-to-Metrics Rules                            metricExtractionRule
Monitors                                         monitorLibrary
Parsers                                          ParsersLibrary
Partitions                                       partitions
Password Policy                                  passwordPolicy
Roles                                            roles
SAML                                             saml
Scheduled Views                                  scheduledView
Security Policies: Share Dashboards Outside of the Organization, Data Access Level for Shared Dashboards, Per User Concurrent Sessions Limit, and User Session Timeout   orgSettings
Security Policy: Support Account Access          supportAccount
Service Allowlist                                serviceAllowlist
Support Account                                  supportAccount
Transformation Rules                             transformationRules
Users                                            users
User Sessions                                    userSessions

Source categories for system action events

The table below lists the source category assigned to events written to the sumologic_system_events index by product feature. To search for system action events for a specific feature, use _sourceCategory with its corresponding value, along with _index=sumologic_system_events. For example, to search for system action events for alerts you would use the query:

_index=sumologic_system_events _sourceCategory=alerts

For the individual events that are logged for each feature, see the sumologic_system_events section of the online Audit Event Index documentation.

Product Feature   _sourceCategory Value
Alerts            alerts
Health Events     collection
Monitors          monitors
Tracing           tracingIngest

Metadata assignment

Metadata fields are assigned to audit event logs as follows:

Metadata Field    Assignment Description
_sourceCategory   Value of the common parameter, subsystem.
_sourceName       Value of the common parameter, eventName.
_sourceHost       The remote IP address of the host that made the request. If it is not available, the value is no_sourceHost.

Common parameters

Each audit event log has common keys that categorize it to a product area and provide details of the event.

Parameter            Description                                                                                          Data Type
accountId            The unique identifier of the organization.                                                           String
eventId              The unique identifier of the event.                                                                  String
eventName            The name of the event.                                                                               String
eventTime            The event timestamp in ISO 8601 format.                                                              String
eventFormatVersion   The event log format version.                                                                        String
operator             Information about who performed the operation. If it is missing, the Sumo service was the operator.  JSON object of Strings
subsystem            The product area of the event.                                                                       String

Example of a user action event log. Keys not listed above, such as content and contentIdentity, are specific to the event:

{
    "content": {
        "type": "search",
        "name": "this search should be packaged NHAXoOdq80o1ZKZ",
        "description": "savedSearch"
    },
    "operator": {
        "email": "searchservice_test@demo.com",
        "id": "0000000002F2438D",
        "interface": "UI",
        "sessionId": "go42n37za657ck0i3t4368",
        "sourceIp": "50.18.133.252",
        "type": "UserContext"
    },
    "contentIdentity": {
        "type": "search",
        "contentId": "0000000009B2636B",
        "externalId": "000000000BFB73FE",
        "name": "this search should be packaged NHAXoOdq80o1ZKZ"
    },
    "adminMode": false,
    "accountId": "0000000000000131",
    "eventId": "0234cc63-333c-4585-a78f-08517e5f9fd7",
    "eventName": "ContentCreated",
    "eventTime": "2018-12-11T21:37:33.950Z",
    "eventFormatVersion": "1.0 beta",
    "subsystem": "content"
}
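The search scoping described above (`_index=... _sourceCategory=...`) together with the metadata assignment rules and common parameters from the two preceding sections, worked through as an added Python example. This is not Sumo Logic's code: it parses constructed audit event JSON lines, checks that the documented common keys are present, derives _sourceCategory, _sourceName and _sourceHost by the rules in the metadata assignment table (including the no_sourceHost fallback and the case where operator is absent because the Sumo service acted), and emulates the index and source category scope of a search. The sample records, the event names other than ContentCreated, and the index each sample was written to are constructed placeholders, not values taken from a real account.

```python
"""Derive Sumo Logic audit-event metadata and scope events the way a search does.

Added example; not Sumo Logic's code. Metadata rules follow the documentation:
_sourceCategory = subsystem, _sourceName = eventName, _sourceHost = remote IP of
the requester, or "no_sourceHost" when it is unavailable. Sample records below are
constructed; event names other than ContentCreated are hypothetical placeholders.
"""
import json
from typing import Dict, List, Optional, Tuple

USER_INDEX = "sumologic_audit_events"
SYSTEM_INDEX = "sumologic_system_events"

# Constructed sample: (index the event was written to, raw JSON log line).
# Which index each record belongs to is assumed here, not derived from its content.
SAMPLE_LOG_LINES: List[Tuple[str, str]] = [
    (USER_INDEX, json.dumps({
        "accountId": "0000000000000131",
        "eventId": "11111111-2222-4333-8444-555555555555",
        "eventName": "ContentCreated",
        "eventTime": "2024-01-05T10:00:00.000Z",
        "eventFormatVersion": "1.0 beta",
        "subsystem": "content",
        "operator": {"email": "alice@example.com", "id": "0000000000000AAA",
                     "interface": "UI", "sourceIp": "203.0.113.10", "type": "UserContext"},
    })),
    (USER_INDEX, json.dumps({
        "accountId": "0000000000000131",
        "eventId": "11111111-2222-4333-8444-666666666666",
        "eventName": "HypotheticalAccessKeyCreated",  # placeholder event name
        "eventTime": "2024-01-05T10:05:00.000Z",
        "eventFormatVersion": "1.0 beta",
        "subsystem": "accessKeys",
        "operator": {"email": "bob@example.com", "id": "0000000000000BBB",
                     "interface": "API", "sourceIp": "198.51.100.7", "type": "UserContext"},
    })),
    (SYSTEM_INDEX, json.dumps({
        "accountId": "0000000000000131",
        "eventId": "11111111-2222-4333-8444-777777777777",
        "eventName": "HypotheticalAlertFired",  # placeholder event name
        "eventTime": "2024-01-05T10:06:00.000Z",
        "eventFormatVersion": "1.0 beta",
        "subsystem": "alerts",
        # no "operator" key: the Sumo service performed the operation
    })),
]

# The common parameters every audit event log carries, per the documentation.
REQUIRED_COMMON_KEYS = ("accountId", "eventId", "eventName", "eventTime",
                        "eventFormatVersion", "subsystem")


def parse_event(raw: str) -> Dict:
    """Parse one JSON audit log line and verify the documented common keys exist."""
    event = json.loads(raw)
    missing = [k for k in REQUIRED_COMMON_KEYS if k not in event]
    if missing:
        raise ValueError(f"audit event missing common keys: {missing}")
    return event


def assign_metadata(event: Dict) -> Dict[str, str]:
    """Apply the metadata assignment rules to one parsed event."""
    operator = event.get("operator") or {}
    return {
        "_sourceCategory": event["subsystem"],
        "_sourceName": event["eventName"],
        "_sourceHost": operator.get("sourceIp") or "no_sourceHost",
    }


def operator_label(event: Dict) -> str:
    """Who performed the operation: the operator's email, or the Sumo service if absent."""
    operator = event.get("operator")
    if not operator:
        return "sumologic-service"
    return operator.get("email", "unknown-user")


def scope(records: List[Tuple[str, str]], index: str,
          source_category: Optional[str] = None) -> List[Dict]:
    """Emulate the search scope `_index=<index> [_sourceCategory=<value>]`."""
    matched = []
    for written_index, raw in records:
        if written_index != index:
            continue
        event = parse_event(raw)
        meta = assign_metadata(event)
        if source_category is not None and meta["_sourceCategory"] != source_category:
            continue
        matched.append({**meta, "operator": operator_label(event), "event": event})
    return matched


if __name__ == "__main__":
    # Equivalent of: _index=sumologic_audit_events _sourceCategory=accessKeys
    for hit in scope(SAMPLE_LOG_LINES, USER_INDEX, "accessKeys"):
        print(hit["_sourceName"], hit["operator"], hit["_sourceHost"])
    # Equivalent of: _index=sumologic_system_events
    for hit in scope(SAMPLE_LOG_LINES, SYSTEM_INDEX):
        print(hit["_sourceName"], hit["operator"], hit["_sourceHost"])
```

Because _sourceHost falls back to no_sourceHost and operator is absent for service-originated events, a reviewer of the audit trail can separate user-driven changes (with a requester IP and email) from system action events without guessing at field presence.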

Index retention period

By default, the retention period of the Audit Event Index is the same as the retention period of your Default Continuous Partition. You can change the retention period by editing the relevant partitions, sumologic_audit_events and sumologic_system_events. For more information, see Edit a Partition.