Audit Event Index
Availability
Account Type | Account Level |
---|---|
Cloud Flex | Trial, Enterprise |
Credits | Trial, Enterprise Operations, Enterprise Security, Enterprise Suite |
The Audit Event Index contains event logs in JSON format on account activities, allowing you to monitor and audit changes. Enterprise accounts have the Audit Event Index enabled and available to search by default. You can use the Enterprise Audit Apps to visually display data from the Audit Event Index for monitoring and analysis.
This index is improved and different from the Audit Index, and there is some overlap of audited events. The Audit Index provides event logs in plain text and audits when account limits are reached and operation failures, like throttling and scheduled search events.
The Audit Event Index logs two types of events:
- Events that are the result of user actions, referred to as user action events.
- Events that are the result of Sumo Logic actions, referred to as system action events.
Documentation
All available audited events are documented for your reference. This documentation is hosted on each deployment, instead of on this document. Sumo Logic has several deployments that are assigned depending on the geographic location and the date an account is created. See how to determine which endpoint to use if you are unsure.
Select the documentation link for your deployment:
Search the Audit Event Index
Searching the Audit Event Index is the same as running a normal search against your ingested data. You specify the _index
metadata field with one of these values:
sumologic_audit_events
. This index contains user action events, which are events that were triggered by a user action, either from the UI or an API. To search for user action events, include this in the scope of your search:_index=sumologic_audit_events
sumologic_system_events
. This index contains system action events, which are events that were triggered by Sumo Logic, for example throttling events, rules triggered, and so on. To search for system action events, include this in the scope of your search:
_index=sumologic_system_events
Source categories for user action events
The table below lists the source category assigned to events written to the sumologic_audit_events
index by product feature. To search for user action events for a specific feature, use _sourceCategory
with its corresponding value, along with _index=sumologic_audit_
events
. For example, to search for user action events for access keys you would use the query:
_index=sumologic_audit_
events _sourceCategory=accessKeys
For the individual events that are logged for each feature, see the sumologic_audit_events section of the online Audit Event Index documentation.
Product Feature | _sourceCategory Value |
---|---|
2-Step Verification | multiFactorAuthentication |
Access Keys | accessKeys |
Collection | collection |
Content Sharing | content |
Data Forwarding | dataForwarding |
Event Action | |
Field Extractions | fieldExtractionRules |
Field Management | fieldManagement |
Ingest Budgets | ingestBudgets |
Installation Tokens | token |
Logs-to-Metrics Rules | metricExtractionRule |
Monitors | monitorLibrary |
Parsers | ParsersLibrary |
Partitions | partitions |
Password Policy | passwordPolicy |
Roles | roles |
SAML | saml |
Scheduled Views | scheduledView |
Security Policies: Share Dashboards Outside of the Organization, Data Access Level for Shared Dashboards, Per User Concurrent Sessions Limit, and User Session Timeout | orgSettings |
Security Policy: Support Account Access | supportAccount |
Service Allowlist | serviceAllowlist |
Support Account | supportAccount |
Transformation Rules | transformationRules |
Users | users |
User Sessions | userSessions |
Source categories for system action events
The table below lists the source category assigned to events written to the sumologic_system_events
index by product feature. To search for system action events for a specific feature, use _sourceCategory
with its corresponding value, along with _index=sumologic_system_
events
. For example, to search for system action events for alerts you would use the query:
_index=sumologic_system_events _sourceCategory=alerts
For the individual events that are logged for each feature, see the sumologic_system_events section of the online Audit Event Index documentation.
Product Feature | _sourceCategory Value |
---|---|
Alerts | alerts |
Health Events | collection |
Monitors | monitors |
Tracing | tracingIngest |
Metadata assignment
Metadata fields are assigned to audit event logs as follows:
Metadata Field | Assignment Description |
---|---|
_sourceCategory |
Value of the common parameter, subsystem . |
_sourceName |
Value of the common parameter, eventName . |
_sourceHost |
The remote IP address of the host that made the request. If not available the value will be no_sourceHost . |
Common parameters
Each audit event log has common keys that categorize it to a product area and provide details of the event.
Parameter | Description | Data Type |
---|---|---|
accountId |
The unique identifier of the organization. | String |
eventId |
The unique identifier of the event. | String |
eventName |
The name of the event. | String |
eventTime |
The event timestamp in ISO 8601 format. | String |
eventFormatVersion |
The event log format version. | String |
operator |
Information of who did the operation. If its missing, the Sumo service was the operator. | JSON object of Strings |
subsystem |
The product area of the event. | String |
{
"content": {
"type": "search",
"name": "this search should be packaged NHAXoOdq80o1ZKZ",
"description": "savedSearch"
},
"operator": {
"email": "searchservice_test@demo.com",
"id": "0000000002F2438D",
"interface": "UI",
"sessionId": "go42n37za657ck0i3t4368",
"sourceIp": "50.18.133.252",
"type": "UserContext"
},
"contentIdentity": {
"type": "search",
"contentId": "0000000009B2636B",
"externalId": "000000000BFB73FE",
"name": "this search should be packaged NHAXoOdq80o1ZKZ"
},
"adminMode": false,
"accountId": "0000000000000131",
"eventId": "0234cc63-333c-4585-a78f-08517e5f9fd7",
"eventName": "ContentCreated",
"eventTime": "2018-12-11T21:37:33.950Z",
"eventFormatVersion": "1.0 beta",
"subsystem": "content"
}
Index retention period
By default, the retention period of the Audit Event index is the same as the retention period of your Default Continuous Partition. You can change the retention period by editing the relevant partitions, sumologic_audit_events
and sumologic_system_events
. For more information, see Edit a Partition.