Skip to main content
Sumo Logic

Enable and Manage Auditing

3.png

Sumo Logic Auditing automatically captures information on the internal events that occur in your account associated with account management, user activity, scheduled searches, and more. Events report audit messages, and these event messages are collected to give you better visibility into your account usage.

Before you can use the audit index, an administrator must enable it. When the audit index is enabled, Sumo logs messages to it once every five minutes. Note that data does not backfill.

Enable the audit index

  1. Go to Administration > Security > Policies.
  2. Next to Sumo Logic Auditing, select the Enable check box.

Query the audit index

You can query the audit index in a log search tab. To search for all types of audit events,  enter:

_index=sumologic_audit

You can run more targeted search by including other metadata, message fields, or keyworkds in your query. The source categories for event types are listed in Audit index source categories below. The fields associated with event messages are listed in Audit event message fields

Results are returned in the Messages tab.

audit-index-search.png

Audit index source categories

Event type Source Category
Account Management account_management
User Activity user_activity
Support User Activity support_account_activity
Scheduled Search scheduled_search
Metrics metrics
Alerting alert

Audit event message fields

The table below lists defines the fields returned for an audit event. Note that by default, only the event time and the raw message are displayed. You can display selected fields by clicking the box next to a field in the Hidden Fields section of the page.

Field Description
Time (_messagetime) The time that the event occurred
Message (_raw) The raw log message written to the audit index. 
Action The action that was performed. Actions vary by event type. For more information, see Audit event classes and actions.
Class The object affected by the event. Classes vary by event type. For more information, see Audit event classes and actions.
Collector Values include "InternalCollector". 
Interface Indicates how the event was initiated from the Sumo UI or using an API. Values include: "UI", "API", and "INTERNAL".
_sourceCategory The source category associated with the event type. For more information, see Audit index source categories below.
_sourcehost IP address of the source's host, or "no_sourcehost".
sourceSession The session ID associated with the event, or "no_session".
sourceUser The Sumo username associated with the event. 
Status The status of the action, which can be success or failure
Target The object for the action, such as a key name.

Audit event classes and actions

The sections list the classes of objects—for example collectors, users, and sessions—for which Sumo writes audit logs, and the actions, such as create or delete, that result in a message to the audit log.  

When you query the audit index, the search results will include the class and action for each audit log. The class and action are hidden by default. To display a hidden field, click the checkbox next to it in the Hidden Fields section of the Messages tab. You can also preform targeted searches of the audit index using the class and action fields in your query.

Account management events

 _sourceCategory=account_management 

The table below shows the value of the class and action fields for account management events.

Class Actions
ACCESS_KEY CREATE
ENABLE
DISABLE
DELETE
COLLECTOR CREATE
UPDATE
UPGRADE
DELETE
THROTTLE
DATA_FORWARDING ENABLE
DISABLE
PASSWORD_POLICY MODIFY
ROLE CREATE
MODIFY
DELETE
SERVICE_WHITELIST ENABLE
DISABLE
MODIFY
USER CREATE
MODIFY
DISABLE
VOLUME_QUOTA EXCEEDED
RESET
Microsoft Office 365 Audit Source events

Sumo logs audit messages for Microsoft Office 365 Audit Source when the following events occur:

  • Source registration success with Microsoft
  • Failure to read back content from Microsoft
  • Token-update failure events
  • Subscription watchpoint failure events

To search for these events use this query:

_index=sumologic_audit _sourcecategory=account_management _sourceName=collector

The events have these formats:

Registration success event

Received validation notification from Office 365 for Audit Source with ID SOURCEID, name SOURCENAME. Validation code - VALIDATIONCODE

Callback failure event

Failed to read back from Office 365 for audit source with ID SOURCEID, name SOURCENAME. Object identifier - CONTENTURI

Token and Subscription failure event where NAME is either token or watchpoint 

Failed to refresh OAuth NAME for source SOURCENAME. Exception: EXCEPTION. Error message: ERRORMESSAGE

Throttling events

Status is provided to the audit index (_index=sumologic_audit) in the account management source category (_sourceCategory=account_management) and volume quota source (_sourceName=VOLUME_QUOTA). The status includes the type of resource that experienced throttling in the last 15 minutes.

A scheduled search can be set up to send an alert when throttling occurs. See Schedule a search

Throttling events reported include:

  • LogIngest. Log data sent to Sumo Logic has been temporarily throttled.
  • MetricIngest. Metric data sent to Sumo Logic has been temporarily throttled.

Throttling events are reported in the Audit Index if the following criteria are met:

  • A throttling event has occurred in the last 15 minutes.
  • At least 2 percent of collector sources experienced the effect of data throttling in the time interval.

For example, searching with the following query

_index=sumologic_audit _sourceCategory=account_management _sourceName=VOLUME_QUOTA

yields the following throttling notification.

An automatic data ingest rate limit has been temporarily enabled for your account. (Resource type: LogIngest)

Amazon CloudWatch metrics throttling events

AWS automatically throttles CloudWatch data if the limits that Amazon sets for the associated APIs are exceeded.  If you have a high volume of metrics data points in your account, it is likely that Amazon will throttle your CloudWatch data.

If no adjustments are made on the Sumo Logic side, throttling on the Amazon side can cause metrics data to be dropped. To prevent this from occurring, Sumo Logic automatically doubles the CloudWatch scan interval if more than one throttling message is received in a single interval. However, the change in scan interval isn't reflected in the Sumo Logic UI. The original configured interval is still shown. See Amazon CloudWatch Source for Metrics for instructions on setting the CloudWatch scan interval. 

When the scan interval is increased, a message is added to the audit log. No action is required by the Sumo Logic user. 

The following is an example query to locate throttling notification in the audit index.

_index=sumologic_audit _sourceCategory=account_management _sourceName=COLLECTOR

The query yields the following throttling notification.

CloudWatch source ui-cw-oldPrimary received throttling exception from AWS while querying for metrics.
Increasing scan interval to 20 minutes.
Audit Source OAuth Token and Watchpoints Refresh

For audit sources, Sumo Logic refreshes OAuth tokens and subscription watchpoints periodically to prevent data loss. 

If the refresh fails for any reason, a message is added to the audit log.

The following is an example query to locate refresh failure notification in the audit index.

_index = sumologic_audit  _sourcecategory = "account_management" _sourceName=COLLECTOR

The query yields the following refresh failure notification.

Failed to refresh OAuth token for source SOURCE_NAME.
Exception: com.sumologic.cocoa.api.FailedThirdPartyOperationException
Error message: Status code: 400, error message: { "error": "invalid_grant", "error_description": "Token has been expired or revoked."}....

User activity events

_sourceCategory=user_activity

The table below shows the value of the class and action fields for user activity events.

Class Actions
CONTENT_LIBRARY CREATE
DELETE
MOVE
COPY
UPDATE (name or description)
IMPORT
EXPORT
APP_INSTALLATION
FOLDER EXPORT
INSTALL
DELETE
IMPORT
MANAGE_PERMISSIONS
CREATE
MOVE
COPY
PASSWORD MODIFY
RESET
PREFERENCES MODIFY
REPORT UPDATE
MANAGE_PERMISSIONS
VIEW
SEARCH CREATE
UPDATE
MOVE
EXPORT
DELETE
MANAGE_PERMISSIONS
SESSION LOGIN
UPDATE
LOGOUT
SOURCE CREATE
UPDATE

Collector upgrade events

If you upgrade or downgrade a collector through the Web UI, an entry is written to the audit index.

The status is provided to the audit index (_index=sumologic_audit) for each event in the user activity source category ( _sourceCategory=user_activity), and collector source (_sourceName=COLLECTOR), including the returned log message of success or failure.

Collector upgrade events reported for your account include the following:

  • Status (SUCCESS/FAILURE) 
  • Collector Name
  • From version
  • To version
  • Request time
  • Failure reason

For example, searching with the following query:

_index=sumologic_audit _sourceCategory=user_activity _sourceName=COLLECTOR | Status

yields the following collector upgrade events.

Status: FAILURE
Message: Upgrade collector yanm-mac, from version 20.1-2832, 
to version 20.1-2844. request time Mon Jul 25 10:47:32 PDT 2016, 
Cannot run program "/Applications/Sumo Logic Collector/jre1.8.0_92.jre/Contents/Home/bin/java": 
error=2, No such file or directory

Support account events

_sourceCategory=support_account_activity

The table below shows the value of the class and action fields for support account events.

Class Actions
SESSION LOGIN
LOGOUT

Scheduled search events

_sourceCategory=scheduled_search

The table below shows the value of the class and action fields for scheduled search events.

Class Action Description
SCHEDULED_SEARCH Create Scheduled search was created.
Start Scheduled search started.
Finish Scheduled search finished successfully.
Delete Scheduled search was deleted.
Modify Scheduled search was modified.
Timeout Scheduled search did not complete within the timeout period, which is 20 minutes to an hour, depending on the time range set for the query.

For more information, see How to Prevent your Scheduled Search from Timing Out.
Suspend Indicates that Sumo has suspended the search because it has timed out repeatedly. 

When a Scheduled Search query fails, Sumo Logic attempts to run the query again two more times, for a total of three tries. If all attempts fail, then an Alert Email is sent with a notification of the failure. The Scheduled Search is not run again until the next time it is scheduled to do so.

The next time the Scheduled Search runs, if it fails again after the three tries, then it is suspended. Another Alert Email is sent to notify you that the query has been suspended.

The Scheduled Search will remain suspended for four hours for non-daily searches (for example, searches recurring every 15 minutes, every 1 hour, etc.) and for up to an extra day for a daily search (two failed executions on two days and skips the third day).
Skip Scheduled search was skipped, because it was in a suspended state at a time when it was scheduled to run.  

For more information, see What Happens When a Scheduled Search Is Suspended?
Unsuspend Indicates that Sumo has unsuspended a suspended scheduled search.

Suspend events only occur if Sumo Logic has manually suspended a search for some reason. If you see a suspended search and feel that this is in error, contact Sumo Logic Support.

Metric ingestion events

_sourceCategory=metrics

The table below shows the value of the class and action fields for metric events.

Class Actions
INGEST TRUNCATE

Metric monitor events

_sourceCategory=metrics

The table below shows the value of the class and action fields for metric monitor events.

Class Actions
MONITOR MODIFY