
Enable and Manage the Audit Index

The Sumo Logic Audit Index automatically provides information on the internal events that occur in your account associated with account management, user activity, scheduled searches, and more. Events report audit messages, and these event messages are collected in the Audit Index to give you better visibility into your account usage.

Before it can be used, the Audit Index must be manually enabled by an administrator. Once enabled, it begins populating, and a set of log messages is created within the Audit Index every five minutes. Note that data does not backfill. Also, data is only provided to the Data Volume Index while the option is enabled.

Access the Audit Index using the query _index=sumologic_audit.

Creating an Index typically adds a nominal amount of data to your overall volume (approximately one to two percent) when pre-aggregated. Depending on your Sumo Logic account type and subscription, this data will count against your data volume quota. For more information, see Managing Data Volume.

Enable the Audit Index 

  1. Go to Manage > Security.
  2. Select the Sumo Logic Policies tab.
  3. Next to Sumo Logic Auditing, select the Enable check box.

Using the Audit Index

You can query the Audit Index just like any other message using the Sumo Logic Search page. To see the data created within the Audit Index, when you search, specify the _index metadata field with a value of sumologic_audit.

To query the Audit Index:

  1. In the Search page, enter the following query: 
    _index=sumologic_audit
    Important: Make sure to enter the query exactly as shown. Changing any part of the query renders it ineffective.
  2. Choose the time range for the incidents that you'd like to review.
  3. Click Start to run the search.

Results are returned in the Messages tab.

Collected Audit Index Events

The Audit Index is populated with a set of log messages every five minutes, which contains information on the events that your account is generating.

Specifically, events are collected for:

  • Source Category (_sourceCategory). The category of activity being audited.
  • Source Host (_sourcehost). IP address of the user.
  • Class. The object that the activity is being performed on.
  • Action. The action being taken.
  • Message Time (_messagetime). The time that the action was taken.
  • Source User (sourceUser). The username of the user taking the action.
  • Source Session (sourceSession). The session ID for the user taking the action.
  • Interface. Indicates where the action is coming from, either the UI or the API.
  • Status. The status of the action, which can be success or failure.
  • Target. The object for the action, such as a key name.
  • Message (_raw). The message text produced by the action.

Audit Index events are currently provided for the Source Categories Account Management and User Activity, described in detail in the following sections.

Account Management

The status is provided to the Audit Index (_index=sumologic_audit) for each event in the Account Management Source Category (_sourceCategory=account_management), including the returned log message of success or failure.

Account management events reported for your account include:

  Enable Disable Create Modify Delete
User    
Role    
Data Forwarding      
Access Key  
Password Policy        
Service Whitelist    
SAML    

 

User Activity

The status is provided to the Audit Index (_index=sumologic_audit) for each event in the User Activity Source Category (_sourceCategory=user_activity), including the returned log message of success or failure.

User activity events reported for your account include:

  • Password
    • Modify
    • Reset
  • Preferences
    • Modify
  • Session
    • Login

If you have enabled a Support Account, it also includes the following information on these Support Account Source Category activities (_sourceCategory=support_account_activity):

  • Session
    • Login
    • Logout

Scheduled Search

The status is provided to the Audit Index (_index=sumologic_audit) for each event in the Scheduled Search Source Category (_sourceCategory=scheduled_search), including the returned log message of success or failure.

Scheduled search events reported for your account include:

  • Start
  • Finish
  • Create
  • Delete
  • Update
  • Timeout
  • Skip
  • Suspend
  • Unsuspend

Suspend events only occur if Sumo Logic has manually suspended a search for some reason. If you see a suspended search and feel that this is in error, contact Sumo Logic Support.

Throttling Notifications

Status is provided to the Audit Index (_index=sumologic_audit) in the Account Management Source Category (_sourceCategory=account_management) and Volume Quota Source (_sourceName=VOLUME_QUOTA). The status includes the type of resource that experienced throttling in the last 15 minutes.

A Scheduled Search can be set up to send an alert when throttling occurs. See Schedule a search.

Throttling events reported for your account include:

  • LogIngest. Log data sent to Sumo Logic has been temporarily throttled.
  • MetricIngest. Metric data sent to Sumo Logic has been temporarily throttled.

Throttling events are reported if the following criteria are met:

  • At least 15 minutes have elapsed since the last time a throttling event was reported.
  • At least 2 percent of Collector Sources experienced the effect of data throttling in the time interval.

For example, searching with the following query:

_index=sumologic_audit _sourceCategory=account_management _sourceName=VOLUME_QUOTA

yields the following throttling notification.

An automatic data ingest rate limit has been temporarily enabled for your account. (Resource type: LogIngest)

Throttling Amazon CloudWatch metrics data

AWS automatically throttles CloudWatch data if the limits that Amazon sets for the associated APIs are exceeded.  If you have a high volume of metrics data points in your account, it is likely that Amazon will throttle your CloudWatch data.

If no adjustments are made on the Sumo Logic side, throttling on the Amazon side can cause metrics data to be dropped. To prevent this from occurring, Sumo Logic automatically doubles the CloudWatch scan interval if more than one throttling message is received in a single interval. However, the change in scan interval isn't reflected in the Sumo Logic UI. The original configured interval is still shown. See Amazon CloudWatch Source for Metrics for instructions on setting the CloudWatch scan interval. 

When the scan interval is increased, a message is added to the audit log. No action is required by the Sumo Logic user. 

The following is an example query to locate throttling notifications in the Audit Index.

_index=sumologic_audit _sourceCategory=account_management _sourceName=COLLECTOR

The query yields the following throttling notification.

CloudWatch source ui-cw-oldPrimary received throttling exception from AWS while querying for metrics.
Increasing scan interval to 20 minutes.

Collector upgrade notifications

If you upgrade or downgrade a collector through the Web UI, an entry is written to the Audit Index.

The status is provided to the Audit Index (_index=sumologic_audit) for each event in the User Activity Source Category (_sourceCategory=user_activity) and Collector Source (_sourceName=COLLECTOR), including the returned log message of success or failure.

Collector upgrade events reported for your account include the following:

  • Status (SUCCESS/FAILURE) 
  • Collector Name
  • From version
  • To version
  • Request time
  • Failure reason

For example, searching with the following query:

_index=sumologic_audit _sourceCategory=user_activity _sourceName=COLLECTOR | Status

yields the following Collector upgrade events.

Status: FAILURE
Message: Upgrade collector yanm-mac, from version 20.1-2832, to version 20.1-2844. request time Mon Jul 25 10:47:32 PDT 2016, Cannot run program "/Applications/Sumo Logic Collector/jre1.8.0_92.jre/Contents/Home/bin/java": error=2, No such file or directory
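
The three message shapes quoted on this page (collector upgrade, ingest throttling, CloudWatch scan-interval increase) can be parsed into structured events for triage once exported from the Audit Index. The following is an added example, not Sumo Logic code: the function, key and group names are hypothetical, and it assumes messages arrive as plain text in the forms shown above, with the failure reason absent on a successful upgrade.

```python
import re

# Patterns follow the three sample messages quoted on this page; the function,
# key and group names are this example's own (hypothetical), not Sumo Logic's.
UPGRADE = re.compile(
    r"Upgrade collector (?P<collector>.+?), from version (?P<from_version>\S+), "
    r"to version (?P<to_version>\S+?)\. request time (?P<request_time>[^,]+)"
    r"(?:, (?P<failure_reason>.+))?", re.S)
INGEST = re.compile(r"data ingest rate limit has been temporarily enabled "
                    r"for your account\. \(Resource type: (?P<resource>\w+)\)")
CLOUDWATCH = re.compile(
    r"CloudWatch source (?P<source>\S+) received throttling exception from AWS"
    r".*?Increasing scan interval to (?P<minutes>\d+) minutes", re.S)
STATUS = re.compile(r"^Status:\s*(?P<status>SUCCESS|FAILURE)\s*$", re.M)

def parse_audit_message(raw):
    """Return a dict describing one exported audit message, or None if unknown."""
    m = UPGRADE.search(raw)
    if m:
        event = {k: v.strip() if v else v for k, v in m.groupdict().items()}
        s = STATUS.search(raw)
        return {"kind": "collector_upgrade",
                "status": s.group("status") if s else None, **event}
    m = INGEST.search(raw)
    if m:
        return {"kind": "ingest_throttle", "resource": m.group("resource")}
    m = CLOUDWATCH.search(raw)
    if m:
        return {"kind": "cloudwatch_throttle", "source": m.group("source"),
                "scan_interval_minutes": int(m.group("minutes"))}
    return None

def needs_attention(event):
    """Flag failed upgrades and ingest throttling; CloudWatch backoff is informational."""
    if event and event["kind"] == "collector_upgrade":
        return event["status"] == "FAILURE"
    return bool(event) and event["kind"] == "ingest_throttle"

# Sample messages copied from the examples on this page.
SAMPLES = [
    'Status: FAILURE\nMessage: Upgrade collector yanm-mac, from version 20.1-2832, '
    'to version 20.1-2844. request time Mon Jul 25 10:47:32 PDT 2016, Cannot run '
    'program "/Applications/Sumo Logic Collector/jre1.8.0_92.jre/Contents/Home/bin/java"'
    ': error=2, No such file or directory',
    "An automatic data ingest rate limit has been temporarily enabled for your "
    "account. (Resource type: LogIngest)",
    "CloudWatch source ui-cw-oldPrimary received throttling exception from AWS "
    "while querying for metrics.\nIncreasing scan interval to 20 minutes.",
]
```

Calling `needs_attention(parse_audit_message(msg))` on each exported message separates failed upgrades and ingest throttling from the CloudWatch notice, which the page describes as requiring no user action.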