Enable and Manage Auditing

Sumo Logic Auditing automatically captures information on the internal events that occur in your account associated with account management, user activity, scheduled searches, and more. Events report audit messages, and these event messages are collected to give you better visibility into your account usage.

Before it can be used, Auditing must be manually enabled by an administrator. Once audit records are enabled, the system will capture a set of log messages every five minutes. It's important to note that data does not backfill. Also, data is only captured while the option is enabled.

Access the audit index using the query _index=sumologic_audit.

Enable Auditing

  1. Go to Manage > Security > Policies (Manage > Security, Sumo Logic Policies tab in the classic UI).
  2. Next to Sumo Logic Auditing, select the Enable check box.

Using the Audit Index

You can query the audit index just like any other message using the Sumo Logic Search page. To see the data created within the audit index, when you search, specify the _index metadata field with a value of sumologic_audit.

To query the audit index

  1. In the Search page, enter the following query: 
    _index=sumologic_audit
    Important: Make sure to enter the query exactly as shown. Changing any part of the query renders it ineffective.
  2. Choose the time range for the incidents that you'd like to review.
  3. Click Start to run the search.

Results are returned in the Messages tab.

Collected Audit Index Events

The audit index is populated with a set of log messages every five minutes, which contains information on the events that your account is generating.

Specifically, events are collected for:

  • Source Category (_sourceCategory). The category of activity being audited
  • Source Host (_sourcehost). IP address of the user
  • Class. The object on which the activity is being performed
  • Action. The action being taken
  • Message Time (_messagetime). The time that the action was taken
  • Source User (sourceUser). The username of the user taking the action
  • Source Session (sourceSession). The session ID for the user taking the action
  • Interface. Indicates where the action is coming from, either the UI or the API
  • Status. The status of the action, which can be success or failure
  • Target. The object for the action, such as a key name
  • Message (_raw). The message text produced by the action

Audit index events are currently provided for the source categories "Account Management" and "User Activity," described in detail in the following sections.

Account Management

The status is provided to the audit index (_index=sumologic_audit) for each event in the account management source category (_sourceCategory=account_management), including the returned log message of success or failure.

Account management events reported for your account include:

  Actions (reported per object as applicable): Enable, Disable, Create, Modify, Delete

  • User
  • Role
  • Data Forwarding
  • Access Key
  • Password Policy
  • Service Whitelist
  • SAML

User Activity

The status is provided to the audit index (_index=sumologic_audit) for each event in the user activity source category (_sourceCategory=user_activity), including the returned log message of success or failure.

User activity events reported for your account include:

  • Password
    • Modify
    • Reset
  • Preferences
    • Modify
  • Session
    • Login

If you have enabled a support account, the audit index also includes the following support account source category activities (_sourceCategory=support_account_activity):

  • Session
    • Login
    • Logout

Scheduled Search

The status is provided to the audit index (_index=sumologic_audit) for each event in the scheduled search source category (_sourceCategory=scheduled_search), including the returned log message of success or failure.

Scheduled search events reported for your account include:

  • Start
  • Finish
  • Create
  • Delete
  • Update
  • Timeout
  • Skip
  • Suspend
  • Unsuspend

Suspend events only occur if Sumo Logic has manually suspended a search for some reason. If you see a suspended search and feel that this is in error, contact Sumo Logic Support.

Throttling Notifications

Status is provided to the audit index (_index=sumologic_audit) in the account management source category (_sourceCategory=account_management) and volume quota source (_sourceName=VOLUME_QUOTA). The status includes the type of resource that experienced throttling in the last 15 minutes.

A scheduled search can be set up to send an alert when throttling occurs. See Schedule a search.

Throttling events reported for your account include:

  • LogIngest. Log data sent to Sumo Logic has been temporarily throttled.
  • MetricIngest. Metric data sent to Sumo Logic has been temporarily throttled.

Throttling events are reported if the following criteria are met:

  • At least 15 minutes have elapsed since the last time a throttling event was reported.
  • At least 2 percent of collector sources experienced the effect of data throttling in the time interval.

For example, searching with the following query:

_index=sumologic_audit _sourceCategory=account_management _sourceName=VOLUME_QUOTA

yields the following throttling notification.

An automatic data ingest rate limit has been temporarily enabled for your account. (Resource type: LogIngest)
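The following Python is an added example, not part of the Sumo Logic documentation or product: it applies the query terms above to a constructed batch of audit events (field names taken from the field list on this page), extracts the resource type from the notification text, and encodes the two reporting criteria stated above as a function. The event dictionaries and the 5-minute batch cadence are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Notification text as shown on this page; the parenthesised resource type
# is LogIngest or MetricIngest.
THROTTLE_RE = re.compile(
    r"rate limit has been temporarily enabled .*\(Resource type: (?P<resource>\w+)\)"
)

# Constructed sample batch: two throttling notices and one unrelated event.
SAMPLE_EVENTS = [
    {"_index": "sumologic_audit", "_sourceCategory": "account_management",
     "_sourceName": "VOLUME_QUOTA",
     "_raw": "An automatic data ingest rate limit has been temporarily enabled "
             "for your account. (Resource type: LogIngest)"},
    {"_index": "sumologic_audit", "_sourceCategory": "account_management",
     "_sourceName": "VOLUME_QUOTA",
     "_raw": "An automatic data ingest rate limit has been temporarily enabled "
             "for your account. (Resource type: MetricIngest)"},
    {"_index": "sumologic_audit", "_sourceCategory": "user_activity",
     "_sourceName": "COLLECTOR", "_raw": "Upgrade collector example-host ..."},
]


def throttled_resource_types(events):
    """Filter events the way the page's query does and count notices per resource type."""
    counts = {}
    for ev in events:
        if (ev.get("_index") != "sumologic_audit"
                or ev.get("_sourceCategory") != "account_management"
                or ev.get("_sourceName") != "VOLUME_QUOTA"):
            continue
        m = THROTTLE_RE.search(ev.get("_raw", ""))
        if m:
            counts[m["resource"]] = counts.get(m["resource"], 0) + 1
    return counts


def should_report(now, last_report, throttled_sources, total_sources):
    """Both criteria from the page: >= 15 min since the last report and >= 2% of sources throttled."""
    if total_sources <= 0:
        return False
    if last_report is not None and now - last_report < timedelta(minutes=15):
        return False
    return throttled_sources / total_sources >= 0.02


if __name__ == "__main__":
    print(throttled_resource_types(SAMPLE_EVENTS))
    t0 = datetime(2016, 7, 25, 10, 0)
    print(should_report(t0 + timedelta(minutes=20), t0, 3, 100))
```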

Throttling Amazon CloudWatch metrics data

AWS automatically throttles CloudWatch data if the limits that Amazon sets for the associated APIs are exceeded.  If you have a high volume of metrics data points in your account, it is likely that Amazon will throttle your CloudWatch data.

If no adjustments are made on the Sumo Logic side, throttling on the Amazon side can cause metrics data to be dropped. To prevent this from occurring, Sumo Logic automatically doubles the CloudWatch scan interval if more than one throttling message is received in a single interval. However, the change in scan interval isn't reflected in the Sumo Logic UI. The original configured interval is still shown. See Amazon CloudWatch Source for Metrics for instructions on setting the CloudWatch scan interval. 

When the scan interval is increased, a message is added to the audit log. No action is required by the Sumo Logic user. 

The following is an example query to locate throttling notifications in the audit index.

_index=sumologic_audit _sourceCategory=account_management _sourceName=COLLECTOR

The query yields the following throttling notification.

CloudWatch source ui-cw-oldPrimary received throttling exception from AWS while querying for metrics.
Increasing scan interval to 20 minutes.

Collector upgrade notifications

If you upgrade or downgrade a collector through the Web UI, an entry is written to the audit index.

The status is provided to the audit index (_index=sumologic_audit) for each event in the user activity source category (_sourceCategory=user_activity) and collector source (_sourceName=COLLECTOR), including the returned log message of success or failure.

Collector upgrade events reported for your account include the following:

  • Status (SUCCESS/FAILURE) 
  • Collector Name
  • From version
  • To version
  • Request time
  • Failure reason

For example, searching with the following query:

_index=sumologic_audit _sourceCategory=user_activity _sourceName=COLLECTOR | Status

yields the following collector upgrade events.

Status: FAILURE
Message: Upgrade collector yanm-mac, from version 20.1-2832, to version 20.1-2844. request time Mon Jul 25 10:47:32 PDT 2016, Cannot run program "/Applications/Sumo Logic Collector/jre1.8.0_92.jre/Contents/Home/bin/java": error=2, No such file or directory
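The following Python is an added example, not part of the Sumo Logic documentation or product: it parses the collector upgrade message format shown above into the fields the page lists (status, collector name, from/to version, request time, failure reason) and picks out the failed upgrades so they can feed an alert. The event dictionaries are constructed; the assumption that a successful upgrade carries the same message without the trailing failure reason is mine, not the page's.

```python
import re
from typing import Optional

# Message layout taken from the FAILURE example on this page.
UPGRADE_RE = re.compile(
    r"^Upgrade collector (?P<collector>.+?), "
    r"from version (?P<from_version>[^,]+), "
    r"to version (?P<to_version>\S+?)\. "
    r"request time (?P<request_time>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} "
    r"\d{2}:\d{2}:\d{2} [A-Z]{3,4} \d{4})"
    r"(?:, (?P<failure_reason>.*))?$"
)

# Constructed sample: the page's failure event plus an assumed success event.
SAMPLE_EVENTS = [
    {"_sourceCategory": "user_activity", "_sourceName": "COLLECTOR",
     "Status": "FAILURE",
     "Message": "Upgrade collector yanm-mac, from version 20.1-2832, to version "
                "20.1-2844. request time Mon Jul 25 10:47:32 PDT 2016, Cannot run "
                "program \"/Applications/Sumo Logic Collector/jre1.8.0_92.jre/"
                "Contents/Home/bin/java\": error=2, No such file or directory"},
    {"_sourceCategory": "user_activity", "_sourceName": "COLLECTOR",
     "Status": "SUCCESS",
     "Message": "Upgrade collector web-01, from version 20.1-2832, to version "
                "20.1-2844. request time Tue Jul 26 09:00:00 PDT 2016"},
    {"_sourceCategory": "account_management", "_sourceName": "VOLUME_QUOTA",
     "Status": "SUCCESS", "Message": "unrelated event"},
]


def parse_collector_upgrade(event: dict) -> Optional[dict]:
    """Return the structured upgrade fields, or None if the event is not an upgrade event."""
    if (event.get("_sourceCategory") != "user_activity"
            or event.get("_sourceName") != "COLLECTOR"):
        return None
    m = UPGRADE_RE.match(event.get("Message", ""))
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = event.get("Status")
    return fields


def failed_upgrades(events):
    """Upgrade events with Status FAILURE, parsed; the material for an alert query."""
    parsed = (parse_collector_upgrade(ev) for ev in events)
    return [p for p in parsed if p and p["status"] == "FAILURE"]


if __name__ == "__main__":
    for p in failed_upgrades(SAMPLE_EVENTS):
        print(p["collector"], p["from_version"], "->", p["to_version"], p["failure_reason"])
```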

Audit Source OAuth Token and Watchpoints Refresh

For audit sources, Sumo Logic refreshes OAuth tokens and subscription watchpoints periodically to prevent data loss. 

If the refresh fails for any reason, a message is added to the audit log.

The following is an example query to locate refresh failure notifications in the audit index.

_index = sumologic_audit  _sourcecategory = "account_management" _sourceName=COLLECTOR

The query yields the following refresh failure notification.

Failed to refresh OAuth token for source SOURCE_NAME.
Exception: com.sumologic.cocoa.api.FailedThirdPartyOperationException
Error message: Status code: 400, error message: { "error": "invalid_grant", "error_description": "Token has been expired or revoked."}....