Skip to main content

Audit Event Index

Availability

Account TypeAccount Level
Cloud FlexTrial, Enterprise
CreditsTrial, Enterprise Operations, Enterprise Security, Enterprise Suite

The Audit Event Index contains event logs in JSON format on account activities, allowing you to monitor and audit changes. This index contains user action events, which are events that were triggered by a user action, either from the UI or an API. Enterprise accounts have the Audit Event Index enabled and available to search by default. You can use the Enterprise Audit Apps to visually display data from the Audit Event Index for monitoring and analysis.

This index is separate from the System Event Index, which shows events triggered by Sumo Logic rather than user action events.

This index is improved and different from the Audit Index, and there is some overlap of audited events. The Audit Index provides event logs in plain text and audits when account limits are reached and operation failures, like throttling and scheduled search events.

Documentation 

All available audited events are documented for your reference. See Documentation for Audit Log Definitions.

Search the Audit Event Index

Searching the Audit Event Index is the same as running a normal search against your ingested data. You specify the _index metadata field with sumologic_audit_events.

For example, to search for audit events:

  1. In the Search page, enter the following: _index=sumologic_audit_events  
    info

    Make sure to enter the query exactly as shown. Changing any part of the query renders it ineffective.

  2. Choose the time range for the incidents that you'd like to review.
  3. Click Start to run the search.

Audited events

This Audit Event Index has detailed JSON logs for the following features. To search for audit events for a specific feature use the metadata field _sourceCategory with its corresponding value. For example, to search user action events for access keys you would use the query:

_index=sumologic_audit_events _sourceCategory=accessKeys
Product Feature_sourceCategory Value
Access KeysaccessKeys
Alertsalerts
Automation Service and Cloud SOARoar*
Cloud SIEMcse*
Collectioncollection
Connectionsconnections
Content Sharingcontent
Data ForwardingdataForwarding
Field ExtractionsfieldExtractionRules
FieldsfieldManagement
Ingest BudgetsingestBudgets
Installation Tokenstoken
Logs-to-Metrics RulesmetricExtractionRule
MonitorsmonitorLibrary
Password PolicypasswordPolicy
Rolesroles
SAMLsaml
Scheduled ViewsscheduledView
Security Policies: Share Dashboards Outside of the Organization, Data Access Level for Shared Dashboards, Per User Concurrent Sessions Limit, and User Session TimeoutorgSettings
Security Policy: Support Account AccesssupportAccount
Service AllowlistserviceAllowlist
Support AccountsupportAccount
Transformation RulestransformationRules
Usersusers
User SessionsuserSessions
2-Step VerificationmultiFactorAuthentication

When performing create, update, and delete requests through Sumo Logic APIs, you can find the API accessID within the operator field of your related Audit Event Index messages.

Metadata assignment

Metadata fields are assigned to audit event logs as follows:

Metadata FieldAssignment Description
_sourceCategoryValue of the common parametersubsystem.
_sourceNameValue of the common parameter, eventName.
_sourceHostThe remote IP address of the host that made the request. If not available the value will be no_sourceHost.

Common parameters

Each audit event log has common keys that categorize it to a product area and provide details of the event.

ParameterDescriptionData Type
accountIdThe unique identifier of the organization.String
eventIdThe unique identifier of the event.String
eventNameThe name of the event.String
eventTimeThe event timestamp in ISO 8601 format.String
eventFormatVersionThe event log format version.String
operatorInformation of who did the operation. If its missing, the Sumo service was the operator.JSON object of Strings
subsystemThe product area of the event.String
{
"content": {
"type": "search",
"name": "this search should be packaged NHAXoOdq80o1ZKZ",
"description": "savedSearch"
},
"operator": {
"email": "searchservice_test@demo.com",
"id": "0000000002F2438D",
"interface": "UI",
"sessionId": "go42n37za657ck0i3t4368",
"sourceIp": "50.18.133.252",
"type": "UserContext"
},
"contentIdentity": {
"type": "search",
"contentId": "0000000009B2636B",
"externalId": "000000000BFB73FE",
"name": "this search should be packaged NHAXoOdq80o1ZKZ"
},
"adminMode": false,
"accountId": "0000000000000131",
"eventId": "0234cc63-333c-4585-a78f-08517e5f9fd7",
"eventName": "ContentCreated",
"eventTime": "2018-12-11T21:37:33.950Z",
"eventFormatVersion": "1.0 beta",
"subsystem": "content"
}

Index retention period

By default, the retention period of the Audit Event index is the same as the retention period of your Default Partition. You can change the retention period by editing the relevant partition, sumologic_audit_events. For more information, see Edit a Partition.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.