Audit Index
Availability
Account Type | Account Level |
---|---|
Cloud Flex | Trial, Professional, Enterprise |
Credits | Trial, Essentials, Enterprise Operations, Enterprise Security, Enterprise Suite |
The Audit Index provides event logs in plain text on the internal events that occur in your account associated with account management, throttling, scheduled searches, and more. Events report audit messages, and these event messages are collected to give you better visibility into your account usage.
This index is different from the Audit Event Index, and there is some overlap of audited events. The Audit Event Index provides event logs in JSON on activities from your account.
Before you can use the audit index, an administrator must enable it. When the audit index is enabled, Sumo logs messages to it once every five minutes. Note that data does not backfill.
All users can access the data contained within the audit index, but only administrators can enable and disable auditing.
Enable the audit index
- In the main Sumo Logic menu, select Administration > Security > Policies.
- Next to Sumo Logic Auditing, select the Enable check box.
Auditing typically adds a nominal amount of data to your overall volume (approximately one to two percent) when pre-aggregated. In your Sumo Logic account, this data will count against your data volume quota. For more information, see Manage Ingestion.
Query the audit index
You can query the audit index in a log search tab. To search for all types of audit events, enter:
_index=sumologic_audit
You can run a more targeted search by including other metadata, message fields, or keywords in your query. The source categories for event types are listed in Audit index source categories below. The fields associated with event messages are listed in Audit event message fields.
Results are returned in the Messages tab.
The audit index must be enabled for a search to produce results.
Audit index source categories
Event type | Source Category |
---|---|
Account Management | account_management |
User Activity | user_activity |
Support User Activity | support_account_activity |
Scheduled Search | scheduled_search |
Metrics | metrics |
Alerting | alert |
Audit event message fields
The table below defines the fields returned for an audit event. Note that by default, only the event time and the raw message are displayed. You can display selected fields by clicking the box next to a field in the Hidden Fields section of the page.
Field | Description |
---|---|
Time (_messagetime) | The time that the event occurred. |
Message (_raw) | The raw log message written to the audit index. |
Action | The action that was performed. Actions vary by event type. For more information, see Audit event classes and actions. |
Class | The object affected by the event. Classes vary by event type. For more information, see Audit event classes and actions. |
Collector | Values include "InternalCollector". |
Interface | Indicates whether the event was initiated from the Sumo UI, through an API, or internally by Sumo. Values include: "UI", "API", and "INTERNAL". |
_sourceCategory | The source category associated with the event type. For more information, see Audit index source categories below. |
_sourceHost | IP address of the source's host, or "no_sourceHost". |
sourceSession | The session ID associated with the event, or "no_session". |
sourceUser | The Sumo username associated with the event. |
Status | The status of the action, which can be success or failure. |
Target | The object for the action, such as a key name. |
Audit event classes and actions
The following sections list the classes of objects (for example, collectors, users, and sessions) for which Sumo writes audit logs, and the actions, such as create or delete, that result in a message to the audit log.
When you query the audit index, the search results include the class and action for each audit log. The `class` and `action` fields are hidden by default. To display a hidden field, click the checkbox next to it in the Hidden Fields section of the Messages tab. You can also perform targeted searches of the audit index using the `class` and `action` fields in your query.
Account management events
_sourceCategory=account_management
The table below shows the values of the `class` and `action` fields for account management events.
Class | Actions | Product Feature |
---|---|---|
ACCESS_KEY | CREATE, ENABLE, DISABLE, DELETE | Access Keys |
COLLECTOR | CREATE, UPDATE, UPGRADE, DELETE, THROTTLE | Collection |
DATA_FORWARDING | ENABLE, DISABLE | Data Forwarding |
PASSWORD_POLICY | MODIFY | Password Policy |
ROLE | CREATE, MODIFY, DELETE | Roles |
USER | CREATE, MODIFY, DISABLE | Users |
VOLUME_QUOTA | EXCEEDED, RESET | Throttling and Ingest Budgets; see Audit Ingest Budgets for example queries. |
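The following is an added example, not Sumo Logic's own code, that ties the Query the audit index section and the class/action table above together from a reviewer's side: it builds a targeted `_index=sumologic_audit` query string and then runs simple review logic over audit records shaped after the message fields table (`Class`, `Action`, `Status`, `Interface`, `sourceUser`, `Target`, and so on). The `field=value` query form is assumed Sumo search syntax, the `SAMPLE_EVENTS` records are constructed for illustration, and `PRIVILEGED_CHANGES` is this example's own choice of class/action pairs from the account management table, not a list the page defines.

```python
from collections import Counter

# Constructed sample events shaped after the audit event message fields table
# above. Values are illustrative, not real Sumo Logic audit output.
SAMPLE_EVENTS = [
    {"_sourceCategory": "account_management", "Class": "ACCESS_KEY", "Action": "CREATE",
     "Status": "success", "Interface": "API", "sourceUser": "alice@example.com",
     "_sourceHost": "203.0.113.10", "sourceSession": "no_session", "Target": "ci-deploy-key"},
    {"_sourceCategory": "account_management", "Class": "USER", "Action": "MODIFY",
     "Status": "success", "Interface": "UI", "sourceUser": "bob@example.com",
     "_sourceHost": "198.51.100.7", "sourceSession": "sess-41", "Target": "carol@example.com"},
    {"_sourceCategory": "account_management", "Class": "ROLE", "Action": "DELETE",
     "Status": "failure", "Interface": "API", "sourceUser": "alice@example.com",
     "_sourceHost": "203.0.113.10", "sourceSession": "no_session", "Target": "Analysts"},
    {"_sourceCategory": "account_management", "Class": "ROLE", "Action": "DELETE",
     "Status": "failure", "Interface": "API", "sourceUser": "alice@example.com",
     "_sourceHost": "203.0.113.10", "sourceSession": "no_session", "Target": "Administrators"},
    {"_sourceCategory": "account_management", "Class": "VOLUME_QUOTA", "Action": "EXCEEDED",
     "Status": "success", "Interface": "INTERNAL", "sourceUser": "no_user",
     "_sourceHost": "no_sourceHost", "sourceSession": "no_session", "Target": "account volume quota"},
]

# Class/action pairs from the account management table that change who can
# access the account or where its data goes. Chosen for this example; review
# each one that succeeds.
PRIVILEGED_CHANGES = {
    ("ACCESS_KEY", "CREATE"), ("ACCESS_KEY", "ENABLE"),
    ("ROLE", "CREATE"), ("ROLE", "MODIFY"), ("ROLE", "DELETE"),
    ("USER", "CREATE"), ("USER", "DISABLE"),
    ("PASSWORD_POLICY", "MODIFY"),
    ("DATA_FORWARDING", "ENABLE"), ("DATA_FORWARDING", "DISABLE"),
}


def build_query(source_category=None, cls=None, action=None):
    """Assemble a targeted audit-index search string. Assumes Sumo's
    field=value search syntax for _sourceCategory, class and action."""
    parts = ["_index=sumologic_audit"]
    if source_category:
        parts.append(f"_sourceCategory={source_category}")
    if cls:
        parts.append(f"class={cls}")
    if action:
        parts.append(f"action={action}")
    return " ".join(parts)


def privileged_changes(events):
    """Successful account-management changes in PRIVILEGED_CHANGES, with the
    actor, interface and target a reviewer needs to confirm each one."""
    hits = []
    for e in events:
        if e["_sourceCategory"] != "account_management" or e["Status"] != "success":
            continue
        if (e["Class"], e["Action"]) in PRIVILEGED_CHANGES:
            hits.append({"user": e["sourceUser"], "interface": e["Interface"],
                         "class": e["Class"], "action": e["Action"],
                         "target": e["Target"]})
    return hits


def failures_by_user(events):
    """Count failed actions per user; repeated failures by one principal
    (here two failed ROLE DELETEs) are a common review trigger."""
    return Counter(e["sourceUser"] for e in events if e["Status"] == "failure")


def quota_events(events):
    """Targets of VOLUME_QUOTA EXCEEDED events, i.e. ingest being throttled
    against the account's quota."""
    return [e["Target"] for e in events
            if e["Class"] == "VOLUME_QUOTA" and e["Action"] == "EXCEEDED"]


if __name__ == "__main__":
    print(build_query("account_management", "ACCESS_KEY", "CREATE"))
    for hit in privileged_changes(SAMPLE_EVENTS):
        print("review:", hit)
    print("failures:", dict(failures_by_user(SAMPLE_EVENTS)))
    print("quota exceeded:", quota_events(SAMPLE_EVENTS))
```

On the constructed input, only the successful ACCESS_KEY CREATE by alice via the API is returned for review (the USER MODIFY is not in the chosen set, and the two ROLE DELETEs failed), alice shows two failures, and one VOLUME_QUOTA EXCEEDED event is reported. Against a live account the same logic would run over the results of the query that `build_query` produces.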