
Audit Index

Availability

| Account Type | Account Level |
|--|--|
| Cloud Flex | Trial, Professional, Enterprise |
| Credits | Trial, Essentials, Enterprise Operations, Enterprise Security, Enterprise Suite |

The Audit Index provides plain-text event logs of the internal events that occur in your account, including account management, throttling, scheduled searches, and more. Each event is recorded as an audit message, and these messages are collected to give you better visibility into how your account is used.

This index is different from the Audit Event Index, and there is some overlap of audited events. The Audit Event Index provides event logs in JSON on activities from your account.

Before you can use the audit index, an administrator must enable it. Once it is enabled, Sumo writes messages to it every five minutes. Events that occurred before auditing was enabled are not backfilled.

note

All users can access the data contained within the audit index, but only administrators can enable and disable auditing.

Enable the audit index

  1. Go to Administration > Security > Policies.
  2. Next to Sumo Logic Auditing, select the Enable check box.
info

Auditing typically adds a nominal amount of data to your overall volume (approximately one to two percent) when pre-aggregated. Depending on your Sumo Logic account type and subscription, this data will count against your data volume quota. For more information, see Manage Ingestion.

Query the audit index

You can query the audit index in a log search tab. To search for all types of audit events, enter:

_index=sumologic_audit

You can run a more targeted search by including other metadata, message fields, or keywords in your query. The source categories for event types are listed in Audit index source categories below. The fields associated with event messages are listed in Audit event message fields.

Results are returned in the Messages tab.


note

The audit index must be enabled for a search to produce results.

Audit index source categories

| Event type | Source Category |
|--|--|
| Account Management | account_management |
| User Activity | user_activity |
| Support User Activity | support_account_activity |
| Scheduled Search | scheduled_search |
| Metrics | metrics |
| Alerting | alert |

Audit event message fields

The table below defines the fields returned for an audit event. By default, only the event time and the raw message are displayed. To display other fields, click the box next to the field in the Hidden Fields section of the Messages tab.

| Field | Description |
|--|--|
| Time (_messagetime) | The time that the event occurred. |
| Message (_raw) | The raw log message written to the audit index. |
| Action | The action that was performed. Actions vary by event type. For more information, see Audit event classes and actions. |
| Class | The object affected by the event. Classes vary by event type. For more information, see Audit event classes and actions. |
| Collector | Values include "InternalCollector". |
| Interface | Indicates how the event was initiated: from the Sumo UI, through the API, or internally by Sumo Logic. Values include "UI", "API", and "INTERNAL". |
| _sourceCategory | The source category associated with the event type. For more information, see Audit index source categories above. |
| _sourcehost | IP address of the source's host, or "no_sourcehost". |
| sourceSession | The session ID associated with the event, or "no_session". |
| sourceUser | The Sumo username associated with the event. |
| Status | The status of the action: success or failure. |
| Target | The object of the action, such as a key name. |

Audit event classes and actions

The following sections list the classes of objects (for example collectors, users, and sessions) for which Sumo writes audit logs, and the actions, such as create or delete, that result in a message to the audit log.

When you query the audit index, the search results will include the class and action for each audit log. The class and action are hidden by default. To display a hidden field, click the checkbox next to it in the Hidden Fields section of the Messages tab. You can also perform targeted searches of the audit index using the class and action fields in your query.

Account management events

_sourceCategory=account_management

The table below shows the value of the `class` and `action` fields for account management events.

| Class | Actions | Product Feature |
|--|--|--|
| ACCESS_KEY | CREATE<br/>ENABLE<br/>DISABLE<br/>DELETE | Access Keys |
| COLLECTOR | CREATE<br/>UPDATE<br/>UPGRADE<br/>DELETE<br/>THROTTLE | Collection |
| DATA_FORWARDING | ENABLE<br/>DISABLE | Data Forwarding |
| PASSWORD_POLICY | MODIFY | Password Policy |
| ROLE | CREATE<br/>MODIFY<br/>DELETE | Roles |
| USER | CREATE<br/>MODIFY<br/>DISABLE | Users |
| VOLUME_QUOTA | EXCEEDED<br/>RESET | Throttling and Ingest Budgets, see Audit Ingest Budgets for example queries. |
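Most of the account_management rows above are routine, but a handful of class/action pairs mint credentials, change permissions, or redirect data, and those are what a security team wants surfaced. The following Python is added here as an example and is not Sumo Logic's own code. It triages exported audit records (dicts keyed by the Audit Index field names listed in Audit event message fields) against three rules: successful high-risk account_management changes, support-account logins, and repeated failed actions from one user and host. The sample events, usernames, hosts, key names, failure threshold and rule names are this example's own assumptions.

```python
"""Triage Sumo Logic Audit Index events for security-relevant activity.

Added example, not Sumo Logic code. It assumes audit events have already been
exported (for example by a scheduled search or the Search Job API) into dicts
keyed by the field names documented for the Audit Index: _sourceCategory,
Class, Action, Interface, sourceUser, sourceSession, _sourcehost, Status and
Target. The records in SAMPLE_EVENTS are constructed; the usernames, hosts,
key names, threshold and the three detection rules are this example's choices.
"""
from collections import defaultdict

# account_management class/action pairs from the table above that change who
# can get into the account, what they are allowed to do, or where data is sent.
HIGH_RISK_CHANGES = {
    ("ACCESS_KEY", "CREATE"), ("ACCESS_KEY", "ENABLE"),
    ("ROLE", "CREATE"), ("ROLE", "MODIFY"),
    ("USER", "CREATE"), ("USER", "MODIFY"),
    ("PASSWORD_POLICY", "MODIFY"),
    ("DATA_FORWARDING", "ENABLE"),
}
FAILURE_THRESHOLD = 3  # failed actions from one (user, host) before alerting


def event(category, cls, action, user, host, status, interface="UI",
          target="", session="no_session"):
    """Build one audit record using the Audit Index field names."""
    return {"_sourceCategory": category, "Class": cls, "Action": action,
            "sourceUser": user, "_sourcehost": host, "Status": status,
            "Interface": interface, "Target": target, "sourceSession": session}


SAMPLE_EVENTS = [  # constructed sample records, not real audit data
    event("account_management", "ACCESS_KEY", "CREATE", "svc-ci@example.com",
          "203.0.113.10", "success", interface="API", target="ci-deploy-key"),
    event("account_management", "USER", "MODIFY", "alice@example.com",
          "198.51.100.20", "success", target="bob@example.com", session="s-1"),
    event("account_management", "COLLECTOR", "UPDATE", "alice@example.com",
          "198.51.100.20", "success", target="web-collector", session="s-1"),
    event("account_management", "PASSWORD_POLICY", "MODIFY", "dave@example.com",
          "198.51.100.30", "failure", session="s-2"),
    event("support_account_activity", "SESSION", "LOGIN", "sumo-support",
          "no_sourcehost", "success", interface="INTERNAL"),
    event("user_activity", "SESSION", "LOGIN", "carol@example.com",
          "192.0.2.99", "failure"),
    event("user_activity", "SESSION", "LOGIN", "carol@example.com",
          "192.0.2.99", "failure"),
    event("user_activity", "SESSION", "LOGIN", "carol@example.com",
          "192.0.2.99", "failure"),
]


def triage(events, failure_threshold=FAILURE_THRESHOLD):
    """Return a list of findings; each has a rule name, severity and context."""
    findings = []
    failures = defaultdict(int)
    for e in events:
        category = e.get("_sourceCategory")
        key = (e.get("Class"), e.get("Action"))
        status = (e.get("Status") or "").lower()
        user, host = e.get("sourceUser"), e.get("_sourcehost")
        if category == "support_account_activity" and key == ("SESSION", "LOGIN"):
            # Support access is legitimate but should always be accounted for.
            findings.append({"rule": "support_login", "severity": "medium",
                             "user": user, "host": host})
        elif (category == "account_management" and key in HIGH_RISK_CHANGES
              and status == "success"):
            # A credential or permission change made through the API, with no
            # interactive session behind it, gets the highest severity.
            severity = "high" if e.get("Interface") == "API" else "medium"
            findings.append({"rule": "high_risk_change", "severity": severity,
                             "user": user, "host": host,
                             "detail": f"{key[0]} {key[1]} {e.get('Target')}"})
        if status == "failure":
            failures[(user, host)] += 1
    for (user, host), count in failures.items():
        if count >= failure_threshold:
            findings.append({"rule": "repeated_failures", "severity": "medium",
                             "user": user, "host": host,
                             "detail": f"{count} failed actions"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)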

Microsoft Office 365 Audit Source events

Sumo logs audit messages for Microsoft Office 365 Audit Source when the following events occur:

* Source registration success with Microsoft
* Failure to read back content from Microsoft
* Token-update failure events
* Subscription watchpoint failure events

To search for these events, use this query:

_index=sumologic_audit _sourcecategory=account_management _sourceName=collector

The events have these formats:

Registration success event

Received validation notification from Office 365 for Audit Source with ID SOURCEID, name SOURCENAME. Validation code - VALIDATIONCODE

Callback failure event

Failed to read back from Office 365 for audit source with ID SOURCEID, name SOURCENAME. Object identifier - CONTENTURI

Token and subscription failure event, where NAME is either "token" or "watchpoint"

Failed to refresh OAuth NAME for source SOURCENAME. Exception: EXCEPTION. Error message: ERRORMESSAGE

Throttling events

Throttling status is written to the audit index (_index=sumologic_audit) in the account management source category (_sourceCategory=account_management) with the volume quota source (_sourceName=VOLUME_QUOTA). The status includes the type of resource that experienced throttling in the last 15 minutes.

A scheduled search can be set up to send an alert when throttling occurs. See Schedule a search.

Throttling events reported include:

  • LogIngest. Log data sent to Sumo Logic has been temporarily throttled.
  • MetricIngest. Metric data sent to Sumo Logic has been temporarily throttled.

Throttling events are reported in the Audit Index if the following criteria are met:

  • A throttling event has occurred in the last 15 minutes.
  • At least 8 percent of collector sources experienced the effect of data throttling in the time interval.

For example, searching with the following query

_index=sumologic_audit
_sourceCategory=account_management _sourceName=VOLUME_QUOTA  "rate limit"

yields the following throttling notification.

An automatic data ingest rate limit has been temporarily enabled for your account. (Resource type: LogIngest)

Amazon CloudWatch metrics throttling events

AWS automatically throttles CloudWatch data if the limits that Amazon sets for the associated APIs are exceeded.  If you have a high volume of metrics data points in your account, it is likely that Amazon will throttle your CloudWatch data.

If no adjustments are made on the Sumo Logic side, throttling on the Amazon side can cause metrics data to be dropped. To prevent this from occurring, Sumo Logic automatically doubles the CloudWatch scan interval if more than one throttling message is received in a single interval. However, the change in scan interval isn't reflected in the Sumo Logic UI. The original configured interval is still shown. See Amazon CloudWatch Source for Metrics for instructions on setting the CloudWatch scan interval. 

When the scan interval is increased, a message is added to the audit log. No action is required by the Sumo Logic user. 

The following is an example query to locate throttling notifications in the audit index.

_index=sumologic_audit _sourceCategory=account_management _sourceName=COLLECTOR

The query yields the following throttling notification.

CloudWatch source ui-cw-oldPrimary received throttling exception from AWS while querying for metrics. Increasing scan interval to 20 minutes.

Audit Source OAuth Token and Watchpoints Refresh

For audit sources, Sumo Logic refreshes OAuth tokens and subscription watchpoints periodically to prevent data loss. If the refresh fails for any reason, a message is added to the audit log.

The following is an example query to locate refresh failure notifications in the audit index.

_index=sumologic_audit
_sourceCategory=account_management _sourceName=COLLECTOR

The query yields the following refresh failure notification.

Failed to refresh OAuth token for source SOURCE_NAME. Exception: com.sumologic.cocoa.api.FailedThirdPartyOperationException Error message: Status code: 400, error message: { "error": "invalid_grant", "error_description": "Token has been expired or revoked."}....

User activity events

_sourceCategory=user_activity

The table below shows the value of the class and action fields for user activity events.

| Class | Actions |
|--|--|
| CONTENT_LIBRARY | CREATE<br/>DELETE<br/>MOVE<br/>COPY<br/>UPDATE (name or description)<br/>IMPORT<br/>EXPORT<br/>APP_INSTALLATION |
| FOLDER | EXPORT<br/>INSTALL<br/>DELETE<br/>IMPORT<br/>MANAGE_PERMISSIONS<br/>CREATE<br/>MOVE<br/>COPY |
| PASSWORD | MODIFY<br/>RESET |
| PREFERENCES | MODIFY |
| REPORT | UPDATE<br/>MANAGE_PERMISSIONS<br/>VIEW |
| SEARCH | CREATE<br/>UPDATE<br/>EXPORT<br/>DELETE<br/>MANAGE_PERMISSIONS |
| SESSION | LOGIN<br/>UPDATE<br/>LOGOUT |
| SOURCE | CREATE<br/>UPDATE |

Collector upgrade events

If you upgrade or downgrade a collector through the Web UI, an entry is written to the audit index.

Each event is written to the audit index (_index=sumologic_audit) in the user activity source category (_sourceCategory=user_activity) with the collector source (_sourceName=COLLECTOR), and the log message reports whether the upgrade succeeded or failed.

Collector upgrade events reported for your account include the following:

  • Status (SUCCESS/FAILURE) 
  • Collector Name
  • From version
  • To version
  • Request time
  • Failure reason

For example, searching with the following query:

_index=sumologic_audit _sourceCategory=user_activity _sourceName=COLLECTOR | Status

yields the following collector upgrade events.

Status: FAILURE Message: Upgrade collector yanm-mac, from version 20.1-2832,  to version 20.1-2844. request time Mon Jul 25 10:47:32 PDT 2016,  Cannot run program "/Applications/Sumo Logic Collector/jre1.8.0_92.jre/Contents/Home/bin/java":  error=2, No such file or directory
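Because only _messagetime and _raw are displayed by default, the details of the notifications quoted in the Office 365, throttling, CloudWatch, OAuth refresh and collector upgrade sections above (resource type, new scan interval, exception class, from/to version, failure reason) live inside the raw message. The following Python is added here as an example and is not Sumo Logic's own code: it parses each of those message formats into a dict so the results can be forwarded to a SIEM or asserted on in tests. The regular expressions follow the formats quoted on this page; the lines marked "constructed" in the sample list are made up, and the kind names and dict keys are this example's own choices.

```python
"""Parse the free-text notifications Sumo Logic writes to the Audit Index.

Added example, not Sumo Logic code. By default only _messagetime and _raw are
shown, and the Office 365, throttling, CloudWatch, OAuth-refresh and
collector-upgrade notifications carry their details inside _raw, so this
module turns each of those message formats into a dict. The regular
expressions follow the message formats quoted on this page; the lines marked
"constructed" in SAMPLE_MESSAGES are made up, and the kind names and dict keys
are this example's own choices.
"""
import re
from collections import Counter

# (kind, pattern); every named group becomes a key in the parsed dict.
PATTERNS = [
    ("ingest_throttle", re.compile(
        r"An automatic data ingest rate limit has been temporarily enabled for "
        r"your account\. \(Resource type: (?P<resource>\w+)\)")),
    ("cloudwatch_backoff", re.compile(
        r"CloudWatch source (?P<source>.+?) received throttling exception from AWS "
        r"while querying for metrics\. Increasing scan interval to "
        r"(?P<interval_minutes>\d+) minutes?\.")),
    ("oauth_refresh_failure", re.compile(
        r"Failed to refresh OAuth (?P<refresh_target>token|watchpoint) for source "
        r"(?P<source>.+?)\. Exception: (?P<exception>\S+?)\.? Error message: "
        r"(?P<message>.*)")),
    ("collector_upgrade", re.compile(
        r"Status: (?P<status>SUCCESS|FAILURE) Message: Upgrade collector "
        r"(?P<collector>.+?), from version (?P<from_version>\S+),\s+to version "
        r"(?P<to_version>\S+?)\. request time (?P<request_time>.+?)"
        r"(?:,\s+(?P<reason>.*))?")),
    ("o365_registration", re.compile(
        r"Received validation notification from Office 365 for Audit Source with "
        r"ID (?P<source_id>\S+), name (?P<source_name>.+?)\. "
        r"Validation code - (?P<validation_code>\S+)")),
    ("o365_callback_failure", re.compile(
        r"Failed to read back from Office 365 for audit source with ID "
        r"(?P<source_id>\S+), name (?P<source_name>.+?)\. "
        r"Object identifier - (?P<content_uri>\S+)")),
]

SAMPLE_MESSAGES = [
    # quoted on this page
    'An automatic data ingest rate limit has been temporarily enabled for your account. (Resource type: LogIngest)',
    # constructed: the same format for the metrics resource
    'An automatic data ingest rate limit has been temporarily enabled for your account. (Resource type: MetricIngest)',
    # quoted on this page
    'CloudWatch source ui-cw-oldPrimary received throttling exception from AWS while querying for metrics. Increasing scan interval to 20 minutes.',
    # quoted on this page
    'Failed to refresh OAuth token for source SOURCE_NAME. Exception: com.sumologic.cocoa.api.FailedThirdPartyOperationException Error message: Status code: 400, error message: { "error": "invalid_grant", "error_description": "Token has been expired or revoked."}....',
    # quoted on this page
    'Status: FAILURE Message: Upgrade collector yanm-mac, from version 20.1-2832,  to version 20.1-2844. request time Mon Jul 25 10:47:32 PDT 2016,  Cannot run program "/Applications/Sumo Logic Collector/jre1.8.0_92.jre/Contents/Home/bin/java":  error=2, No such file or directory',
    # constructed: registration success with placeholder ID, name and code
    'Received validation notification from Office 365 for Audit Source with ID 000000001, name o365-sample. Validation code - 1234abcd',
    # constructed: a message no pattern covers
    'Collector heartbeat received',
]


def parse_audit_message(raw):
    """Return {"kind": ..., <fields>} for a known notification, else None."""
    line = raw.strip()
    for kind, pattern in PATTERNS:
        match = pattern.fullmatch(line)
        if match:
            parsed = {"kind": kind, **match.groupdict()}
            if "interval_minutes" in parsed:
                parsed["interval_minutes"] = int(parsed["interval_minutes"])
            return parsed
    return None


def summarize(raw_lines):
    """Count notifications by kind; lines no pattern matches count as 'unparsed'."""
    counts = Counter()
    for line in raw_lines:
        parsed = parse_audit_message(line)
        counts[parsed["kind"] if parsed else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(parse_audit_message(line))
    print(dict(summarize(SAMPLE_MESSAGES)))
```

Unmatched lines come back as None rather than raising, so a new message format Sumo introduces shows up as an "unparsed" count in summarize instead of breaking the pipeline; that count is worth alerting on by itself.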

Support account events

_sourceCategory=support_account_activity

The table below shows the value of the class and action fields for support account events.

note

Support account events are logged only if you have enabled a support account.

| Class | Actions |
|--|--|
| SESSION | LOGIN<br/>LOGOUT |

Scheduled search events

_sourceCategory=scheduled_search

The table below shows the value of the action field for scheduled search events. The class for these events is SCHEDULED_SEARCH.

| Action | Description |
|--|--|
| Create | Scheduled search was created. |
| Start | Scheduled search started. |
| Finish | Scheduled search finished successfully. |
| Delete | Scheduled search was deleted. |
| Modify | The alert condition for the scheduled search was met and the alert action was fired. |
| Timeout | Scheduled search did not complete within the timeout period, which is 20 minutes to an hour, depending on the time range set for the query. For more information, see How to Prevent your Scheduled Search from Timing Out. |
| Suspend | Sumo has suspended the search because it has timed out repeatedly. The retry and suspension behavior is described below the table. |
| Skip | Scheduled search was skipped because it was in a suspended state at a time when it was scheduled to run. For more information, see What Happens When a Scheduled Search Is Suspended? |
| Unsuspend | Sumo has unsuspended a suspended scheduled search. |

When a scheduled search query fails, Sumo Logic attempts to run the query again two more times, for a total of three tries. If all attempts fail, an alert email is sent with a notification of the failure. The scheduled search is not run again until the next time it is scheduled to do so.

The next time the scheduled search runs, if it fails again after the three tries, it is suspended. Another alert email is sent to notify you that the query has been suspended.

The scheduled search remains suspended for four hours for non-daily searches (for example, searches recurring every 15 minutes, every hour, and so on) and for up to an extra day for a daily search (two failed executions on two days, and the third day is skipped).

Suspend events only occur if Sumo Logic has manually suspended a search for some reason. If you see a suspended search and feel that this is in error, contact Sumo Logic Support.

Metric ingestion and extraction events

_sourceCategory=metrics

The table below shows the value of the class and action fields for metric events.

| Class | Actions | Description |
|--|--|--|
| INGEST | TRUNCATE | |
| METRIC_EXTRACTION | SKIP | A logs-to-metrics rule extracted one or more dimensions that are longer than 250 characters. For more information, see Logs-to-Metrics. |

Index retention period

By default, the retention period of the Audit Index is the same as the retention period of your Default Partition. You can change the retention period by editing the partition that contains the index, sumologic_audit. For more information, see Edit a Partition.

Copyright © 2022 by Sumo Logic, Inc.