Audit Event Index
Availability
| Account Type | Account Level |
|---|---|
| Cloud Flex | Trial, Enterprise |
| Credits | Trial, Enterprise Operations, Enterprise Security, Enterprise Suite |
The Audit Event Index contains event logs in JSON format on account activities, allowing you to monitor and audit changes. Enterprise accounts have the Audit Event Index enabled and available to search by default. You can use the Enterprise Audit Apps to visually display data from the Audit Event Index for monitoring and analysis.
This index is improved and different from the Audit Index, and there is some overlap of audited events. The Audit Index provides event logs in plain text and audits when account limits are reached and operation failures, like throttling and scheduled search events.
Documentation
All available audited events are documented for your reference. This documentation is hosted on each deployment, instead of on this document. Sumo Logic has several deployments that are assigned depending on the geographic location and the date an account is created. See how to determine which endpoint to use if you are unsure.
Select the documentation link for your deployment:
Search the Audit Event Index
Searching the Audit Event Index is the same as running a normal search against your ingested data. You specify the _index metadata field with one of these values:
sumologic_audit_events. This index contains user action events, which are events that were triggered by a user action, either from the UI or an API.sumologic_system_events. This index contains system action events, which are events that were triggered by Sumo Logic, for example throttling events, rules triggered, and so on.
For example, to search for user action events:
In the Search page, enter the following:
_index=sumologic_audit_``eventsinfoMake sure to enter the query exactly as shown. Changing any part of the query renders it ineffective.
Choose the time range for the incidents that you'd like to review.
Click Start to run the search.
Audited events
This index has detailed JSON logs for the following features. To search audit events for a specific feature use the metadata field _sourceCategory with its corresponding value. For example, to search events for access keys you would use the query:
_index=sumologic_audit_``events _sourceCategory=accessKeys
| Product Feature | _sourceCategory Value |
|---|---|
| Access Keys | accessKeys |
| Collection | collection |
| Content Sharing | content |
| Data Forwarding | dataForwarding |
| Field Extractions | fieldExtractionRules |
| Fields | fieldManagement |
| Ingest Budgets | ingestBudgets |
| Installation Tokens | token |
| Logs-to-Metrics Rules | metricExtractionRule |
| Monitors | monitorLibrary |
| Password Policy | passwordPolicy |
| Roles | roles |
| SAML | saml |
| Scheduled Views | scheduledView |
| Security Policies: Share Dashboards Outside of the Organization, Data Access Level for Shared Dashboards, Per User Concurrent Sessions Limit, and User Session Timeout | orgSettings |
| Security Policy: Support Account Access | supportAccount |
| Service Allowlist | serviceAllowlist |
| Support Account | supportAccount |
| Transformation Rules | transformationRules |
| Users | users |
| User Sessions | userSessions |
| 2-Step Verification | multiFactorAuthentication |
Metadata assignment
Metadata fields are assigned to audit event logs as follows:
| Metadata Field | Assignment Description |
|---|---|
| _sourceCategory | Value of the common parameter, subsystem. |
| _sourceName | Value of the common parameter, eventName. |
| _sourceHost | The remote IP address of the host that made the request. If not available the value will be no_sourceHost. |
Common parameters
Each audit event log has common keys that categorize it to a product area and provide details of the event.
| Parameter | Description | Data Type |
|---|---|---|
| accountId | The unique identifier of the organization. | String |
| eventId | The unique identifier of the event. | String |
| eventName | The name of the event. | String |
| eventTime | The event timestamp in ISO 8601 format. | String |
| eventFormatVersion | The event log format version. | String |
| operator | Information of who did the operation. If its missing, the Sumo service was the operator. | JSON object of Strings |
| subsystem | The product area of the event. | String |
{
"content": {
"type": "search",
"name": "this search should be packaged NHAXoOdq80o1ZKZ",
"description": "savedSearch"
},
"operator": {
"email": "searchservice_test@demo.com",
"id": "0000000002F2438D",
"interface": "UI",
"sessionId": "go42n37za657ck0i3t4368",
"sourceIp": "50.18.133.252",
"type": "UserContext"
},
"contentIdentity": {
"type": "search",
"contentId": "0000000009B2636B",
"externalId": "000000000BFB73FE",
"name": "this search should be packaged NHAXoOdq80o1ZKZ"
},
"adminMode": false,
"accountId": "0000000000000131",
"eventId": "0234cc63-333c-4585-a78f-08517e5f9fd7",
"eventName": "ContentCreated",
"eventTime": "2018-12-11T21:37:33.950Z",
"eventFormatVersion": "1.0 beta",
"subsystem": "content"
}
Index retention period
By default, the retention period of the Audit Event index is the same as the retention period of your Default Partition. You can change the retention period by editing the relevant partitions, sumologic_audit_events and sumologic_system_events. For more information, see Edit a Partition.
