Audit Trail
Coralogix gives you easy access to your team's usage events.
Once an Audit account is configured for a team, it collects every internal event that occurs within that team.
By reviewing these events you can track how your team uses Coralogix.
How does it work?
Under Settings (on the right side), click Audit Account.
Click “Create New Audit Team”.
Once the team is configured, you can either open the activity of your entire team by clicking “Open Audit History” or monitor the activity of a specific user by clicking “User Audit History.”
Both links take you to the Logs tab, where you can view the event logs collected by the audit team.
Within this audit team you have all the usual Coralogix capabilities: creating custom views, alerting on suspicious activity, building visualizations, and enriching IP addresses with both security and geo-enrichment, so you can see where your teams are being accessed from.
Are you a member of more than one team?
Once you have an audit team, you can attach it to your other teams as well.
Audit Team settings
The audit team's plan allows up to 0.025GB per day with 7 days of retention.
This quota should be sufficient for audits. If you need more, you can increase it, and you can also move quota between teams using the quota management CLI.
Configuring an archive will allow you to store audit logs for a long time. As long as your bucket is live, you will be able to query these logs with our archive query feature.
Admins in your team will automatically be added to the audit team once it is created and can access the data.
Audit Team Management
The audit team and its logs are managed in the same way as your own team, and you can switch to the audit team like any other team.
You can track actions based on the action_details.operation.action key. For example, you can track logins with the following query:
Some actions carry additional information under the action_details.operation.operation_payload key.
A log example:
{
  "actor": {
    "type": "user",
    "username": "[email protected]",
    "account_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  },
  "action_details": {
    "source_type": "HTTP",
    "ip_address": "::ffff:10.1.2.3",
    "operation": {
      "action": "POST:/api/v1/logquery",
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84",
      "operation_payload": {
        "queryDef": {
          "type": "freeText",
          "pageSize": 100,
          "queryParams": {
            "query": {
              "text": "test query",
              "type": "exact",
              "templateIds": []
            },
            "templateIds": [],
            "metadata": {
              "applicationName": [],
              "subsystemName": [],
              "severity": [1, 2, 3, 4, 5, 6]
            },
            "jsonObject": {},
            "jsonAggFields": [],
            "aggregationInterval": 1000,
            "externalFilters": {
              "teams": []
            },
            "selectedLogs": []
          },
          "sortModel": [
            {
              "field": "timestamp",
              "ordering": "desc",
              "missing": "_last"
            }
          ],
          "endDate": 1631256696661,
          "startDate": 1631255796661,
          "tagId": -1,
          "selectedViewId": -1,
          "pageIndex": 0,
          "cacheQueryId": "30zpfB11QzT"
        }
      }
    },
    "result": {
      "succeeded": true,
      "status_code": 200
    }
  },
  "action_start_timestamp": 1631256697042,
  "action_type": "crud",
  "audit_schema_version": "v1",
  "action": {
    "team_id": 8868,
    "team_name": "cs-test-medium",
    "description": "get tags"
  }
}
Here is the list of the most common actions whose events include the action_details.operation.operation_payload key:
Action | Description |
POST:/api/v1/logquery/saved | Save log query |
POST:/api/v1/logsparser/rules/group | Rules - New parsing rule group |
POST:/api/v1/logsparser/groups/reorder | Rules - Rule groups reorder |
POST:/api/v1/archiveproviders | Archive - Configure S3 Archive bucket |
POST:/api/v1/archiveproviders/edit | Archive - Edit S3 Archive bucket configuration |
POST:/api/v1/invite | Invites - An invitation sent |
POST:/api/v1/invite/request/approve | Invites - A user was approved |
POST:/api/v1/invite/request/decline | Invites - A user was declined |
POST:/api/v1/user/forgotpassword/:key | Password - Changes the password from the forgot password email |
POST:/api/v1/user/forgotpassword | Password - Send forgot password email |
POST:/api/v1/user/changepassword | Password - Change password |
POST:/api/v1/user/team/switch | Log out / switch team |
POST:/api/v1/companies/:companyId/rbac/groups | Groups - Get all RBAC groups |
POST:/api/v1/companies/:companyId/rbac/groups/:groupId/roles | Groups - Add RBAC group role for group |
POST:/api/v1/rbac/:companyId/users/:userId/removeFromGroup | Groups - Remove user from RBAC group |
POST:/api/v1/rbac/:companyId/users/:userId/moveToGroup | Groups - Move user to different RBAC group |
POST:/api/v1/rbac/:companyId/users/:userId/addToGroup | Groups - Add user to RBAC group |
POST:/api/v1/rbac/:companyId/users/:userId/addUserToGroups | Groups - Add user to RBAC groups |
POST:/api/v1/rbac/:companyId/users/:userId/removeUserFromGroups | Groups - Remove user from RBAC groups |
POST:/api/v1/company/saml/metadata | SAML - Update SAML metadata |
PUT:/api/v1/company/saml | SAML - Get company SAML configuration |
POST:/api/v1/alert/:id/snooze | Alerts - Snooze alert |
POST:/api/v1/alert/snoozed | Alerts - Get all snoozed alerts |
POST:/api/v1/customenrichments/getUploadUrl | Custom Enrichment - Upload custom enrichment CSV |
POST:/api/v1/cloudsecurity/install | Cloud Security - Installation |
POST:/api/v1/cloudsecurity/getstatus | Cloud Security - Get installation status |
POST:/api/v1/rulesapi/crud/ruleset | Rules - Create rule-set |
PUT:/api/v1/rulesapi/ruleset/reorder | Rules - Reorder rule set |
POST:/api/v1/archivequeries | Archive query - New archive query |
POST:/api/v1/archivequeries/:id/reindex | Archive query - Create new archive query reindex |
POST:/api/v1/archivequeries/:id/reindex/:reindexId/query | Archive query - Cache reindex query |
POST:/api/v1/quota-policies | TCO Optimizer - Create quota policy |
PUT:/api/v1/quota-policies/reorder | TCO Optimizer - Reorder quota policies |
PUT:/api/v1/quota-policies/:id | TCO Optimizer - Update quota policy |
PUT:/api/v1/quota-policies/toggle/:id | TCO Optimizer - Toggle quota policy |
PUT:/api/v1/quota-overrides | TCO Optimizer - Create quota override |
POST:/api/v1/external/alerts | Alerts - Add new alert |
POST:/api/v1/external/alerts/bulk | Alerts - Add new alerts |
PUT:/api/v1/external/alerts | Alerts - Update alert |
POST:/api/v1/external/group | Rules - Create rule parsing group |
PUT:/api/v1/external/group/:parsingThemeId | Rules - Update rule parsing group |
PUT:/api/v1/external/group/toggle/:parsingThemeId | Rules - Toggle rule parsing group |
POST:/api/v1/external/rule/:parsingThemeId | Rules - Add parsing rule to parsing group |
PUT:/api/v1/external/rule/:ruleId/group/:parsingThemeId | Rules - Update parsing rule |
POST:/api/v1/external/rules/export | Rules - Export rules |
POST:/api/v1/external/actions/rule | Rules - Add parsing rule group |
PUT:/api/v1/external/actions/rule/:groupId | Rules - Update parsing rule group |
POST:/api/v1/external/action/rule/:groupId | Rules - Create parsing rule group |
PUT:/api/v1/external/action/:ruleId/rule/:groupId | Rules - Update parsing rule |
PUT:/api/v1/external/customenrichments/:customEnrichmentId | Custom Enrichment - Update custom enrichment |
POST:/api/v1/external/tags | Tags - Get new tag |
POST:/api/v1/external/bitbucket | Tags - Get new Bitbucket tag |
POST:/api/v1/external/tfs | Tags - Get new TFS tag |
POST:/api/v1/external/gitlab | Tags - Get new GitLab tag |
POST:/api/v1/external/tco/policies | TCO Optimizer - Create new policy |
PUT:/api/v1/external/tco/policies/reorder | TCO Optimizer - Reorder policies |
PUT:/api/v1/external/tco/policies/:id | TCO Optimizer - Update policy |
PUT:/api/v1/external/tco/policies/:id/toggle | TCO Optimizer - Toggle policy |
POST:/api/v1/external/tco/overrides | TCO Optimizer - Add new TCO override |
POST:/api/v1/external/tco/overrides/bulk | TCO Optimizer - Add new TCO overrides |
POST:/api/v1/user/settings/es_api_key | API Access - Generate new Logs Query Key for user |
POST:/api/v1/user/settings/teams_api_key | API Access - Generate new Teams API Key for user |
POST:/api/v1/payment/subscriber | Plan - Subscribe to payment |
POST:/api/v1/payment/unsubscribe | Plan - Unsubscribe from payment |
POST:/api/v1/payment/changePlan | Plan - Change payment plan |
As mentioned, the audit team behaves like any other team, so you can also set alerts to be notified about particular actions.
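The two ideas above, tracking events by action_details.operation.action and alerting on particular actions, can be prototyped offline before building the alert in the UI. The following is an added example written for this page, not Coralogix code: it takes audit events in the schema of the log example above (actor, action_details, result), maps each action to its description using a subset of the table (route parameters such as :userId are treated as wildcards, on the assumption that the log may record either the template or the concrete path), and reports events that fall into categories a reviewer chooses to treat as sensitive or that did not succeed. Which categories are "sensitive", the triage function itself, and the sample events are all assumptions of this example; the sample events are constructed, with RFC 5737 addresses, and are not real audit logs.

```python
"""Triage Coralogix-style audit events by action_details.operation.action.

Added example (not Coralogix's own code). The event shape follows the audit
log example on this page; the sensitive-category list and sample events are
assumptions constructed for illustration.
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional

# Subset of the page's action table. Segments starting with ':' are route parameters.
ACTION_DESCRIPTIONS: Dict[str, str] = {
    "POST:/api/v1/logquery/saved": "Save log query",
    "POST:/api/v1/user/changepassword": "Password - Change password",
    "POST:/api/v1/company/saml/metadata": "SAML - Update SAML metadata",
    "POST:/api/v1/rbac/:companyId/users/:userId/addToGroup": "Groups - Add user to RBAC group",
    "POST:/api/v1/user/settings/es_api_key": "API Access - Generate new Logs Query Key for user",
    "POST:/api/v1/user/settings/teams_api_key": "API Access - Generate new Teams API Key for user",
}

# Assumption: the reviewer wants an alert for identity, access and credential changes.
SENSITIVE_CATEGORIES = {"SAML", "API Access", "Groups", "Password"}


def _template_to_regex(template: str) -> "re.Pattern":
    """Compile 'POST:/api/v1/rbac/:companyId/users/:userId/addToGroup' into a pattern
    that matches the template itself and concrete paths such as
    'POST:/api/v1/rbac/42/users/7/addToGroup' (assumed: logs may contain either)."""
    parts = [r"[^/]+" if p.startswith(":") else re.escape(p) for p in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


_COMPILED = [(_template_to_regex(t), t) for t in ACTION_DESCRIPTIONS]


def describe_action(action: str) -> Optional[str]:
    """Return the table description for an action, or None if it is not in the table."""
    for pattern, template in _COMPILED:
        if pattern.match(action):
            return ACTION_DESCRIPTIONS[template]
    return None


def source_ip(event: dict) -> str:
    """Normalise IPv4-mapped IPv6 ('::ffff:10.1.2.3', as in the page's example) to '10.1.2.3'."""
    addr = ipaddress.ip_address(event["action_details"]["ip_address"])
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)


def triage(events: List[dict]) -> List[dict]:
    """Return one finding per event whose action is in a sensitive category or which failed."""
    findings = []
    for ev in events:
        action = ev["action_details"]["operation"]["action"]
        desc = describe_action(action)
        category = desc.split(" - ")[0] if desc and " - " in desc else None
        result = ev["action_details"].get("result", {})
        reasons = []
        if category in SENSITIVE_CATEGORIES:
            reasons.append(f"sensitive category: {category}")
        if not result.get("succeeded", True):
            reasons.append(f"failed with status {result.get('status_code')}")
        if reasons:
            findings.append({
                "actor": ev["actor"]["username"],
                "ip": source_ip(ev),
                "action": action,
                "description": desc or "(not in the page's table)",
                "reasons": reasons,
            })
    return findings


def _event(username: str, ip: str, action: str, succeeded: bool = True, status: int = 200) -> dict:
    """Build a constructed event in the page's schema (sample data, not a real log)."""
    return {
        "actor": {"type": "user", "username": username, "account_id": "00000000-0000-0000-0000-000000000000"},
        "action_details": {
            "source_type": "HTTP",
            "ip_address": ip,
            "operation": {"action": action, "user_agent": "example-agent/1.0", "operation_payload": {}},
            "result": {"succeeded": succeeded, "status_code": status},
        },
        "action_start_timestamp": 1631256697042,
        "action_type": "crud",
        "audit_schema_version": "v1",
    }


# Constructed sample: one routine query, one API key generation, one RBAC change, one failed SAML update.
SAMPLE_EVENTS = [
    _event("analyst@example.com", "::ffff:10.1.2.3", "POST:/api/v1/logquery"),
    _event("analyst@example.com", "::ffff:10.1.2.3", "POST:/api/v1/user/settings/teams_api_key"),
    _event("admin@example.com", "203.0.113.9", "POST:/api/v1/rbac/42/users/7/addToGroup"),
    _event("admin@example.com", "203.0.113.9", "POST:/api/v1/company/saml/metadata", succeeded=False, status=403),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run as a script it prints three findings: the routine log query is ignored, while the API key generation, the RBAC group change and the failed SAML update are reported with the actor, normalised source IP and the reason. The same category logic is what you would express as an alert condition on action_details.operation.action in the audit team itself.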