Skip to content

Audit system usage

Lightrun maintains a record of your organization's Lightrun system usage, which is crucial for observing continuous compliance, performing system audits, and maintaining security.

The stored events include data about activities related to the Management Portal, Lightrun plugins, and agents. With the Lightrun audit events, you can answer questions such as:

  • How is a specific user in your organization using Lightrun?
  • What changes have been made to your organization’s account, and when?
  • Who made a particular change, and when?
  • Who created an agent or action, and when?

View captured events in the Management Portal

You can view a brief overview of all captured events in your Management portal.

To view audited events
  1. Log in to your Lightrun account.
  2. Click Settings on the top right-hand side of your screen to navigate to the Settings dashboard.
  3. Select Audit events under Security in the Settings dashboard sidebar.

The Audits page should appear similar to the following image:

Audits list

The following table describes the data available in the Audit table:

Data Description
Date Date of activity.
USER Username of who performed the activity, including automated system actions.
STATE State of the Activity.
EXTRA DATA More data from the activity. See Events Type below for a list of all events audited by Lightrun and their metadata.

Filter Audit table

You can filter the Audit table in two ways:

To filter the Audit table based on a specific date range
  1. Enter the start date by clicking on the From input. From date --quarter

  2. Enter the end date by clicking on the To input. To date --quarter

The data filter will be automatically applied after selecting any of the two options.

To filter the Audit table by specifying custom conditions
  1. Click the filter icon Filter --icon next to the date fields. A menu appears that allows you to filter on various conditions. Custom filter

  2. Populate the present fields with your preferred conditions. The Audit table will be updated automatically.

Audit events retention

The default retention period for captured events is 30 days. For advanced capabilities, such and extended timeframe and the use of an external event storage, please reach out to our support team.

Events and events metadata

Stored events

The following table describes a list of events stored by Lightrun and their corresponding metadata.

Event Actor Description Metadata
create action success Agent/User New action creation was successful. - Action Metadata
- Agent Metadata
- User Metadata
create action failure Agent/User Action creation failed due to an error_message. - Action Metadata
- Agent Metadata
- User Metadata
create new user User, System New user was created successfully or failed due to an error_message. User Metadata, System Metadata
delete user User User was deleted successfully or failed due to an error_message. User Metadata
create agent success Agent Action was created successfully. - Action Metadata
- Agent Metadata
- User Metadata
create agent failed Agent Action creation failed due to an error_message. - Action Metadata
- Agent Metadata
- User Metadata
remove agent success Agent Action was removed successfully. - Action Metadata
- Agent Metadata
- User Metadata
integration added User New integration was added successfully. User Metadata
daily exception limit reached System Daily exception limit reached. System Metadata
change company name User Organization was renamed successfully or failed due to an error_message. User Metadata
tag created System New METADATA TAG added to organization’s account. User Metadata
authentication Success User User was authenticated successfully. User Metadata

Events metadata

User metadata

The following table describes the data available in the User metadata.

Data Description
user_id User ID value.
user_name User name.
user_types User type.
user_group User group.

Action metadata

The following table describes the data available in the Action metadata.

Data Description
action_type Action type:
- Log
- Metrics
- Snapshot
action_id Action ID.
condition Action conditions.
expression Action expression.
file_name, line Action filename and line.
ignore_qouta Action ignore_qouta configuration.
max_hit_count Action max_hit_count value.

System metadata

The following table describes the data available in the System metadata.

Data Description
operation_type System operation type.
executor_ip System IP address.
message System operation message.
operation_result System operation result.
actor Event actor.
target Event target.

Agent metadata

The following table describes the data available in the Agent metadata.

Data Description
agent_api_version Agent API version.
agent_ip Agent IP address.
agent_id Agent ID value.
agent_name Agent name.
agent_os Agent OS.
agent_pid Agent PID value.
agent_version Agent version.
runtime environment Runtime environment.
log_piping Agent configured routing value.
source Agent source.

Export captured events

Lightrun provides two options for exporting captured system events.

Export to a CSV file

To export your captured system events to a CSV file
  1. Log in to your Lightrun account.
  2. Click Settings on the top right-hand side of your screen to navigate to the Settings dashboard.
  3. Select Audit events under Security in the Settings dashboard sidebar.
  4. Apply the necessary filters to the Audit table. See Filter Audit table for more information.
  5. Click the Export as CSV button to download the .csv file.

The exported .csv file will have the following naming format lightrun-audit-events-<timestamp>.csv.

Important

The CSV export feature is limited to a maximum of 1,000 records. If you require more, please contact our support team for alternative solutions.

CSV file fields

The following fields will be present in the exported CSV file.

Fields Description
Date Date of activity.
Actor type Event actor, can be:
- Agent pool
- Agent
- System
- User.
Actor Event actor, can be:
-Agent pool name
-User email
- Agent ID.
ID Event ID.
Agent Pool Name of agent pool whose agent were used to register the action.
Event Type Event type.
Result Outcome of the event (success or failure).
EXTRA DATA More data from the activity. See Events Type below for a list of all events audited by Lightrun and their metadata.

Export to SysLog

Lightrun captures all events made by every user associated with your organization and stores the event in Amazon S3 buckets in a Syslog file format.

Important

The option to access audit events in Amazon S3 buckets is not available to every Lightrun account. Please reach out to our support team for more information.

Audit events retention (AWS S3 buckets)

The audit events S3 buckets are updated daily and have a default retention period of 24 months. Please contact our support team for more information on configuring your organization’s audit event retention period.

SysLog file format

Lightrun Audit events data are stored in Amazon S3 in a Syslog file format. The following code sample describes an example audit event for an agent-removed event.

1
2
3
1 2022-08-29T12:19:51Z 10.50.29.9 Lightrun 72850 
[actorId=d885cc7b-344f-44aa-a853-0a261a844d8d eventType=delete event=REMOVED_AGENT_SUCCESS outcome=success]
[runtime_environment=Java agent_id=d885cc7b-344f-44aa-a853-0a261a844d8d agent_name=shiran-Latitude-7410 (pid 72850) api_version=1.7 log_piping=BOTH agent_os=linux agent_pid=72850 agent_version=1.7.0-rc4.de87b07b3]
The Syslog message has the following format:

The following table describes the data in the Header part of the audit event data.

Data Description
Version Syslog protocol version
TimeStamp The time when the audit log was created in an ISO 8601 format.
HostName The machine that sent the events data
PROCID The log Process ID which can be used to further identify the sender of the audit log.
MSGID Audit log message ID.
- authn
- creation
- access
- change
- deletion
Structured data

The following table describes the data in the Structured Data part of the audit event.

Data Description
Actor type Event actor, can be:
- Agent
- System
- User
Actor ID Event actor ID. For example, User ID, Agent ID, or System ID.
Event The event that created the audit log. See Events Type below for a list of all events audited by Lightrun.
Event Type Event type, can be:
- authentication
- creation
- access
- change
- deletion
Outcome Event outcome, can be:
- success
- failure
- unknown
Target Event target.
Details Event details.
Message

Event metadata. See Events Type above for a list of all events audited by Lightrun and their metadata.


Last update: December 18, 2024