Audit system use
Lightrun maintains a record of your organization's Lightrun system usage, which is crucial for observing continuous compliance, performing system audits, and maintaining security.
The stored audit logs include data about activities related to the Management Portal, Lightrun plugins, and agents. With the Lightrun audit logs, you can answer questions such as:
- How is a specific user in your organization using Lightrun?
- What changes have been made to your organization’s account, and when?
- Who made a particular change, and when?
- Who created an agent or action, and when?
You can view a brief overview of all captured events in your Management Portal.
To view audit logs in your Management Portal
- Log in to your Lightrun account.
- Click Settings on the top right-hand side of your screen to navigate to the Settings dashboard.
- Select Audit events under Security in the Settings dashboard sidebar.
The Audits page should appear similar to the following image:
Use the from and to fields to filter by date and the arrows at the bottom to navigate by page. The following table describes the data available in the Audit table:
Data | Description |
---|---|
Date | Date of activity. |
USER | Username of who performed the activity, including automated system actions. |
STATE | State of the activity. |
EXTRA DATA | More data from the activity. See Events Type below for a list of all events audited by Lightrun and their metadata. |
Events Type
The following table describes a list of events stored by Lightrun and their corresponding metadata.
Event | Actor | Description | Metadata |
---|---|---|---|
create action success | Agent/User | New action creation was successful. | Action Metadata, Agent Metadata, User Metadata |
create action failure | Agent/User | Action creation failed due to an error_message. | Action Metadata, Agent Metadata, User Metadata |
create new user | User, System | New user was created successfully or failed due to an error_message. | User Metadata, System Metadata |
delete user | User | User was deleted successfully or failed due to an error_message. | User Metadata |
create agent success | Agent | Action was created successfully. | Action Metadata, Agent Metadata, User Metadata |
create agent failed | Agent | Action creation failed due to an error_message. | Action Metadata, Agent Metadata, User Metadata |
remove agent success | Agent | Action was removed successfully. | Action Metadata, Agent Metadata, User Metadata |
integration added | User | New integration was added successfully. | User Metadata |
daily exception limit reached | System | Daily exception limit reached. | System Metadata |
change company name | User | Organization was renamed successfully or failed due to an error_message. | User Metadata |
tag created | System | New METADATA TAG added to organization’s account. | User Metadata |
authentication Success | User | User was authenticated successfully. | User Metadata |
Events Metadata
User Metadata
The following table describes the data available in the User metadata.
Data | Description |
---|---|
user_id | User ID value. |
user_name | User name. |
user_types | User type. |
user_group | User group. |
Action Metadata
The following table describes the data available in the Action metadata.
Data | Description |
---|---|
action_type | Action type: Log, Metrics, or Snapshot. |
action_id | Action ID. |
condition | Action conditions. |
expression | Action expression. |
file_name, line | Action filename and line. |
ignore_qouta | Action ignore_qouta configuration. |
max_hit_count | Action max_hit_count value. |
System Metadata
The following table describes the data available in the System metadata.
Data | Description |
---|---|
operation_type | System operation type. |
executor_ip | System IP address. |
message | System operation message. |
operation_result | System operation result. |
actor | Event actor. |
target | Event target. |
Agent Metadata
The following table describes the data available in the Agent metadata.
Data | Description |
---|---|
agent_api_version | Agent API version. |
agent_ip | Agent IP address. |
agent_id | Agent ID value. |
agent_name | Agent name. |
agent_os | Agent OS. |
agent_pid | Agent PID value. |
agent_version | Agent version. |
runtime environment | Runtime environment. |
log_piping | Agent configured routing value. |
source | Agent source. |
Exporting audit logs
Lightrun captures all events made by every user associated with your organization and stores the events in Amazon S3 buckets in a Syslog file format.
Important
The option to access audit logs in Amazon S3 buckets is not available to every Lightrun account. Please reach out to our support team for more information.
Audit log retention
The audit log S3 buckets are updated daily and have a default retention period of 24 months. Please contact our support team for more information on configuring your organization’s audit log retention period.
Audit log format
Lightrun audit log data is stored in Amazon S3 in a Syslog file format. The following code sample shows an example audit log for an agent-removed event.
Header
The following table describes the data in the Header part of the audit log data.
Data | Description |
---|---|
Version | Syslog protocol version. |
TimeStamp | The time when the audit log was created, in ISO 8601 format. |
HostName | The machine that sent the event data. |
PROCID | The log process ID, which can be used to further identify the sender of the audit log. |
MSGID | Audit log message ID, one of: authn, creation, access, change, deletion. |
Structured Data
The following table describes the data in the Structured Data part of the audit log.
Data | Description |
---|---|
Actor type | Event actor, one of: Agent, System, User. |
Actor ID | Event actor ID. For example, User ID, Agent ID, or System ID. |
Event | The event that created the audit log. See Events Type above for a list of all events audited by Lightrun. |
Event Type | Event type, one of: authentication, creation, access, change, deletion. |
Outcome | Event outcome, one of: success, failure, unknown. |
Target | Event target. |
Details | Event details. |
Message
Event metadata. See Events Type above for a list of all events audited by Lightrun and their metadata.
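The following is an added example, not Lightrun code or a Lightrun log sample: a parser for exported audit lines that splits the Header, Structured Data, and Message parts described above, then counts failed events per actor. It assumes the lines follow the RFC 5424 syslog layout; the SD-ID `audit@32473`, the parameter names (`actorType`, `actorId`, `outcome`, and so on), and the sample lines are constructed stand-ins for the fields listed in the tables. Escaped quotes and brackets inside a value are unescaped rather than treated as field boundaries.

```python
import re
from collections import Counter

# Assumed RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER = re.compile(
    r"^<\d{1,3}>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"\S+ (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
NAME = r'[^\s=\]"]+'
VALUE = r'"(?:\\.|[^"\\])*"'  # quoted value in which \" \\ and \] are escaped
PARAM = re.compile(f"({NAME})=({VALUE})")
ELEMENT = re.compile(rf"\[{NAME}((?: {NAME}={VALUE})*)\]")


def parse_audit_line(line):
    """Split one audit line into header fields, structured data and message."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    rec = m.groupdict()
    rest, sd = rec.pop("rest"), {}
    if rest.startswith("-"):  # "-" means the line carries no structured data
        rest = rest[1:]
    else:
        while (elem := ELEMENT.match(rest)):
            for name, quoted in PARAM.findall(elem.group(1)):
                # Undo escaping so values compare equal to what was logged.
                sd[name] = re.sub(r'\\(["\\\]])', r"\1", quoted[1:-1])
            rest = rest[elem.end():]
    rec["sd"], rec["msg"] = sd, rest.lstrip(" ")
    return rec


def failures_by_actor(lines):
    """Count events whose outcome is 'failure', keyed by (actor type, actor ID)."""
    hits = Counter()
    for line in lines:
        sd = parse_audit_line(line)["sd"]
        if sd.get("outcome") == "failure":
            hits[(sd.get("actorType"), sd.get("actorId"))] += 1
    return hits


# Constructed sample lines; the SD-ID and parameter names are assumptions.
SAMPLE = [
    r'<86>1 2024-01-15T09:12:03Z portal-01 lightrun 4121 creation [audit@32473 actorType="User" actorId="u-1001" event="create action failure" eventType="creation" outcome="failure" target="action" details="bad \"condition\" [x\]"] action_type=Log',
    r'<86>1 2024-01-15T09:12:09Z portal-01 lightrun 4121 deletion [audit@32473 actorType="Agent" actorId="a-77" event="remove agent success" eventType="deletion" outcome="success" target="agent" details=""] agent_name=demo',
    r'<86>1 2024-01-15T09:13:40Z portal-01 lightrun 4121 creation [audit@32473 actorType="User" actorId="u-1001" event="create action failure" eventType="creation" outcome="failure" target="action" details="quota"] action_type=Snapshot',
]
```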