Skip to content

Audit system use

Lightrun maintains a record of your organization's Lightrun system usage, which is crucial for observing continuous compliance, performing system audits, and maintaining security.

The stored audit logs include data about activities related to the Management Portal, Lightrun plugins, and agents. With the Lightrun audit logs, you can answer questions such as:

  • How is a specific user in your organization using Lightrun?
  • What changes have been made to your organization’s account, and when?
  • Who made a particular change, and when?
  • Who created an agent or action, and when?

You can view a brief overview of all captured events in your Management portal.

To view audit logs in your Management Portal
  1. Log in to your Lightrun account.
  2. Click Settings on the top right hand side of your screen to navigate to the Settings dashboard.
  3. Select Audit events under Security in the Settings dashboard sidebar.

The Audits page should appear similar to the following image:

Audits list

Use the from and to fields to filter by date and the arrows at the bottom to navigate by page. The following table describes the data available in the Audit table:

Data Description
Date Date of activity.
USER Username of who performed the activity, including automated system actions.
STATE State of the Activity.
EXTRA DATA More data from the activity. See Events Type below for a list of all events audited by Lightrun and their metadata.

Events Type

The following table describes a list of events stored by Lightrun and their corresponding metadata.

Event Actor Description Metadata
create action success Agent/User New action creation was successful. - Action Metadata
- Agent Metadata
- User Metadata
create action failure Agent/User Action creation failed due to an error_message. - Action Metadata
- Agent Metadata
- User Metadata
create new user User, System New user was created successfully or failed due to an error_message. User Metadata, System Metadata
delete user User User was deleted successfully or failed due to an error_message. User Metadata
create agent success Agent Action was created successfully. - Action Metadata
- Agent Metadata
- User Metadata
create agent failed Agent Action creation failed due to an error_message. - Action Metadata
- Agent Metadata
- User Metadata
remove agent success Agent Action was removed successfully. - Action Metadata
- Agent Metadata
- User Metadata
integration added User New integration was added successfully. User Metadata
daily exception limit reached System Daily exception limit reached. System Metadata
change company name User Organization was renamed successfully or failed due to an error_message. User Metadata
tag created System New METADATA TAG added to organization’s account. User Metadata
authentication Success User User was authenticated successfully. User Metadata

Events Metadata

User Metadata

The following table describes the data available in the User metadata.

Data Description
user_id User ID value.
user_name User name.
user_types User type.
user_group User group.

Action Metadata

The following table describes the data available in the Action metadata.

Data Description
action_type Action type:
- Log
- Metrics
- Snapshot
action_id Action ID.
condition Action conditions.
expression Action expression.
file_name, line Action filename and line.
ignore_qouta Action ignore_qouta configuration.
max_hit_count Action max_hit_count value.

System Metadata

The following table describes the data available in the System metadata.

Data Description
operation_type System operation type.
executor_ip System IP address.
message System operation message.
operation_result System operation result.
actor Event actor.
target Event target.

Agent Metadata

The following table describes the data available in the Agent metadata.

Data Description
agent_api_version Agent API version.
agent_ip Agent IP address.
agent_id Agent ID value.
agent_name Agent name.
agent_os Agent OS.
agent_pid Agent PID value.
agent_version Agent version.
runtime environment Runtime environment.
log_piping Agent configured routing value.
source Agent source.

Exporting audit logs

Lightrun captures all events made by every user associated with your organization and stores the event in Amazon S3 buckets in a Syslog file format.

Important

The option to access audit logs in Amazon S3 buckets is not available to every Lightrun account. Please reach out to our support team for more information.

Audit log retention

The audit logs S3 buckets are updated daily and have a default retention period of 24 months. Please contact our support team for more information on configuring your organization’s audit logs retention period.

Audit log format

Lightrun Audit logs data are stored in Amazon S3 in a Syslog file format. The following code sample describes an example audit log for an agent-removed event.

1
2
3
1 2022-08-29T12:19:51Z 10.50.29.9 Lightrun 72850 
[actorId=d885cc7b-344f-44aa-a853-0a261a844d8d eventType=delete event=REMOVED_AGENT_SUCCESS outcome=success]
[runtime_environment=Java agent_id=d885cc7b-344f-44aa-a853-0a261a844d8d agent_name=shiran-Latitude-7410 (pid 72850) api_version=1.7 log_piping=BOTH agent_os=linux agent_pid=72850 agent_version=1.7.0-rc4.de87b07b3]
The Syslog message has the following format:

The following table describes the data in the Header part of the audit log data.

Data Description
Version Syslog protocol version
TimeStamp The time when the audit log was created in an ISO 8601 format.
HostName The machine that sent the events data
PROCID The log Process ID which can be used to further identify the sender of the audit log.
MSGID Audit log message ID.
- authn
- creation
- access
- change
- deletion

Structured Data

The following table describes the data in the Structured Data part of the audit log.

Data Description
Actor type Event actor, can be:
- Agent
- System
- User
Actor ID Event actor ID. For example, User ID, Agent ID, or System ID.
Event The event that created the audit log. See Events Type below for a list of all events audited by Lightrun.
Event Type Event type, can be:
- authentication
- creation
- access
- change
- deletion
Outcome Event outcome, can be:
- success
- failure
- unknown
Target Event target.
Details Event details.

Message

Event metadata. See Events Type above for a list of all events audited by Lightrun and their metadata.


Last update: May 29, 2023