Skip to content

Audit Trail

Coralogix provides you with easy access to monitor the usage events of your team. 

When a team's Audit account is configured, it will gather all internal events that occur within your team.

By observing these events, you will track how your team uses Coralogix.

How does it work?

Under Settings on the right side click Audit Account.

Click on "Create New Audit Team"

Once the team is configured, you will be able to either open the activity of your entire team by clicking on "Open Audit History" or  monitoring the activity of a specific user by clicking on "User Audit History."

The links send you to the logs tab to view the event logs from the audit team.

Within this audit team, you will be able to enjoy all the Coralogix capabilities such as creating custom views, alerting on suspicious activity, creating visualizations, and enriching IP addresses both by security and geo-enrichment to monitor where your teams are gaining access. 

Are you a member of more than one team?

Once you have one audit team, you can attach it to other teams as well. 

Audit Team settings

The audit team has a plan of up to 0.025GB per day and 7 days of retention. 

The audit logs quota should be sufficient for audits, but if you wish to increase it, you can do it, and also, you can move the quota between teams using the quota management CLI.

Configuring an archive will allow you to store audit logs for a long time. As long as your bucket is live, you will be able to query these logs with our archive query feature. 

Admins in your team will automatically be added to the audit team once it is created and can access the data.

Audit Team Management

The audit team and its logs can be managed in the same way like your team. You can switch to the audit team:

You can track actions based on action_details.operation.action. For example, you can track logins with the following query:

action_details.operation.action:"POST:/api/v1/user/login"

A part of actions contain additional information under action_details.operation.operation_payload key.

A log example:

{
  actor:{
    type:user
    username:[email protected]
    account_id:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  }
  action_details:{
    source_type:HTTP
    ip_address:::ffff:10.1.2.3
    operation:{
      action:POST:/api/v1/logquery
      user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
      operation_payload:{
        queryDef:{
          type:freeText
          pageSize:100
          queryParams:{
            query:{
              text:test query
              type:exact
              templateIds:[]
            }
            templateIds:[]
            metadata:{
              applicationName:[]
              subsystemName:[]
              severity:[
                1
                2
                3
                4
                5
                6
              ]
            }
            jsonObject:{}
            jsonAggFields:[]
            aggregationInterval:1000
            externalFilters:{
              teams:[]
            }
            selectedLogs:[]
          }
          sortModel:[
            {
              field:timestamp
              ordering:desc
              missing:_last
            }
          ]
          endDate:1631256696661
          startDate:1631255796661
          tagId:-1
          selectedViewId:-1
          pageIndex:0
          cacheQueryId:30zpfB11QzT
        }
      }
    }
    result:{
      succeeded:true
      status_code:200
    }
  }
  action_start_timestamp:1631256697042
  action_type:crud
  audit_schema_version:v1
  action:{
    team_id:8868
    team_name:cs-test-medium
    description:get tags
  }
}

Here is the list of the most common actions which include action_details.operation.operation_payload key:

POST:/api/v1/logquery/savedSave log query
POST:/api/v1/logsparser/rules/groupRules - New parsing rule group
POST:/api/v1/logsparser/groups/reorderRules - Rule groups reorder
POST:/api/v1/archiveprovidersArchive - Configure S3 Archive bucket
POST:/api/v1/archiveproviders/editArchive - Edit S3 Archive bucket configuration
POST:/api/v1/inviteInvites - An invitation sent
POST:/api/v1/invite/request/approveInvites - A user was approved
POST:/api/v1/invite/request/declineInvites - A user was declined
POST:/api/v1/user/forgotpassword/:keyPassword - Changes the password from the forgot password email
POST:/api/v1/user/forgotpasswordPassword - Send forgot password email
POST:/api/v1/user/changepasswordPassword - Change password
POST:/api/v1/user/team/switchLog out / switch team
POST:/api/v1/companies/:companyId/rbac/groupsGroups - Get all RBAC groups
POST:/api/v1/companies/:companyId/rbac/groups/:groupId/rolesGroups - Add RBAC group role for group
POST:/api/v1/rbac/:companyId/users/:userId/removeFromGroupGroups - Remove user from RBAC group
POST:/api/v1/rbac/:companyId/users/:userId/moveToGroupGroups - Move user to different RBAC group
POST:/api/v1/rbac/:companyId/users/:userId/addToGroupGroups - Add user to RBAC group
POST:/api/v1/rbac/:companyId/users/:userId/addUserToGroupsGroups - Add user to RBAC groups
POST:/api/v1/rbac/:companyId/users/:userId/removeUserFromGroupsGroups - Remove user to RBAC groups
POST:/api/v1/company/saml/metadataSAML - Update SAML metadata
PUT:/api/v1/company/samlSAML - Get company SAML configuration
POST:/api/v1/alert/:id/snoozeAlerts - Snooze alert
POST:/api/v1/alert/snoozedAlerts - Get all snoozed alert
POST:/api/v1/customenrichments/getUploadUrlCustom Enrichment - Upload custom enrichment csv
POST:/api/v1/cloudsecurity/installCloud Security - Installation
POST:/api/v1/cloudsecurity/getstatusCloud Security - Get installation status
POST:/api/v1/rulesapi/crud/rulesetRules - Create rule-set
PUT:/api/v1/rulesapi/ruleset/reorderRules - Reorder rule set
POST:/api/v1/archivequeriesArchive query - New archive query
POST:/api/v1/archivequeries/:id/reindexArchive query - Create new archive query reindex
POST:/api/v1/archivequeries/:id/reindex/:reindexId/queryArchive query - Cache reindex query
POST:/api/v1/quota-policiesTCO Optimizer - Create quota policy
PUT:/api/v1/quota-policies/reorderTCO Optimizer - Reorder quota policies
PUT:/api/v1/quota-policies/:idTCO Optimizer - Update quota policy
PUT:/api/v1/quota-policies/toggle/:idTCO Optimizer - Toggle quota policy
PUT:/api/v1/quota-overridesTCO Optimizer - Create quota override
POST:/api/v1/external/alertsAlerts - Add new alert
POST:/api/v1/external/alerts/bulkAlerts - Add new alerts
PUT:/api/v1/external/alertsAlerts - Update alert
POST:/api/v1/external/groupRules - Create rule parsing group
PUT:/api/v1/external/group/:parsingThemeIdRules - Update rule parsing group
PUT:/api/v1/external/group/toggle/:parsingThemeIdRules -  Toggle rule parsing group
POST:/api/v1/external/rule/:parsingThemeIdRules - Add parsing rule to parsing group
PUT:/api/v1/external/rule/:ruleId/group/:parsingThemeIdRules - Update parsing rule
POST:/api/v1/external/rules/exportRules - Export rules
POST:/api/v1/external/actions/ruleRules - Add parsing rule group
PUT:/api/v1/external/actions/rule/:groupIdRules - Update parsing rule group
POST:/api/v1/external/action/rule/:groupIdRules - Create parsing rule group
PUT:/api/v1/external/action/:ruleId/rule/:groupIdRules - Update parsing rule
PUT:/api/v1/external/customenrichments/:customEnrichmentIdCustom Enrichment - Update custom enrichment
POST:/api/v1/external/tagsTags - Get new tag
POST:/api/v1/external/bitbucketTags - Get new Bitbucket tag
POST:/api/v1/external/tfsTags - Get new tfs tag
POST:/api/v1/external/gitlabTags - Get new Gitlab tag
POST:/api/v1/external/tco/policiesTCO Optimizer - Create new policy
PUT:/api/v1/external/tco/policies/reorderTCO Optimizer - Reorder policies
PUT:/api/v1/external/tco/policies/:idTCO Optimizer - Update policy
PUT:/api/v1/external/tco/policies/:id/toggleTCO Optimizer - Toggle policy
POST:/api/v1/external/tco/overridesTCO Optimizer - Add new TCO override
POST:/api/v1/external/tco/overrides/bulkTCO Optimizer - Add new TCO overrides
POST:/api/v1/user/settings/es_api_keyAPI Access - Generate new Logs Query Key for user
POST:/api/v1/user/settings/teams_api_keyAPI Access - Generate new Teams API Key for user
POST:/api/v1/payment/subscriberPlan - Subscribe to payment
POST:/api/v1/payment/unsubscribePlan - Unsubscribe to payment
POST:/api/v1/payment/changePlanPlan - Change payment plan

As mentioned, the audit team behavior is the same as any team so you can also set alerts to be notified about particular actions.