Audit Logging
LogScale generates audit log events for many user actions. These events are designed with GDPR requirements in mind and come in two variants, sensitive events and non-sensitive events; sensitive events cannot be modified through LogScale, which keeps the audit trail trustworthy.
All audit log events are written to the internal repository humio-audit, and to the Log4j2 logger named HUMIOAUDITLOG, which by default writes to the file ${humio.auditlog.dir}/humio-audit.log.
For a detailed list of the format and structure of these events, see The humio-audit Repository.
Retention
The humio-audit repository has special retention rules that depend on the value of the sensitive tag. Sensitive logs are deleted only after 200 years.
Non-sensitive logs are deleted according to the regular retention settings for the repository.
Logged Sensitive Events
Sensitive events are audit log entries that record actions with significant security, compliance, or operational impact on the LogScale system. These events are considered sensitive because they:
Affect system security: Involve changes to user permissions, access controls, or authentication settings.
Impact data integrity: Include actions that could alter, delete, or compromise stored data.
Have compliance implications: Must be retained for regulatory requirements (GDPR, SOX, etc.).
Require immutable records: Cannot be modified once logged to ensure audit trail integrity.
Sensitive events are automatically tagged with #sensitive="true" and are subject to extended retention policies (200 years) to ensure permanent audit trails for compliance and forensic purposes. The following sensitive events are tracked (for detailed format and structure information, see The humio-audit Repository):
Create or delete a repository. Attributes include dataspaceID.
Set retention on a repository. Attributes include originalSizeInBytes, sizeInBytes, timeInMillis, backupAfterMillis, listing only those that are set.
Creating a user.
Updating a user.
Deleting a user.
Group membership changes.
Role update or role change for a group in a repository.
Configuration of ingest listeners.
Adding, removing, or changing ingest tokens.
Adding, removing, or changing parsers.
Adding, removing, or changing alerts.
Adding, removing, or changing scheduled searches.
Adding, removing, or changing actions.
Managing the cluster nodes.
Adding, removing, or changing event forwarders.
Adding, removing, or changing event forwarding rules.
Changing status of backend feature flags.
Changing status of ioc-access on an organization.
Adding, removing, or changing ingestion of FDR data.
Logged Non-Sensitive Events
Non-sensitive events are tagged as #sensitive="false". The following non-sensitive event types are logged:
Sign in to LogScale: this event is logged in two situations:
When using Auth0, this event is logged only once, when the user signs in for the first time and is assigned a local UUID.
When using LDAP, LogScale logs every time the user verifies their username/password combination.
Query: Every time a query is submitted on behalf of the user, either through the UI or API using the API token of a user.
Note: Read-only dashboards are not logged here.
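The retention rule and the sensitive/non-sensitive split described above, as an added example that is not part of the LogScale documentation or product code: it triages constructed audit lines by their sensitive tag, applies the 200-year retention to sensitive events and the repository's regular retention to the rest, and counts sensitive actions per actor, which is the first view an audit reviewer usually wants. The field names (@timestamp, type, actor, sensitive) and the JSON-per-line layout are assumptions for illustration; the real humio-audit event format is documented in The humio-audit Repository and may differ.

```python
"""Added example, not LogScale's own code: triage constructed humio-audit
style events by the sensitive tag and apply the page's retention rules.

Assumptions (not taken from the page): the event fields '@timestamp',
'type', 'actor' and 'sensitive' are illustrative names, and the sample
lines below are constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Retention rule from the page: sensitive events are kept for 200 years;
# non-sensitive events follow the repository's regular retention setting.
SENSITIVE_RETENTION = timedelta(days=200 * 365)  # 200 years, 365-day approximation

# Constructed sample audit lines (one JSON object per line), NOT real output.
SAMPLE_LINES = [
    '{"@timestamp": "2024-01-10T12:00:00Z", "type": "user.delete", "actor": "alice", "sensitive": "true"}',
    '{"@timestamp": "2024-01-10T12:05:00Z", "type": "query", "actor": "bob", "sensitive": "false"}',
    '{"@timestamp": "2024-01-10T12:06:00Z", "type": "ingesttoken.create", "actor": "alice", "sensitive": "true"}',
    '{"@timestamp": "2024-01-10T12:07:00Z", "type": "login", "actor": "carol", "sensitive": "false"}',
]


def parse_audit_line(line):
    """Parse one JSON audit line. The sensitive tag is carried as the
    string "true"/"false", so normalise it to a bool and parse the timestamp."""
    event = json.loads(line)
    event["sensitive"] = str(event.get("sensitive", "false")).lower() == "true"
    event["@timestamp"] = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
    return event


def is_expired(event, now, repo_retention):
    """Apply the retention rule: 200 years for sensitive events, the
    repository's regular retention (a timedelta) for everything else."""
    limit = SENSITIVE_RETENTION if event["sensitive"] else repo_retention
    return now - event["@timestamp"] > limit


def triage(lines, now, repo_retention):
    """Split events into retained and expired, and count sensitive actions
    per actor so unusual bursts of sensitive changes stand out."""
    retained, expired, sensitive_by_actor = [], [], {}
    for line in lines:
        event = parse_audit_line(line)
        (expired if is_expired(event, now, repo_retention) else retained).append(event)
        if event["sensitive"]:
            sensitive_by_actor[event["actor"]] = sensitive_by_actor.get(event["actor"], 0) + 1
    return retained, expired, sensitive_by_actor


def run_sample():
    """Run the triage over the constructed sample as of a fixed reference
    time, with a 30-day regular retention for the repository (assumed)."""
    now = datetime(2024, 2, 15, tzinfo=timezone.utc)
    return triage(SAMPLE_LINES, now, repo_retention=timedelta(days=30))


if __name__ == "__main__":
    retained, expired, by_actor = run_sample()
    print("retained:", [e["type"] for e in retained])
    print("expired: ", [e["type"] for e in expired])
    print("sensitive actions per actor:", by_actor)
```

With a 30-day regular retention and a reference date of 15 February 2024, the two non-sensitive events from 10 January fall outside retention while the two sensitive events are kept, which is exactly the asymmetry the 200-year rule is meant to produce.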
Audit Logging in Falcon LogScale Collector
For information on audit logs when working in Falcon LogScale Collector, see Falcon LogScale Collector.