Audit Logging

LogScale generates audit log events on many user actions. These events are designed with GDPR requirements in mind and come in two variants: sensitive and non-sensitive, to make the audit trail trustworthy, by making the sensitive actions not mutable through LogScale.

Sensitive events include:

  • Assignment of roles to groups on repositories

  • Changing retention settings on repositories

  • Deleting repositories and datasources and similar actions.

They are tagged with #sensitive="true". Non-sensitive events are tagged as #sensitive="false".

All audit log events are written to the internal repository humio-audit, and to the Log4j2 logger named HUMIOAUDITLOG, which by default writes to the file ${humio.auditlog.dir}/humio-audit.log.

Retention

The repository humio-audit has special retention rules that depend on the sensitive value. Sensitive logs are deleted by retention only when they are too old, after 200 years (i.e., basically, to keep forever).

Non-sensitive logs are deleted according to the regular retention settings for the repository.

Logged Sensitive Events

Audit logging tracks the following events; for a detailed list of the format and structure of these events.

  • Create or delete a repository. Attributes include dataspaceID

  • Set Retention on a repository. Attributes include originalSizeInBytes, sizeInBytes, timeInMillis, backupAfterMillis only listing those that are set.

  • Create user

  • Update user

  • Delete user

  • Group membership change

  • Role update or role change for a group in a repository

  • Configuration of ingest listeners

  • Adding, removing, or changing ingest tokens

  • Adding, removing, or changing parsers

  • Adding, removing, or changing alerts

  • Adding, removing, or changing scheduled searches

  • Adding, removing, or changing actions

  • Managing the cluster nodes

  • Adding, removing, or changing event forwarders

  • Adding, removing, or changing event forwarding rules

  • Changing status of backend feature flags

  • Changing status of ioc-access on an organization

  • Adding, removing, or changing ingestion of FDR data

Logged Non-Sensitive Events

The following non-sensitive event types are logged:

  • Sign in to LogScale: this event is logged in two situations:

    • When using Auth0, this event is logged only once, when the user signs in the first time and is assigned a local UUID.

    • When using LDAP, LogScale logs every time the user verifies their username/password combination.

  • Query: Every time a query is submitted on behalf of the user, either trough the UI or API using the API-token of a user.

    Note

    Read-only dashboards are not logged here.

Permissions & Enforce Auditable Mode

Root users are by default allowed to query the data stored in a repository, add and remove users, delete data, and set retention. In other words, unrestricted access to all data in the LogScale cluster.

  • Root users can no longer query the repository unless the user has explicit permission through a group membership.

  • Root users can not set retention on repositories unless the root user has explicit permission through a group membership.

  • Root users can not delete data from repositories unless the root user has explicit permission through a group membership.

Root users can always:

  • Add users to a repository and remove users from a repository, and change their permissions on the repository. This includes adding the root user itself to a repository.

  • Perform cluster related administration tasks, such as adding and deleting servers.

  • Manage ingest listeners and tokens.

Audit Logging in Falcon LogScale Collector

For information on audit logs when working in Falcon LogScale Collector, see Falcon LogScale Collector