Audit Log
Humio generates audit log events for many user actions. The events are designed with GDPR requirements in mind and come in two variants, sensitive and non-sensitive. The split exists to make the audit trail trustworthy: sensitive events cannot be modified or deleted through Humio.
Sensitive events include:
Assignment of roles to groups on repositories
Changing retention settings on repositories
Deleting repositories and datasources, and similar actions
Sensitive events are tagged with #sensitive="true". Non-sensitive events are tagged with #sensitive="false".
All audit log events are written to the internal repository humio-audit, and to the Log4j2 logger named HUMIOAUDITLOG, which by default writes to the file ${humio.auditlog.dir}/humio-audit.log.
Retention
The repository humio-audit has special retention rules that depend on the sensitive value. Sensitive events are deleted by retention only when they are too old, which happens after 200 years (i.e., they are effectively kept forever). Non-sensitive events are deleted according to the regular retention settings for the repository.
Sensitive Events Logged
Create or delete a repository. Attributes include dataspaceID.
Set retention on a repository. Attributes include originalSizeInBytes, sizeInBytes, timeInMillis and backupAfterMillis, listing only those that are set.
Create user
Update user
Delete user
Group membership change
Role update or role change for a group in a repository
Configuration of ingest listeners
Adding, removing, or changing ingest tokens
Adding, removing, or changing parsers
Adding, removing, or changing alerts
Adding, removing, or changing scheduled searches
Adding, removing, or changing actions
Managing the cluster nodes
Adding, removing, or changing event forwarders
Adding, removing, or changing event forwarding rules
Changing status of backend feature flags
Changing status of ioc-access on an organization
Adding, removing, or changing ingestion of FDR data
Non-Sensitive Events Logged
Sign in to Humio: When using Auth0, this event is logged only once, when the user signs in for the first time and is assigned a local UUID. When using LDAP, Humio logs every time the user verifies their username/password combination.
Query: Every time a query is submitted on behalf of the user, either through the UI or through the API using a user's API token. Note: Read-only dashboards are not logged here.
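As an added example, not part of the original page and not Humio's own tooling, the following Python script triages a handful of constructed audit lines: it splits events by the #sensitive tag, reports retention changes with only the attributes that were actually set, counts sensitive actions per actor and event type, and applies the two-tier retention rule from the Retention section. It assumes one JSON object per line in the HUMIOAUDITLOG file and the field names timestamp, type and actor; those are illustrative, so check the real layout against a line from your own humio-audit.log before relying on this.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Attributes the page lists for "Set retention" events; only the ones that
# were actually set appear on the event.
RETENTION_ATTRS = ("originalSizeInBytes", "sizeInBytes", "timeInMillis", "backupAfterMillis")
# Sensitive events are kept for 200 years, i.e. effectively forever.
SENSITIVE_MAX_AGE = timedelta(days=365 * 200)

# Constructed sample lines, not real Humio output. One JSON object per line is
# an assumption about the HUMIOAUDITLOG file layout; the fields "timestamp",
# "type" and "actor" and the "type" values are illustrative.
SAMPLE_LOG = """\
{"timestamp": "2024-05-01T08:00:00Z", "#sensitive": "true", "type": "retention.update", "actor": "alice", "dataspaceID": "repo-prod", "sizeInBytes": 107374182400, "timeInMillis": 2592000000}
{"timestamp": "2024-05-01T08:05:12Z", "#sensitive": "false", "type": "query", "actor": "bob", "dataspaceID": "repo-prod"}
{"timestamp": "2024-05-01T08:07:41Z", "#sensitive": "true", "type": "repository.delete", "actor": "alice", "dataspaceID": "repo-staging"}
{"timestamp": "2024-05-01T09:00:00Z", "#sensitive": "false", "type": "login", "actor": "carol"}
{"timestamp": "2024-05-01T09:30:00Z", "#sensitive": "true", "type": "ingest-token.create", "actor": "bob", "dataspaceID": "repo-prod"}
this line is not JSON and must be reported, not silently dropped
"""

DEMO_NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # pretend "today"
DEMO_RETENTION = timedelta(days=30)                    # regular retention of the repo


def parse_audit_lines(text):
    """Parse one JSON event per line; malformed lines are collected, not fatal."""
    events, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, line))
            continue
        if not isinstance(event, dict):
            rejected.append((lineno, line))
            continue
        events.append(event)
    return events, rejected


def is_sensitive(event):
    """The page says sensitive events carry the tag #sensitive="true"."""
    return str(event.get("#sensitive", "false")).lower() == "true"


def event_time(event):
    # fromisoformat() needs an explicit offset on older Python versions.
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def retention_change(event):
    """Return only the retention attributes actually set on the event."""
    return {k: event[k] for k in RETENTION_ATTRS if k in event}


def sensitive_summary(events):
    """Count sensitive events per (actor, type): the first thing to review."""
    return Counter((e.get("actor", "?"), e.get("type", "?"))
                   for e in events if is_sensitive(e))


def retention_expired(event, now, regular_retention):
    """Two-tier rule from the page: sensitive events live 200 years,
    non-sensitive events follow the repository's regular retention."""
    age = now - event_time(event)
    limit = SENSITIVE_MAX_AGE if is_sensitive(event) else regular_retention
    return age > limit


def triage(text, now, regular_retention):
    events, rejected = parse_audit_lines(text)
    return {
        "events": len(events),
        "rejected": len(rejected),
        "sensitive": sum(1 for e in events if is_sensitive(e)),
        "by_actor_type": sensitive_summary(events),
        "retention_changes": [(e.get("actor"), e.get("dataspaceID"), retention_change(e))
                              for e in events if is_sensitive(e) and retention_change(e)],
        "expired": [e.get("type") for e in events
                    if retention_expired(e, now, regular_retention)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, DEMO_NOW, DEMO_RETENTION).items():
        print(f"{key}: {value}")
```

The rejected-line count matters: an audit pipeline that silently drops lines it cannot parse gives an attacker a way to hide activity behind malformed output, so the parser reports them rather than discarding them.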
Permissions & Enforce Auditable Mode
Root users are by default allowed to query the data stored in any repository, add and remove users, delete data, and set retention; in other words, they have unrestricted access to all data in the Humio cluster. When Enforce Auditable Mode is enabled, that changes:
Root users can no longer query a repository unless they have explicit permission through a group membership.
Root users cannot set retention on repositories unless they have explicit permission through a group membership.
Root users cannot delete data from repositories unless they have explicit permission through a group membership.
Root users can always:
Add users to a repository and remove users from a repository, and change their permissions on the repository. This includes adding the root user itself to a repository.
Perform cluster related administration tasks, such as adding and deleting servers.
Manage ingest listeners and tokens.
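To make the rules above concrete, here is an added example, not Humio's own code, that models them in Python. The Action names, the group and grant structures and the audit record shape are assumptions made for the illustration. What it shows is that in auditable mode a root user with no group membership is refused query, retention and delete, keeps user management and cluster administration, and can therefore still add itself to a repository; the difference is that this route now leaves sensitive audit events behind.

```python
from enum import Enum


class Action(Enum):
    QUERY = "query"
    SET_RETENTION = "set_retention"
    DELETE_DATA = "delete_data"
    MANAGE_USERS = "manage_users"    # add/remove users, change their permissions
    CLUSTER_ADMIN = "cluster_admin"  # add/delete servers
    MANAGE_INGEST = "manage_ingest"  # ingest listeners and tokens


# What the page says root users can always do, auditable mode or not.
ALWAYS_ROOT = {Action.MANAGE_USERS, Action.CLUSTER_ADMIN, Action.MANAGE_INGEST}


class Cluster:
    """Users, groups and the sensitive audit records produced by grants.

    Assumed structures: grants are keyed by (group, repo); an audit record is
    (sensitive, type, actor, details). Both are illustrations, not Humio's
    data model.
    """

    def __init__(self, auditable_mode):
        self.auditable_mode = auditable_mode
        self.roots = set()
        self.grants = {}   # (group, repo) -> set of Action
        self.members = {}  # group -> set of usernames
        self.audit = []    # constructed audit records

    def add_root(self, user):
        self.roots.add(user)

    def has_explicit_grant(self, user, action, repo):
        """True if some group the user belongs to grants `action` on `repo`."""
        return any(action in self.grants.get((group, repo), set())
                   for group, users in self.members.items() if user in users)

    def is_allowed(self, user, action, repo=None):
        if user in self.roots and (action in ALWAYS_ROOT or not self.auditable_mode):
            return True
        # In auditable mode a root user is treated like anyone else for
        # query, retention and deletion: only an explicit grant counts.
        return self.has_explicit_grant(user, action, repo)

    def assign_role(self, actor, group, repo, actions):
        """Role assignment on a repository: a sensitive audit event."""
        if not self.is_allowed(actor, Action.MANAGE_USERS, repo):
            raise PermissionError(f"{actor} may not assign roles on {repo}")
        self.grants.setdefault((group, repo), set()).update(actions)
        self.audit.append((True, "role.assign", actor,
                           {"group": group, "repo": repo,
                            "actions": sorted(a.value for a in actions)}))

    def add_member(self, actor, group, user):
        """Group membership change: also a sensitive audit event."""
        if not self.is_allowed(actor, Action.MANAGE_USERS):
            raise PermissionError(f"{actor} may not change group membership")
        self.members.setdefault(group, set()).add(user)
        self.audit.append((True, "group.member.add", actor,
                           {"group": group, "user": user}))


def root_self_grant(auditable_mode):
    """Scenario: a root user with no group membership wants to query 'prod'.

    Returns (allowed before any grant, allowed after granting itself access,
    sensitive audit record types left behind).
    """
    c = Cluster(auditable_mode)
    c.add_root("root-admin")
    before = c.is_allowed("root-admin", Action.QUERY, "prod")
    # Root always keeps user management, so it can add itself to a repo...
    c.assign_role("root-admin", "prod-readers", "prod", {Action.QUERY})
    c.add_member("root-admin", "prod-readers", "root-admin")
    after = c.is_allowed("root-admin", Action.QUERY, "prod")
    # ...but in auditable mode that self-grant is the only way in, and it is
    # recorded as sensitive (immutable) audit events.
    trail = [(kind, actor) for sensitive, kind, actor, _ in c.audit if sensitive]
    return before, after, trail


if __name__ == "__main__":
    for mode in (False, True):
        print(f"auditable_mode={mode}: {root_self_grant(mode)}")
```

The point to take away is the last line of the scenario: Enforce Auditable Mode does not prevent a root user from reaching the data, it forces the access through a role assignment and a group membership change, both of which the page lists as sensitive events that cannot be altered through Humio. A detection rule on those two event types, filtered to actors who are root users, is the practical use of the mode.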
Searching Events in the Audit Log
Deprecated: 1.47.1
The restrictions below have been deprecated.
Special access restrictions apply. A user can get access to search the humio-audit repository using the same set of rules as any other repository. A user who does not have access through those rules can still search the repository, but is restricted to the events in which that user is the actor who performed the action.