humio-audit Actor Structure

The humio-audit Actor Structure defines the entity fields that track who or what performed specific operations within the LogScale system, including IP addresses, organization details, session information, and user credentials. The actor fields vary based on the type of entity performing the action, which can range from individual users and API tokens to system-level operations and log collectors.

The actor block within the humio-audit repository defines the entity that performed the audited operation. This could be a user, an API token, or the organization owner. The information is represented within the event as a series of fields with the same actor prefix. The exact list of fields provided depends on the entity that performed the operation.

Fields may include:

  • actor.ip

    The IP address within the cluster where the operation was executed.

  • actor.organizationId

    The organization ID of the corresponding user.

  • actor.orgRoot

    true if the user is root within the organization.

  • actor.proxyRequest

    The request is a proxy operation for the user (running on behalf of the user).

  • actor.sessionId

    For a user request, the session ID created when the user accesses the cluster. Sessions are unique and remain in place until the user logs out or their session is terminated.

  • actor.tokenId

    When an API token has been used, the ID of the token.

  • actor.tokenName

    When an API token has been used, the name of the token.

  • actor.type

    The type of the actor:

    • ephemeralUserToken — a user's temporary API token

    • invitationToken — an invitation API token

    • logCollector — a Log Collector

    • orgUser — a user in an organization; the expected value for actor.type for a user requester

    • organizatioPermissionToken — a system permission API token

    • organization — the organization (i.e. where a query has been configured to run as an organization)

    • personalUserToken — a user's personal API token

    • system — the LogScale system (typically user profile or access)

    • systemPermissionToken — a system level API token

    • viewPermissionToken — a view permission API token

  • actor.user.id

    When a user triggered the audit event, the user ID, as generated by the system when the user was created.

  • actor.user.isRoot

    true if the user is a root user.

  • actor.user.username

    When a user triggered the audit event, the user name as provided in the user configuration.

All fields added to an individual entry are dependent on the type, as different types create a different set of fields. To get a list of action types, see humio-audit Event types.
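
Because the actor fields present depend on actor.type, code that reviews audit events has to tolerate missing fields. The following is an added example, not part of the LogScale documentation or product: it assumes events exported as one JSON object per line with the flat field names listed above and booleans as either JSON booleans or the string "true"; the sample events and the helper names (is_true, principal, flags, summarize) are constructed for illustration.

```python
import json

# Constructed sample events (not real LogScale output); export format is an assumption.
SAMPLE_EVENTS = """
{"actor.type": "orgUser", "actor.ip": "10.0.0.5", "actor.user.id": "u1", "actor.user.username": "alice", "actor.sessionId": "s1", "actor.user.isRoot": "true"}
{"actor.type": "personalUserToken", "actor.ip": "10.0.0.9", "actor.tokenId": "t7", "actor.tokenName": "ci-export", "actor.user.username": "bob"}
{"actor.type": "orgUser", "actor.ip": "10.0.0.6", "actor.user.username": "carol", "actor.proxyRequest": true, "actor.orgRoot": "false"}
{"actor.type": "system"}
"""

def is_true(value):
    """Accept a JSON boolean or the string "true"; absent fields count as false."""
    return value is True or str(value).lower() == "true"

def principal(event):
    """Pick the most specific identity available for this actor.type."""
    actor_type = event.get("actor.type", "unknown")
    if actor_type.endswith("Token"):
        # Token actors: prefer the token ID, fall back to the token name.
        ident = event.get("actor.tokenId") or event.get("actor.tokenName")
    else:
        # User actors: prefer the system-generated ID over the configured name.
        ident = event.get("actor.user.id") or event.get("actor.user.username")
    return f"{actor_type}:{ident or '-'}"

def flags(event):
    """Collect the privilege and proxy markers that are set on the event."""
    checks = (("actor.user.isRoot", "root"),
              ("actor.orgRoot", "orgRoot"),
              ("actor.proxyRequest", "proxy"))
    return [label for field, label in checks if is_true(event.get(field))]

def summarize(text):
    """Return (principal, actor.ip, flags) for each JSON line in text."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rows.append((principal(event), event.get("actor.ip", "-"), flags(event)))
    return rows

if __name__ == "__main__":
    for who, ip, marks in summarize(SAMPLE_EVENTS):
        print(f"{who:28} {ip:12} {','.join(marks) or '-'}")
```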