humio-audit Actor Structure

The actor block within the humio-audit repository defines the entity that performed the audited operation. This could be a user, an API token, or the organization owner. The information is represtented within the event as a series of fields with the same actor prefix. The exact list of fields provided depends on the entity that performed the operation.

Fields may include:

  • actor.ip

    The IP address within the cluster where the operation was executed.

  • actor.organizationId

    The organization ID of the corresponding user.

  • actor.orgRoot

    true if the user is root within the organization.

  • actor.proxyRequest

    The request is a proxy operation for the user (running on behalf of the user).

  • actor.sessionId

    For a user request, the session ID created when the user access the cluster. Sessions are unique and in place until the user logs our or their session is terminated.

  • actor.tokenId

    When an API token has been used, the ID of the token.

  • actor.tokenName

    When an API token has been used, the name of the token.

  • actor.type

    The type of the actor:

    • ephemeralUserToken — a users temporary API token

    • invitationToken — an invitation API token

    • logCollector — a Log Collector

    • orgUser — a user in an organization; the expected value for actor.type for a user requester

    • organizatioPermissionToken — a system permission API token

    • organization — the organization (i.e. where a query has been configured to run as an organization)

    • personalUserToken — a users personal API token

    • system — the LogScale system (typically user profile or access)

    • systemPermissionToken — a system level API token

    • viewPermissionToken — a view permission API token

  • actor.user.id

    When a user triggered the audit event, the user ID, as generated by the system when the user was created.

  • actor.user.isRoot

    true if the user is a root user.

  • actor.user.username

    When a user triggered the audit event, the user name as provided in the user configuration.

All fields added to an individual entry are dependent on the type, as different types create a different set of fields. To get a list of action types, see humio-audit Event types.