Actor Structure

The Actor Structure defines the entity fields that track who or what performed specific operations within the LogScale system, including IP addresses, organization details, session information, and user credentials. The actor fields vary based on the type of entity performing the action, which can range from individual users and API tokens to system-level operations and log collectors.

The actor block within the humio-audit repository defines the entity that performed the audited operation. This could be a user, an API token, or the organization owner. The information is represented within the event as a series of fields with the same actor prefix. The exact list of fields provided depends on the entity that performed the operation.

Fields may include:

Field Availability Description
actor.ip   The IP address within the cluster where the operation was executed.
actor.organizationId   The organization ID of the corresponding user.
actor.orgRoot   true if the user is root within the organization.
actor.proxyRequest   The request is a proxy operation for the user (running on behalf of the user).
actor.sessionId   For a user request, the session ID created when the user accesses the cluster. Sessions are unique and remain in place until the user logs out or their session is terminated.
actor.tokenId   When an API token has been used, the ID of the token.
actor.tokenName   When an API token has been used, the name of the token.
actor.type   The type of the actor:
  • ephemeralUserToken — a user's temporary API token; often used by organization-owned queries that do not run as a specific user

  • invitationToken — an invitation API token

  • logCollector — a Log Collector

  • orgUser — a user in an organization; the expected value for actor.type for a user requester

  • organizationPermissionToken — a system permission API token

  • organization — the organization (where a query has been configured to run as an organization)

  • personalUserToken — a user's personal API token

  • system — the LogScale system (typically user profile or access)

  • systemPermissionToken — a system level API token

  • viewPermissionToken — a view permission API token

actor.user.id   When a user triggered the audit event, the user ID, as generated by the system when the user was created.
actor.user.isRoot   true if the user is a root user.
actor.user.username   When a user triggered the audit event, the user name as provided in the user configuration.

All fields added to an individual entry are dependent on the type, as different types create a different set of fields. To get a list of action types, see humio-audit Event types.
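
Because the set of actor fields depends on the actor type, code that consumes audit events should key on whichever identifier is present rather than expect a fixed schema. The following is an added example, not part of the LogScale documentation or product code. It assumes events are exported as flat key/value records using the dotted field names above, that booleans may arrive as the strings "true"/"false", and that the permission token type is spelled organizationPermissionToken; the function names and sample values are hypothetical.

```python
# Added example (not LogScale code): summarise who acted in a humio-audit event.
# Assumption: each event is a flat dict keyed by the dotted actor.* field names.

KNOWN_TYPES = {
    "ephemeralUserToken", "invitationToken", "logCollector", "orgUser",
    "organizationPermissionToken", "organization", "personalUserToken",
    "system", "systemPermissionToken", "viewPermissionToken",
}

def _is_true(event, field):
    # Accept both a real boolean and the exported string form.
    return str(event.get(field, "")).lower() == "true"

def describe_actor(event):
    """Return the actor's type, an identity key and review notes."""
    actor_type = event.get("actor.type")
    # Fields vary by type, so use whichever identifier is present.
    if event.get("actor.tokenId"):
        identity = ("token", event["actor.tokenId"])
    elif event.get("actor.user.id"):
        identity = ("user", event["actor.user.id"])
    else:
        identity = ("type", actor_type)  # e.g. system or organization
    notes = []
    if actor_type not in KNOWN_TYPES:
        notes.append("unknown-actor-type")
    if _is_true(event, "actor.user.isRoot"):
        notes.append("root-user")
    if _is_true(event, "actor.orgRoot"):
        notes.append("org-root")
    if _is_true(event, "actor.proxyRequest"):
        notes.append("proxy-request")
    return {"type": actor_type, "identity": identity, "notes": notes}

def review(events):
    """Return (index, identity, notes) for events that carry review notes."""
    described = ((i, describe_actor(ev)) for i, ev in enumerate(events))
    return [(i, d["identity"], d["notes"]) for i, d in described if d["notes"]]

# Constructed sample events; every value is invented for illustration.
SAMPLE = [
    {"actor.type": "orgUser", "actor.user.id": "u-1001",
     "actor.user.username": "alice", "actor.user.isRoot": "true"},
    {"actor.type": "personalUserToken", "actor.tokenId": "tok-42",
     "actor.tokenName": "ci-export", "actor.user.id": "u-1002"},
    {"actor.type": "system"},
    {"actor.type": "serviceAccount", "actor.proxyRequest": True},
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

Preferring the token ID over the user ID when both are present is a choice made here so that activity is attributed to the credential that was used.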