The humio-audit Repository

The humio-audit repository is a system repository that keeps the Audit Logging of the actions users take in LogScale.

Note

Special access restrictions apply: a user can be granted access to search this repository using the same set of rules as for any other repository. However, a user who does not have access through those rules can still search this repository, restricted to only the events that directly relate to other repositories that user has access to.

By default, a user can only query the humio-audit repository about their own actions. A user must be a member of the humio-audit repository to query about other users. On cloud, the organization owner can query the humio-audit log for the actions of all users in the organization.

Basic Structure

Events within the humio-audit repository contain a record of the specific activities across the LogScale cluster. Each event within the repository contains:

  • Timestamp of the audited activity.

  • The actor, a record containing information about the user or service that triggered the audit event.

  • A type, which defines the type of event and indicates what other fields might be included in the audit event.

  • Event-specific information; for example, for a dataspace.query event, which is a query on a repository or view, the data includes specific details of the query, execution metrics, query range, and query types.

  • A field that indicates whether the audited event was sensitive. Sensitive events include those that update or change the roles or access to resources, change the retention settings, or delete repositories or data.

  • Metadata about the event, such as the repository ID and name affected by the activity.

An example of this can be seen in the record below, here represented as a JSON value (the form in which the information is stored within the @rawstring):

```json
{
   "actor" : {
      "ip" : "172.17.0.1",
      "orgRoot" : true,
      "organizationId" : "SINGLE_ORGANIZATION_ID",
      "proxyRequest" : false,
      "sessionId" : "RsfWIgfgeXh5sSsIcmhj4DKTyn7IH16G",
      "type" : "orgUser",
      "user" : {
         "id" : "0O7WGPBX9YbvZbKOrBMd5fgH",
         "isRoot" : true,
         "username" : "mc"
      }
   },
   "authPrefix" : "*",
   "cidFilter" : null,
   "dataspaceId" : "dm5BIUWUq1NsbMxCyb1iT5EH",
   "federationId" : null,
   "query" : {
      "allowEventSkipping" : false,
      "end" : "now",
      "includeDeletedEvents" : false,
      "ingestEnd" : 9223372036854775807,
      "ingestStart" : 0,
      "isAlertQuery" : false,
      "isInteractive" : true,
      "isLive" : false,
      "isRepeatingSubquery" : false,
      "languageVersion" : "legacy",
      "noResultUntilDone" : false,
      "queryString" : "",
      "showQueryEventDistribution" : true,
      "start" : "1d",
      "timeZoneOffsetMinutes" : 0,
      "useIngestTime" : false
   },
   "queryParserMetrics" : {
      "caseCount" : 0,
      "fieldTestCount" : 0,
      "freeTextCount" : 0,
      "functionCallCount" : 0,
      "functions" : [],
      "matchCount" : 0,
      "nodeCount" : 1,
      "savedQueryCount" : 0
   },
   "repoId" : "dm5BIUWUq1NsbMxCyb1iT5EH",
   "repoName" : "humio-audit",
   "sensitive" : false,
   "timestamp" : "2023-11-20T10:33:06.981Z",
   "type" : "dataspace.query"
}
```
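To show how the fields above are used when reviewing audit activity, here is an added Python example (not part of the LogScale documentation or product) that parses @rawstring values in this layout, counts sensitive events per actor and event type, and narrows the events down to one user's own actions, mirroring the default self-only view described earlier. The sample events, their usernames, repository names and the sensitive event's type are constructed placeholders, not real audit data.

```python
import json
from collections import Counter

def _sample(username, is_root, repo, event_type, sensitive, ts):
    """Build one constructed audit event in the @rawstring layout shown above."""
    return json.dumps({
        "actor": {"ip": "172.17.0.1", "type": "orgUser",
                  "user": {"id": "constructed-id", "isRoot": is_root,
                           "username": username}},
        "repoName": repo, "sensitive": sensitive,
        "timestamp": ts, "type": event_type})

# Constructed sample @rawstring values, not real LogScale output; the
# sensitive event's type is a placeholder, not an actual audit event type.
SAMPLE_RAWSTRINGS = [
    _sample("mc", True, "humio-audit", "dataspace.query", False,
            "2023-11-20T10:33:06.981Z"),
    _sample("alice", False, "prod-logs", "placeholder.sensitive-change", True,
            "2023-11-20T11:02:15.000Z"),
    _sample("alice", False, "prod-logs", "dataspace.query", False,
            "2023-11-20T11:05:00.000Z"),
]

def parse_audit_event(rawstring):
    """Pull the fields a reviewer needs out of one @rawstring JSON value."""
    event = json.loads(rawstring)
    actor = event.get("actor", {})
    user = actor.get("user", {})
    return {
        "timestamp": event.get("timestamp"),
        "type": event.get("type"),
        "sensitive": bool(event.get("sensitive", False)),
        "repo": event.get("repoName"),
        "username": user.get("username"),
        "is_root": bool(user.get("isRoot", False)),
    }

def sensitive_actions_by_user(rawstrings):
    """Count sensitive events per (username, type): the first thing to review."""
    counts = Counter()
    for raw in rawstrings:
        ev = parse_audit_event(raw)
        if ev["sensitive"]:
            counts[(ev["username"], ev["type"])] += 1
    return dict(counts)

def events_for_user(rawstrings, username):
    """Events attributable to one user, like the default self-only view."""
    return [ev for ev in map(parse_audit_event, rawstrings)
            if ev["username"] == username]
```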