humio-audit Actor Structure
The actor block within the humio-audit repository defines the entity that performed the audited operation. This could be a user, an API token, or the organization owner. The information is represtented within the event as a series of fields with the same actor prefix. The exact list of fields provided will depend on the entity that performed the operation.
Fields may include:
actor.ip
The IP address within the cluster where the operation was executed.
actor.organizationId
The organization ID of the corresponding user.
actor.orgRoot
trueif the user is root within the organization.actor.proxyRequest
The request is a proxy operation for the user (running on behalf of the user).
actor.sessionId
For a user request, the session ID created when the user access the cluster. Sessions are unique and in place until the user logs our or their session is terminated.
actor.tokenId
When an API token has been used, the ID of the token.
actor.tokenName
When an API token has been used, the name of the token.
actor.type
The type of the actor:
ephemeralUserToken— a users temporary API tokeninvitationToken— an invitation API tokenlogCollector— a Log CollectororgUser— a user in an organizationorganizatioPermissionToken— a system permission API tokenorganization— the organization (i.e. where a query has been configured to run as an organization)personalUserToken— a users personal API tokensystem— the LogScale system (typically user profile or access)systemPermissionToken— a system level API tokenuser— a userviewPermissionToken— a view permission API token
actor.user.id
When a user triggered the audit event, the user ID, as generated by the system when the user was created.
actor.user.isRoot
trueif the user is a root user.actor.user.username
When a user triggered the audit event, the user name as provided in the user configuration.
All fields added to an individual entry are dependent on the type, as different types create a different set of fields. To get a list of action types, see humio-audit Event types.