LogicMonitor’s audit logs provide insight into recent account activity, such as user logins and configuration changes made to resources in the account. Each audit log entry provides a timestamp for the event, the username associated with the event, the IP address associated with the event, and a description of the event. For example, you could use the audit logs to identify when alerting was disabled for a particular device group, or which user updated a particular resource property.
The duration of time for which audit log entries are preserved is determined by the “alert history storage” level associated with your LogicMonitor package. For a breakdown of “alert history storage” levels by package, visit the LogicMonitor pricing page.
You can access and query your platform’s audit logs using the following:
- Audit Logs page
- Audit Logs report
- LogicMonitor’s REST API
Note: When reviewing audit logs, it is common to see consecutive login events with no logout between them. If a user does not explicitly log out, but simply lets the session go idle and then starts using LogicMonitor again (possibly from a different computer), a new login event is recorded.
Audit Logs Page
Accessible from Settings > Audit Logs, the Audit Logs page provides an interface from which you can view and filter audit logs.
Filtering Audit Log Entries
You can filter the audit log entries according to:
- Time Range: The time range dropdown allows you to select your required time range. The default value is Last 24 hours. The other available options are Last hour, Last 2 hours, Last 5 hours, Last 8 hours, Last 12 hours, Last 2 days, Last 7 days, Last 30 days, Last calendar month, Last 3 months, Last year, and Custom range.
- User name: The user option allows you to filter by one or more specific users. Select to add your required user or users.
Audit log entries can also be searched using keywords found in the User, IP and Description columns. Keyword searches follow these rules:
- Single keywords are automatically wildcarded on both ends. For example, a search term of “time” could return “time”, “uptime”, and “timeout.”
- If multiple search terms are entered, they are automatically joined using the AND operator and are wildcarded at the beginning and end of the full search string (e.g. searching on “trigger alert” is the same as searching on “*trigger AND alert*”). Add further wildcards yourself where multiple search terms need them. For example, if you want “trigger AND alert” to match on logs containing the keyword “trigger” or “triggers,” you’ll need to manually enter one more wildcard (i.e. “trigger* AND alert”).
- An OR or an AND NOT operator can be used instead of the default AND operator. When using either of these operators, only a single keyword can be on either side of the operator. For example, searching on “trigger OR alert” will return results as expected, but searching on “trigger alert OR SAML” will not.
- With the exception of manually entered operators (i.e. AND, OR, and AND NOT), keyword searches are not case sensitive.
- A keyword search is joined with other current active filters using an AND operator.
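A small model of the keyword rules above, added here as an example; it is not LogicMonitor code. It assumes each pattern is compared against individual words of the User, IP and Description values, and the sample entries and the function names `expand`, `matches` and `search` are constructed for illustration. Operator combinations the page describes as unsupported raise an error in this model.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample entries, not real LogicMonitor audit log output.
SAMPLE = [
    {"user": "asmith", "ip": "203.0.113.10",
     "description": "Updated alert rule: retrigger alert after timeout"},
    {"user": "jdoe", "ip": "198.51.100.7",
     "description": "Alert triggers disabled for device group Prod"},
    {"user": "jdoe", "ip": "198.51.100.7", "description": "Log in via SAML"},
]


def expand(query):
    """Return (operator, patterns) after applying the implicit wildcards."""
    words = query.split()
    op, terms = "AND", [w for w in words if w != "AND"]
    if "OR" in words or "NOT" in words:  # operators count only in upper case
        # OR and AND NOT take exactly one keyword on each side.
        op = "OR" if "OR" in words else "AND NOT"
        if len(words) != len(op.split()) + 2 or words[1:-1] != op.split():
            raise ValueError("only one keyword allowed on each side of " + op)
        terms = [words[0], words[-1]]
    if not terms:
        raise ValueError("empty search")
    terms = [t.lower() for t in terms]  # keywords are not case sensitive
    # One wildcard at the start and one at the end of the whole search string.
    if not terms[0].startswith("*"):
        terms[0] = "*" + terms[0]
    if not terms[-1].endswith("*"):
        terms[-1] += "*"
    return op, terms


def matches(query, entry):
    """Assumption: each pattern is tested against single words of the entry."""
    op, patterns = expand(query)
    text = " ".join(entry[k] for k in ("user", "ip", "description")).lower()
    words = re.findall(r"[\w.\-]+", text)
    hit = [any(fnmatchcase(w, p) for w in words) for p in patterns]
    if op == "OR":
        return hit[0] or hit[1]
    if op == "AND NOT":
        return hit[0] and not hit[1]
    return all(hit)


def search(query, entries=SAMPLE):
    """Return the indexes of the entries that match the query."""
    return [i for i, e in enumerate(entries) if matches(query, e)]
```

With these entries, `search("trigger alert")` returns only the first entry, while `search("trigger* AND alert")` also returns the entry that contains “triggers”, which is the gap to keep in mind when searching for evidence of a change.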
Note: The Audit Logs page only provides one year’s worth of audit log entries for dynamic viewing and filtering.
Downloading and Reporting Audit Log Entries
You can download the current display of log entries. Select to download the log entries in CSV format.
Additionally, select to launch the Audit Log report settings dialog. The dialog will be populated with the current filters and search terms. Save the filters as the criteria for a new report and choose to generate its output in CSV, HTML, or PDF format. For more information on the Audit Log report, see Audit Log Report.
Customizing Table Settings
- Navigate to Settings > Audit Logs.
- Select .
- Do the following:
  - To order the columns, select and drag to the order you want.
  - To hide or show columns, select .
Audit Logs Report
As discussed in Audit Log Report, the Audit Log report offers the same filter and search capabilities as the Audit Logs page, with expanded capabilities for output formats, sorting, and the duration of historical data available. As with all LogicMonitor reports, the Audit Log report can be scheduled to run on a recurring basis.
Audit Logs Retrieval via REST API
Audit log entries can be queried from the LogicMonitor REST API. These results can be further refined for post-processing and analysis. For more information, see Get Audit Log Entries.