Simon Bingham

Alert on specified Audit Log activity


We increasingly have the need to be able to determine exactly who did what and when.

For example, if an alert has been disabled for a host, it would be good if we had a record of who did this. The access log contains all the right information but does not go back far enough. Could we receive an email every time someone undertakes any activity pertaining to the configuration of LogicMonitor (preferably), or otherwise could we get a monthly digest before the access logs are lost?

Edited by Mike Suding


The access log goes back 60 days and you can already download it by pressing the download button at the top right. This gives you a CSV file of the log.

Edited by Mike Suding


I'm aware of the downloading of the access log, but we have a requirement for something more akin to SYSLOG where we can quickly go back years if needs be and find out, for example, why and who disabled alerting on a product. It's a difficult conversation with a customer when this cannot be explained.

Edited by Mike Suding


I like this feature request, the ability to receive an alert when specific activity is detected. However, the Access Log does not contain all changes made, and certain logged changes lack detail.


We have added more access log detail in the release that is being rolled out through the end of January. There is better logging for datasource changes and SDT changes as well as a few others. Take a look and let us know what else is useful. And as Steve mentioned, we do have plans to make this information available in scheduled reports in the future.


In addition to scheduled reports, we would be excited to see the feature to alert based on selected Access Log events, such as datasource updates, user role updates, agent config updates, Debug facility usage, etc. These and other events can be time-critical, and any mistakes made by an administrator should be corrected ASAP. So having the ability to configure alerts based on specific activities would be very helpful. I see that this Feature Request is marked as Planned; when do we expect to see this? Thank you.


You can now set up Audit Log reports that regularly run and send a complete or filtered set of the audit logs to a report that is delivered automatically.

http://www.logicmonitor.com/release-notes/v76/

I'm not sure about the "alert on specific kind of Audit log entry" idea. How would you distinguish between something that was done correctly, and something that wasn't, if every type of action of a certain class triggered an alert?


I am creating an EventSource to alert on these specified events. I will also look into other types of event. Stay tuned. Send me a PM or email if you are interested in it.

Device add = warning 
Device delete = warning
User create = warning
User delete = warning
User suspend = warning
Threshold changed = warning
DataSource changed = warning
 

 

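The event-to-severity mapping listed in the last post, applied to a downloaded access log CSV, as an added example that is not part of the thread and is not LogicMonitor's EventSource. The column names (`User`, `Date`, `IP`, `Description`), the wording of the descriptions, and the regexes that match them are assumptions; the sample rows are constructed.

```python
import csv
import io
import re

SEVERITY = "warning"  # every event class in the post maps to warning

# (event class from the post, pattern). The patterns are assumptions about
# how each action is worded in the log's description column.
RULES = [
    ("Device add", re.compile(r"\badd(ed)?\s+(device|host)\b", re.I)),
    ("Device delete", re.compile(r"\bdelet(e|ed)\s+(device|host)\b", re.I)),
    ("User create", re.compile(r"\b(add|added|create|created)\s+user\b", re.I)),
    ("User delete", re.compile(r"\bdelet(e|ed)\s+user\b", re.I)),
    ("User suspend", re.compile(r"\bsuspend(ed)?\s+user\b", re.I)),
    ("Threshold changed", re.compile(r"\bthreshold", re.I)),
    ("DataSource changed",
     re.compile(r"\b(update|updated|change|changed)\s+datasource\b", re.I)),
]

def classify(description):
    """Return the first matching event class, or None for unlisted activity."""
    for label, pattern in RULES:
        if pattern.search(description):
            return label
    return None

def scan(csv_text):
    """Return one alert (who, when, what) per row that matches a listed class."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = classify(row["Description"])
        if event:
            alerts.append({"when": row["Date"], "who": row["User"],
                           "event": event, "severity": SEVERITY,
                           "detail": row["Description"]})
    return alerts

# Constructed sample export (assumed column layout, not a real log).
SAMPLE_CSV = """\
User,Date,IP,Description
alice,2016-01-12 09:14:03,203.0.113.10,Added device web01.example.com
bob,2016-01-12 09:20:41,203.0.113.11,Signed in
alice,2016-01-12 10:02:17,203.0.113.10,Deleted user carol
bob,2016-01-13 08:45:00,203.0.113.11,Updated DataSource Example_CPU
carol,2016-01-13 11:30:12,203.0.113.12,Changed threshold on web01.example.com
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_CSV):
        print(f'{a["severity"]}: {a["event"]} by {a["who"]} at {a["when"]}')
```
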
