Simon_Bingham
11 years ago

Alert on specified Audit Log activity

We increasingly have the need to be able to determine exactly who did what and when.

For example, if alerting has been disabled for a host, it would be good if we had a record of who did this. The access log contains all the right information but does not go back far enough. Could we receive an email every time someone undertakes any activity pertaining to the configuration of LogicMonitor (preferably), or otherwise could we get a monthly digest before the access logs are lost?

    David_Lee
    Former Employee

    The access log goes back 60 days and you can already download it by pressing the download button at the top right. This gives you a CSV file of the log.

  • I'm aware of the downloading of the access log, but we have a requirement for something more akin to SYSLOG, where we can quickly go back years if needs be and find out, for example, why and who disabled alerting on a product. It's a difficult conversation with a customer when this cannot be explained.

  • I like this feature request, the ability to receive an alert when specific activity is detected. However, the Access Log does not contain all changes made, and certain logged changes lack detail.

  • We have added more access log detail in the release that is being rolled out through the end of January. There is better logging for datasource changes and SDT changes as well as a few others. Take a look and let us know what else is useful. And as Steve mentioned, we do have plans to make this information available in scheduled reports in the future.

  • In addition to scheduled reports, we would be excited to see the feature to alert based on selected Access Log events, such as datasource updates, user role updates, agent config updates, Debug facility usage, etc. These and other events can be time-critical and any mistakes made by an administrator should be corrected asap. So having the ability to configure alerts based on specific activities would be very helpful. I see that this Feature Request is marked as Planned; when do we expect to see this? Thank you.

  • You can now set up Audit Log reports that regularly run and send a complete or filtered set of the audit logs to a report that is delivered automatically.

    http://www.logicmonitor.com/release-notes/v76/

    I'm not sure about the "alert on specific kind of Audit log entry" idea. How would you distinguish between something that was done correctly, and something that wasn't, if every type of action of a certain class triggered an alert?

    Mike_Suding
    Former Employee

    I am creating an EventSource to alert on these certain specified events. I will also look into other types of event. Stay tuned. Send me a PM or email if you are interested in it.

    Device add = warning 
    Device delete = warning
    User create = warning
    User delete = warning
    User suspend = warning
    Threshold changed = warning
    DataSource changed = warning
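
Added example, not part of the thread and not LogicMonitor code: one way to act on the CSV export discussed above, merging each download into a long-term archive so entries outlive the 60-day window, and raising a warning for new entries in the event classes listed in the last post. The column names, the description wording, the regex patterns and the in-memory `archive` dict (standing in for durable storage) are assumptions.

```python
import csv
import hashlib
import io
import re

# Event classes from the list above, all at severity "warning". The patterns
# are assumed wording, not LogicMonitor's real description strings.
RULES = [
    ("Device add", re.compile(r"\badded (device|host)\b", re.I)),
    ("Device delete", re.compile(r"\bdeleted (device|host)\b", re.I)),
    ("User create", re.compile(r"\b(created|added) user\b", re.I)),
    ("User delete", re.compile(r"\bdeleted user\b", re.I)),
    ("User suspend", re.compile(r"\bsuspended user\b", re.I)),
    ("Threshold changed", re.compile(r"\bthreshold\b", re.I)),
    ("DataSource changed", re.compile(r"\bdatasource\b", re.I)),
]
FIELDS = ("time", "user", "ip", "description")  # assumed export columns

# Constructed sample export, not real log data.
SAMPLE = """time,user,ip,description
2015-01-12 09:14:02,alice,203.0.113.10,Added device web01 to group Prod
2015-01-12 09:20:41,bob,203.0.113.11,Disabled alerting on host db02
2015-01-12 10:02:13,alice,203.0.113.10,Deleted user carol
2015-01-12 10:05:00,bob,203.0.113.11,Logged in
2015-01-12 11:30:27,alice,203.0.113.10,Changed threshold for CPU on web01
"""

def entry_id(row):
    """Fingerprint a row so overlapping exports are stored only once."""
    joined = "\x1f".join(row[f] for f in FIELDS)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def classify(description):
    """Return the first matching event class, or None if the entry is unlisted."""
    for name, pattern in RULES:
        if pattern.search(description):
            return name
    return None

def ingest(csv_text, archive):
    """Merge one export into archive (id -> row); return alerts for new rows."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = entry_id(row)
        if key in archive:
            continue  # already archived by an earlier run
        archive[key] = row
        event = classify(row["description"])
        if event:
            alerts.append((event, "warning", row["time"], row["user"]))
    return alerts
```

Entries that match no rule, such as the constructed "Disabled alerting" row, raise no warning but are still archived, so the "who did this" question can be answered after the source log has expired.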