Log Management and Analytics

  • Latest Dynatrace
  • Reference
  • Published Sep 09, 2025

Audit Logs

This section contains generic audit log information.

Query

Query audit logs in Grail.

fetch logs | filter isNotNull(audit.action)

Audit log: Metadata

This section contains meta information on the audit log.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| audit.action | string (stable) | Audited action. | Access to Azure Resource Manager; New User Created; User added to Group |
| audit.identity | string (stable) | User name, service account name, or principal name that executes the audited action. | name.surname@example.com |
| audit.result | string (stable) | Result of the audited action. | Succeeded; Failed |
| audit.status | string (stable) | Status of the audited action. | Started; In Progress; Succeeded; Failed; Active; Resolved |
| audit.time | timestamp (experimental) | Timestamp of the audited action. | 16/01/2025, 10:34 AM |
| authentication.is_multifactor | boolean (experimental) | Reports whether the executant of the audited action has performed a multi-factor authentication. | |
| content | string (stable) | Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source. | No keepalive from datasource statsd. Restarting |
| event.type | string (stable) | The unique type identifier of a given event. Tags: permission | LOG |
| log.source | string (stable) | Human-readable attribute that identifies a log stream. [1] Tags: permission | /var/log/messages; Windows Event Log; Docker Container Output; stdout |
| loglevel | string (stable) | The log event severity level. | ERROR; INFO; TRACE |
| status | string (experimental) | Overall significance of log event, derived from log level. Only INFO and NONE values are allowed. | INFO; NONE |
| timestamp | timestamp (stable) | Time (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace. | 1649822520123123123 |

[1] Can contain, for example, a file path, standard output, or a URI, depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).

Audit log: Result

This section contains information on the audit log result.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| result.code | long (experimental) | Error code associated with the result. | 0; 50126; 400 |
| result.detail | string (experimental) | Further details regarding the result. | The user did not enter the right credentials |
| result.message | string (experimental) | Brief message attached to the result. | User created successfully; Error validating credentials due to invalid username or password. |

Audit log: Client

This section contains information on the client performing the audited action.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| client.app.name | string (experimental) | The name of the client application used to perform the request. | MS Outlook |
| client.ip | ipAddress (experimental) | The IP address of the client that makes the request. This may be IPv4 or IPv6. Tags: sensitive-spans | 194.232.104.141; 2a01:468:1000:9::140 |

Audit log: Actor

Information regarding the actor who performed the audited action.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| actor.geo.city.name | string (experimental) | Name of the city from which the actor operates. | Rome |
| actor.geo.country.name | string (experimental) | Name of the country from which the actor operates. | Canada |
| actor.geo.location.lat | string (experimental) | The approximate WGS84 latitude. | 45.505918 |
| actor.geo.location.lon | string (experimental) | The approximate WGS84 longitude. | -73.614830 |
| actor.ips | ipAddress[] (stable) | List of the client's IP addresses (IPv4 or IPv6) from which the actor operates. | [168.10.15.23, 2a01:468:1000:9::140] |

Audit log: Device

Information regarding the device used by the identity performing the audited action.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| browser.name | string (resource, stable) | The browser name. | Mozilla |
| browser.version | string (resource, stable) | The browser version. | 5.0 |
| device.id | string (experimental) | GUID that uniquely identifies the device which is used to perform the audited action. | 11c1add1-612a-483d-8b24-cccbb35d3306 |
| device.name | string (experimental) | The name associated with the device which is used to perform the audited action. | DEVICE-HOFW9324FJN |
| device.os.name | string (experimental) | Human-readable operating system name. | MacOs; Windows |

Audit log: Cloud provider

The cloud provider information (if any) associated with the audit logs.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| cloud.provider | string (resource, experimental) | Name of the cloud provider. | alibaba_cloud |

Audit log: Azure tenant

The Azure tenant (if any) associated with the audit logs.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| azure.tenant.id | string (resource, experimental) | Unique, immutable identifier assigned to the Azure tenant. | 37c4add3-612a-483d-8b24-cccbb35d3306 |
| azure.tenant.name | string (resource, experimental) | Name assigned to the Azure tenant. | MyAzureTenant |

Audit log: AWS account

The AWS account (if any) associated with the audit logs.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| aws.account.id | string (resource, stable) | The 12-digit number, such as 123456789012, that uniquely identifies an AWS account. Tags: permission primary-field | 123456789012 |
| aws.account.name | string (resource, experimental) | Name associated with the AWS account. | example.com |

Audit log: GCP organization

The GCP organization (if any) associated with the audit logs.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| gcp.organization.id | string (resource, experimental) | Unique, immutable identifier assigned to an organization resource. | 123456789012 |
| gcp.organization.name | string (resource, experimental) | Name assigned to the GCP organization. | dynatrace.com |

Logs

This section contains general log information. Records can carry additional attributes: resource attributes that describe the source, as well as log record attributes that add structured data to the log record.

Query

Query logs in Grail.

fetch logs

Note on process entity association

The log module, in certain situations, may associate multiple process group instances with a single log. This can occur when more than one process group instance opens a file in write mode or if there are multiple process group instances in a single container. In such cases, the dt.entity.process_group_instance and dt.entity.process_group may be reported as arrays. To prepare queries for such situations, use matchesValue instead of == for equality checks.

| Attribute | Type | Description | Examples |
| --- | --- | --- | --- |
| content | string (stable) | Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source. | No keepalive from datasource statsd. Restarting |
| dt.entity.process_group | string (resource, stable) | The entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks. Tags: entity-id | PROCESS_GROUP-E0D8F94D9065F24F |
| dt.entity.process_group_instance | string (resource, stable) | The entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks. Tags: entity-id | PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
| dt.source_entity | string (resource, stable) | The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. [1] Tags: entity-id | HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
| event.type | string (stable) | The unique type identifier of a given event. Tags: permission | LOG |
| log.iostream | string (stable) | The I/O stream to which the log was emitted. | stdout; stderr |
| log.source | string (stable) | Human-readable attribute that identifies a log stream. [2] Tags: permission | /var/log/messages; Windows Event Log; Docker Container Output; stdout |
| loglevel | string (stable) | The log event severity level. | ERROR; INFO; TRACE |
| process.technology | string[] (stable) | Technologies detected for the process. | [['Java', 'Tomcat'], ['Go', 'Envoy']] |
| span_id | string (experimental) | A unique identifier for a span within a trace. The span_id is an 8-byte id and hex-encoded if shown as a string. | f76281848bd8288c |
| status | string (experimental) | Overall significance of log event, derived from log level. Only INFO, WARN, ERROR and NONE values are allowed. | ERROR; WARN; INFO; NONE |
| timestamp | timestamp (stable) | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
| trace_id | string (experimental) | A unique identifier for a trace. The trace_id is a 16-byte id and hex-encoded if shown as a string. | 357bf70f3c617cb34584b31bd4616af8 |

[1] The value of this field will be based on one of the dt.entity.<type> fields value. This means that both dt.source_entity and dt.entity.<type> fields will be set to the same ID.

[2] Can contain, for example, a file path, standard output, or a URI, depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).
