Log Management and Analytics

  • Published Jul 29, 2025

Audit Logs

This section contains generic audit log information.

Query

Query audit logs in Grail.

fetch logs | filter isNotNull(audit.action)

Audit log: Metadata

This section contains meta information on the audit log.

Attribute
Type
Description
Examples
audit.action
string
stable
Audited action.
Access to Azure Resource Manager; New User Created; User added to Group
audit.identity
string
stable
User name, service account name, or principal name that executes audited action.
name.surname@example.com
audit.result
string
stable
Result of the audited action.
Succeeded; Failed
audit.status
string
stable
Status of the audited action.
Started; In Progress; Succeeded; Failed; Active; Resolved
audit.time
timestamp
experimental
Timestamp of the audited action.
16/01/2025, 10:34 AM
authentication.is_multifactor
boolean
experimental
Reports whether the executant of the audited action has performed a multi-factor authentication.
content
string
stable
Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source.
No keepalive from datasource statsd. Restarting
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
LOG
log.source
string
stable
Human-readable attribute that identifies a log stream. 1
Tags: permission
/var/log/messages; Windows Event Log; Docker Container Output; stdout
loglevel
string
stable
The log event severity level.
ERROR; INFO; TRACE
status
string
experimental
Overall significance of log event, derived from log level. Only INFO and NONE values are allowed.
INFO; NONE
timestamp
timestamp
stable
Time (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace.
1649822520123123123
1

Can contain, for example, a file path, standard output, or an URI etc., depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).

Audit log: Result

This section contains information on the audit log result.

Attribute
Type
Description
Examples
result.code
long
experimental
Error code associated with the result.
0; 50126; 400
result.detail
string
experimental
Further details regarding the result.
The user did not enter the right credentials
result.message
string
experimental
Brief message attached to the result.
User created successfully; Error validating credentials due to invalid username or password.

Audit log: Client

This section contains information on the client performing the audited action.

Attribute
Type
Description
Examples
client.app.name
string
experimental
The name of the client application used to perform the request.
MS Outlook
client.ip
ipAddress
experimental
The IP address of the client that makes the request. This may be IPv4 or IPv6.
Tags: sensitive-spans
194.232.104.141; 2a01:468:1000:9::140

Audit log: Actor

Information regarding the actor who peformed the audited action.

Attribute
Type
Description
Examples
actor.geo.city.name
string
experimental
Name of the city from which the actor operates.
Rome
actor.geo.country.name
string
experimental
Name of the country from which the actor operates.
Canada
actor.geo.location.lat
string
experimental
The approximate WGS84 latitude.
45.505918
actor.geo.location.lon
string
experimental
The approximate WGS84 longitude.
-73.614830
actor.ips
ipAddress[]
stable
List of the client's IP addresses (IPv4 or IPv6) from which the actor operates.
[168.10.15.23, 2a01:468:1000:9::140]

Audit log: Device

Information regarding the device used by the identity peforming the audited action.

Attribute
Type
Description
Examples
browser.name
string
resource stable
The browser name.
Mozilla
browser.version
string
resource stable
The browser version.
5.0
device.id
string
experimental
GUID that uniquely identifies the device which is used to perform the audited action.
11c1add1-612a-483d-8b24-cccbb35d3306
device.name
string
experimental
The name associated with the device which is used to perform the audited action.
DEVICE-HOFW9324FJN
device.os.name
string
experimental
Human-readable operating system name.
MacOs; Windows

Audit log: Cloud provider

The cloud provider information (if any) associated with the audit logs.

Attribute
Type
Description
Examples
cloud.provider
string
resource experimental
Name of the cloud provider.
alibaba_cloud

Audit log: Azure tenant

The Azure tenant (if any) associated to the audit logs.

Attribute
Type
Description
Examples
azure.tenant.id
string
resource experimental
Unique, immutable identifier assigned to the Azure tenant.
37c4add3-612a-483d-8b24-cccbb35d3306
azure.tenant.name
string
resource experimental
Name assigned to the Azure tenant.
MyAzureTenant

Audit log: AWS account

The AWS account (if any) associated to the audit logs.

Attribute
Type
Description
Examples
aws.account.id
string
resource stable
The 12-digit number, such as 123456789012, that uniquely identifies an AWS account.
Tags: permission primary-field
123456789012
aws.account.name
string
resource experimental
Name associated with the AWS account.
example.com

Audit log: GCP organization

The GCP organization (if any) associated to the audit logs.

Attribute
Type
Description
Examples
gcp.organization.id
string
resource experimental
Unique, immutable identifier assigned to an organization resource.
123456789012
gcp.organization.name
string
resource experimental
Name assigned to the GCP organization.
dynatrace.com

Logs

This section contains general log information. There can be additional records added both resource attributes describing source as well as log record attributes to add structured log record data.

Query

Query logs in Grail.

fetch logs

Note on process entity association

The log module, in certain situations, may associate multiple process group instances with a single log. This can occur when more than one process group instance opens a file in write mode or if there are multiple process group instances in a single container. In such cases, the dt.entity.process_group_instance and dt.entity.process_group may be reported as arrays. To prepare queries for such situations, use matchesValue instead of == for equality checks.

Attribute
Type
Description
Examples
content
string
stable
Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source.
No keepalive from datasource statsd. Restarting
dt.entity.process_group
string
resource stable
The entity ID of the process group that has emitted the log.
Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks.
Tags: entity-id
PROCESS_GROUP-E0D8F94D9065F24F
dt.entity.process_group_instance
string
resource stable
The entity ID of the process group that has emitted the log.
Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks.
Tags: entity-id
PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
dt.source_entity
string
resource stable
The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. 1
Tags: entity-id
HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
LOG
log.iostream
string
stable
The I/O stream to which the log was emitted.
stdout; stderr
log.source
string
stable
Human-readable attribute that identifies a log stream. 2
Tags: permission
/var/log/messages; Windows Event Log; Docker Container Output; stdout
loglevel
string
stable
The log event severity level.
ERROR; INFO; TRACE
process.technology
string[]
stable
Technologies detected for the process.
[['Java', 'Tomcat'], ['Go', 'Envoy']]
span_id
string
experimental
A unique identifier for a span within a trace. The span_id is an 8-byte id and hex-encoded if shown as a string.
f76281848bd8288c
status
string
experimental
Overall significance of log event, derived from log level. Only INFO, WARN, ERROR and NONE values are allowed.
ERROR; WARN; INFO; NONE
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
trace_id
string
experimental
A unique identifier for a trace. The trace_id is a 16-byte id and hex-encoded if shown as a string.
357bf70f3c617cb34584b31bd4616af8
1

The value of this field will be based on one of the dt.entity.<type> fields value. This means that both dt.source_entity and dt.entity.<type> fields will be set to the same ID.

2

Can contain, for example, a file path, standard output, or an URI etc., depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).