This section contains generic audit log information.
Query audit logs in Grail.
fetch logs | filter isNotNull(audit.action)
This section contains meta information on the audit log.
| Attribute | Type | Description | Examples |
|---|---|---|---|
audit.action | string | stable Audited action. | Access to Azure Resource Manager; New User Created; User added to Group |
audit.identity | string | stable User name, service account name, or principal name that executes audited action. | name.surname@example.com |
audit.result | string | stable Result of the audited action. | Succeeded; Failed |
audit.status | string | stable Status of the audited action. | Started; In Progress; Succeeded; Failed; Active; Resolved |
audit.time | timestamp | experimental Timestamp of the audited action. | 16/01/2025, 10:34 AM |
authentication.is_multifactor | boolean | experimental Reports whether the executant of the audited action has performed a multi-factor authentication. | |
content | string | stable Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source. | No keepalive from datasource statsd. Restarting |
event.type | string | stable The unique type identifier of a given event. Tags: permission | LOG |
log.source | string | stable Human-readable attribute that identifies a log stream. 1 Tags: permission | /var/log/messages; Windows Event Log; Docker Container Output; stdout |
loglevel | string | stable The log event severity level. | ERROR; INFO; TRACE |
status | string | experimental Overall significance of log event, derived from log level. Only INFO and NONE values are allowed. | INFO; NONE |
timestamp | timestamp | stable Time (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace. | 1649822520123123123 |
Can contain, for example, a file path, standard output, or an URI etc., depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).
This section contains information on the audit log result.
| Attribute | Type | Description | Examples |
|---|---|---|---|
result.code | long | experimental Error code associated with the result. | 0; 50126; 400 |
result.detail | string | experimental Further details regarding the result. | The user did not enter the right credentials |
result.message | string | experimental Brief message attached to the result. | User created successfully; Error validating credentials due to invalid username or password. |
This section contains information on the client performing the audited action.
| Attribute | Type | Description | Examples |
|---|---|---|---|
client.app.name | string | experimental The name of the client application used to perform the request. | MS Outlook |
client.ip | ipAddress | experimental The IP address of the client that makes the request. This may be IPv4 or IPv6. Tags: sensitive-spans | 194.232.104.141; 2a01:468:1000:9::140 |
Information regarding the actor who peformed the audited action.
| Attribute | Type | Description | Examples |
|---|---|---|---|
actor.geo.city.name | string | experimental Name of the city from which the actor operates. | Rome |
actor.geo.country.name | string | experimental Name of the country from which the actor operates. | Canada |
actor.geo.location.lat | string | experimental The approximate WGS84 latitude. | 45.505918 |
actor.geo.location.lon | string | experimental The approximate WGS84 longitude. | -73.614830 |
actor.ips | ipAddress[] | stable List of the client's IP addresses (IPv4 or IPv6) from which the actor operates. | [168.10.15.23, 2a01:468:1000:9::140] |
Information regarding the device used by the identity peforming the audited action.
| Attribute | Type | Description | Examples |
|---|---|---|---|
browser.name | string | resource stable The browser name. | Mozilla |
browser.version | string | resource stable The browser version. | 5.0 |
device.id | string | experimental GUID that uniquely identifies the device which is used to perform the audited action. | 11c1add1-612a-483d-8b24-cccbb35d3306 |
device.name | string | experimental The name associated with the device which is used to perform the audited action. | DEVICE-HOFW9324FJN |
device.os.name | string | experimental Human-readable operating system name. | MacOs; Windows |
The cloud provider information (if any) associated with the audit logs.
| Attribute | Type | Description | Examples |
|---|---|---|---|
cloud.provider | string | resource experimental Name of the cloud provider. | alibaba_cloud |
The Azure tenant (if any) associated to the audit logs.
| Attribute | Type | Description | Examples |
|---|---|---|---|
azure.tenant.id | string | resource experimental Unique, immutable identifier assigned to the Azure tenant. | 37c4add3-612a-483d-8b24-cccbb35d3306 |
azure.tenant.name | string | resource experimental Name assigned to the Azure tenant. | MyAzureTenant |
The AWS account (if any) associated to the audit logs.
| Attribute | Type | Description | Examples |
|---|---|---|---|
aws.account.id | string | resource stable The 12-digit number, such as 123456789012, that uniquely identifies an AWS account. Tags: permission primary-field | 123456789012 |
aws.account.name | string | resource experimental Name associated with the AWS account. | example.com |
The GCP organization (if any) associated to the audit logs.
| Attribute | Type | Description | Examples |
|---|---|---|---|
gcp.organization.id | string | resource experimental Unique, immutable identifier assigned to an organization resource. | 123456789012 |
gcp.organization.name | string | resource experimental Name assigned to the GCP organization. | dynatrace.com |
This section contains general log information. There can be additional records added both resource attributes describing source as well as log record attributes to add structured log record data.
Query logs in Grail.
fetch logs
The log module, in certain situations, may associate multiple process group instances with a single log.
This can occur when more than one process group instance opens a file in write mode or if there are multiple
process group instances in a single container. In such cases, the
dt.entity.process_group_instance and dt.entity.process_group
may be reported as arrays. To prepare queries for such situations, use matchesValue
instead of == for equality checks.
| Attribute | Type | Description | Examples |
|---|---|---|---|
content | string | stable Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source. | No keepalive from datasource statsd. Restarting |
dt.entity.process_group | string | resource stable The entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks.Tags: entity-id | PROCESS_GROUP-E0D8F94D9065F24F |
dt.entity.process_group_instance | string | resource stable The entity ID of the process group that has emitted the log. Note that the log module may report multiple values as an array if a file is opened by multiple processes or multiple processes are run in a single container. To prepare queries for such situations, use matchesValue instead of == for equality checks.Tags: entity-id | PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
dt.source_entity | string | resource stable The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. 1 Tags: entity-id | HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
event.type | string | stable The unique type identifier of a given event. Tags: permission | LOG |
log.iostream | string | stable The I/O stream to which the log was emitted. | stdout; stderr |
log.source | string | stable Human-readable attribute that identifies a log stream. 2 Tags: permission | /var/log/messages; Windows Event Log; Docker Container Output; stdout |
loglevel | string | stable The log event severity level. | ERROR; INFO; TRACE |
process.technology | string[] | stable Technologies detected for the process. | [['Java', 'Tomcat'], ['Go', 'Envoy']] |
span_id | string | experimental A unique identifier for a span within a trace. The span_id is an 8-byte id and hex-encoded if shown as a string. | f76281848bd8288c |
status | string | experimental Overall significance of log event, derived from log level. Only INFO, WARN, ERROR and NONE values are allowed. | ERROR; WARN; INFO; NONE |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
trace_id | string | experimental A unique identifier for a trace. The trace_id is a 16-byte id and hex-encoded if shown as a string. | 357bf70f3c617cb34584b31bd4616af8 |
The value of this field will be based on one of the dt.entity.<type> fields value. This means that both dt.source_entity and dt.entity.<type> fields will be set to the same ID.
Can contain, for example, a file path, standard output, or an URI etc., depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).