Operation Audit
Operation audit events are generated by user actions within the workspace. They record, in real time, how projects in the workspace are used, what users do, and how resources change. This includes but is not limited to:
- Workspace management events: such as modifications to basic settings, changes to member permissions, deletion of notification targets, license expiration, etc.;
- Events related to feature and service usage: such as creating/modifying/deleting views, creating application monitoring, disabling a monitoring library, setting host mute, generating metrics, etc.;
- Billing project events: such as when project usage approaches the free quota;
- ...
Managing Audit Events
Go to Manage > Audit Events to view all user operation events generated by the workspace.
- In the list, you can perform operations like searching and grouping/aggregating events;
- Use the time component at the top of the page to view operation events within different time ranges;
- Click on settings to directly create monitors for audit events or export the current audit event list to CSV.
Grouping and Aggregation
Group and aggregate events by operator to see the total number of aggregated events triggered by users on the Guance platform within a certain time range.
Grouping and Aggregation Details Page
In grouping and aggregation mode, you can view aggregated events, and on the details page, you can see all audit events triggered by a specific user (operator).
Audit Event Details
Click on a single event in the operation event list to slide out the event's details page, where you can view the trigger time, label attributes, operator, event content, etc.
You can also use the following fields for independent query and analysis:
| Field Name | Type | Required | Description |
|---|---|---|---|
| date | Integer | Yes | Generation time, Unix timestamp, unit ms |
| df_date_range | Integer | Yes | Time range, unit s |
| df_source | String | Yes | Data source, operation events take the value "audit" |
| df_status | String | Yes | Status, default value for operation events is "info" |
| df_origin | String | Yes | Operation origin, used to record the current operation entry point. Reference values include: |
| df_menu | String | Yes | Menu path accessed by the user, e.g., Logs-Explorer |
| df_event_id | String | Yes | Unique event ID |
| df_title | String | Yes | Title |
| df_message | String | Yes | Description |
| df_user_id | String | Yes | User ID |
| df_user_name | String | Yes | User name |
| df_user_email | String | Yes | User email, corresponding to the id, name, and email in [Member Management] |
| df_user_team | String | Yes | User's current team |
| df_role_scope | String | Yes | User's current role scope |
| df_operation_id | Str | Yes | Unique ID of the actual operation item corresponding to the current audit |
| df_operation_name | Str | Yes | The menu name corresponding to the operation item that generated the current audit. For example, if an audit event corresponds to a notification strategy operation, this field would be the current notification strategy name |
| df_query_typeDQL | String | Yes | Query type |
| df_query | String | Yes | DQL query |
| df_query_range | String | Yes | DQL query duration, unit ms |
| df_cost | String | Yes | DQL query execution time |
| df_hit_count | String | Yes | Number of hits from the query |
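The following added example (not part of the Guance documentation or product code) shows one way to review an exported audit event CSV offline: it keeps only `df_source == "audit"` rows, converts `date` from Unix milliseconds, counts events per operator in a time window, and picks out events whose title mentions sensitive changes. It assumes the CSV export uses the field names above as column headers; the sample rows, titles, and menu paths are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export; column headers are assumed to match the field names above.
SAMPLE_CSV = """date,df_source,df_status,df_event_id,df_title,df_user_name,df_user_email,df_menu
1700000000000,audit,info,evt-001,Modified member permissions,alice,alice@example.com,Manage-Members
1700000060000,audit,info,evt-002,Deleted notification target,alice,alice@example.com,Manage-Notification Targets
1700000120000,audit,info,evt-003,Created view,bob,bob@example.com,Scenes-Views
1700000180000,logging,info,evt-004,Not an audit row,bob,bob@example.com,Logs-Explorer
1700003600000,audit,info,evt-005,Deleted view,bob,bob@example.com,Scenes-Views
"""


def load_audit_events(text):
    """Parse exported rows, keep audit events, and add a UTC `time` from `date` (Unix ms)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("df_source") != "audit":
            continue  # operation events always carry df_source == "audit"
        row["time"] = datetime.fromtimestamp(int(row["date"]) / 1000, tz=timezone.utc)
        events.append(row)
    return events


def count_by_operator(events, start, end):
    """Count events per operator email in [start, end), mirroring the grouping view."""
    return Counter(e["df_user_email"] for e in events if start <= e["time"] < end)


def events_matching(events, keywords):
    """Return events whose df_title contains any keyword (case-insensitive)."""
    lowered = [k.lower() for k in keywords]
    return [e for e in events if any(k in e["df_title"].lower() for k in lowered)]


if __name__ == "__main__":
    evts = load_audit_events(SAMPLE_CSV)
    window = (datetime(2023, 11, 14, 22, tzinfo=timezone.utc),
              datetime(2023, 11, 14, 23, tzinfo=timezone.utc))
    print(count_by_operator(evts, *window))
    for e in events_matching(evts, ["permission", "deleted"]):
        print(e["time"].isoformat(), e["df_user_email"], e["df_title"])
```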
Audit Event Data Storage
Operation audit data is stored according to the event storage policy. You can view and adjust the event storage policy under Manage > Settings > Change Data Storage Policy.