Skip to content

Operation Audit


This refers to operation audit events generated by user actions within the workspace, which can record in real-time the usage of projects within the workspace, user behavior, and resource changes. This includes but is not limited to:

  1. Workspace management events: such as modifications to basic settings, changes to member permissions, deletion of notification targets, license expiration, etc.;
  2. Events related to feature and service usage: such as creating/modifying/deleting views, creating application monitoring, disabling a monitoring library, setting host mute, generating metrics, etc.;
  3. Billing project events: such as when project usage approaches the free quota;
  4. ...

Audit

Managing Audit Events

Go to Manage > Audit Events to view all user operation events generated by the workspace.

  1. In the list, you can perform operations like searching and grouping/aggregating events;
  2. Use the time component at the top of the page to view operation events within different time ranges;
  3. Click on settings to directly create monitors for audit events or export the current audit event list to CSV.

Grouping and Aggregation

Group and aggregate events by operator to see the total number of aggregated events triggered by users on the Guance platform within a certain time range.

Audit 2

Grouping and Aggregation Details Page

In grouping and aggregation mode, you can view aggregated events, and on the details page, you can see all audit events triggered by a specific user (operator).

Audit 3

Audit Event Details

Click on a single event in the operation event list to slide out the event's details page, where you can view the trigger time, label attributes, operator, event content, etc.

Audit 1

You can also use the following fields for independent query and analysis:

Field Name
Type Required Description
date Integer Yes Generation time, Unix timestamp, unit ms
df_date_range Integer Yes Time range, unit s
df_source String Yes Data source, operation events take the value "audit"
df_status String Yes Status, default value for operation events is "info"
df_origin String Yes Operation origin, used to record the current operation entry point.
Reference values include:
  • front: Front-end user operation
  • openapi: Operation via OpenAPI
  • manage: Operation via management backend
  • inner: Operation via internal trusted system
  • df_menu String Yes Menu path accessed by the user, e.g., Logs-Explorer
    df_event_id String Yes Unique event ID
    df_title String Yes Title
    df_message String Yes Description
    df_user_id String Yes User ID
    df_user_name String Yes User name
    df_user_email String Yes User email, corresponding to the id, name, and email in [Member Management]
    df_user_team String Yes User's current team
    df_role_scope String Yes User's current role scope
    df_operation_id Str Yes Unique ID of the actual operation item corresponding to the current audit
    df_operation_name Str Yes The menu name corresponding to the operation item that generated the current audit. For example, if an audit event corresponds to a notification strategy operation, this field would be the current notification strategy name
    df_query_typeDQL String Yes Query type
    df_query String Yes DQL query
    df_query_range String Yes DQL query duration, unit ms
    df_cost String Yes DQL query execution time
    df_hit_count String Yes Number of hits from the query

    Audit Event Data Storage

    Operation audit data is stored according to the event storage policy. You can view and adjust the event storage policy under Manage > Settings > Change Data Storage Policy.

    Audit 4

    Further Reading

    Feedback

    Is this page helpful? ×