Audit logging

The audit log provides Administrators with a high level overview of actions that have taken place, when they occurred, and which user initiated the action. The log is output in JSON format which allows for post-processing and further analysis. For example, it can be read by the JSON Data node.

The following actions are audited:

All login attempts, both successful and unsuccessful.
Run and save a data flow.
Node execution.
Create, update and delete schedules.
Execute a scheduled run.
Change schedule system settings.
LDAP/AD import.
Change of LDAP/AD system settings.
Create, update, and delete a user.
Create workspaces.
Add or remove a user role.
Change password.
Create, update, and delete group.
Create, update and delete folders.
Logout and UI session timeout.
Start and completion of backup.

Note: Sensitive data such as passwords are not included in the audit log. The actual features that are available on your system depend on your license.

The audit log is located at: <Data360Analyze site configuration directory>/logs/lae-audit.log

For example, C:/Users/<username>/Data360Analyze/site-7731/logs

Every day that the application is used, a new audit log file is created. Log files for previous days are saved in the same folder with the creation date as a suffix, for example lae-audit.log.2018-10-31.

The first section in this topic gives an overview of the elements that make up the audit log, see Understanding the audit log.

The final section gives details of how to map specific actions to log entries, see Identifying and tracing actions.

Understanding the audit log

In general, log entries are made up of the following pieces of information:

Log entry information	Description	Example
`timestamp`	Indicates the time and date of the audited action. Each new timestamp indicates a new audit log entry.	`"timestamp":"2018-08-03T12:53:00.163+01:00"`
`auditCode`	The name of the action.	`"auditCode":"executionSessionService.execute"`
`userID`	The `userID` can be used to identify the user that initiated the action. Generally, this is the user who has signed in to the application, but in some cases it is the system user. For example, the system user takes the authentication action.	`"userId":"b9469ceb-65bd-472c-b8fa-d71a63be6929"`
`username`	The `username` can be used to identify the user that initiated the action. Generally, this is the user who has signed in to the application, but in some cases it is the system user. For example, the system user takes the authentication action.	`"username":"user1234"`
`tenantName`	The name of the deployment — with the currently supported model, this will always be set to `defaultTenant`.	`"tenantName":"defaultTenant"`
`success`	A true or false statement that indicates if the action completed successfully or not.	`"success":true`
`arguments`	The arguments passed in the API request.	`"arguments": { "taskProperties": { "executionPlanLocator":"object:!tenant:defaultTenant~directory:__Root__~directory:lavastorm~directory:shared~scheduled-task:23ffaaaf-3993-42b6-bfaa-24ec9729f303~execution-plan:fc0e522c-ca12-4890-847c-39376703f8ed" }, "scheduledTaskId":"23ffaaaf-3993-42b6-bfaa-24ec9729f303", "scheduledTaskName":"sc" },`
`response`	The API response to the action. Contains defined error fields.	`"response": { "execution": { "stopAtNode":"object:!tenant:defaultTenant~directory:__Root__~directory:lavastorm~directory:shared~graph:7ea22fc9-6f1a-4dbd-b4d7-6b04b673642c~element:91f4d3d0-3b99-4f20-92ce-040d196ca995", "executionSession":"object:!tenant:defaultTenant~directory:__Root__~directory:lavastorm~directory:shared~execution-session:e83a5a5c-e7be-45a8-9882-9b6a1d3e9418", "id":"1c0b8513-9237-6659-8dcc-a076578b2adb" } }`

Tip: See the API documentation for more information on the API arguments and responses.

Identifying and tracing actions

By understanding the information tags within an audit log, you can follow the trail of actions undertaken by a specific user, or trace the changes to a given data flow.

For example, a new data flow is created with the following ID: 6ca06e21-73d0-4816-b44d-238903d3768f

{"timestamp":"2018-11-05T10:20:29.411Z","auditCode":"executionSessionService.create","userId":"b9469ceb-65bd-472c-b8fa-d71a63be6929","username":"User1234","tenantName":"defaultTenant","success":true,"arguments":{"executionSession":{"id":"49486f20-96ca-4a70-8f32-f738b15e59fc","graphLocator":"object:!tenant:defaultTenant~workspace:908ee33e-5eee-1694-4284-63aea9310e8c~edit-session:c833d293-c2e8-4dea-b129-60630f38558a~graph:6ca06e21-73d0-4816-b44d-238903d3768f","lxsId":null,"runtimeProperties":{},"valid":false,"runBy":"User1234","runDate":null,"runState":null,"lastExecutionCandidates":[],"allExecutionCandidates":[],"executionLogId":null,"interfaces":["ExecutionSession"]},"workspaceLocator":"object:!tenant:defaultTenant~workspace:908ee33e-5eee-1694-4284-63aea9310e8c"},"response":"object:!tenant:defaultTenant~workspace:908ee33e-5eee-1694-4284-63aea9310e8c~execution-session:49486f20-96ca-4a70-8f32-f738b15e59fc"}

Later, a new schedule is created based on this data flow:

{"timestamp":"2018-11-05T14:09:14.478Z","auditCode":"simpleScheduledTaskService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"containerLocator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462","simpleScheduledTaskDto":{"id":"6e140249-5b0d-4428-9913-c19672336633","name":"schedule test","description":null,"enabled":true,"triggerProperties":{"cronExpression":"0 09 14 1 1/1 ? *","startDateTime":"2018-11-05T14:09:06Z","interval":"monthly","monthlyScheduleOption":"day-of-week"},"runAs":null,"dataflowId":"6ca06e21-73d0-4816-b44d-238903d3768f","runProperties":{},"searchPath":["object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462"]}},"response":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462~scheduled-task:6e140249-5b0d-4428-9913-c19672336633"}

Some examples of common audit log entries are listed in the tables below, along with a description of how the log entry relates to a user action in Data360 Analyze:

Log entry Description

Log entry	Description
`"auditCode":"authenticationSuccess"`	Indicates that a user has successfully signed in to Data360 Analyze. When a user signs in to the application, you will also see the following log entry: `securityConfigurationService.getSecurityConfig` `{"timestamp":"2018-11-05T09:57:38.705Z","auditCode":"authenticationSuccess","userId":"_system_","username":"system","tenantName":"defaultTenant","success":true,"arguments":{"remoteHost":null,"username":"User1234"},"response":"User1234"}`

"auditCode":"authenticationSuccess"

Indicates that a user has successfully signed in to Data360 Analyze.

When a user signs in to the application, you will also see the following log entry:

securityConfigurationService.getSecurityConfig

{"timestamp":"2018-11-05T09:57:38.705Z","auditCode":"authenticationSuccess","userId":"_system_","username":"system","tenantName":"defaultTenant","success":true,"arguments":{"remoteHost":null,"username":"User1234"},"response":"User1234"}

Create or update user or group

In the following examples, all actions except groupService.create and groupService.updateGroup are logged as a result of a single create user request. You can identify a user by their ID, for example, 21fad3f0-f8a2-4d66-846e-240dca92b16f, which you can trace through the various actions.

Log entry User action and example

"auditCode":"userService.<action>"

"auditCode":"userService.create" indicates that a role has been created for the user or group's permissions.

{"timestamp":"2018-11-05T11:28:18.664Z","auditCode":"userService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"containerLocator":"object:!tenant:defaultTenant","user":{"tenant":"defaultTenant","name":"NewUser","id":"21fad3f0-f8a2-4d66-846e-240dca92b16f","imported":false,"principalimportDetails":null,"state":"ACTIVE","active":true}},"response":"object:!tenant:defaultTenant~user:21fad3f0-f8a2-4d66-846e-240dca92b16f"}

"auditCode":"userService.update" indicates that the user's profile has been changed, e.g. the user's role has been changed.

{"timestamp":"2018-11-05T11:48:02.419Z","auditCode":"update","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"locator":"object:!tenant:defaultTenant~user:21fad3f0-f8a2-4d66-846e-240dca92b16f","user":{"tenant":"defaultTenant","name":"Example user","id":"21fad3f0-f8a2-4d66-846e-240dca92b16f","imported":false,"principalimportDetails":null,"state":"ACTIVE","active":true}}}

userService.deleteUser indicates that the user has been deleted. Note that users are never completely removed from the system, rather the user "state" is set to "DEACTIVATED".

{"timestamp":"2018-11-05T11:38:06.296Z","auditCode":"userService.deleteUser","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"userLocator":"object:!tenant:defaultTenant~user:21fad3f0-f8a2-4d66-846e-240dca92b16f","force":false,"obliterate":false},"response":true}

"auditCode":"roleService.<action>"

roleService.updateWithSecurity indicates that the user or group has been added to a specific role, or that the role has changed. The following example shows that a user was added to the "Administrator" role:

{"timestamp":"2018-11-05T11:28:19.218Z","auditCode":"updateWithSecurity","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"locator":"object:!tenant:defaultTenant~role:administrator","object":{"id":"administrator","name":"Administrator","description":"Administrator","members":["admin","21fad3f0-f8a2-4d66-846e-240dca92b16f","admins"],"type":"GENERAL"}}}

roleService.removeMemberFromAllRoles indicates that all user roles have been removed from a user. This entry is added to the audit log when a user is deleted from the system.

{"timestamp":"2018-11-05T11:38:06.249Z","auditCode":"roleService.removeMemberFromAllRoles","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"tenantLocator":"object:!tenant:defaultTenant","memberId":"21fad3f0-f8a2-4d66-846e-240dca92b16f"}}

"auditCode":"workspaceService.create"

workspaceService.create indicates that the user's workspaces have been created. For each user, two workspaces are created, one for the My Documents folder and one temporary workspace.

{"timestamp":"2018-11-05T21:47:14.254Z","auditCode":"workspaceService.createWorkspace","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"containerLocator":"object:!tenant:defaultTenant","name":"user temp","description":"user's Temporary Workspace","directoryLocator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Temp__~directory:a1cee974-1864-ac55-2d80-aefd8c5f7a12"},"response":"object:!tenant:defaultTenant~workspace:37be5c8b-08d7-6401-5a7d-3bd019c7c419"}

"auditCode":"userCredentialService.<action>"

userCredentialService.createOrUpdate indicates that the user's password has been stored.

{"timestamp":"2018-11-05T21:47:14.359Z","auditCode":"userCredentialService.createOrUpdate","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"password":"[NOT OUTPUT]","userLocator":"object:!tenant:defaultTenant~user:19e5d5c7-a7ab-4bc0-b571-c90c57b53a8e"}}

userCredentialService.updateCurrentUserPassword indicates that the user's password has been updated and stored.

{"timestamp":"2018-11-05T13:37:24.613Z","auditCode":"userCredentialService.updateCurrentUserPassword","userId":"21fad3f0-f8a2-4d66-846e-240dca92b16f","username":"User1234","tenantName":"defaultTenant","success":true,"arguments":{"userLocator":"object:!tenant:defaultTenant~user:21fad3f0-f8a2-4d66-846e-240dca92b16f","oldPassword":"[NOT OUTPUT]","newPassword":"[NOT OUTPUT]"}}

"auditCode":"groupService.<action>"

groupService.create indicates that the group's profile has been created.

groupService.updateGroup indicates that the group's profile has been changed, e.g. a member has been added or the group has been deleted. Note that groups are never completely removed from the system, rather the group "state" is set to "DEACTIVATED". The following example shows a log entry for the action of adding a member to a group:

{"timestamp":"2018-11-05T12:20:21.206Z","auditCode":"groupService.updateGroup","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"groupLocator":"object:!tenant:defaultTenant~group:734e6428-64f0-4c5a-9bed-10582c1ef71f","group":{"tenant":"defaultTenant","name":"Group yellow","id":"734e6428-64f0-4c5a-9bed-10582c1ef71f","imported":false,"members":["441dd465-66ba-4cad-910c-021a817b5383","d4a3a96b-03be-4063-863c-0789565e4141"],"principalimportDetails":null,"state":"ACTIVE","active":true},"validate":true}}

Create, update and delete a folder

Log entry User action and example

"auditCode":"directoryService.<action>"

directoryService.create indicates that a new folder has been created.

{"timestamp":"2018-11-05T22:04:22.163Z","auditCode":"directoryService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"containerLocator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:ee6adb52-ba73-5a61-cce7-f9e5523fb733","directory":{"id":"5355c000-0a2a-453c-9b3b-02a6837e7157","name":"createdDirectoryName","description":""}},"response":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:ee6adb52-ba73-5a61-cce7-f9e5523fb733~directory:5355c000-0a2a-453c-9b3b-02a6837e7157"}

directoryService.update indicates that a folder has been updated.

{"timestamp":"2018-11-05T22:04:32.764Z","auditCode":"directoryService.update","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"locator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:ee6adb52-ba73-5a61-cce7-f9e5523fb733~directory:5355c000-0a2a-453c-9b3b-02a6837e7157","directory":{"id":"5355c000-0a2a-453c-9b3b-02a6837e7157","name":"updatedDirectoryName","description":""}}}

directoryService.delete indicates that a folder has been deleted.

{"timestamp":"2018-11-05T22:26:09.784Z","auditCode":"directoryService.delete","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"locator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:ee6adb52-ba73-5a61-cce7-f9e5523fb733~directory:5355c000-0a2a-453c-9b3b-02a6837e7157~directory:5355c000-0a2a-453c-9b3b-02a6837e7157"}}

Create, save, run or delete a data flow

When a data flow is created, an edit session is opened to track data flow and node edits, and an execution session is opened to track the state of the data flow.

Log entry User action and example

Log entry	User action and example
`"auditCode":"executionSessionService.<action>"`	`executionSessionService.create` indicates that an execution session has been created. When a data flow is created, an execution session is opened to track the state of the data flow, for example node states and run property values. `executionSessionService.update` indicates that a data flow has been saved or deleted or that a user has initiated a change in state of the data flow, for example clearing node state, adding or removing nodes or updating run property values. {"timestamp":"2018-11-05T14:03:39.676Z","auditCode":"executionSessionService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"executionSession":{"id":"77ae5ef3-35c2-4202-b6ec-608b9a6d634f","graphLocator":"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c~edit-session:fad8ae33-5db9-4309-9206-b81cbcbcd79b~graph:067b1366-488e-4854-b938-0593bc365937","lxsId":null,"runtimeProperties":{},"valid":false,"runBy":"admin","runDate":null,"runState":null,"lastExecutionCandidates":[],"allExecutionCandidates":[],"executionLogId":null,"interfaces":["ExecutionSession"]},"workspaceLocator":"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c"},"response":"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c~execution-session:77ae5ef3-35c2-4202-b6ec-608b9a6d634f"} `executionSessionService.execute` is logged when a user runs a data flow.
`"auditCode":"editSessionService.<action>"`	`editSessionService.save` is logged when a data flow is saved. {"timestamp":"2018-11-05T14:07:18.306Z","auditCode":"editSessionService.save","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"saveOptions":{"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c~edit-session:125e63ec-b57e-430c-a392-500120f4467b~graph:067b1366-488e-4854-b938-0593bc365937":{"saveAsName":null,"destination":"object:!tenant:defaultTenant~workspace:88f20806-8bec-69d6-9c21-c20c1172b651","overwrite":true,"retainId":false,"includeTargetWorkspaceInSearchPath":true}},"editSessionLocator":"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c~edit-session:125e63ec-b57e-430c-a392-500120f4467b"}}

"auditCode":"executionSessionService.<action>"

executionSessionService.create indicates that an execution session has been created. When a data flow is created, an execution session is opened to track the state of the data flow, for example node states and run property values.

executionSessionService.update indicates that a data flow has been saved or deleted or that a user has initiated a change in state of the data flow, for example clearing node state, adding or removing nodes or updating run property values.

{"timestamp":"2018-11-05T14:03:39.676Z","auditCode":"executionSessionService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"executionSession":{"id":"77ae5ef3-35c2-4202-b6ec-608b9a6d634f","graphLocator":"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c~edit-session:fad8ae33-5db9-4309-9206-b81cbcbcd79b~graph:067b1366-488e-4854-b938-0593bc365937","lxsId":null,"runtimeProperties":{},"valid":false,"runBy":"admin","runDate":null,"runState":null,"lastExecutionCandidates":[],"allExecutionCandidates":[],"executionLogId":null,"interfaces":["ExecutionSession"]},"workspaceLocator":"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c"},"response":"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c~execution-session:77ae5ef3-35c2-4202-b6ec-608b9a6d634f"}

executionSessionService.execute is logged when a user runs a data flow.

"auditCode":"editSessionService.<action>"

editSessionService.save is logged when a data flow is saved.

{"timestamp":"2018-11-05T14:07:18.306Z","auditCode":"editSessionService.save","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"saveOptions":{"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c~edit-session:125e63ec-b57e-430c-a392-500120f4467b~graph:067b1366-488e-4854-b938-0593bc365937":{"saveAsName":null,"destination":"object:!tenant:defaultTenant~workspace:88f20806-8bec-69d6-9c21-c20c1172b651","overwrite":true,"retainId":false,"includeTargetWorkspaceInSearchPath":true}},"editSessionLocator":"object:!tenant:defaultTenant~workspace:42cb5309-5e17-2489-9b08-9502bbec394c~edit-session:125e63ec-b57e-430c-a392-500120f4467b"}}

Node execution

Log entry User action and example

Log entry	User action and example
`"auditCode":"nodeProcessing"` and `"auditCode":"nodeProcessed"`	When a node is executed, two entries are added to the log: `nodeProcessing` is logged when node execution is initiated, then when the run is complete, `nodeProcessed` is logged, indicating whether the run was successful or not. The reference to the node that is being executed is logged in the following format: `node=<Data flow name>.<node>` e.g. `node=Untitled Data Flow.Create Data` `{"timestamp": "2020-06-05T06:30:00.193-07:00","auditCode":"nodeProcessing","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"node":"Spinner.Create Data","nodeLocator":"object:element:27c4ad3e-ae40-4457-babf-bc97f0716859~child:e325f4fe-447f-4f64-a25c-e7c66e383eee","runState": "IN_PROGRESS","graph": "Spinner"}}` `{"timestamp": "2020-06-05T06:25:01.739-07:00","auditCode": "nodeProcessed","userId": "admin","username": "admin","tenantName": "defaultTenant","success": true,"arguments": {"node": "Spinner.Create Data","outputRecordCounts": "Sample Data:20","nodeLocator": "object:element:27c4ad3e-ae40-4457-babf-bc97f0716859~child:e325f4fe-447f-4f64-25c-e7c66e383eee","startTime": "2020-06-05T06:25:01.473-07:00","runState": "PASSED","elapsedTimeMS": 266,"graph": "Spinner"}}`

"auditCode":"nodeProcessing"

and

"auditCode":"nodeProcessed"

When a node is executed, two entries are added to the log:

nodeProcessing is logged when node execution is initiated, then when the run is complete, nodeProcessed is logged, indicating whether the run was successful or not.

The reference to the node that is being executed is logged in the following format: node=<Data flow name>.<node> e.g. node=Untitled Data Flow.Create Data

{"timestamp": "2020-06-05T06:30:00.193-07:00","auditCode":"nodeProcessing","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"node":"Spinner.Create Data","nodeLocator":"object:element:27c4ad3e-ae40-4457-babf-bc97f0716859~child:e325f4fe-447f-4f64-a25c-e7c66e383eee","runState": "IN_PROGRESS","graph": "Spinner"}}

{"timestamp": "2020-06-05T06:25:01.739-07:00","auditCode": "nodeProcessed","userId": "admin","username": "admin","tenantName": "defaultTenant","success": true,"arguments": {"node": "Spinner.Create Data","outputRecordCounts": "Sample Data:20","nodeLocator": "object:element:27c4ad3e-ae40-4457-babf-bc97f0716859~child:e325f4fe-447f-4f64-25c-e7c66e383eee","startTime": "2020-06-05T06:25:01.473-07:00","runState": "PASSED","elapsedTimeMS": 266,"graph": "Spinner"}}

Create, update or run a schedule

Log entry	User action and example
`"auditCode":" simpleScheduledTaskService.<action>"` and `"auditCode":"scheduledTaskService.<action>"`	When a user creates a schedule, several entries are added to the audit log including `scheduledTaskService.create` and `scheduledTaskService.update`. The entry of particular interest is the `simpleScheduledTaskService.create` method as this entry contains the data flow ID. {"timestamp":"2018-11-05T14:09:14.478Z","auditCode":"simpleScheduledTaskService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"containerLocator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462","simpleScheduledTaskDto":{"id":"6e140249-5b0d-4428-9913-c19672336633","name":"schedule test","description":null,"enabled":true,"triggerProperties":{"cronExpression":"0 09 14 1 1/1 ? ","startDateTime":"2018-11-05T14:09:06Z","interval":"monthly","monthlyScheduleOption":"day-of-week"},"runAs":null,"dataflowId":"067b1366-488e-4854-b938-0593bc365937","runProperties":{},"searchPath":["object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462"]}},"response":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462~scheduled-task:6e140249-5b0d-4428-9913-c19672336633"} When a schedule is updated, two entries are added to the audit log: `scheduledTaskService.update` and `simpleScheduledTaskService.update`. The `simpleScheduledTaskService.update` method is the most useful as this contains the data flow ID. {"timestamp":"2018-11-05T14:38:48.707Z","auditCode":"simpleScheduledTaskService.update","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"scheduledTaskResourceLocator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462~scheduled-task:d4dfbeca-b5b6-42af-b961-a646ae39b002","simpleScheduledTaskDto":{"id":"d4dfbeca-b5b6-42af-b961-a646ae39b002","name":"red schedule","description":"edit","enabled":true,"triggerProperties":{"cronExpression":"0 36 14 1 1/1 ? ","startDateTime":"2018-11-05T14:38:44Z","interval":"monthly","monthlyScheduleOption":"day-of-week"},"runAs":null,"dataflowId":"7cb915b2-696c-4247-8aab-6cba41f3af45","runProperties":{},"searchPath":["object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462"]}}} The `simpleScheduledTaskService.runNow` method indicates that a user has triggered a schedule to run immediately. Note that as a result of this action, you will also see the following run data flow audit log entries: `executionSessionService.create`, `executionSessionService.update` and `executionSessionService.execute`. {"timestamp":"2018-11-05T14:45:15.865Z","auditCode":"simpleScheduledTaskService.runNow","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"scheduledTaskLocator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462~scheduled-task:d4dfbeca-b5b6-42af-b961-a646ae39b002","simpleScheduledTaskRunNowDto":{"executionPlanStateLocator":null,"overriddenRunProperties":{},"concurrentExecutionStrategy":"SKIP"}}} When a user deletes a schedule, the following audit entries are logged: `scheduledTaskService.delete` `simpleScheduledTaskService.delete` `executionSessionService.delete` `executionSessionService.update`
`"auditCode":"executionPlanExecute"`	`executionPlanExecute` is logged when an automated schedule runs. Additional log entries are also created for this action, similar to those that are created when a user triggers a schedule to run immediately. Tip: Unlike when a user triggers a data flow to run immediately, when the system runs a schedule, `scheduledTaskId` and `scheduledTaskName` attributes are logged in place of `userid` and `username`. {"timestamp":"2018-11-05T14:49:00.536Z","auditCode":"executionPlanExecute","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"taskProperties":{"executionPlanLocator":"object:!tenant:defaultTenant~directory:__Root__~directory:__Users__~directory:c5eb280e-773f-d5bc-679a-455d6d702462~scheduled-task:4930fcfe-2e64-49db-a5c2-bb67bdf7bcf3~execution-plan:3730329e-f1b4-4948-a36d-eabf4bd2ea0b"},"scheduledTaskId":"4930fcfe-2e64-49db-a5c2-bb67bdf7bcf3","scheduledTaskName":"new schedule"},"response":""}
`"auditCode":"dataflowProcessing"`	`dataflowProcessing` is logged when a scheduled data flow begins to execute. `{"timestamp": "2020-06-05T06:20:00.254-07:00","auditCode": "dataflowProcessing","userId": "admin","username": "admin","tenantName": "defaultTenant","success": true,"arguments": {"graphLocator": "object:!tenant:defaultTenant~workspace:8e6bbf00-578e-446c-be67-6d247c8118d6~graph:3d767b3f-f4cd-4d5d-bbb4-8dcd755952f9~element:27c4ad3e-ae40-4457-babf-bc97f0716859","graph": "Spinner"}}`
`"auditCode":"dataflowProcessed"`	`dataflowProcessed` is logged when the scheduled execution of a data flow is complete. `{"timestamp": "2020-06-05T06:20:02.358-07:00","auditCode": "dataflowProcessed","userId": "admin","username": "admin","tenantName": "defaultTenant","success": true,"arguments": {"duration": "00:00:01:210","graphLocator": "object:!tenant:defaultTenant~workspace:8e6bbf00-578e-446c-be67-6d247c8118d6~graph:3d767b3f-f4cd-4d5d-bbb4-8dcd755952f9~element:27c4ad3e-ae40-4457-babf-bc97f0716859","graph": "Spinner","status": "SUCCEEDED"}}`

Run clean up settings

Log entry User action and example

Log entry	User action and example
`"auditCode":"scheduledTaskService.create"` and `"auditCode":"scheduledTaskConfigurationService.create"`	The following entries are logged when a new schedule setting is set, for example if a user chooses to delete temporary data after a successful run or specifies a number of recent scheduled runs to keep: `scheduledTaskConfigurationService.create` and `scheduledTaskService.create`. {"timestamp":"2018-11-05T13:53:34.314Z","auditCode":"scheduledTaskConfigurationService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"configuration":{"id":"adb57e53-3e1c-4476-928b-320cc6c3bace","name":"scheduler configuration","type":"scheduler-task-configuration","properties":{"clearTemporaryFilesSuccessfulRuns":{"name":"clearTemporaryFilesSuccessfulRuns","value":"false","type":null,"encrypted":null,"encrypted":null},"disabledExecutionPlanStatesToKeep":{"name":"disabledExecutionPlanStatesToKeep","value":"2","type":null,"encrypted":null,"encrypted":null}}},"containerLocator":"object:!tenant:defaultTenant"},"response":"object:!tenant:defaultTenant~configuration:adb57e53-3e1c-4476-928b-320cc6c3bace"} When a schedule setting is changed, for example if a user modifies the period of time for which they want to keep scheduled runs, the following entries are logged: `scheduledTaskConfigurationService.update` `scheduledTaskService.update`

"auditCode":"scheduledTaskService.create"

and

"auditCode":"scheduledTaskConfigurationService.create"

The following entries are logged when a new schedule setting is set, for example if a user chooses to delete temporary data after a successful run or specifies a number of recent scheduled runs to keep:

scheduledTaskConfigurationService.create and scheduledTaskService.create.

{"timestamp":"2018-11-05T13:53:34.314Z","auditCode":"scheduledTaskConfigurationService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"configuration":{"id":"adb57e53-3e1c-4476-928b-320cc6c3bace","name":"scheduler configuration","type":"scheduler-task-configuration","properties":{"clearTemporaryFilesSuccessfulRuns":{"name":"clearTemporaryFilesSuccessfulRuns","value":"false","type":null,"encrypted":null,"encrypted":null},"disabledExecutionPlanStatesToKeep":{"name":"disabledExecutionPlanStatesToKeep","value":"2","type":null,"encrypted":null,"encrypted":null}}},"containerLocator":"object:!tenant:defaultTenant"},"response":"object:!tenant:defaultTenant~configuration:adb57e53-3e1c-4476-928b-320cc6c3bace"}

When a schedule setting is changed, for example if a user modifies the period of time for which they want to keep scheduled runs, the following entries are logged:

scheduledTaskConfigurationService.update

scheduledTaskService.update

LDAP/AD integration

Log entry User action and example

Log entry	User action and example
`"auditCode":"authenticationConfigurationService.<action>"`	`authenticationConfigurationService.create` indicates that LDAP/AD authentication configuration has been initiated. As a result of a user configuring LDAP/AD authentication settings, you will also see `authenticationConfigurationService.validate` and `authenticationConfigurationService.update` log entries where the submitted authentication configuration is validated and updated. {"timestamp":"2018-11-05T08:26:47.281-05:00","auditCode":"authenticationConfigurationService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"configuration":{"id":"c8d7eb00-c9ba-4539-84fa-0c2e2bc324df","name":"default-ldap-authentication","type":"authentication-provider-configuration","properties":{"netBiosDomain":{"encrypted":null,"encrypted":null,"name":"netBiosDomain","value":null,"type":null},"referral":{"encrypted":null,"encrypted":null,"name":"referral","value":"follow","type":null},"userSearchFilter":{"encrypted":null,"encrypted":null,"name":"userSearchFilter","value":null,"type":null},"name":{"encrypted":null,"encrypted":null,"name":"name","value":"default-ad-provider","type":null},"type":{"encrypted":null,"encrypted":null,"name":"type","value":"ad-ldap","type":null},"url":{"encrypted":null,"encrypted":null,"name":"url","value":"ldap://aws-dc1.lavastorm.local.com:389/dc=lavastorm,dc=local,dc=com","type":null},"bindPrincipalAttribute":{"encrypted":null,"encrypted":null,"name":"bindPrincipalAttribute","value":"sAMAccountName","type":null}}}},"response":{"referral":"follow","testMode":false,"securityLevel":"simple"}}
`"auditCode":"userimportService.<action>"`	`userimportService.importUsers` indicates that LDAP/AD users have been imported. There would also be corresponding entries for each user and group created or updated as a result of the import. {"timestamp":"2018-11-05T08:14:20.27-05:00","auditCode":"userimportService.importUsers","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"configurationLocator":"object:!tenant:defaultTenant~configuration:ui-ldap-import-config-item"},"response":{"totalUsers":2,"usersCreated":2,"usersRemoved":0,"usersNotUpdated":0,"usersUpdated":0,"invalidUsers":0,"totalGroups":2,"groupsCreated":2,"groupsRemoved":0,"groupsNotUpdated":0,"groupsUpdated":0,"invalidGroups":0}}
`"auditCode":"userimportConfigurationService.<action>"`	`userimportConfigurationService.create` indicates that LDAP/AD user import settings have been configured. `userimportConfigurationService.update` indicates that the LDAP/AD import settings have been modified. Note that has a result of configuring or editing LDAP/AD user import settings, you will also see a `"auditCode":"securityConfigurationService.setSecurityConfig"` log entry. {"timestamp":"2018-11-05T09:01:32.453-05:00","auditCode":"create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"configuration":{"id":"ui-ldap-import-config-item","name":"ldap import config","type":"user-import-configuration","properties":{"groupRetrievalStrategy":{"encrypted":null,"encrypted":null,"name":"groupRetrievalStrategy","value":"DO_NOT_RETRIEVE_GROUPS","type":null},"importUsersAsLowercase":{"encrypted":null,"encrypted":null,"name":"importUsersAsLowercase","value":"true","type":null},"userNameAttribute":{"encrypted":null,"encrypted":null,"name":"userNameAttribute","value":"userPrincipalName","type":null},"searchTimeLimit":{"encrypted":null,"encrypted":null,"name":"searchTimeLimit","value":"0","type":null},"url":{"encrypted":null,"encrypted":null,"name":"url","value":"ldap://aws-dc1.lavastorm.local.com:389/dc=lavastorm,dc=local,dc=com","type":null},"searchSubTree":{"encrypted":null,"encrypted":null,"name":"searchSubTree","value":"true","type":null},"password":{"encrypted":"LAVASTORM_SECURE_STORE","encrypted":true,"name":"password","value":"[NOT OUTPUT]","type":"Password"},"referral":{"encrypted":null,"encrypted":null,"name":"referral","value":"follow","type":null},"searchCountLimit":{"encrypted":null,"encrypted":null,"name":"searchCountLimit","value":"0","type":null},"pagingLimit":{"encrypted":null,"encrypted":null,"name":"pagingLimit","value":"0","type":null},"defaultRoles":{"encrypted":null,"encrypted":null,"name":"defaultRoles","value":"explorer","type":null},"ignorePartialResultError":{"encrypted":null,"encrypted":null,"name":"ignorePartialResultError","value":"false","type":null},"userFilter":{"encrypted":null,"encrypted":null,"name":"userFilter","value":"(&(objectClass=person)(\|(userPrincipalName=adminuser@example.com)(userPrincipalName=auser@example.com)))","type":null},"username":{"encrypted":null,"encrypted":null,"name":"username","value":"cn=laeldap,ou=Warrington Service Accounts,dc=lavastorm,dc=local,dc=com","type":null}}},"containerLocator":"object:!tenant:defaultTenant"},"response":"object:!tenant:defaultTenant~configuration:ui-ldap-import-config-item"}

"auditCode":"authenticationConfigurationService.<action>"

authenticationConfigurationService.create indicates that LDAP/AD authentication configuration has been initiated.

As a result of a user configuring LDAP/AD authentication settings, you will also see authenticationConfigurationService.validate and authenticationConfigurationService.update log entries where the submitted authentication configuration is validated and updated.

{"timestamp":"2018-11-05T08:26:47.281-05:00","auditCode":"authenticationConfigurationService.create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"configuration":{"id":"c8d7eb00-c9ba-4539-84fa-0c2e2bc324df","name":"default-ldap-authentication","type":"authentication-provider-configuration","properties":{"netBiosDomain":{"encrypted":null,"encrypted":null,"name":"netBiosDomain","value":null,"type":null},"referral":{"encrypted":null,"encrypted":null,"name":"referral","value":"follow","type":null},"userSearchFilter":{"encrypted":null,"encrypted":null,"name":"userSearchFilter","value":null,"type":null},"name":{"encrypted":null,"encrypted":null,"name":"name","value":"default-ad-provider","type":null},"type":{"encrypted":null,"encrypted":null,"name":"type","value":"ad-ldap","type":null},"url":{"encrypted":null,"encrypted":null,"name":"url","value":"ldap://aws-dc1.lavastorm.local.com:389/dc=lavastorm,dc=local,dc=com","type":null},"bindPrincipalAttribute":{"encrypted":null,"encrypted":null,"name":"bindPrincipalAttribute","value":"sAMAccountName","type":null}}}},"response":{"referral":"follow","testMode":false,"securityLevel":"simple"}}

"auditCode":"userimportService.<action>"

userimportService.importUsers indicates that LDAP/AD users have been imported. There would also be corresponding entries for each user and group created or updated as a result of the import.

{"timestamp":"2018-11-05T08:14:20.27-05:00","auditCode":"userimportService.importUsers","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"configurationLocator":"object:!tenant:defaultTenant~configuration:ui-ldap-import-config-item"},"response":{"totalUsers":2,"usersCreated":2,"usersRemoved":0,"usersNotUpdated":0,"usersUpdated":0,"invalidUsers":0,"totalGroups":2,"groupsCreated":2,"groupsRemoved":0,"groupsNotUpdated":0,"groupsUpdated":0,"invalidGroups":0}}

"auditCode":"userimportConfigurationService.<action>"

userimportConfigurationService.create indicates that LDAP/AD user import settings have been configured.

userimportConfigurationService.update indicates that the LDAP/AD import settings have been modified.

Note that has a result of configuring or editing LDAP/AD user import settings, you will also see a "auditCode":"securityConfigurationService.setSecurityConfig" log entry.

{"timestamp":"2018-11-05T09:01:32.453-05:00","auditCode":"create","userId":"admin","username":"admin","tenantName":"defaultTenant","success":true,"arguments":{"configuration":{"id":"ui-ldap-import-config-item","name":"ldap import config","type":"user-import-configuration","properties":{"groupRetrievalStrategy":{"encrypted":null,"encrypted":null,"name":"groupRetrievalStrategy","value":"DO_NOT_RETRIEVE_GROUPS","type":null},"importUsersAsLowercase":{"encrypted":null,"encrypted":null,"name":"importUsersAsLowercase","value":"true","type":null},"userNameAttribute":{"encrypted":null,"encrypted":null,"name":"userNameAttribute","value":"userPrincipalName","type":null},"searchTimeLimit":{"encrypted":null,"encrypted":null,"name":"searchTimeLimit","value":"0","type":null},"url":{"encrypted":null,"encrypted":null,"name":"url","value":"ldap://aws-dc1.lavastorm.local.com:389/dc=lavastorm,dc=local,dc=com","type":null},"searchSubTree":{"encrypted":null,"encrypted":null,"name":"searchSubTree","value":"true","type":null},"password":{"encrypted":"LAVASTORM_SECURE_STORE","encrypted":true,"name":"password","value":"[NOT OUTPUT]","type":"Password"},"referral":{"encrypted":null,"encrypted":null,"name":"referral","value":"follow","type":null},"searchCountLimit":{"encrypted":null,"encrypted":null,"name":"searchCountLimit","value":"0","type":null},"pagingLimit":{"encrypted":null,"encrypted":null,"name":"pagingLimit","value":"0","type":null},"defaultRoles":{"encrypted":null,"encrypted":null,"name":"defaultRoles","value":"explorer","type":null},"ignorePartialResultError":{"encrypted":null,"encrypted":null,"name":"ignorePartialResultError","value":"false","type":null},"userFilter":{"encrypted":null,"encrypted":null,"name":"userFilter","value":"(&(objectClass=person)(|(userPrincipalName=adminuser@example.com)(userPrincipalName=auser@example.com)))","type":null},"username":{"encrypted":null,"encrypted":null,"name":"username","value":"cn=laeldap,ou=Warrington Service Accounts,dc=lavastorm,dc=local,dc=com","type":null}}},"containerLocator":"object:!tenant:defaultTenant"},"response":"object:!tenant:defaultTenant~configuration:ui-ldap-import-config-item"}

Audit logging - 3.12

Data360 Analyze Server Help

Understanding the audit log

Identifying and tracing actions