Audit

The Audit Log records every operation made across your entire Shoreline fleet.

The Audit Log stores every single event within your Shoreline cluster, including:

View Audit Logs

Audit UI

The Audit UI is accessible from the Configuration UI by clicking the Audit card under Administration.

The Audit UI displays the full Audit Log in a sortable, filterable, paginated, interactive table.

Open the Period dropdown in the top left to limit the period of Audit Log events you'd like to view.

Download as CSV

Click the download icon at the top-right to download all currently loaded Audit Log events in CSV format.

Event Properties

Each Audit Log event stores its key information as properties of the event object.

Timestamp

The timestamp is when the event occurred.

In the Audit UI this value is displayed as Operation start time.

By default, the Audit Log is sorted in reverse chronological order, displaying the most recent events at the top.

Click on the Operation start time column name to sort by timestamp.


Details

The details property contains a detailed description of the event. Some examples include:

Create File file_26394446492254e0547e7d39a86c7379
Update File file_5fbc2cc72a7d8a4237374b46d7918615
Delete Alarm high_cpu_alarm
Trigger Alarm high_disk_usage_alarm

In many cases, details entries related to a core object such as an Alarm or Bot display a clickable link that takes you to the details page for that object event.

  • Linux command execution

  • User permission changes via Access Control, e.g.: Update User permission gabe@shoreline.io

  • Action, Alarm, and Bot actions

The Audit UI displays this value in the Details column.

Click the Details column header to sort and filter by details.


The filterable options include all Audit Log event types currently loaded in the Audit UI table.

Select one or more event types then click the Apply button to filter by event details.

Status

The status property indicates the status of the event. The possible values are:

  • SUCCESS
  • FAILED
  • CANCELED
  • EXECUTING

The Audit UI displays this value in the Operation status column.

Click the Operation status column header to sort and filter by status.

Select a value from the filter list then click the Apply button to filter by status.

User

The user property indicates the authenticated Shoreline user that triggered the event. This value typically displays the primary identifier of the user, such as their email address.

For events invoked by Shoreline and not caused by a person, the user property displays a Shoreline value.

The User column in the Audit UI displays the triggering user. Click the User column header to sort and filter by user.

Select one or more user entries then click the Apply button to filter by user.

Resource Type

The resourceType property shows the type of Resource affected by this event. The resourceType property is only populated when a known Resource was impacted; otherwise, it is empty.

Possible values are:

  • HOST
  • POD
  • CONTAINER

The Audit UI displays resourceType in the Resource type column. Click the Resource type column header to sort and filter by resourceType.

Select one or more Resource types then click the Apply button to filter by resourceType.

Resource Name

The resourceName property returns all Resources affected by the event.

The Resource type column displays the resourceType property within the Audit UI.

If only a single Resource was impacted by the event then clicking on the Resource type link automatically forwards you to the Resources UI with that specific Resource filtered in the view. When multiple Resources have been affected, a Multiple link is displayed.

Clicking on the Multiple link opens a RESOURCE NAMES dialog with details about the event and the full list of impacted Resources.

Information

The information property returns any extra details about the Audit Log event.

For Linux command events, for example, the information property shows the command that executed and its status, e.g.:

Command `ls /tmp/scripts` succeeded.
Command `ls /tmp/scripts` exited with status 2. Stderr: ls: cannot access '/tmp/scripts': No such file or directory

The Audit entry details column displays information values in the Audit UI. Clicking on the Audit entry details link opens the EVENT DETAILS dialog and shows a bit of information about the event and the full command text.
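
As an added example (not Shoreline's own code), the script below reviews a downloaded CSV export offline: it parses the two information formats shown above, counts failed Linux commands per user, and lists user permission changes. The CSV header names are assumed to match the Audit UI column names, and the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter

# Assumed CSV header names, copied from the Audit UI column names; the
# export's real header row is not shown on this page and may differ.
COL_TIME, COL_DETAILS, COL_STATUS = "Operation start time", "Details", "Operation status"
COL_USER, COL_INFO = "User", "Audit entry details"

# Matches the two information formats shown above for Linux command events.
INFO_RE = re.compile(
    r"^Command `(?P<cmd>.*)` (?:succeeded\.|exited with status (?P<rc>\d+)\."
    r"(?: Stderr: (?P<stderr>.*))?)$",
    re.DOTALL,
)

def parse_information(info):
    """Return (command, exit_status, stderr), or None for non-command events."""
    m = INFO_RE.match(info.strip())
    if m is None:
        return None
    rc = int(m.group("rc")) if m.group("rc") is not None else 0
    return m.group("cmd"), rc, m.group("stderr") or ""

def review(csv_text):
    """Count failed commands per user and list user permission changes."""
    failed, perm_changes = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parsed = parse_information(row.get(COL_INFO) or "")
        if parsed and (parsed[1] != 0 or row.get(COL_STATUS) == "FAILED"):
            failed[row[COL_USER]] += 1
        if (row.get(COL_DETAILS) or "").startswith("Update User permission"):
            perm_changes.append((row[COL_TIME], row[COL_USER], row[COL_DETAILS]))
    return failed, perm_changes

# Constructed sample export (timestamps, users and the "Run Command" details
# text are made up for this example).
SAMPLE = """Operation start time,Details,Operation status,User,Audit entry details
2024-01-01T10:00:00Z,Run Command,SUCCESS,alice@example.com,Command `ls /tmp/scripts` succeeded.
2024-01-01T10:05:00Z,Run Command,FAILED,bob@example.com,Command `ls /tmp/scripts` exited with status 2. Stderr: ls: cannot access '/tmp/scripts': No such file or directory
2024-01-01T10:06:00Z,Run Command,FAILED,bob@example.com,Command `ls /tmp/scripts` exited with status 2. Stderr: ls: cannot access '/tmp/scripts': No such file or directory
2024-01-01T10:10:00Z,Update User permission gabe@shoreline.io,SUCCESS,admin@example.com,
2024-01-01T10:12:00Z,Delete Alarm high_cpu_alarm,SUCCESS,admin@example.com,
"""

if __name__ == "__main__":
    failed, changes = review(SAMPLE)
    print("failed commands per user:", dict(failed))
    print("permission changes:", changes)
```

Adjust the COL_* constants to the header row of your actual export before running it on real data.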
