SaaS Deployment Audit Log

This page describes how to schedule and manage a SaaS deployment Controller Tenant Audit Log.

Splunk AppDynamics refers to a Controller Tenant as the Controller in some portions of the Controller Tenant UI. Consider them one and the same.

This audit capability creates an audit.log file that serves to monitor user activities and configuration changes in the Controller Tenant. Be aware that Cisco AppDynamics customers do not have access to the audit.log file as it is held on the Splunk AppDynamics Controller Tenant server. To retrieve information, you must schedule the report and configure retrieval.

Create an Audit Report

You can use this report to view changes made to the user information, Controller Tenant configuration, and application properties. The Controller Tenant Audit reports on the following attributes:

  • Date and time range
  • ObjectType
  • UserName
  • ObjectName
  • AccountName
  • ApiKeyId (if applicable)
  • Action
  • ApiKeyName (if applicable)
  • ApplicationName
Attention: You must have Company Admin permissions to view and configure scheduled reports.
  1. Click Dashboards & Reports > Reports > Add Report.
  2. Enter Report Title and Report Subtitle. You can label a report CONFIDENTIAL using Report Subtitle.
  3. Optional: Select Show Title Page to include a title page at the beginning of your report file.
  4. Click the Report Type dropdown and select Controller Audit to define the fields in the Reports Data tab.
  5. Configure the Schedule for the report.
  6. Select Report Data or click Next.
  7. Click the Timerange dropdown to set Standard or Custom the time ranges. Custom time range options are available for all the Report Types.
  8. Select your report file format as PDF, JSON, or CSV.
  9. Optional: Uncheck the Show Diff box to remove the Object Changes column from your report file.
  10. Click the Filters dropdown to select the data to include or exclude.
  11. Enter the attribute value.
  12. Click + Add to select more filters.
  13. Select Recipients or click Next.
  14. Enter a recipient email.
    Click Add to send to more than one recipient.
  15. Click Save.
    Right-click anywhere in the Reports page for additional options as well as a Send Report Now option for an immediate look at the audit details.

Retrieve the Audit Log Report

The Audit Log Report is sent by email according to the addresses set up when creating the report. It captures the following information:

  • User logins and information changes

  • Controller Tenant configuration changes

  • Application properties and object changes such as policies, health rules, and entities listed in the above table.

  • Environment properties changes

Splunk AppDynamics supports PDF, JSON, and CSV output formats.

Retrieve Audit History via API

You can retrieve audit history through the ControllerAuditHistory API method, which returns the configuration and user activities record in a JSON or CSV file for the time range specified. This information is the same as that found in the file.

Format

GET /controller/ ControllerAuditHistory?startTime=<start-time>&endTime=<end-time>&include=<field>:<value>&exclude=<field>:<value>

For example:

http://localhost:8080/controller/ControllerAuditHistory?startTime=yyyy-MM-dd&&endTime=yyyy-MM-dd&include=filterName1:filterValue1&include=filterName1:filterValue1&exclude=filterName1:filterValue1&exclude=filterName1:filterValue1
curl --user user1@customer1:welcome "http://demo.appdynamics.com:8090/controller/ControllerAuditHistory?startTime=2015-12-19T10:50:03.607-0700&endTime=2015-12-19T17:50:03.607-0700&timeZoneId=America&Francisco&include=userName:user1&include=action:LOGIN&exclude=accountName:system&exclude=action:OBJECT_UPDATE"
  
[{"timeStamp":1450569821811,"auditDateTime":"2015-12-20T00:03:41.811+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"LOGIN"},{"timeStamp":1450570234518,"auditDateTime":"2015-12-20T00:10:34.518+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"LOGIN"},{"timeStamp":1450570273841,"auditDateTime":"2015-12-20T00:11:13.841+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"OBJECT_CREATED","objectType":"AGENT_CONFIGURATION"},
...
{"timeStamp":1450570675345,"auditDateTime":"2015-12-20T00:17:55.345+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"OBJECT_DELETED","objectType":"BUSINESS_TRANSACTION"},{"timeStamp":1450570719240,"auditDateTime":"2015-12-20T00:18:39.240+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"APP_CONFIGURATION","objectType":"APPLICATION","objectName":"ACME Book Store Application"},{"timeStamp":1450571834835,"auditDateTime":"2015-12-20T00:37:14.835+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action
 
curl --user user1@customer1:welcome "http://127.0.0.1:8080/controller/ControllerAuditHistory?startTime=2019-05-28T08:00:03.607-0700&endTime=2019-05-28T11:32:03.607-0700&timeZoneId=America%2FSan%20Francisco&include=applicationName:ACME"
[{"timeStamp":1559066415823,"auditDateTime":"2019-05-28T18:00:15.823+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"LOGIN","objectId":0,"applicationName":"ACME"}]

Input parameters

Parameter Name Parameter Type Value Mandatory
start-time

Query

Start time in the format: "yyyy-MM-dd'T'HH:mm:ss.SSSZ"

Yes
end-time

Query

End time in the format: "yyyy-MM-dd'T'HH:mm:ss.SSSZ"

Yes
time-zone-id

Query

Time zone

No
include

Query

Restricted information in the audit history

No
exclude

Query

Restricted information in the audit history

No
Warning: To control the size of the output, the range between the start-time and end-time cannot exceed 24 hours. For periods longer than 24 hours, use multiple queries with consecutive time parameters.

  • Multiple filters of the same type are allowed.

  • The backend API treats include filters with the same <field> and relationship as "OR", and filters with different <field> and relationship as "AND".

  • There is no direct interaction between include and exclude filters.

  • Each filter needs to be a parameter, e.g., include=filterName1:filterValue1&include=filterName2:filterValue2. See the below examples.

Audit Log Default Configuration Settings

This table shows the default settings for your Tenant. Contact your Splunk AppDynamics Support to edit these settings.
Name Description Value
audit.enabled Enable or disable audit logging true
audit.log.changes.persisted Enable or disable audit log state change data persistence true
audit.log.file.count The number of log files for rotation once exceeding the size limit 1
audit.log.file.enabled Enable logging audit information into a file true
audit.log.file.location Audit log file locations <empty value means $CONTROLLER_HOME/logs/audit.log>
audit.log.file.size Maximum log file size (in bytes) for audit logging 500000000
audit.log.retention.period Audit log retention period in hours (30 days) 720
Warning: Splunk AppDynamics only retains audit logs for 30 days. If you wish to retain them longer, contact your account manager or download your scheduled reports regularly.

Entries Being Audited

The following entries are audited:

Entries Audited

ACCOUNT

ACCOUNT_ROLE

ACTION_SUPPRESSION_WINDOW

AGENT_CONFIGURATION

ANALYTICS_AGENT_SCOPE

ANALYTICS_API_KEY

ANALYTICS_BUSINESS_JOURNEY

ANALYTICS_DYNAMIC_SERVICE_HIERARCHICAL_CONFIGURATION

ANALYTICS_LOG_SOURCE

ANALYTICS_METRIC

ANALYTICS_SAVED_SEARCH

ANALYTICS_XLM

APPLICATION

APPLICATION_COMPONENT

APPLICATION_COMPONENT_NODE

APPLICATION_CONFIGURATION

APPLICATION_DIAGNOSTIC_DATA

ASYNC_TRANSACTION_CONFIG

BACKEND_DISCOVERY_CONFIG

BUSINESS_TRANSACTION

BUSINESS_TRANSACTION_CONFIG

BUSINESS_TRANSACTION_GROUP

CALL_GRAPH_CONFIGURATION

CUSTOM_ACTION

CUSTOM_CACHE_CONFIGURATION

CUSTOM_EMAIL_ACTION_PLAN_CONFIG

CUSTOM_EXIT_POINT_DEFINITION

CUSTOM_MATCH_POINT_DEFINITION

DASHBOARD

DIAGNOSTIC_SESSION_ACTION

DOT_NET_ERROR_CONFIGURATION

EMAIL_ACTION

ERROR_CONFIGURATION

EUM_CONFIGURATION

EVENT_REACTOR

GLOBAL_CONFIGURATION

GROUP

HTTP_REQUEST_ACTION

HTTP_REQUEST_ACTION_MEDIA_TYPE_CONFIG

HTTP_REQUEST_ACTION_PLAN_CONFIG

HTTP_REQUEST_DATA_GATHERER_CONFIG

INFO_POINT

JIRA_ACTION

JMX_CONFIG

MEMORY_CONFIGURATION

METRIC_BASELINE

MOBILE_APPLICATION

NODEJS_ERROR_CONFIGURATION

NOTIFICATION_CONFIG

OBJECT_INSTANCE_TRACKING

PHP_ERROR_CONFIGURATION

POJO_DATA_GATHERER_CONFIG

POLICY

PYTHON_ERROR_CONFIGURATION

RULE

RUN_LOCAL_SCRIPT_ACTION

SCHEDULED_REPORT

SERVICE_ENDPOINT_DEFINITION

SERVICE_ENDPOINT_MATCH_CONFIG

SMS_ACTION

SQL_DATA_GATHERER_CONFIG

THREAD_DUMP_ACTION

TRANSACTION_MATCH_POINT_CONFIG

USER

WORKFLOW

WORKFLOW_ACTION
Note: The Audit report supports Application Name for the above entities when applicable.

Supported Audit Actions

Below is the list of actions supported in auditing.

Note: Not all of these actions are supported for all of the Audit Entries in the table above.

ACCOUNT_REENABLED

ACCOUNT_ROLE_ADD_PERMISSION

ACCOUNT_ROLE_REMOVE_PERMISSION

ACKNOWLEDGE_GDPR_DATA_PRIVACY

ANOMALY_DETECTION_CONFIG_CHANGED

FLOW_ICON_MOVED

GROUP_ADD_ACCOUNT_ROLE

GROUP_REMOVE_ACCOUNT_ROLE

LDAP_CONFIG_CREATED

LDAP_CONFIG_DELETED

LDAP_CONFIG_UPDATED

LOG_LEVEL_CHANGED

LOGIN

LOGIN_FAILED

LOGOUT

LOGOUT_FAILED

OBJECT_CREATED

OBJECT_DELETED

OBJECT_UPDATED

SAML_AUTHENTICATION_CONFIG_CREATED

SAML_AUTHENTICATION_CONFIG_DELETED

SAML_AUTHENTICATION_CONFIG_UPDATED

USER_ADD_ACCOUNT_ROLE

USER_ADD_TO_GROUP

USER_EMAIL_CHANGED

USER_PASSWORD_CHANGED

USER_PASSWORD_RESET

USER_PASSWORD_RESET_COMPLETED

USER_REMOVE_ACCOUNT_ROLE

USER_REMOVE_FROM_GROUP