As an administrator or security team member, you can use Audit Logs to see who is using Datadog within your organization and the context in which they are using Datadog. As an individual, you can see a stream of your own actions, too.
There are two types of events that can occur within an audit log: request events, which translate all requests made to Datadog’s API into customer records, and product-specific events.
For example, track the request events around a breaking change so you can see which API calls led up to it. Or, if you’re an enterprise or billing admin, use audit logs to track user events that change the state of your infrastructure.
In those cases, audit logs help answer questions about product-specific events such as:
Who changed the retention of an index, and when, because the log volume and therefore the monthly bill has changed.
Who modified processors or pipelines, and when, because a dashboard or monitor is now broken and needs to be fixed.
Who modified an exclusion filter, because the indexing volume has increased or decreased, logs can no longer be found, or your bill went up.
For security admins or InfoSec teams, audit logs help with compliance checks and maintaining audit trails of who did what, and when, for your Datadog resources. For example, maintaining an audit trail:
Of any time someone updates or deletes critical dashboards, monitors, and other Datadog resources.
For user logins, account, or role changes in your organization.
To enable Audit Logs, navigate to your Organization Settings and select Audit Logs Settings under Security. Click the Enable button.
Event types are a collection of audit events. For example, the Authentication event type contains all logs related to authentication and the Dashboards event type contains all the logs related to interacting with the dashboards product. To enable an event type, navigate to the Audit Logs Settings section of your Organization Settings and toggle on event types that are relevant to you.
Archiving is an optional feature for Audit Logs. You can use archiving to write to Amazon S3, Google Cloud Storage, or Azure Storage and have your SIEM system read events from it. After creating or updating your archive configurations, it can take several minutes before the next archive upload is attempted. Logs are uploaded to the archive every 15 minutes, so check back on your storage bucket in 15 minutes to make sure the archives are successfully being uploaded from your Datadog account.
To enable archiving for Audit Logs, navigate to your Organization Settings and select Audit Logs Settings under Security. Scroll down to Archiving and click the Store logs toggle to enable.
Retaining logs is an optional feature for Audit Logs. To enable, navigate to your Organization Settings and select Audit Logs Settings under Security. Scroll down to Retention and click the Retain logs toggle to enable.
The default retention period for an audit log is seven days. You can set a retention period between three and 90 days.
Note: Audit Logs are priced as retained logs, and there is no cost for ingestion or archiving. See the Log Management pricing page for more information.
Audit Logs have the same functionality as logs within the Datadog Logs Explorer:
Filter to inspect audit logs by Event Names (Dashboards, Monitors, Authentication, etc), Authentication Attributes (Actor, API Key ID, User email, etc), Status (Info), Method (DELETE), and other facets.
Inspect related audit logs by selecting a log and navigating to the event attributes tab. Select a specific attribute to filter by or exclude from your search, such as
To create a monitor on a type of audit log or by specific log attributes, see the Audit Logs Monitor documentation. For example, set a monitor that triggers when a specific user logs in, or set a monitor for anytime a dashboard is deleted.
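The two monitor conditions described above (a login by a specific user, and any dashboard deletion) can also be evaluated by a SIEM over the archived events. The following is an added example, not Datadog's own code: it parses a gzip-compressed JSON-lines archive object and flags matching events. The sample events and the attribute names (evt.name, action, usr.email, http.method) are constructed for this example and are assumptions, not a statement of the archive's documented schema.

```python
import gzip
import io
import json
from typing import Iterable, Iterator, List, Tuple


def _ev(ts: str, name: str, action: str, email: str, method: str) -> dict:
    """Build one constructed audit event in the shape assumed by this example."""
    return {"date": ts, "attributes": {"evt": {"name": name}, "action": action,
                                       "usr": {"email": email}, "http": {"method": method}}}


# Constructed archive object: four events, newline-delimited JSON, gzip-compressed,
# standing in for what a SIEM would read from the S3/GCS/Azure archive bucket.
SAMPLE_ARCHIVE = gzip.compress("\n".join(json.dumps(e) for e in [
    _ev("2024-05-01T10:00:00Z", "authentication", "login", "alice@example.com", "POST"),
    _ev("2024-05-01T10:05:00Z", "dashboard", "deleted", "bob@example.com", "DELETE"),
    _ev("2024-05-01T10:07:00Z", "dashboard", "modified", "bob@example.com", "PUT"),
    _ev("2024-05-01T10:09:00Z", "authentication", "login", "carol@example.com", "POST"),
]).encode("utf-8"))


def iter_archive_events(blob: bytes) -> Iterator[dict]:
    """Yield one parsed event per non-empty line of a gzip-compressed JSON-lines object."""
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield json.loads(line)


def flag_events(events: Iterable[dict], watched_user: str) -> List[Tuple[str, str, str]]:
    """Return (rule, actor, timestamp) for every dashboard deletion and every login by watched_user."""
    alerts = []
    for ev in events:
        attrs = ev.get("attributes", {})
        name = attrs.get("evt", {}).get("name")
        action = attrs.get("action")
        actor = attrs.get("usr", {}).get("email")
        if name == "dashboard" and action == "deleted":
            alerts.append(("dashboard_deleted", actor, ev["date"]))
        if name == "authentication" and action == "login" and actor == watched_user:
            alerts.append(("watched_user_login", actor, ev["date"]))
    return alerts


if __name__ == "__main__":
    for alert in flag_events(iter_archive_events(SAMPLE_ARCHIVE), "alice@example.com"):
        print(alert)
```

Because archives are uploaded every 15 minutes, alerts raised this way lag the event by up to that interval; use a Datadog monitor when near-real-time notification matters.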
Give more visual context to your audit logs with dashboards. To create an Audit Logs dashboard: