Humio generates audit log events for many user actions. These events are designed with GDPR requirements in mind and come in two variants, sensitive and non-sensitive. To keep the audit trail trustworthy, sensitive events cannot be modified or deleted through Humio.
Sensitive events include
They are tagged with #sensitive="true". Non-sensitive events are tagged as
All audit log events are written to the internal repository humio-audit, and to the Log4j2 logger named HUMIOAUDITLOG, which by default writes to the file
humio-audit has special retention rules that depend on the sensitive value. Sensitive logs are deleted by retention only when they are too old, controlled by the system configuration option AUDITLOG_SENSITIVE_RETENTION_DAYS. The default is 200 years. Changing this setting requires a systems operator to change the configuration of the servers running Humio and then restart Humio.
Non-sensitive logs are deleted according to the regular retention settings for the repository. The default retention setting for this repository is to keep the log forever. Configure it according to your requirements.
backupAfterMillis, only listing those that are set.
Sign in to Humio: When using Auth0, this event is logged only once, when the user signs in for the first time and is assigned a local UUID. When using LDAP, Humio logs the event every time the user verifies their user name / password combination.
Query: Logged every time a query is submitted on behalf of the user, either through the UI or through the API using the user's API token. Note: Read-only dashboards are not logged here.
Root users are by default allowed to query the data stored in a repository, add and remove users, delete data, and set retention. In other words, they have unrestricted access to all data in the Humio cluster.
Setting the configuration option ENFORCE_AUDITABLE=true restricts root users
Regardless of the value of ENFORCE_AUDITABLE, root users can always:
Special access restrictions apply. A user can be granted access to search the humio-audit repo using the same set of rules as any other repo. Any user who does not have access through those rules can still search the repo, but is restricted to the events in which that user is the "actor" who performed the action.
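The two rules above, the split retention for sensitive versus non-sensitive events and the actor-only visibility for users without repository access, are modelled below in a small added example. This is not Humio's own code: the only field taken from the page is the #sensitive tag, while the actor, type and @timestamp fields, the sample events themselves, and the choice to represent "keep forever" as None are assumptions made for illustration.

```python
"""Toy model of the humio-audit retention and visibility rules.

Added example, not Humio code. Event field names other than the
#sensitive tag (actor, type, @timestamp) are assumed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Page default: AUDITLOG_SENSITIVE_RETENTION_DAYS is 200 years.
DEFAULT_SENSITIVE_RETENTION_DAYS = 200 * 365

# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample events (not real Humio output).
SAMPLE_EVENTS = [
    {"type": "sign-in", "actor": "alice", "#sensitive": "true",
     "@timestamp": NOW - timedelta(days=10 * 365)},
    {"type": "query", "actor": "alice", "#sensitive": "false",
     "@timestamp": NOW - timedelta(days=10 * 365)},
    {"type": "query", "actor": "bob", "#sensitive": "false",
     "@timestamp": NOW - timedelta(days=1)},
    {"type": "delete-data", "actor": "bob", "#sensitive": "true",
     "@timestamp": NOW - timedelta(days=1)},
]


def is_expired(event, now=NOW,
               sensitive_retention_days=DEFAULT_SENSITIVE_RETENTION_DAYS,
               repo_retention_days=None):
    """True if retention would delete the event.

    Sensitive events (#sensitive="true") are governed only by the
    sensitive retention setting; non-sensitive events follow the
    repository's regular retention, where None means keep forever
    (the page's default for humio-audit).
    """
    sensitive = event.get("#sensitive") == "true"
    days = sensitive_retention_days if sensitive else repo_retention_days
    if days is None:
        return False
    return event["@timestamp"] < now - timedelta(days=days)


def apply_retention(events, **kwargs):
    """Split events into (kept, deleted) under the given retention settings."""
    kept, deleted = [], []
    for event in events:
        (deleted if is_expired(event, **kwargs) else kept).append(event)
    return kept, deleted


def visible_to(events, user, has_repo_access):
    """Events a user may see when searching humio-audit.

    A user granted access by the normal repository rules sees everything;
    any other user is restricted to events where they are the actor.
    """
    if has_repo_access:
        return list(events)
    return [e for e in events if e.get("actor") == user]


if __name__ == "__main__":
    # Shorten repo retention to 30 days: only alice's old, non-sensitive
    # query is removed; her equally old sensitive sign-in survives.
    kept, deleted = apply_retention(SAMPLE_EVENTS, repo_retention_days=30)
    print(f"kept={len(kept)} deleted={len(deleted)}")
    # bob has no repo access, so he sees only the events he caused.
    print([e["type"] for e in visible_to(SAMPLE_EVENTS, "bob", False)])
```

The point worth noticing is that shortening the repository's regular retention never touches the sensitive events; they only leave under the separate sensitive setting, which is the property that makes the sensitive trail trustworthy.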