About the Audit app

Events such as user logins, command execution, and configuration changes happen daily across ITRS Analytics. These events must be recorded so that when something goes wrong, or when compliance, security, or operations teams need evidence, you can determine what happened, who was involved, and whether the action succeeded.

The Audit app allows administrators to view the ITRS Analytics audit trail in a read-only interface, providing comprehensive visibility into system activity. Use it to search and filter audit events stored by the platform audit service for routine audits, security reviews, or incident response.

Use cases

The Audit app is primarily for system admins, security teams, and operators who need evidence of platform activity for compliance, access review, or incident response.

Prerequisites

Audit ingestion

Events are stored and available for querying only when audit ingestion is enabled on the ITRS Analytics platform. Audit ingestion is enabled by default, so the platform automatically deploys the required audit ingestion components and stores incoming audit event data for querying through the Audit app.

To disable audit event ingestion, set ingestion.audit.enabled to false in the Helm Chart Values Override section of the Admin Console:

[Image: Audit app Helm values override]

If the Audit app is installed but platform audit ingestion is disabled, or the platform audit service is unavailable, the Audit app displays a Required Service Not Installed message instead of the audit events table. This message indicates that the platform is not configured to collect or serve audit data.

Permissions in the IAM app

Access to the Audit app is controlled by your organization’s IAM configuration. To access the app, you must have an ITRS Analytics user account with the admin role. For information about configuring access, see IAM configuration.

Audit events

An event appears in the Audit app when a component publishes it to the platform audit service.

Events may originate from:

Note

Not all platform activity is automatically audited. Metrics, logs, traces, and routine browsing in other apps are not recorded unless a component explicitly publishes an audit event.

Audit event data retention

How long audit events are kept is controlled by platform data retention policies configured in the Ingestion app. By default, audit events are stored for 30 days. Events outside the retention window are no longer available.

Audit app interface

To access the Audit app:

  1. Log in to the Web Console.
  2. From the side panel, click Admin.
  3. Click the Audit tab. The Audit app has a single screen that displays the filter and search area and the audit events table.

Filter audit events

Use filters to narrow results within the selected time range. In the Field dropdown, select which audit field to filter on.

| Field | Description |
| --- | --- |
| User | User who performed the action. |
| Outcome | Result of the action. |
| Action | Type of action performed. |
| Reporter Name | Name of the component that published the event. |
| Reporter Namespace | Namespace of the publishing component. |
| Context | Filter on entries in the event context map. |
| Source Dimension | Filter on source dimension key and value. |
| Target Dimension | Filter on target dimension key and value. |

Filters on different fields are combined with AND logic, so all conditions must match. Multiple values on the same field are combined with OR logic.

Each applied filter appears as a removable chip below the filter bar.

[Image: Audit app filters]

You can also add filters from the audit table. Hover over a cell in the User, Action, Outcome, Reporter Name, or Reporter Namespace column and click the filter icon to add that value as a filter chip. The table refreshes with the updated criteria.

Search audit events

Use the Search bar for global text search across audit event data within the selected time range. Search matches user, action, outcome, source dimensions, target dimensions, and context values. Global search is combined with any active field filters.
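The filter and search semantics described above, modelled in Python as an added example that is not ITRS code. The event field names, the sample events, and the case-insensitive substring matching are assumptions; the model covers the scalar fields only, not the key-and-value Context or dimension filters.

```python
# Constructed sample events. Field names are assumptions modelled on the
# filter fields listed above, not the platform's actual event schema.
EVENTS = [
    {"user": "alice", "action": "login", "outcome": "success",
     "reporter_name": "iam", "context": {"ip": "10.0.0.5"},
     "source": {"app": "web-console"}, "target": {}},
    {"user": "bob", "action": "login", "outcome": "access denied",
     "reporter_name": "iam", "context": {"ip": "10.0.0.9"},
     "source": {"app": "web-console"}, "target": {}},
    {"user": "bob", "action": "update-config", "outcome": "success",
     "reporter_name": "gateway", "context": {"setting": "retention"},
     "source": {}, "target": {"component": "ingestion"}},
    {"user": "carol", "action": "run-command", "outcome": "access denied",
     "reporter_name": "gateway", "context": {},
     "source": {}, "target": {"host": "db01"}},
]

SEARCHED_SCALARS = ("user", "action", "outcome")   # scalar fields search covers
SEARCHED_MAPS = ("source", "target", "context")    # maps whose values it covers


def matches_filters(event, filters):
    """AND across fields, OR across the values selected for one field."""
    return all(event.get(field) in values for field, values in filters.items())


def matches_search(event, text):
    """Assumed behaviour: case-insensitive substring match on searched values."""
    if not text:
        return True
    needle = text.lower()
    haystack = [str(event.get(f, "")) for f in SEARCHED_SCALARS]
    for m in SEARCHED_MAPS:
        haystack += [str(v) for v in event.get(m, {}).values()]
    return any(needle in item.lower() for item in haystack)


def query(events, filters=None, search=""):
    """Global search is combined (AND) with any active field filters."""
    return [e for e in events
            if matches_filters(e, filters or {}) and matches_search(e, search)]
```

For example, `query(EVENTS, {"action": {"login"}, "outcome": {"access denied"}})` returns only the denied login, while `{"user": {"alice", "carol"}}` returns events for either user.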

View audit events table

The table displays matching audit events for the selected time range and filters. Results are sorted by timestamp, with the newest events first. The table shows 50 events per page. Use the pagination controls at the bottom of the table to move through additional pages.

[Image: Audit app events table]

| Column | Description |
| --- | --- |
| Timestamp | When the event occurred, formatted according to your user date, time, and timezone settings. |
| User | User responsible for the event. |
| Action | What action was performed. Hover to preview Context values in a tooltip. |
| Outcome | Result of the action. |
| Reporter Name | Component that published the event. |
| Reporter Namespace | Namespace of the publishing component. |
| Event ID | Unique identifier for the event. |

View event details

Click any row in the audit events table to open the event detail drawer on the right side of the screen.

[Image: Audit app event details]

The drawer title uses the format Event Action: {action}, where {action} is the action value for that event.

| Section | Contents |
| --- | --- |
| Event Details | Event ID, Outcome, User, and Timestamp. |
| Context | Key-value context data, or a message indicating that no context is available. |
| Event Reporter | Reporter name and namespace. |
| Source Dimensions | Ordered key-value pairs for the event source. |
| Target Dimensions | Ordered key-value pairs for the event target. |

Close the drawer using the Close button or the close control at the top of the panel.

Common workflows

The following examples show how the Audit app can support common audit investigation workflows:

Compliance audit

Review configuration changes and identify who made them.

[Image: Audit app config changes]

  1. Set the time range to the period under review.
  2. In Field, select Action or use the Search bar with terms related to the configuration change (for example, the component or setting that changed).
  3. In Field, select User to narrow results to a specific administrator.
  4. Click matching rows to review Source Dimensions, Target Dimensions, and Context in the event detail drawer.

Security review

Investigate login activity, access denials, and administrative actions.

[Image: Audit app login activity]

  1. Set the time range.
  2. In Field, select Action and filter on the action type relevant to your environment (for example, login).
  3. In Field, select Outcome and filter on specific values (for example, access denied).
  4. Open individual events to review Context and dimension data in the event detail drawer.

Change tracking

Link operational incidents to recent user or system actions, or monitor the actions of a particular user over a set period.

[Image: Audit app change tracking]

To investigate activity around an incident:

  1. Set the time range to the incident window.
  2. Optionally filter on Reporter Name to focus on a specific component.
  3. Use the Search bar or quick-filters from the table to pivot on users or outcomes of interest.

To monitor a particular user’s activity:

  1. Set the time range to cover the period you are reviewing.
  2. In Field, select User.
  3. In Filter, select or enter the user name.
  4. Review the table and click a row to inspect full event details.

Geneos operations

Review the Gateway-published audit trail alongside ITRS Analytics-native events.

[Image: Audit app Geneos operations]

  1. Set the time range for the period you want to review.
  2. In Field, select Reporter Name or Reporter Namespace and filter on the Geneos Gateway reporter for your environment.
  3. You can combine this with filters on User, Action, or Outcome to narrow the results further.
  4. Review events in the table and open rows in the event detail drawer to compare Gateway-published activity with other audit events in the same time window.