About the Audit app
Events such as user logins, command execution, and configuration changes happen daily across ITRS Analytics. These events must be recorded so that when something goes wrong, or when compliance, security, or operations teams need evidence, you can determine what happened, who was involved, and whether the action succeeded.
The Audit app allows administrators to view the ITRS Analytics audit trail in a read-only interface, providing comprehensive visibility into system activity. Use it to search and filter audit events stored by the platform audit service for routine audits, security reviews, or incident response.
Use cases
The Audit app is primarily for system admins, security teams, and operators who need evidence of platform activity for compliance, access review, or incident response.
- Compliance audit — centralized evidence of system configuration changes and who made them.
- Security review — investigate login activity, access denials, and administrative actions in one place.
- Change tracking — link operational incidents to recent user or system actions and monitor the actions of a particular user over a set period.
- Geneos operations — review Gateway-published audit trail alongside ITRS Analytics-native events.
Prerequisites
Audit ingestion
Events are stored and available for querying only when audit ingestion is enabled on the ITRS Analytics platform. Audit ingestion is enabled by default, so the platform automatically deploys the required audit ingestion components and stores incoming audit event data for querying through the Audit app.
To disable audit event ingestion, set ingestion.audit.enabled to false in the Helm Chart Values Override section of the Admin Console.
If the Audit app is installed but platform audit ingestion is disabled, or the platform audit service is unavailable, the Audit app displays a Required Service Not Installed message instead of the audit events table. This message indicates that the platform is not configured to collect or serve audit data.
Permissions in the IAM app
Access to the Audit app is controlled by your organization’s IAM configuration. To access the app, you must have an ITRS Analytics user account with the admin role. For information about configuring access, see IAM configuration.
Audit events
An event appears in the Audit app when a component publishes it to the platform audit service.
Events may originate from:
- ITRS Analytics platform and apps — for example, configuration changes and IAM-related actions where the publishing component emits an audit event.
- Geneos Gateway — the Gateway audit trail is published to ITRS Analytics alongside metrics and severity events.
- Custom integrations — applications that publish events through the Audit API (POST /v1/audit-events).
Note
Not all platform activity is automatically audited. Metrics, logs, traces, and routine browsing in other apps are not recorded unless a component explicitly publishes an audit event.
Audit event data retention
How long audit events are kept is controlled by platform data retention policies configured in the Ingestion app. By default, audit events are stored for 30 days. Events outside the retention window are no longer available.
Audit app interface
To access the Audit app:
- Log in to the Web Console.
- From the side panel, click Admin.
- Click the Audit tab. The Audit app has a single screen that displays the filter and search area and the audit events table.
Filter audit events
Use filters to narrow results within the selected time range. In the Field dropdown, select which audit field to filter on.
| Field | Description |
|---|---|
| User | User who performed the action. |
| Outcome | Result of the action. |
| Action | Type of action performed. |
| Reporter Name | Name of the component that published the event. |
| Reporter Namespace | Namespace of the publishing component. |
| Context | Filter on entries in the event context map. |
| Source Dimension | Filter on source dimension key and value. |
| Target Dimension | Filter on target dimension key and value. |
Filters on different fields are combined with AND logic where all conditions must match, while multiple values on the same field are combined with OR logic.
Each applied filter appears as a removable chip below the filter bar.
You can also add filters from the audit table. Hover over a cell in the User, Action, Outcome, Reporter Name, or Reporter Namespace column and click the filter icon to add that value as a filter chip. The table refreshes with the updated criteria.
Search audit events
Use the Search bar for global text search across audit event data within the selected time range. Search matches user, action, outcome, source dimensions, target dimensions, and context values. Global search is combined with any active field filters.
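The filter and search rules described above, modelled as an added example (not ITRS code) so you can predict what a set of chips will return. The event shape, key names, exact-match chips on flat fields only, and case-insensitive substring search over values are assumptions of this sketch; the sample events are constructed.

```python
# Added illustration of the documented filter semantics; not ITRS code.
# Event shape and key names are assumptions made for this example.
from collections import defaultdict

# Constructed sample events (not real audit data).
EVENTS = [
    {"id": "e1", "user": "alice", "action": "login", "outcome": "success",
     "context": {"ip": "10.0.0.5"}, "source": {"app": "web-console"}, "target": {}},
    {"id": "e2", "user": "bob", "action": "login", "outcome": "access denied",
     "context": {"ip": "10.0.0.9"}, "source": {"app": "web-console"}, "target": {}},
    {"id": "e3", "user": "bob", "action": "config-change", "outcome": "success",
     "context": {"setting": "retention"}, "source": {"app": "ingestion"},
     "target": {"policy": "audit"}},
    {"id": "e4", "user": "carol", "action": "login", "outcome": "access denied",
     "context": {}, "source": {"app": "gateway"}, "target": {}},
]

def searchable_text(event):
    """Values global search covers per the page: user, action, outcome,
    source dimensions, target dimensions, and context values."""
    parts = [event["user"], event["action"], event["outcome"]]
    for group in ("source", "target", "context"):
        parts += list(event[group].values())
    return " ".join(parts).lower()

def select(events, chips, search=""):
    """chips: list of (field, value) pairs, one per filter chip."""
    by_field = defaultdict(set)
    for field, value in chips:
        by_field[field].add(value)      # same field: values are ORed
    hits = []
    for ev in events:
        # Different fields are ANDed: every field's set must match.
        if not all(ev[f] in vals for f, vals in by_field.items()):
            continue
        # Global search is combined with the active field filters
        # (assumed here: case-insensitive substring match).
        if search and search.lower() not in searchable_text(ev):
            continue
        hits.append(ev["id"])
    return hits

# Two User chips widen the result; adding an Action chip narrows it.
print(select(EVENTS, [("user", "alice"), ("user", "bob"), ("action", "login")]))
```
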
View audit events table
The table displays matching audit events for the selected time range and filters. Results are sorted by timestamp, with the newest events first. The table shows 50 events per page. Use the pagination controls at the bottom of the table to move through additional pages.
| Column | Description |
|---|---|
| Timestamp | When the event occurred, formatted according to your user date, time, and timezone settings. |
| User | User responsible for the event. |
| Action | What action was performed. Hover to preview Context values in a tooltip. |
| Outcome | Result of the action. |
| Reporter Name | Component that published the event. |
| Reporter Namespace | Namespace of the publishing component. |
| Event ID | Unique identifier for the event. |
View event details
Click any row in the audit events table to open the event detail drawer on the right side of the screen.
The drawer title uses the format Event Action: {action}, where {action} is the action value for that event.
| Section | Contents |
|---|---|
| Event Details | Event ID, Outcome, User, and Timestamp. |
| Context | Key-value context data, or a message indicating that no context is available. |
| Event Reporter | Reporter name and namespace. |
| Source Dimensions | Ordered key-value pairs for the event source. |
| Target Dimensions | Ordered key-value pairs for the event target. |
Close the drawer using the Close button or the close control at the top of the panel.
Common workflows
The following examples show how the Audit app can support common audit investigation workflows:
Compliance audit
Review configuration changes and identify who made them.
- Set the time range to the period under review.
- In Field, select Action or use the Search bar with terms related to the configuration change (for example, the component or setting that changed).
- In Field, select User to narrow results to a specific administrator.
- Click matching rows to review Source Dimensions, Target Dimensions, and Context in the event detail drawer.
Security review
Investigate login activity, access denials, and administrative actions.
- Set the time range.
- In Field, select Action and filter on the action type relevant to your environment (for example, login).
- In Field, select Outcome and filter specific values (for example, access denied).
- Open individual events to review Context and dimension data in the event detail drawer.
Change tracking
Link operational incidents to recent user or system actions, or monitor the actions of a particular user over a set period.
To investigate activity around an incident:
- Set the time range to the incident window.
- Optionally filter on Reporter Name to focus on a specific component.
- Use the Search bar or quick-filters from the table to pivot on users or outcomes of interest.
To monitor a particular user’s activity:
- Set the time range to cover the period you are reviewing.
- In Field, select User.
- In Filter, select or enter the user name.
- Review the table and click a row to inspect full event details.
Geneos operations
Review the Gateway-published audit trail alongside ITRS Analytics-native events.
- Set the time range for the period you want to review.
- In Field, select Reporter Name or Reporter Namespace and filter on the Geneos Gateway reporter for your environment.
- You can combine this with filters on User, Action, or Outcome to narrow the results further.
- Review events in the table and open rows in the event detail drawer to compare Gateway-published activity with other audit events in the same time window.