Cloud Identity Event Logs
Download Cloud Identity event logs for critical visibility into authentication, authorization, and administrative events within Cribl.Cloud.
Cloud Identity event logs centralize and standardize events that record authentication, authorization, and administrative actions within Cribl.Cloud. Use these logs to enhance system security, meet compliance requirements, and facilitate troubleshooting.
Cloud Identity event logs are available to download in CSV format. Cribl stores Cloud Identity event logs, and they are encrypted at rest.
Only Organization Owners with a Cribl.Cloud Enterprise license can download Cloud Identity event logs.
Download Cloud Identity Event Logs
To download Cloud Identity event logs:
Log in to Cribl.Cloud Enterprise as an Organization Owner.
On the top bar, select Products.
In the sidebar, under Cribl, select Organization.
On the Organization page, under Security, select Download Last 30 days of Logs.
Captured Events
Cloud Identity event logs capture events that are categorized into either the auth or audit channel, as listed in the table below. The auth channel includes authentication events, and the audit channel includes authorization and administrative events.
| Channel | Action | Description |
|---|---|---|
| auth | user_login | Events that are captured when a user authenticates to a Cribl.Cloud Organization, whether successfully or unsuccessfully. |
| auth | password_change | Events that are captured when users update the password credential associated with their Cribl.Cloud account. |
| audit | add_user_to_organization | Events that are captured when users become a Member of a Cribl.Cloud Organization. |
| audit | remove_user_from_organization | Events that are captured when users are removed from a Cribl.Cloud Organization. |
| audit | update_principal_permissions | Events that are captured when the Permissions associated with users (or API clients) change, including Permission addition and removal. |
Event Details
Captured events in Cloud Identity event logs include the fields listed in the table below.
All logs include a timestamp of when the event occurred, the Source IP address, and the User Agent of the initiator of the event. Logs can include personal data, including email addresses.
| Field | Description |
|---|---|
| id | Unique identifier for the log entry. |
| timestamp | UTC date when the logged event occurred. |
| channel | Logical category for the event: auth (authentication events) or audit (authorization and administrative events). For details, see Captured Events. |
| organization | Cribl.Cloud Organization that the log applies to. |
| workspace | Workspace that the event applies to. Empty unless the event is scoped to a specific Workspace. |
| principal | ID of the user who the event applies to. |
| action | Specific action that the event records. For details, see Captured Events. |
| result | Outcome of the event: success or failure. |
| requestor | ID of the user who performed the action that is captured in the event. For some events, the requestor might be identical to the principal. |
| src | Upstream system that the event originated from. |
| provider | Internal detail about the system that generated the event. |
| targetResource | ID of the resource that was affected by the action that the event records. |
| targetResourceName | Name of the resource that was affected by the action that the event records. |
| targetResourceType | Type of resource that was affected by the action that the event records: user, organization_membership, organization_access, workspace_access, or product_access. |
| userAgent | HTTP user agent string of the requestor. |
| metadata | Additional metadata about the action that the event records. Shape not enforced. |
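
The following added example (not Cribl's own code) shows one way to triage a downloaded export using the channel, action, result, principal, and requestor fields described above. It flags a successful user_login that follows a burst of failures, and an update_principal_permissions event where the requestor is also the principal. The CSV column names, the ISO 8601 timestamp format, the sample rows, and the threshold and window values are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumed to equal the documented
# field names; the timestamp format (ISO 8601, UTC) is also an assumption.
SAMPLE_CSV = """\
id,timestamp,channel,principal,action,result,requestor
1,2024-05-01T10:00:00Z,auth,u1,user_login,failure,u1
2,2024-05-01T10:01:00Z,auth,u1,user_login,failure,u1
3,2024-05-01T10:02:00Z,auth,u1,user_login,failure,u1
4,2024-05-01T10:03:00Z,auth,u1,user_login,success,u1
5,2024-05-01T10:05:00Z,auth,u2,user_login,failure,u2
6,2024-05-01T10:06:00Z,auth,u2,user_login,success,u2
7,2024-05-01T10:10:00Z,audit,u1,update_principal_permissions,success,u1
8,2024-05-01T10:12:00Z,audit,u2,update_principal_permissions,success,u3
"""

def parse_ts(value):
    # Normalize a trailing "Z" so older Python versions can parse the offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(csv_text, threshold=3, window=timedelta(minutes=10)):
    """Return (finding, principal, event id) tuples worth a manual review."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: parse_ts(r["timestamp"]))
    failures = defaultdict(list)  # principal -> timestamps of failed logins
    findings = []
    for row in rows:
        ts, who = parse_ts(row["timestamp"]), row["principal"]
        if row["channel"] == "auth" and row["action"] == "user_login":
            if row["result"] == "failure":
                failures[who].append(ts)
                continue
            # Successful login: was it preceded by a burst of failures?
            recent = [t for t in failures[who] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append(("login_after_failures", who, row["id"]))
            failures[who].clear()
        elif (row["action"] == "update_principal_permissions"
              and row["result"] == "success" and row["requestor"] == who):
            # The principal changed its own Permissions.
            findings.append(("self_permission_change", who, row["id"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```

Because events can take up to 1 hour to appear and the export covers only the last 30 days, a check like this fits a scheduled review of each download rather than real-time alerting.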
Log Latency
Events are listed in Cloud Identity event logs as they occur, but it can take up to 1 hour for events to appear.
Log Retention
Cloud Identity event logs include the last 30 days of events.