This audit capability creates an audit.log file and is used to monitor user activities and configuration changes in the Controller. The information is retrieved through the following actions. 

Schedule a Controller Audit Report

You must have account-level permissions to view and configure scheduled reports. Use this report to view changes made to the user information, controller configuration, and application properties. 

  1. Click Dashboards & Reports > Reports > Add Report.

  2. Enter Report Title and Report Subtitle.

    1. You can label a report CONFIDENTIAL using Report Subtitle.

    2. Optionally, select Show Title Page to include a title page at the beginning of your report file.

  3. Select Report Type > Controller Audit to define the fields in the Reports Data tab.

  4. Set the time ranges. You can create and manage custom time range if required.

    1. Note: Custom time range options are available for all the Report Types.

  5. Select your report file format as PDF, JSON, or CSV.

    1. Optionally, uncheck the Show Diff box to remove the Object Changes column from your report file.

  6. Choose the data to include or exclude from the drop-down list.

    1. Repeat as necessary with the following options:

  7. Enter the attribute value.

  8. Click + Add.

You can create new, duplicate existing, or modify current reports as well as set an email delivery schedule to a defined list of recipients. You can also choose the Send Report Now right-click option for an immediate look at the audit details.

The Controller Audit reports on the following attributes:

Date and time range

ObjectType

UserName

ObjectName

AccountName

ApiKeyId (if applicable)

Action

ApiKeyName (if applicable)

ApplicationName



Retrieve Controller Audit Log Report

The Controller Audit Log Report is sent by email according to the addresses added to the configurations page. This report captures the following information:

  • User logins and information changes

  • Controller configuration changes

  • Application properties and object changes such as policies, health rules, and entities listed in the above table

  • Environment properties changes

Splunk AppDynamics supports PDF, JSON, and CSV output formats. 

Retrieve Controller Audit History via API

You can retrieve Controller audit history through the ControllerAuditHistory API method, which returns the configuration and user activities record in a JSON or CSV file for the time range specified. This information is the same as that found in the file.

Format

GET /controller/ ControllerAuditHistory?startTime=<start-time>&endTime=<end-time>&include=<field>:<value>&exclude=<field>:<value>

For example:

http://localhost:8080/controller/ControllerAuditHistory?startTime=yyyy-MM-dd&&endTime=yyyy-MM-dd&include=filterName1:filterValue1&include=filterName1:filterValue1&exclude=filterName1:filterValue1&exclude=filterName1:filterValue1
CODE 
curl --user user1@customer1:welcome "http://demo.appdynamics.com:8090/controller/ControllerAuditHistory?startTime=2015-12-19T10:50:03.607-0700&endTime=2015-12-19T17:50:03.607-0700&timeZoneId=America&Francisco&include=userName:user1&include=action:LOGIN&exclude=accountName:system&exclude=action:OBJECT_UPDATE"
  
[{"timeStamp":1450569821811,"auditDateTime":"2015-12-20T00:03:41.811+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"LOGIN"},{"timeStamp":1450570234518,"auditDateTime":"2015-12-20T00:10:34.518+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"LOGIN"},{"timeStamp":1450570273841,"auditDateTime":"2015-12-20T00:11:13.841+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"OBJECT_CREATED","objectType":"AGENT_CONFIGURATION"},
...
{"timeStamp":1450570675345,"auditDateTime":"2015-12-20T00:17:55.345+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"OBJECT_DELETED","objectType":"BUSINESS_TRANSACTION"},{"timeStamp":1450570719240,"auditDateTime":"2015-12-20T00:18:39.240+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"APP_CONFIGURATION","objectType":"APPLICATION","objectName":"ACME Book Store Application"},{"timeStamp":1450571834835,"auditDateTime":"2015-12-20T00:37:14.835+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action
 
curl --user user1@customer1:welcome "http://127.0.0.1:8080/controller/ControllerAuditHistory?startTime=2019-05-28T08:00:03.607-0700&endTime=2019-05-28T11:32:03.607-0700&timeZoneId=America%2FSan%20Francisco&include=applicationName:ACME"
[{"timeStamp":1559066415823,"auditDateTime":"2019-05-28T18:00:15.823+0000","accountName":"customer1","securityProviderType":"INTERNAL","userName":"user1","action":"LOGIN","objectId":0,"applicationName":"ACME"}]
CODE


Input parameters

Parameter Name
Parameter Type
Value

Mandatory

start-time

Query

Start time in the format: "yyyy-MM-dd'T'HH:mm:ss.SSSZ"

Yes

end-time

Query

End time in the format: "yyyy-MM-dd'T'HH:mm:ss.SSSZ"

Yes

time-zone-id

Query

Time zone

No

include

Query

Restricted information in the Controller audit history

No

exclude

Query

Restricted information in the Controller audit history

No

To control the size of the output, the range between the start-time and end-time cannot exceed twenty-four hours. For periods longer than 24 hours, use multiple queries with consecutive time parameters.

  • Multiple filters of the same type are allowed.

  • The backend API treats include filters with the same <field> and relationship as "OR", and filters with different <field> and relationship as "AND".

  • There is no direct interaction between include and exclude filters.

  • Each filter needs to be a parameter, e.g., include=filterName1:filterValue1&include=filterName2:filterValue2. See the below examples.

Controller Audit Log Default Configuration Settings 

This table shows default settings for your controller. Contact customer support to edit these settings.

Name

Description

Value

audit.enabled

Enable or disable audit logging

true

audit.log.changes.persisted

Enable or disable audit log state change data persistence

true

audit.log.file.count

The number of log files for rotation once exceeding size limit.

1

audit.log.file.enabled

Enable logging audit information into a file.

true

audit.log.file.location

Audit log file locations <empty value means $CONTROLLER_HOME/logs/audit.log>


audit.log.file.size

Maximum log file size (in bytes) for audit logging.

500000000

audit.log.retention.period

Audit log retention period in hours (30 days).

720

Be aware that Splunk AppDynamics only retains Controller Audit Logs for 30 days. If you wish to retain them longer, contact your account manager or download your scheduled reports regularly.

What is Audited

The following entries are audited:

ACCOUNT

ACCOUNT_ROLE

ACTION_SUPPRESSION_WINDOW

AGENT_CONFIGURATION


ANALYTICS_DYNAMIC_SERVICE_HIERARCHICAL_CONFIGURATION


APPLICATION

APPLICATION_COMPONENT

APPLICATION_COMPONENT_NODE

APPLICATION_CONFIGURATION

APPLICATION_DIAGNOSTIC_DATA

ASYNC_TRANSACTION_CONFIG

BACKEND_DISCOVERY_CONFIG

BUSINESS_TRANSACTION

BUSINESS_TRANSACTION_CONFIG

BUSINESS_TRANSACTION_GROUP

CALL_GRAPH_CONFIGURATION

CUSTOM_ACTION

CUSTOM_CACHE_CONFIGURATION

CUSTOM_EMAIL_ACTION_PLAN_CONFIG

CUSTOM_EXIT_POINT_DEFINITION

CUSTOM_MATCH_POINT_DEFINITION

DASHBOARD

DIAGNOSTIC_SESSION_ACTION

DOT_NET_ERROR_CONFIGURATION

EMAIL_ACTION

ERROR_CONFIGURATION

EUM_CONFIGURATION

EVENT_REACTOR

GLOBAL_CONFIGURATION

GROUP

HTTP_REQUEST_ACTION

HTTP_REQUEST_ACTION_MEDIA_TYPE_CONFIG

HTTP_REQUEST_ACTION_PLAN_CONFIG

HTTP_REQUEST_DATA_GATHERER_CONFIG

INFO_POINT

JIRA_ACTION

JMX_CONFIG

MEMORY_CONFIGURATION

METRIC_BASELINE

MOBILE_APPLICATION

NODEJS_ERROR_CONFIGURATION

NOTIFICATION_CONFIG

OBJECT_INSTANCE_TRACKING

PHP_ERROR_CONFIGURATION

POJO_DATA_GATHERER_CONFIG

POLICY

PYTHON_ERROR_CONFIGURATION

RULE

RUN_LOCAL_SCRIPT_ACTION

SCHEDULED_REPORT

SERVICE_ENDPOINT_DEFINITION

SERVICE_ENDPOINT_MATCH_CONFIG

SMS_ACTION

SQL_DATA_GATHERER_CONFIG

THREAD_DUMP_ACTION

TRANSACTION_MATCH_POINT_CONFIG

USER

WORKFLOW

WORKFLOW_ACTION



The Audit report now supports Application Name for the above entities when applicable.

Supported Audit Actions 

Below is the list of actions supported in auditing.

Note that not all of these actions are supported for all of the Audit Entries in the table above.

ACCOUNT_REENABLED

ACCOUNT_ROLE_ADD_PERMISSION

ACCOUNT_ROLE_REMOVE_PERMISSION

ACKNOWLEDGE_GDPR_DATA_PRIVACY

ANOMALY_DETECTION_CONFIG_CHANGED

FLOW_ICON_MOVED

GROUP_ADD_ACCOUNT_ROLE

GROUP_REMOVE_ACCOUNT_ROLE

LDAP_CONFIG_CREATED

LDAP_CONFIG_DELETED

LDAP_CONFIG_UPDATED

LOG_LEVEL_CHANGED

LOGIN

LOGIN_FAILED

LOGOUT

LOGOUT_FAILED

OBJECT_CREATED

OBJECT_DELETED

OBJECT_UPDATED

SAML_AUTHENTICATION_CONFIG_CREATED

SAML_AUTHENTICATION_CONFIG_DELETED

SAML_AUTHENTICATION_CONFIG_UPDATED

USER_ADD_ACCOUNT_ROLE

USER_ADD_TO_GROUP

USER_EMAIL_CHANGED

USER_PASSWORD_CHANGED

USER_PASSWORD_RESET

USER_PASSWORD_RESET_COMPLETED

USER_REMOVE_ACCOUNT_ROLE

USER_REMOVE_FROM_GROUP