This article will discuss the data available to you at no additional cost and will show a useful audit dashboard. The Scalyr Metalog is focused on ingestion and auditing user activity, while the Monitor log captures logs related to monitors that have been implemented, like CloudWatch. There are also Alert Logs, which are documented here.
The Scalyr Metalog & Monitor Log
The easiest way to see what data is available to you within the metalog is to filter for

$serverHost = "scalyr-metalog" OR $serverHost = "monitor"

From there, if you expand the tag facet, you will see the data that is available. Out of the box, the Scalyr metalog reports on logVolume, ingestion status, and user activity such as logins, user page access, searches, and file modifications. The Monitor log content will vary based on the features and integrations that have been implemented, such as RDS or CloudWatch in this example.
The following tables explain each tag and action in detail.
Metalog Reference:
Field: tag

| Value | Description |
| --- | --- |
| logVolume | Returns information about the log volume ingested in the account. Two metrics are collected: logVolume and logBytes. Narrow down by logBytes to see the number of bytes collected by source; this can be directly tied to billing. See the Log Volume dashboard for this data rolled up into a graph and a report for each service. It returns logBytes for each host and logfile, and there is also a detailed breakdown of k8s controllers and clusters. |
| ingestionSuccess | Measures the max, median, mean, and p90 latency values of agent ingestion. |
| audit | Uses the action field to store multiple audit-level logs. See the action facet for more detail, and see tag.audit for the list of default options. |
Action field in tag="audit" (current UI)

| Default | Description |
| --- | --- |
| check file | Logs user interactions with files. |
| getPageData | Measures API data returned when accessing a page or a search in the DataSet UI, including the user and endpoint. |
| addUsers | Logs when a user is added to the account. |
| saveFile | Measures changes to a file. |
| deleteFile | Config file deleted. |
| addKey | API key added. |
| setAccountPassword | Password changes. |
Monitor Reference:

| Integrations | Description |
| --- | --- |
| cloudwatchMonitor | When you set up CloudWatch, you can use this to check for errors and measure successful requests. Success: |
| httpMonitor | When you set up an HTTP monitor, you can diagnose issues with the response much like the return body of a curl command; it provides data such as statusLine, body, headers, latency, status and size. |
| rdsLogMonitor | Returns metadata about the RDS database and important info like errorType, error message, region, database, latency, bytesFetched, and/or linesFetched. |
| archive | Batch export to S3 returns information about batch jobs to S3, such as latency, bytes, errors, and successes. |
| S3BucketMonitor | When importing S3 bucket access logs, this returns Status Code, AWS Service, AmazonSQS, AWS Request ID, AWS Error Code, AWS Error Message. |
Audit Dashboard

```json
{
  "duration": "24h",
  "graphs": [
    {
      "query": "($filter == *) && $serverHost contains \"scalyr-metalog\" | group Searches=count(filter) by userEmail,user | columns User=(userEmail ? userEmail : user), Searches | sort -Searches | limit 20",
      "title": "Top Count of Searches by User"
    },
    {
      "query": "$tag = 'audit' $path matches '^\/(events|dash|alerts|logStart|query|keys|linkAccount|files)$' | group requests=count() by path, user | sort -requests | limit 20",
      "title": "Top Page Loads by User"
    },
    {
      "query": "$tag == 'queryOutcome'|group total=count(),newest_filter=newest(filter),avgElapsedTimeMs=average(elapsedTimeMs),timestamp=newest(timestamp) by userEmail| columns timestamp,userEmail,newest_filter,avgElapsedTimeMs |sort -timestamp|limit 50",
      "title": "Last search by User"
    },
    {
      "query": "$tag == 'audit' $path=* !($path matches '^\/(events|dash|alerts|logStart|query|keys|linkAccount|files)$') |group Modified=count((action = 'saveFile' && updateFile = 'true') || (action='createFile')), Read = count(action='getPageData') by user, path | sort -Modified,-Read | limit 50",
      "title": "Config File Monitor"
    },
    {
      "query": "$tag = * $tag == \"alertStateChange\" newState = *\n|group resolved = count(newState = 2), triggered = count(newState = 1),state = newest(newState) by Name = description, Trigger = trigger\n|let t = (state=2)\n|columns Name, Trigger, \"Currently Triggered\" = t, \"Count Resolved\" = resolved, \"Count Triggered\" = triggered",
      "title": "Alerts Status"
    }
  ],
  "graphSize": "medium"
}
```
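As an added example (not part of this article or of Scalyr's own tooling), the script below applies the "Config File Monitor" rollup from the dashboard to exported audit events offline, and also lists the account-level actions from the tag="audit" table (addUsers, addKey, setAccountPassword, deleteFile) that the dashboard does not surface. The sample events, the "/file" path and the field values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample metalog audit events, modelled on the fields the article
# describes (tag, action, user, path, updateFile). Not real Scalyr output.
SAMPLE_EVENTS = [
    {"tag": "audit", "action": "getPageData", "user": "alice", "path": "/dash"},
    {"tag": "audit", "action": "getPageData", "user": "alice", "path": "/file"},
    {"tag": "audit", "action": "saveFile", "updateFile": "true", "user": "alice", "path": "/file"},
    {"tag": "audit", "action": "saveFile", "updateFile": "false", "user": "bob", "path": "/file"},
    {"tag": "audit", "action": "createFile", "user": "bob", "path": "/file"},
    {"tag": "audit", "action": "addKey", "user": "bob"},
    {"tag": "audit", "action": "setAccountPassword", "user": "carol"},
    {"tag": "audit", "action": "getPageData", "user": "alice", "path": "/query"},
    {"tag": "logVolume", "logBytes": 4096},
]

# Same path list the dashboard's "Config File Monitor" query excludes as UI page loads.
PAGE_LOAD = re.compile(r"^/(events|dash|alerts|logStart|query|keys|linkAccount|files)$")
# Actions from the tag="audit" table that change account state rather than file content.
ACCOUNT_ACTIONS = {"addUsers", "addKey", "setAccountPassword", "deleteFile"}


def is_modification(ev):
    """Dashboard predicate: saveFile with updateFile='true', or createFile."""
    return (ev.get("action") == "saveFile" and ev.get("updateFile") == "true") \
        or ev.get("action") == "createFile"


def config_file_activity(events):
    """Count Modified and Read per (user, path), skipping non-audit and page-load events."""
    rollup = defaultdict(lambda: {"Modified": 0, "Read": 0})
    for ev in events:
        path = ev.get("path")
        if ev.get("tag") != "audit" or path is None or PAGE_LOAD.match(path):
            continue
        if is_modification(ev):
            rollup[(ev.get("user"), path)]["Modified"] += 1
        elif ev.get("action") == "getPageData":
            rollup[(ev.get("user"), path)]["Read"] += 1
    return dict(rollup)


def account_changes(events):
    """Return (user, action) pairs for account-level actions worth a reviewer's attention."""
    return [(ev.get("user"), ev["action"]) for ev in events
            if ev.get("tag") == "audit" and ev.get("action") in ACCOUNT_ACTIONS]


if __name__ == "__main__":
    ranked = sorted(config_file_activity(SAMPLE_EVENTS).items(),
                    key=lambda kv: (-kv[1]["Modified"], -kv[1]["Read"]))  # sort -Modified,-Read
    for (user, path), counts in ranked:
        print(f"{user:8} {path:10} modified={counts['Modified']} read={counts['Read']}")
    for user, action in account_changes(SAMPLE_EVENTS):
        print(f"account change: {action} by {user}")
```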