This article will discuss the data available to you at no additional cost and will show a useful audit dashboard. The Scalyr Metalog is focused on ingestion and auditing user activity, while the Monitor log captures logs related to monitors that have been implemented, like CloudWatch. There are also Alert Logs, which are documented here.

The Scalyr Metalog & Monitor Log

The easiest way to see what data is available to you within the metalog is to filter for

$serverHost = "scalyr-metalog" OR $serverHost = "monitor"

From there, if you expand the tag facet, you will see the data that is available. Out of the box, the Scalyr metalog will report on logVolume, ingestion status, and user activity like logins, user page access, searches, and modifying files. The Monitor log content will vary based on features and integrations that have been implemented such as RDS or cloudwatch in this example.

The following table will explain detailed information regarding each tag and action.

Metalog Reference:

Field: tag

Value	Description
logVolume	Will return information about the log volume ingested in the account. Two metrics are collected: logVolume and logBytes. Narrow down by logBytes to see the number of bytes collected by source. This can be directly tied to billing. See the Log Volume dashboard for this data rolled up into a graph and a report for each service. It will return logBytes for each host and logfile. There is also a detailed breakdown of k8s controllers and clusters
ingestionSuccess	Will measure the max, median, mean, and p90 latency values of agent ingestion
audit	Utilizes the action field to store multiple audit level logs. See the action facet for more detailed info. And see tag.audit for a list of default options

Action field in tag="audit" (current UI)

Default	Description
check file	Logs user interactions with files
getPageData	Measures API data returned when accessing a page or a search in the DataSet UI including the user and endpoint
addUsers	Logs when a user is added to the account.
saveFile	Measures changes to a file
deleteFile	Config file deleted
addKey	API key added
setAccountPassword resetAccountPassword	Password changes

Monitor Reference:

Integrations	Description
cloudwatchMonitor	When you setup CloudWatch, you can use this to check if there are errors and measure successful requests. Errors: `errorType` ,`errorMessage`, `time`, and `region` - errorMessage will give you troubleshooting info about your error. Success: `latency`. and `valuesFetched` (count of values written to DataSet).
httpMonitor	When you setup an http monitor you can determine any issues with the response much like the return body of a curl command and provide data like, statusLine, body, headers, latency, status and size.
rdsLogMonitor	Will return metadata about the RDS database and important info like errorType, error message, region, database, latency, bytesFetched, and/or linesFetched
archive	Batch export to s3 will return information about batch jobs to s3 and return info like latency, bytes, errors, and successes
S3BucketMonitor	When importing S3 bucket access logs, this will return Status Code, AWS Service, AmazonSQS, AWS Request ID, AWS Error Code, AWS Error Message

Audit Dashboard

{

   duration: "24h",

  

  graphs: [

    {

      query: "($filter == *) && $serverHost contains \"scalyr-metalog\" | group Searches=count(filter) by userEmail,user | columns User=(userEmail ? userEmail : user), Searches | sort -Searches | limit 20",

      title: "Top Count of Searches by User"

    },

    {

      query: "$tag = 'audit' $path matches '^\/(events|dash|alerts|logStart|query|keys|linkAccount|files)$' | group requests=count() by path, user | sort -requests | limit 20",

      title: "Top Page Loads by User"

    },

    {

      query: "$tag == 'queryOutcome'|group total=count(),newest_filter=newest(filter),avgElapsedTimeMs=average(elapsedTimeMs),timestamp=newest(timestamp) by userEmail| columns timestamp,userEmail,newest_filter,avgElapsedTimeMs  |sort -timestamp|limit 50",

      title: "Last search by User"

    },

    {

      query: "$tag == 'audit' $path=* !($path matches '^\/(events|dash|alerts|logStart|query|keys|linkAccount|files)$') |group Modified=count((action = 'saveFile' && updateFile = 'true') || (action='createFile')), Read = count(action='getPageData')  by user, path | sort -Modified,-Read | limit 50",

      title: "Config File Monitor"

    },

    {

      query: "$tag = *  $tag == \"alertStateChange\" newState = *\n|group resolved = count(newState = 2), triggered = count(newState = 1),state = newest(newState) by Name = description, Trigger = trigger\n|let t = (state=2)\n|columns Name, Trigger, \"Currently Triggered\" = t, \"Count Resolved\" = resolved, \"Count Triggered\" = triggered",

      title: "Alerts Status"

    },

  ],

  graphSize: "medium"

}