Cloud Identity Event Logs
Download and forward Cloud Identity event logs for critical visibility into authentication, authorization, and administrative events within Cribl.Cloud.
Cloud Identity event logs centralize and standardize events that record authentication, authorization, and administrative actions within Cribl.Cloud. Use these logs to enhance system security, meet compliance requirements, and facilitate troubleshooting.
Cribl stores Cloud Identity event logs, and they are encrypted at rest.
Cloud Identity event logs are available to download in CSV format. You can also send Cloud Identity event logs to an HTTP/S (Bulk API) or Raw HTTP/S Source in Cribl Stream so that the logs can be sent to any Destination, including for Security Information and Event Management (SIEM) processing.
Download Cloud Identity Event Logs
Only Organization Owners with a Cribl.Cloud Enterprise license can download Cloud Identity event logs.
To download Cloud Identity event logs:
Log in to Cribl.Cloud Enterprise as an Organization Owner.
On the top bar, select Products.
In the sidebar, select Cribl > Identity Event Logs.
On the Cloud Identity Event Logs page, under Security, select Download Last 30 Days of Logs.
Send Cloud Identity Event Logs to Cribl Stream
Only Organization Owners and Admins with a Cribl.Cloud Enterprise license can configure forwarding for Cloud Identity event logs.
To configure a forwarder that sends Cloud Identity event logs to an HTTP/S (Bulk API) or Raw HTTP/S Source in Cribl Stream:
Log in to Cribl.Cloud Enterprise as an Organization Owner or Admin.
On the top bar, select Products.
In the sidebar, select Cribl > Identity Event Logs.
On the Cloud Identity Event Logs page, select Add Forwarder.
On the Create Forwarder page, enter the following information:
Workspace: The name of the Workspace that contains the target Source.
Worker Group: The name of the Worker Group that contains the target Source.
Port: The port number that the target Source is listening on. Must match the Port value in the target Source configuration.
- For an HTTP/S (Bulk API) Source, the Port value is 10080. To use a different port, the target Source must be Raw HTTP/S.
Path: The absolute path that the target Source is listening on. The default path is /.
- For an HTTP/S (Bulk API) Source, enter /cribl/_bulk to match the supported Cribl HTTP event API value.
- For a Raw HTTP/S Source, enter a path that matches the Allowed URI paths value in the target Source.
Use HTTPS: Toggle on (default) to forward requests using HTTPS to encrypt data in transit and securely transmit Cloud Identity event logs. Requires configuring TLS in the target HTTP/S (Bulk API) or Raw HTTP/S Source.
Auth Token (optional but recommended): The value of the authentication token sent in the Authorization header of each forwarding request. This option requires a Token configured in the target Source, which you then use as the forwarder's Auth Token value. Without a token, any client that can reach the Source's port and path can submit events to it, so pair the token with Use HTTPS so the token is not sent in clear text.
Select Save.
When you save the forwarder, Cribl sends a test event to confirm the configuration and displays a warning message if the test event fails.
Captured Events
Cloud Identity event logs capture events that are categorized into either the auth or audit channel, as listed in the table below. The auth channel includes authentication events, and the audit channel includes authorization and administrative events.
| Channel | Action | Description |
|---|---|---|
| auth | user_login | Events that are captured when a user authenticates to a Cribl.Cloud Organization, whether successfully or unsuccessfully. |
| auth | password_change | Events that are captured when users update the password credential associated with their Cribl.Cloud account. |
| audit | add_user_to_organization | Events that are captured when users become a Member of a Cribl.Cloud Organization. |
| audit | remove_user_from_organization | Events that are captured when users are removed from a Cribl.Cloud Organization. |
| audit | update_principal_permissions | Events that are captured when the Permissions associated with users (or API clients) change, including Permission addition and removal. |
Event Details
Captured events in Cloud Identity event logs include the fields listed in the table below.
All logs include a timestamp of when the event occurred, the Source IP address, and the User Agent of the initiator of the event. Logs can include personal data, including email addresses.
| Field | Description |
|---|---|
| id | Unique identifier for the log entry. |
| timestamp | UTC date and time when the logged event occurred. |
| channel | Logical category for the event: auth (authentication events) or audit (authorization and administrative events). For details, see Captured Events. |
| organization | Cribl.Cloud Organization that the log applies to. |
| workspace | Workspace that the event applies to. Empty unless the event is scoped to a specific Workspace. |
| principal | ID of the user who the event applies to. |
| action | Specific action that the event records. For details, see Captured Events. |
| result | Outcome of the event: success or failure. |
| requestor | ID of the user who performed the action that is captured in the event. For some events, the requestor might be identical to the principal. |
| src | Upstream system that the event originated from. |
| provider | Internal detail about the system that generated the event. |
| targetResource | ID of the resource that was affected by the action that the event records. |
| targetResourceName | Name of the resource that was affected by the action that the event records. |
| targetResourceType | Type of resource that was affected by the action that the event records: user, organization_membership, organization_access, workspace_access, or product_access. |
| userAgent | HTTP user agent string of the requestor. |
| metadata | Additional metadata about the action that the event records. Shape not enforced. |
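The following script is an added example, not Cribl's own code, that parses a downloaded Cloud Identity event log and runs three detections over the captured events and fields described above: a burst of failed user_login events for one principal, a successful update_principal_permissions where the requestor changed their own permissions (requestor equal to principal), and an add_user_to_organization followed by remove_user_from_organization for the same principal within a short window. It assumes the CSV export uses the column order of the field table and ISO 8601 UTC timestamps such as 2025-01-15T10:00:00Z; the sample rows, IDs, user names and src/provider values are constructed for illustration and are not real data.

```python
"""Parse a Cloud Identity event log CSV export and run simple detections over it."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Column order follows the Event Details field table on this page (assumption).
HEADER = ("id,timestamp,channel,organization,workspace,principal,action,result,"
          "requestor,src,provider,targetResource,targetResourceName,"
          "targetResourceType,userAgent,metadata")

# Constructed sample rows: hypothetical Organization, users and timestamps, not real data.
SAMPLE_CSV = HEADER + "\n" + "\n".join([
    # six failed logins for u-alice inside three minutes, then one success
    "1,2025-01-15T10:00:00Z,auth,org-acme,,u-alice,user_login,failure,u-alice,idp,internal,u-alice,alice@example.com,user,Mozilla/5.0,{}",
    "2,2025-01-15T10:00:30Z,auth,org-acme,,u-alice,user_login,failure,u-alice,idp,internal,u-alice,alice@example.com,user,Mozilla/5.0,{}",
    "3,2025-01-15T10:01:00Z,auth,org-acme,,u-alice,user_login,failure,u-alice,idp,internal,u-alice,alice@example.com,user,Mozilla/5.0,{}",
    "4,2025-01-15T10:01:30Z,auth,org-acme,,u-alice,user_login,failure,u-alice,idp,internal,u-alice,alice@example.com,user,Mozilla/5.0,{}",
    "5,2025-01-15T10:02:00Z,auth,org-acme,,u-alice,user_login,failure,u-alice,idp,internal,u-alice,alice@example.com,user,Mozilla/5.0,{}",
    "6,2025-01-15T10:02:30Z,auth,org-acme,,u-alice,user_login,failure,u-alice,idp,internal,u-alice,alice@example.com,user,Mozilla/5.0,{}",
    "7,2025-01-15T10:03:00Z,auth,org-acme,,u-alice,user_login,success,u-alice,idp,internal,u-alice,alice@example.com,user,Mozilla/5.0,{}",
    # an Owner changing someone else's permissions (benign) and u-bob changing his own (flagged)
    "8,2025-01-15T10:05:00Z,audit,org-acme,,u-carol,update_principal_permissions,success,u-owner,portal,internal,org-acme,Acme,organization_access,Mozilla/5.0,{}",
    "9,2025-01-15T10:06:00Z,audit,org-acme,ws-prod,u-bob,update_principal_permissions,success,u-bob,portal,internal,ws-prod,prod,workspace_access,Mozilla/5.0,{}",
    # u-mallory added to the Organization and removed again 20 minutes later
    "10,2025-01-15T09:40:00Z,audit,org-acme,,u-mallory,add_user_to_organization,success,u-owner,portal,internal,org-acme,Acme,organization_membership,Mozilla/5.0,{}",
    "11,2025-01-15T10:00:00Z,audit,org-acme,,u-mallory,remove_user_from_organization,success,u-owner,portal,internal,org-acme,Acme,organization_membership,Mozilla/5.0,{}",
])


def parse_events(csv_text):
    """Read the CSV into dicts keyed by the field names, parse timestamps, sort by time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Timestamp format is an assumption; "Z" is rewritten so older Pythons parse it too.
        row["ts"] = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        events.append(row)
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {principal: max failed user_login count seen inside any `window`} for principals at or over threshold."""
    by_principal = defaultdict(list)
    for e in events:
        if e["channel"] == "auth" and e["action"] == "user_login" and e["result"] == "failure":
            by_principal[e["principal"]].append(e["ts"])
    hits = {}
    for principal, times in by_principal.items():  # times are already sorted
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[principal] = best
    return hits


def self_permission_changes(events):
    """IDs of successful update_principal_permissions events where requestor == principal."""
    return [e["id"] for e in events
            if e["action"] == "update_principal_permissions"
            and e["result"] == "success"
            and e["requestor"] == e["principal"]]


def short_lived_memberships(events, max_age=timedelta(hours=1)):
    """(principal, seconds) pairs for users removed from the Organization within max_age of being added."""
    added, hits = {}, []
    for e in events:
        if e["action"] == "add_user_to_organization" and e["result"] == "success":
            added[e["principal"]] = e["ts"]
        elif e["action"] == "remove_user_from_organization" and e["result"] == "success":
            t0 = added.pop(e["principal"], None)
            if t0 is not None and e["ts"] - t0 <= max_age:
                hits.append((e["principal"], int((e["ts"] - t0).total_seconds())))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    print("failed login bursts:", failed_login_bursts(evs))
    print("self permission changes:", self_permission_changes(evs))
    print("short-lived memberships:", short_lived_memberships(evs))
```

To run this against a real export, replace SAMPLE_CSV with the contents of the downloaded file and confirm the column names match your export's header before trusting the results. Because events can take up to an hour to appear and only 30 days are retained, run the detections on a schedule that is well inside the retention window, or apply the same logic in the Pipeline that receives the forwarded events in Cribl Stream.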
Log Latency
Events are listed in Cloud Identity event logs as they occur, but it can take up to 1 hour for events to appear.
Log Retention
Cloud Identity event logs include the last 30 days of events.