As an additional security measure for using and managing New Relic, you can use the NrAuditEvent event to view audit logs that show changes in your New Relic organization.
What is the NrAuditEvent?
The NrAuditEvent is created to record some important types of configuration changes you and your users make in your New Relic organization. Data gathered includes the type of account change, what actor made the change, a human-readable description of the action taken, and a timestamp for the change. Reported information includes:
To see all the attributes reported by this event, see NrAuditEvent.
To be notified about these types of changes, you can use alerts.
Caveats and details on using NrAuditEvent
All New Relic accounts can query up to 13 months of account changes.
If your New Relic organization and accounts were created using the Partnership API, NrAuditEvent won't return information about creating or editing accounts.
Audit logging is different from configuring audit mode for an agent. APM audit mode records information about all data being transmitted from your app.
Example queries
Here are some examples of querying the NrAuditEvent using NRQL.
Note that the query builder in the UI can only query one account at a time. If you have the right permissions, you can run cross-account queries with NerdGraph.
General account changes
To view all changes to your New Relic account for a specific time frame, run this basic NRQL query:
SELECT *
FROM NrAuditEvent
SINCE 1 day ago
To find which type of change to account users was made most frequently during a specific time frame, include the actionIdentifier attribute in your query. For example:
SELECT count(*) AS Actions
FROM NrAuditEvent
FACET actionIdentifier
SINCE 1 week ago
To query for information about created accounts and who created them, you can use something like:
SELECT actorEmail, actorId, targetId
FROM NrAuditEvent
WHERE actionIdentifier = 'account.create'
SINCE 1 month ago
When you include TIMESERIES in a NRQL query, the results are shown as a line graph. For example:
SELECT count(*)
FROM NrAuditEvent
TIMESERIES FACET actionIdentifier SINCE 1 week ago
Note that your users' user model will impact these queries. If your users are on our original user model, you can only query per account. If your users are on our newer user model, you should query the top-level account in your New Relic organization.
To see all the changes made to users, you could use:
SELECT *
FROM NrAuditEvent
WHERE targetType = 'user'
SINCE this month
If you wanted to narrow that down to see changes to user type, you could use:
SELECT * FROM NrAuditEvent
WHERE targetType = 'user'
AND actionIdentifier IN ('user.self_upgrade', 'user.change_type')
SINCE this month
To query updates for your synthetic monitors during a specific time frame, include the actionIdentifier attribute in your query. For example:
SELECT count(*) FROM NrAuditEvent
WHERE actionIdentifier = 'synthetics_monitor.update_script'
To query what configuration changes were made to any workload, use the query below. The targetId attribute contains the GUID of the workload that was modified, which you can use for searches. Since changes on workloads are often automated, you might want to include the actorType attribute to know if the change was done directly by a user through the UI or through the API.
The targetType attribute describes the object that changed, such as account, role, user, alert conditions or notifications, and logs.
To generate a list of targetType values for your account, run the query below. Note that this query will only show targetTypes that have been touched.
SELECT uniques(targetType)
FROM NrAuditEvent
SINCE 90 days ago
Changes made by specific users
To see detailed information about any user who made changes to the account during a specific time frame, include actorType = 'user' in the query. For example:
To query account activities made by a specific person during the selected time frame, you must know their actorId. For example:
SELECT actionIdentifier
FROM NrAuditEvent
WHERE actorId = 829034 SINCE 1 week ago
To identify who (actorType) has made the most changes to the account, include the actorEmail attribute in your query. For example:
SELECT count(*) AS Users
FROM NrAuditEvent
WHERE actorType = 'user'
FACET actorEmail SINCE 1 week ago
To query updates to your synthetic monitors made by a specific user, include the actionIdentifier and actorEmail attributes in your query. For example:
SELECT count(*) FROM NrAuditEvent
WHERE actionIdentifier = 'synthetics_monitor.update_script'
FACET actorEmail, actionIdentifier, description
SINCE 1 week ago LIMIT 1000
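Rows exported from the queries above can also be triaged offline. The script below is an added example, not part of New Relic's documentation: it counts changes per actor and lists the user-type and account-creation actions named on this page for review. The sample rows, the epoch-millisecond timestamps, and the function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# actionIdentifier values taken from the queries on this page.
WATCHED = {"account.create", "user.self_upgrade", "user.change_type"}

# Constructed sample rows shaped like NrAuditEvent results. Only the
# attributes this script reads are included; every value is made up.
SAMPLE_EVENTS = [
    {"timestamp": 1700000300000, "actorType": "user", "actorId": 1001,
     "actorEmail": "alice@example.com",
     "actionIdentifier": "user.change_type", "targetId": "2002"},
    {"timestamp": 1700000200000, "actorType": "user", "actorId": 1001,
     "actorEmail": "alice@example.com",
     "actionIdentifier": "synthetics_monitor.update_script",
     "targetId": "monitor-guid-placeholder"},
    {"timestamp": 1700000100000, "actorType": "api_key", "actorId": 3003,
     "actionIdentifier": "account.create", "targetId": "4004"},
    {"timestamp": 1700000000000, "actorType": "user", "actorId": 5005,
     "actorEmail": "bob@example.com",
     "actionIdentifier": "user.self_upgrade", "targetId": "5005"},
]


def actor_key(event):
    """Name the actor: email for users, '<actorType>:<actorId>' otherwise."""
    if event.get("actorType") == "user" and event.get("actorEmail"):
        return event["actorEmail"]
    return f"{event.get('actorType', 'unknown')}:{event.get('actorId', 'unknown')}"


def triage(events, watched=WATCHED):
    """Return (total changes per actor, watched changes per actor)."""
    totals = Counter()
    flagged = defaultdict(list)
    # Walk newest first so each actor's review list starts with the latest change.
    for ev in sorted(events, key=lambda e: e.get("timestamp", 0), reverse=True):
        who = actor_key(ev)
        totals[who] += 1
        if ev.get("actionIdentifier") in watched:
            flagged[who].append((ev["actionIdentifier"], ev.get("targetId")))
    return totals, dict(flagged)


if __name__ == "__main__":
    totals, flagged = triage(SAMPLE_EVENTS)
    for who, count in totals.most_common():
        print(f"{who}: {count} change(s)")
        for action, target in flagged.get(who, []):
            print(f"  review: {action} on target {target}")
```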
Changes made using the API
To see detailed information about changes to the account that were made using an API key during a specific time frame, include actorType = 'api_key' in the query. For example: