NrAuditEvent event data and query examples

To view changes made in your New Relic account, you can query NrAuditEvent events.

Available events and attributes

The NrAuditEvent is created by New Relic services to record configuration changes made in New Relic products. The data gathered for this event includes the type of account change, actor (user or API key) that made the change, a human-readable description of the action taken, and a timestamp for the change.

To see the attributes available on this event, see NrAuditEvent.

Example NRQL queries for accounts

These examples show some of the ways you can use standard NRQL syntax (COUNT, SINCE, FACET, etc.) with NrAuditEvent attributes in NRQL queries.

What changes have been made to the New Relic account?

To view all changes to your New Relic account users for a specific time frame, run this basic NRQL query:

SELECT * FROM NrAuditEvent SINCE 1 day ago

What type of account change was made the most?

To query what type of change to the account users was made the most frequently during a specific time frame, include the actionIdentifier attribute in your query. For example:

SELECT count(*) AS Actions FROM NrAuditEvent 
FACET actionIdentifier SINCE 1 week ago

What trends appear in account changes?

When you include TIMESERIES in the NRQL query, Insights automatically shows the results as a line graph. For example:

SELECT count(*) FROM NrAuditEvent TIMESERIES FACET actionIdentifier SINCE 1 week ago

What roles have been updated for users?

To query what roles have been added, changed, or removed for users in the account during a specific time frame, include the actionIdentifier attribute in the NRQL query. For example:

SELECT * FROM NrAuditEvent WHERE actionIdentifier = 'user.add_roles' 
SINCE '2018-06-19' UNTIL 30 minutes ago

Synthetics: What changes have been made to a monitor?

To query Synthetics monitor updates during a specific time frame, include the actionIdentifier attribute in your query. For example:

SELECT count(*) FROM NrAuditEvent 
WHERE actionIdentifier = 'synthetics_monitor.update_script' 
FACET actionIdentifier, description, actorEmail 
SINCE 1 week ago LIMIT 1000

For more information about this Synthetics feature, see Synthetics audit log.

Workloads: What changes were made to any workload configuration?

To query what configuration changes were made to any workload, use the query below. The targetId attribute contains the GUID of the workload that was modified, which you can use for searches. Since changes on workloads are often automated, you might want to include the actorType attribute to know if the change was done directly by a user through the UI or through the API.

SELECT timestamp, actorEmail, actorType, description, targetId 
FROM NrAuditEvent WHERE targetType = 'workload' 
SINCE 1 week ago LIMIT MAX

What account changes have been made by any user?

To see detailed information about any user who made changes to the account during a specific time frame, include actorType = 'user' in the query. For example:

SELECT actionIdentifier, description, actorEmail, actorId, targetType, targetId 
FROM NrAuditEvent WHERE actorType = 'user' 
SINCE 1 week ago

What account changes have been made by a specific user?

To query account activities made by a specific person during the selected time frame, you must know their actorId. For example:

SELECT actionIdentifier FROM NrAuditEvent 
WHERE actorId = 829034 SINCE 1 week ago

Who made the most changes to the account?

To identify who (actorType) has made the most changes to the account, include the actorEmail attribute in your query. For example:

SELECT count(*) as Users FROM NrAuditEvent 
WHERE actorType = 'user' 
FACET actorEmail SINCE 1 week ago

Synthetics: What monitors were created by a specific user?

To query Synthetics monitor updates made by a specific user, include the actionIdentifier and actorEmail attributes in your query. For example:

SELECT count(*) FROM NrAuditEvent 
WHERE actionIdentifier = 'synthetics_monitor.update_script' 
FACET actorEmail, actionIdentifier, description 
SINCE 1 week ago LIMIT 1000

What account changes have been made using an API key?

To see detailed information about changes to the account that were made using an API key during a specific time frame, include actorType = 'api_key' in the query. For example:

SELECT actionIdentifier, description, targetType, targetId, actorAPIKey, actorId, actorEmail 
FROM NrAuditEvent WHERE actorType = 'api_key' SINCE 1 week ago
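
The queries above each answer one question at a time. As an added example (not part of the original page or New Relic's own code), this Python sketch triages rows exported from a SELECT * query in a single pass, flagging the two action identifiers used on this page and counting changes per actor. It assumes rows arrive as dictionaries keyed by the attribute names shown in the queries; the choice of "sensitive" actions and all sample values are constructed.

```python
from collections import Counter

# Action identifiers that appear in the queries on this page. Treating them
# as review-worthy is an assumption of this example, not New Relic guidance.
SENSITIVE_ACTIONS = {"user.add_roles", "synthetics_monitor.update_script"}

def actor_label(event):
    """Name the actor: API key for actorType 'api_key', otherwise email or id."""
    if event.get("actorType") == "api_key":
        return "api_key:" + str(event.get("actorAPIKey", "unknown"))
    return event.get("actorEmail") or "id:" + str(event.get("actorId", "unknown"))

def triage(events, sensitive=SENSITIVE_ACTIONS):
    """Return (flagged sensitive changes, per-actor change counts)."""
    flagged, per_actor = [], Counter()
    for ev in events:
        actor = actor_label(ev)
        per_actor[actor] += 1
        if ev.get("actionIdentifier") in sensitive:
            flagged.append({
                "timestamp": ev.get("timestamp"),
                "actor": actor,
                "via_api": ev.get("actorType") == "api_key",
                "action": ev["actionIdentifier"],
                "target": f'{ev.get("targetType")}:{ev.get("targetId")}',
            })
    # Automated (API key) changes first, then oldest to newest.
    flagged.sort(key=lambda f: (not f["via_api"], f["timestamp"] or 0))
    return flagged, per_actor.most_common()

# Constructed sample rows (not real audit data). Apart from the two action
# identifiers and the 'workload' target type, every value is a placeholder.
SAMPLE = [
    {"timestamp": 1700000000000, "actorType": "user", "actorEmail": "alice@example.com",
     "actorId": 101, "actionIdentifier": "user.add_roles",
     "targetType": "user", "targetId": "202"},
    {"timestamp": 1700000060000, "actorType": "api_key", "actorAPIKey": "EXAMPLE-KEY",
     "actorId": 303, "actionIdentifier": "synthetics_monitor.update_script",
     "targetType": "example_monitor", "targetId": "mon-1"},
    {"timestamp": 1700000120000, "actorType": "user", "actorEmail": "alice@example.com",
     "actorId": 101, "actionIdentifier": "example.other_action",
     "targetType": "workload", "targetId": "guid-1"},
]

if __name__ == "__main__":
    flagged, counts = triage(SAMPLE)
    for finding in flagged:
        print(finding)
    print(counts)
```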
