Synthetics audit log: Track changes made by users

New Relic Synthetics lets you see a 13-month history of Synthetics audit events.

Feature description

When you take specific actions in New Relic Synthetics like creating or editing a monitor, an Insights event NrAuditEvent is generated. This event includes details about the action taken and which user took that action. This data is stored for 13 months. This historical data may be helpful if you'd like to investigate how a problem with your account was created and who made that change.

Synthetics changes tracked include:

  • Monitors
    • Creation
    • Edits (including location change, mute/unmute, and enable/disable)
    • Script creation, edits, validation (including secure credentials used)
    • Deletion
  • Monitor downtimes
    • Creation
    • Edits
    • Deletion
  • Secure credentials
    • Creation
    • Edits
    • Views
    • Deletion
  • Private locations
    • Creation
    • Edits (including clearing queues)
    • Deletion

For details on how to query this data, see Query details.

Query details

To query changes, go to New Relic Insights and make NRQL queries of the NrAuditEvent event and its associated attributes. For an introduction to using the NrAuditEvent event, see Query account audit logs.

Supported actionIdentifier events currently include:

  • Monitors
    • synthetics_monitor.create
    • synthetics_monitor.update
    • synthetics_monitor.create_script
    • synthetics_monitor.update_script
    • synthetics_monitor.validate_script
    • synthetics_monitor.delete
  • Monitor downtimes
    • synthetics_monitor_downtime.create
    • synthetics_monitor_downtime.update
    • synthetics_monitor_downtime.delete
  • Secure credentials
    • synthetics_secure_credential.create
    • synthetics_secure_credential.update
    • synthetics_secure_credential.view
    • synthetics_secure_credential.delete
  • Private locations​
    • synthetics_private_location.create​
    • synthetics_private_location.update​
    • synthetics_private_location.delete

How the change was made:

  • The actorAPIKey attribute indicates if the change was made via the API or by a user via the UI. When this value is null, it's a user update; when not null, it's an API update.

For examples of Synthetics audit log queries, see:

Example use case: Finding changes made by a user

Here's an example of using the Synthetics audit log to solve a common problem:

You are a manager at a company that uses New Relic Synthetics. A new employee has been playing with your company's Synthetics accounts to learn how Synthetics works. Unfortunately, this employee was accidentally given full access to the production Synthetics accounts, instead of the pre-production account.

You want to determine what Synthetics monitors this employee created, deleted, and updated, so that you will know which monitors need to be fixed. Instead of having to review every monitor in the account, you open New Relic Insights and run the following NRQL query of the NrAuditEvent event:

SELECT count(*) FROM NrAuditEvent 
WHERE actionIdentifier = 'synthetics_monitor.update_script' AND
actorEmail = 'EMPLOYEE_EMAIL'
FACET actionIdentifier, description 
SINCE 1 week ago LIMIT 1000

The query will return all the Synthetics monitors that the employee has updated, deleted, created, disable, or muted. One by one, you and the employee review the list and update the edited monitors.

For more help

Recommendations for learning more: