Synthetic monitoring audit log: Track changes made by users

New Relic lets you see a 13-month history of synthetic monitoring audit events.

Feature description

When you take specific actions in synthetic monitoring like creating or editing a monitor, an NrAuditEvent is generated. This event includes details about the action taken and which user took that action. This data is stored for 13 months. This historical data may be helpful if you'd like to investigate how a problem with your account was created and who made that change.

Synthetic monitoring's changes tracked include:

  • Monitors
    • Creation
    • Edits (including location change, mute/unmute, and enable/disable)
    • Script creation, edits, validation (including secure credentials used)
    • Deletion
  • Monitor downtimes
    • Creation
    • Edits
    • Deletion
  • Secure credentials
    • Creation
    • Edits
    • Views
    • Deletion
  • Private locations
    • Creation
    • Edits (including clearing queues)
    • Deletion

For details on how to query this data, see Query details.

Query details

To query changes, use the query builder to explore the NrAuditEvent and its associated attributes. For an introduction to using the NrAuditEvent event, see Query account audit logs.

Supported actionIdentifier events currently include:

  • Monitors
    • synthetics_monitor.create
    • synthetics_monitor.update
    • synthetics_monitor.create_script
    • synthetics_monitor.update_script
    • synthetics_monitor.validate_script
    • synthetics_monitor.delete
  • Monitor downtimes
    • synthetics_monitor_downtime.create
    • synthetics_monitor_downtime.update
    • synthetics_monitor_downtime.delete
  • Secure credentials
    • synthetics_secure_credential.create
    • synthetics_secure_credential.update
    • synthetics_secure_credential.view
    • synthetics_secure_credential.delete
  • Private locations​
    • synthetics_private_location.create​
    • synthetics_private_location.update​
    • synthetics_private_location.delete

How the change was made:

  • The actorAPIKey attribute indicates if the change was made via the API or by a user via the UI. When this value is null, it's a user update; when not null, it's an API update.

For examples of synthetic monitoring's audit log queries, see:

Example use case: Finding changes made by a user

Here's an example of using the synthetic monitoring audit log to solve a common problem:

You are a manager at a company that uses synthetic monitoring. A new employee has been playing with your company's accounts to learn how synthetic monitoring works. Unfortunately, this employee was accidentally given full access to the production accounts, instead of the pre-production accounts.

You want to determine what synthetic monitors this employee created, deleted, and updated, so that you will know which monitors need to be fixed. Instead of having to review every monitor in the account, you open the query builder and run the following NRQL query of the NrAuditEvent event:

SELECT count(*) FROM NrAuditEvent 
WHERE actionIdentifier = 'synthetics_monitor.update_script' AND
actorEmail = 'EMPLOYEE_EMAIL'
FACET actionIdentifier, description 
SINCE 1 week ago LIMIT 1000

The query will return all the synthetic monitors that the employee has updated, deleted, created, disable, or muted. One by one, you and the employee review the list and update the edited monitors.

For more help

If you need more help, check out these support and learning resources: