Logs

Defender generates log trails of every potentially relevant event in the system. This includes manual actions, such as modifying an Action or Monitor, as well as automated activity, such as sending a transaction or firing a notification. Logs can be optionally forwarded to Datadog and Splunk for aggregation or exported.

Use cases

  • Track user actions on your team by monitoring sign ins and activity across the application

  • Detect potential attacks on your infrastructure from failed sign in attempts

  • Follow relayer activity to understand the transactions being sent from your accounts

  • Keep an audit trail of all module configuration changes

  • Filter by severity, type, user, module, time, and more

Log Entries

Every log entry is structured with the following format:

  • Module: The origin of the log entry, such as Monitor, Actions, Workflows, Deploy, etc.

  • Date and Time: The day and time the log entry was generated with the format Day Month Year and 12-hour clock format in the browser local timezone

  • Severity: The severity level of the log entry, ranging from trace to error

  • Subject: The trigger/cause that generated the log. If contract related, the contract name is displayed

  • Event: Type of acitivty logged. For example, Created, Added, Deledated, Updated, etc.

  • Description: Details on the event. For example, Contract was updated, Address book entry was updated, etc.

  • User: Team user that generated the log entry, directly or indirectly

Logs Page

You can click on each log entry to get a detailed view, which includes the tenant id, user id, activity response, request, log id, timestamp, and more.

Logs Detailed View

Log Forwarding

Generated logs can be forwarded to Datadog and Splunk, or any other service that supports API Key authentication. You can use this to aggregate all logs across your infrastructure in a single place.

Setup Log Forwarding Destination

To set up a log forwarding destination, open the Logs page and click the 'Send Logs to an External Service' button.

Form fields:

  • URL field is a required field. All logs are forwarded to this URL address using HTTP POSTs.

  • API Header Name is optional. This is the name of the request header that contains the API Key value. Most log management services require it. Please refer to your log management service documentation to determine if you need it.

  • API Key is an optional field. API Key is sent with every request for authentication purposes. Most log management services require it. Please refer to your log management service documentation to determine if you need it.

  • Log Types lets you specify which subset of Defender generated logs you want to have forwarded based on Defender components.

  • Log Levels lets you specify which subset of Defender generated logs you want to have forwarded based on the log levels. For example debug logs can be used for Autotasks debugging purposes and they can contain data that should not be exported to external systems.

In the next section we will cover how to setup Log Forwarding with Splunk and Datadog but it is worth noting that Log Forwarding works with any other service that supports API Key authentication.

Splunk

Forwarding logs to Splunk is done by using Splunk HEC(HTTP Event Collector). Documentation for setting up logging with Splunk HEC can be found here.

Log Forwarding does not work with Splunk trial accounts because of Splunk internals.

Example:

  • URL: https://username.splunkcloud.com/services/collector/raw

  • API Header Name: Authorization

  • API Key: Splunk xxxxxxxxxxxxxxxxxxxxxxxxxxx

URL value is dynamic as URL includes account username.
API Key should contain Splunk prefix.

Datadog

Documentation for setting up logging on Datadog can be found here.

Example:

  • URL: https://http-intake.logs.datadoghq.com/api/v2/logs

  • API Header Name: DD-API-KEY

  • API Key: xxxxxxxxxxxxxxxxxxxxxxxxxxx

Datadog uses different sites around the world. For example, if you are relying on an EU server the URL field value should be https://http-intake.logs.datadoghq.eu/api/v2/logs
API Key value can be obtained from Datadog site by opening Logs section from the left menu. Go to Cloud section and select AWS provider. After following those steps, the API Key value is displayed in the bottom section of the page.