Using the Audit Log

April 18, 2024 at 11:39 PM UTC

Audit Log RCON

Do you want to see what your admins are up to? Concerned about a breach of your organization’s data security? Audit logs are for you.

Many aren’t aware that the audit log exists.

Audit logs are available for any information that belongs to an organization. Our API uses a unique resource name and id for information returned to a client. We log the action taken, the resource type, and id for every resource a user interacts with along with some other useful information.

Viewing the Audit Log

The audit log can be accessed in two main ways.

You can view an unfiltered audit log by going to your organization and clicking “Audit Log”.

You will also find audit log links throughout the BattleMetrics interface. These links will take you to the audit log page already filtered to only show the resources related to what you are looking at. This is the easiest way to find something specific in the audit log. Look for the following symbol on one of the RCON pages (bans, player pages, organization, etc):

Log Storage

Audit logs are stored for every organization for three (3) days. For Enterprise users, that period is increased to thirty (30) days.

Exemptions

Some resources are exempt from audit logging.

  • Data that is associated with an organization but created by and only available to a specific user is exempt. Personal player notes, triggers, and tags are the most common examples.
  • Information that is required for loading a user’s account is exempt. This includes basic information like an organization’s name and the ban lists that the user has permissions for.
  • RCON commands are also exempt from audit logging to avoid duplication. Command logs are available on a server’s activity log. See here: https://www.battlemetrics.com/rcon/activity?filter[adminLog]=true

Permissions

Audit logs are only available to an organization’s owner by default. The “View Organization Audit Log” permission found under “Organization Management” may be granted to other members.

Data Sharing and Logging Rules

Audit log messages are associated with a single organization. Here are some general rules:

  • If a user’s action impacts multiple organizations, multiple audit log messages will be created.

  • If an audit log message is created for an organization that the user does not belong to, then the organization the user was acting on behalf of will be used instead.

  • If a user views data and belongs to the organization(s) that own it, only those organization(s) see the audit log messages.

  • If a user modifies data that is shared (flags, notes, and bans), all organizations with access will see the log.

  • If a user views data and doesn’t belong to the controlling organization then the controlling organization will see the audit log for that “view” in addition to the viewing user’s organizations, assuming the data is shared with those other organizations.

  • If it helps make it clearer how this works, this is the if/else statement used for this analysis:

    if (user has direct access) then
      Log action to the organization(s) the user belongs to
    else
      Log action to the organization(s) the user belongs to
      Log action to the organization(s) the data belongs to
    end
    

Information Available

The following information is logged with every audit log message.

  • Request ID: This is a unique ID that is generated for every HTTP request made to the BattleMetrics API.
  • Request Route: This is the internal API route name that is associated with the request.
  • Instance ID: When a user loads the BattleMetrics website, a unique ID is generated for that window/tab. That ID is included and logged for every request made from that window or tab.
  • History ID: When a user navigates to a page on the BattleMetrics website a unique ID is generated for that event. The unique ID is included and logged for every request made from that page.
  • Path: This is the BattleMetrics website URL path name the user was on when the API request was made.
  • Action: The action taken. The available actions are: Create, Read, Update, or Delete.
  • Timestamp: The time the action took place (as recorded by our server) in UTC. The timestamp will be displayed based on your time zone and location settings.
  • Resource: The type of resource and its ID. Resources are things like servers, player identifiers, and bans.
  • Relationships: Many resource types have common relationships. A player identifier would have a relationship to a player, a ban could be related to a player, and so on.
  • Organization: An audit log message will be associated with a single organization. If a user belongs to multiple organizations and each organization has access to the same resource, multiple log messages will be generated.
  • Actor: The user or organization that is responsible for this action.
  • Location: If the user has consented to GeoIP sharing and the organization has turned on GeoIP information, the user’s location will be included.
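
The fields above are enough to review an account for bulk viewing of organization data. The following is an added example, not BattleMetrics code: it flags actors who Read many distinct resources inside a short window and reports how many tabs (Instance ID) and page loads (History ID) the reads came from. The record layout, key names, paths, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Key names mirror the fields listed above but are
# assumptions for this example, not a BattleMetrics export format.
def _rec(ts, actor, action, rtype, rid, instance, history, path):
    return {"timestamp": datetime.fromisoformat(ts), "actor": actor, "action": action,
            "resource": (rtype, rid), "instance_id": instance,
            "history_id": history, "path": path}

SAMPLE = (
    # One actor reading 12 different player resources in 12 seconds from one tab.
    [_rec(f"2024-04-18T10:00:{i:02d}+00:00", "user:alice", "Read", "player",
          str(1000 + i), "inst-a", f"hist-{i}", f"/rcon/players/{1000 + i}")
     for i in range(12)]
    # Ordinary admin activity spread over time.
    + [_rec("2024-04-18T10:05:00+00:00", "user:bob", "Read", "ban", "77",
            "inst-b", "hist-b1", "/rcon/bans"),
       _rec("2024-04-18T10:06:00+00:00", "user:bob", "Update", "ban", "77",
            "inst-b", "hist-b1", "/rcon/bans"),
       _rec("2024-04-18T11:30:00+00:00", "user:bob", "Read", "player", "1001",
            "inst-b", "hist-b2", "/rcon/players/1001")]
)

def bulk_reads(records, window=timedelta(minutes=5), threshold=10):
    """Map each actor who Read >= threshold distinct resources within `window`
    to a summary of the busiest window found for that actor."""
    by_actor = defaultdict(list)
    for r in records:
        if r["action"] == "Read":
            by_actor[r["actor"]].append(r)
    findings = {}
    for actor, recs in by_actor.items():
        recs.sort(key=lambda r: r["timestamp"])
        start, best = 0, []
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end]["timestamp"] - recs[start]["timestamp"] > window:
                start += 1
            span = recs[start:end + 1]
            if len({r["resource"] for r in span}) > len({r["resource"] for r in best}):
                best = span
        distinct = {r["resource"] for r in best}
        if len(distinct) >= threshold:
            findings[actor] = {
                "distinct_resources": len(distinct),
                "first": best[0]["timestamp"], "last": best[-1]["timestamp"],
                "instances": sorted({r["instance_id"] for r in best}),
                "pages": len({r["history_id"] for r in best}),
            }
    return findings
```

Because audit logs are kept for three days (thirty for Enterprise), a review like this only covers activity inside that period.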