Transform Logs into Knowledge with Directory Insights

Written by Paul Nguyen on October 16, 2020

Share This Article

Understanding end user activities across a myriad of resources is a challenging task for IT administrators, often requiring hours of searching through different logs in vastly different formats. It’s no small chore to collect logs, search through them, coalesce them, and finally interpret them to reach a conclusion.

IT teams use many different solutions within their technology stack, each with their own logging data formats, making it time consuming to create a cohesive audit trail. When time is of the essence to find a critical event, this process can feel even more frustrating and burdensome.

But event logs are not all created equal: their data schema, or how data is presented for analysis, is a key distinction in event logging solutions that shouldn’t be overlooked.

We told you about Directory Insights™ and how it transforms logs into knowledge. This blog will tell you more about why this feature’s schema is its superpower — and how a recent update to the schema makes it even easier to find an event’s root cause.

What Does a Standard Schema Do?

Imagine if libraries today didn’t use the Dewey Decimal System to organize the thousands or millions of books within their buildings. How would you find that particular zombie-filled mystery book you’re looking for? Without a known system to use, it would be impossible to find anything at libraries in a reasonable amount of time and effort.

Whether you’re an avid reader searching for that book or an IT administrator looking for an event, the structure of how information is presented is paramount to the process.

Directory Insights surfaces JumpCloud® directory data to provide ready-to-use visibility across nearly every event in your environment, which allows IT teams and MSPs to troubleshoot user issues and meet compliance from a single activity log (or via API and the JumpCloud PowerShell Module). 

When you look at Directory Insights in your JumpCloud Admin Portal, the feature’s interface centralizes activities or events from across JumpCloud-managed resources in a single, clean view. You can track events in a consistent format across SSO applications, LDAP, RADIUS, the User Portal and Admin Portals, and all Windows®, Mac®, and Linux® devices you manage.

This is thanks to Directory Insights’ data schema, which was purpose-built to present aggregated and indexed data points that can be filtered and viewed in clicks so finding information to make decisions takes minutes, not hours. Directory Insights’ schema, or its uniquely structured log format, makes it easier for admins to see what took place, when, and by whom when they’re looking into an individual event or preparing an audit.

The feature’s activity data chart, filters and columns, and templated quick views allow JumpCloud admins to drill down into the data they need fast. This means that admins can help end users more quickly, for instance if a user is locked out of resource access and requires assistance to regain access to the right things.

Radius ldap Schema

How Directory Insights Shows User Behavior Across the Identity, Access, and Device

Directory Insights’ schema got a recent update to make it even easier for admins to search for and identify a specific user-initiated event from the JumpCloud Admin Portal and API. 

The RADIUS, LDAP, and system login_attempt events use a username field to identify the end user who initiated the event whereas the SSO, User Portal, and Admin Portal use an initiated_by object. The initiated_by object contains an additional level of detail including the username, the id for the user, and the type of resource that initiated the event. If an admin were to search for a user by only the username field they could mistakenly think they’re seeing all events for that user but actually be missing SSO and User Portal events. 

“initiated_by”: {
    “id”: “5ce5acf31686a34d9c0ce6e9”,
    “type”: “user”,
    “username”: “bill”

Directory Insights’ schema improvement extends the initiated_by object to all event types, including the RADIUS, LDAP, and system login_attempt events, standardizing the way you can search across services and event types. This means that the initiated_by object contains more detailed information about a user which provides greater search flexibility.

For example, if you want to see all events by admins in your JumpCloud organization, you could search for where initiated_by.type equals “admin.” If you wanted all the events for the admin named “Bill,” you could search for initiated_by.username equals “Bill.” The more ways the feature can standardize the schemas across events types, the easier it will be to search across events types in the portal or with the API.

The “User” filter available in the JumpCloud Admin Portal leverages these schemas to gather all events related to a user, whether they are authentications or changes to the user’s personal information. This filter lets you narrow down your events view and search by username and see only the user(s) events you want, within a specified time range.

Try JumpCloud Directory Insights for Free

Directory Insights’ schema centralizes multiple services and protocols in an immediately usable format which you won’t find in any other event logging solution. IT admins can save hours of time auditing and troubleshooting with Directory Insights’ single aggregated view containing every data insight that matters, including user-initiated events across cloud and on-premises resources.

Get more technical details in this Knowledge Base article, and get hands-on with Directory Insights with a JumpCloud Free account and test it with up to 10 users and 10 devices.

Paul Nguyen

A product manager for JumpCloud. Paul has an affinity for data and being a voice for the customer. With degrees in data science and illustration, he adds a unique creative analytical perspective to IT solutions.

Continue Learning with our Newsletter