The Directory Insights Activity Log includes an event frequency chart and a table with individual events for the selected time range. Directory Insights data is useful for auditing & compliance or for troubleshooting issues like user lockouts.
Considerations:
- JumpCloud stores Directory Data for 90 days. Any views in the admin console will only reflect the previous 90 days of activity. If you need to store data longer than 90 days, consider the JumpCloud Directory Insights AWS Serverless Application or export the logs directly using the Directory Insights API.
- You can export Directory Insights data in JSON or CSV format.
Prerequisites:
- Directory Insights has to be enabled for your account. Email your Account Manager to get this enabled.
Chart View
The Activity Log chart shows a graph of the number of events that occurred during the selected time range. You can click a bar in the chart to view data for that bar's time range.
List View
The Activity Log list shows event data in the following default columns:
- Timestamp: When the event happened; the date and time on which the event occurred.
- Event Type: The event type. Events are gathered from the following services: All, Directory, LDAP, MDM, Password Manager, RADIUS, SSO, Software, and Devices.
- Result: The result of the logged activity, such as "Device login successful" or "Policy created."
- Initiated By: Who initiated the event; the username of the JumpCloud user that initiated the event. If no username is available, the user's email address is shown. If neither a username nor an email address is available, "--" is shown.
- Client IP: Where the event happened; the IP address of the requesting client.
To add or change the columns:
- From the JumpCloud Admin Portal, go to Insights > Directory.
- On the Events list, click the columns menu. You can either search, or select from the list of Available events. You can select up to eight columns to display. You can always click Revert to default columns if needed.
Refining Data
Use the service, event type, and user filters to refine log data. You can view data for the following services:
- All
- Directory
- LDAP
- RADIUS
- Password Manager
- SSO
- Software
- Systems
- MDM
You can view data for one or more different event types. You can also view data for either all or specific users.
Use the Time Range to filter data from 15 minutes to 90 days ago.
To select a time range:
- From the JumpCloud Admin Portal, go to Insights > Directory.
- Click the Time Range and select from the easy Quick Picks, or define a range with the Specific Dates fields.
- Click apply.
- Click clear all to go back to default settings.
To add a filter:
- From the JumpCloud Admin Portal, go to Insights > Directory.
- Next to the Search bar, there are four filter menus you can apply: Service, Event Type, User, and Device.
- Click add filter to select a different filter to apply. You can filter by the following field names listed in DI Activity Log Filters.
- Click the ( X ) next to the filter, or clear all to go back to the default settings.
- If you want to see all of the same event types in the Activity Log list, under the columns Event Type and Client IP, you can click any event type or client IP to filter only that type.
- For example: Click admin_login_attempt to see all login attempts.
- Click clear all to go back to default settings.
View current data by clicking refresh in the top right corner of the Activity Log.
View summary details and JSON by clicking the down arrow to the left of an event date.
Export event data in JSON or CSV by clicking export in the right corner.
Activity Log Views
Use the Views list to see pre-filtered Quick Views or to create and save custom views.
Activity Log Data Availability
- The Activity Log can show data for up to the last 90 days.
- Keep in mind that your org may not have data available for the previous 90 days.
- Free accounts can see data for the last 15 days.
Using Saved & Quick Views
Considerations:
- If you choose a specific date for a view and then save it, the view defaults to the previous hour of data the next time you load the Saved View. Choose a different Quick Picks time range to view data for a longer time period.
- If you choose a Quick Pick time range for a view and then save it, data for the Quick Pick time range you saved is shown each time you load the Saved View.
- Saved Views are available to all administrator accounts on a JumpCloud org. All administrators can view, modify, and delete any Saved Views.
- There is a maximum of 1,000 saved views per organization.
Creating and Saving Views
To create a saved view:
- Apply columns and filters for the data you want to see.
- Apply a Quick Picks time range.
- To the right of the Views list, click save view.
- Give the view a unique name.
- Click save.
To create a saved view from a quick view:
- Select Quick View from the View list.
- Modify the Quick View.
- Click save as.
- Give the view a unique name.
- Click save.
Modifying Saved Views
Considerations:
- When you modify a saved view, it’s updated for all admins in your org.
- Currently you can't rename a Saved View. If you need to rename a view, you can delete a view, then create a new one with the name you want.
To modify an existing saved view:
- In the Views list, click select view ... .
- Select Saved View.
- Modify the filters applied to the view by adding new or removing existing columns and filters.
- Click save view.
- Confirm you want to save over the existing view.
To create a new saved view from an existing saved view:
- In the Views list, click select view ... .
- Select a saved view.
- Modify the filters applied to the view by adding new or removing existing columns and filters.
- Click save as.
Deleting Saved Views
Considerations:
- When you delete a saved view, it’s deleted for all Admins in your org.
- You can’t undo a delete action.
To delete a saved view:
- In the Views list, click select view ... .
- Hover over a saved view, then click the trash can icon to the right of the view name.
- To confirm that you want to delete the view, click delete.
Using Quick Views
Quick Views are shortcuts to pre-filtered views.
If you select a Quick View that has no data for the time period you've chosen, you can increase your time range to see data for the view.
To choose a Quick View:
- In the Views list, click select view ... .
- Select a view from the list of available Quick Views.
- (Optional) Click clear view to remove the view from the Activity Log.
Using Search
Considerations:
- When exporting Directory Insights data, any search terms in use to filter the list view will not be applied to the export.
The DI Search is a full text query that enables you to narrow the table view of individual events in the activity log based on the terms entered.
- Spaces are treated as AND
- Underscores are treated as AND
- OR, NOT operators are not supported
- Exact phrase search with quotations is not supported
Search works in conjunction with applied Saved Views, Time Range, and filters to search within those results for something more specific. You can also apply Saved Views, Time Range, and filters after performing a text search to further narrow results.
See the table below to see which database fields are searched for each Service selected from the Service drop-down menu.
DI Search
Service | Database Fields Searched |
---|---|
Directory |
|
LDAP |
|
RADIUS |
|
Password Manager |
|
SSO |
|
Software |
|
Systems |
|
MDM |
|
View Old API Keys Actively Being Used
The Directory Insights event ‘admin_old_api_key_attempt’ can be used to identify any old admin API key that’s still being used. When an admin API key is rotated, you’ll see these events until you replace all instances of your old admin API key with the newly rotated key value. Each attempted usage of an old admin API key will generate a new instance of this event detailing the extent of its usage.
To view old API Keys:
- Log in to the JumpCloud Admin Portal.
- In the left-hand navigation, click INSIGHTS > Directory.
- Select a Time Range. Only events within that Time Range will be displayed.
- In the Event Type dropdown menu, select admin_old_api_key_attempt to filter the events.
- A list of results will populate if there are any old API keys being actively used for the selected Time Range.
- You can also pinpoint usage by searching your code base for the specific JumpCloud API Path value ‘console.jumpcloud.com’ endpoint or for the following ‘api.jumpcloud.com’ path snippets:
- ‘/insights/directory/v1’
- ‘/reports’
- ‘/import/users’
- Click the dropdown arrow next to the timestamp of an event to see a Summary.
- Click the JSON tab to see the event details to identify the source of where the old API key is being used. The following details are provided:
- initiated_by: Identifies the admin whose API key is being used.
- client_ip: The IP Address from which the API call was sourced to JumpCloud.
- geoip: Identifies the geography associated with the client IP address.
- Resource: Identifies the base URL for the JumpCloud API being called.
- A URL of `console.jumpcloud.com` will also have a Path value, which specifies the API endpoint being called.
- A URL of `api.jumpcloud.com` will be any endpoint in the Directory Insights API or SCIM Server API.
- useragent: Standard information about the program making the API call.
- The old API key may still be in use by various integrations with JumpCloud. Generate a new API key and update every existing integration that uses an API key with the newly generated value. To see which integrations use an API key and to generate a new one, see JumpCloud APIs.
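To turn the steps above into a worklist, the following added example (not JumpCloud's own code) groups exported `admin_old_api_key_attempt` events by admin, client IP, resource and user agent, so each row is one caller still using the old key. The JSON key names `event_type`, `timestamp`, `resource` and `path`, and the shape of each value, are assumptions; the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample export. Key names (event_type, timestamp, resource, path)
# and value shapes are assumptions; adjust them to match your real export.
SAMPLE_EXPORT = json.dumps([
    {"event_type": "admin_old_api_key_attempt", "timestamp": "2024-05-01T08:00:00Z",
     "initiated_by": {"email": "ops-admin@example.com"}, "client_ip": "203.0.113.10",
     "resource": "console.jumpcloud.com", "path": "/api/systemusers",
     "useragent": "python-requests/2.31.0"},
    {"event_type": "admin_old_api_key_attempt", "timestamp": "2024-05-01T09:00:00Z",
     "initiated_by": {"email": "ops-admin@example.com"}, "client_ip": "203.0.113.10",
     "resource": "console.jumpcloud.com", "path": "/api/systemusers",
     "useragent": "python-requests/2.31.0"},
    {"event_type": "admin_old_api_key_attempt", "timestamp": "2024-05-01T08:30:00Z",
     "initiated_by": {"email": "ops-admin@example.com"}, "client_ip": "198.51.100.7",
     "resource": "api.jumpcloud.com", "useragent": "curl/8.4.0"},
    {"event_type": "admin_login_attempt", "timestamp": "2024-05-01T08:45:00Z",
     "initiated_by": {"email": "ops-admin@example.com"}, "client_ip": "198.51.100.7"},
])


def label(value):
    """Return a printable label for a field that may be a string or an object."""
    if isinstance(value, dict):
        for k in ("username", "email", "name"):
            if value.get(k):
                return str(value[k])
        return json.dumps(value, sort_keys=True)
    return str(value) if value else "--"


def summarize_old_key_usage(export_json):
    """Group old-key events by caller, busiest first; one row per integration to fix."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in json.loads(export_json):
        if ev.get("event_type") != "admin_old_api_key_attempt":
            continue
        target = label(ev.get("resource")) + (ev.get("path") or "")
        key = (label(ev.get("initiated_by")), label(ev.get("client_ip")),
               target, label(ev.get("useragent")))
        g, ts = groups[key], ev.get("timestamp", "")
        g["count"] += 1
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return sorted(groups.items(), key=lambda kv: -kv[1]["count"])


if __name__ == "__main__":
    for (admin, ip, target, agent), g in summarize_old_key_usage(SAMPLE_EXPORT):
        print(g["count"], admin, ip, target, agent, g["first"], g["last"])
```

Once the integration behind a row has been updated, its `last` timestamp should stop advancing; an empty result for a recent Time Range means no caller is still presenting the old key.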