Not sure if the following are possible, but if they are, they would be very helpful:
Consistent log formatting: Each log has a type and the format of the log (other than being JSON) varies from type to type. E.g., one log type might report user_id, another might report username if present, and all three at the top of the log entry (in addition to whatever might be under username, and some of the log types substitute username. And apparently not all ‘user delete’ log events are sdu type events. User deletes can also be sapi events with a “Deleted user” description. All this variability makes it very difficult to grok the logs when troubleshooting. E.g., I had an alert set up in Sumologic for user delete events… but it only triggered on
Log the source client name / ID on sapi log types. Right now only the tenant ID is recorded. There’s no way to know which client updated a user’s profile. If possible, include an identifier for the user (management dashboard user, delegated admin dashboard user, etc.) who made the change, if the change was made by a user. There’s no chain connecting ‘user profile updated’ back to a person / client / api.
Probably not possible, but some sort of session ID that links related logs would be amazingly useful. We could check the logs for an event of interest, grab the session ID and then pull all the logs related to that session.
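While the format varies by type, a user-delete alert has to match both event shapes mentioned in the post and look for the user identifier in more than one place. The following is an added example, not code from the original post or from the vendor; the description and details key names and the sample lines are assumptions constructed for illustration.

```python
import json

# type, user_id and username come from the post; "description" and the
# nested "details" object are assumed key names, not confirmed by the page.
USER_KEYS = ("user_id", "username")

def is_user_delete(event):
    """True for sdu events and for sapi events described as 'Deleted user'."""
    etype = event.get("type")
    if etype == "sdu":
        return True
    desc = str(event.get("description") or "")
    return etype == "sapi" and "deleted user" in desc.lower()

def user_identifier(event):
    """Return (key, value) for the first user field found, top level first."""
    for scope in (event, event.get("details") or {}):
        if not isinstance(scope, dict):
            continue
        for key in USER_KEYS:
            if scope.get(key):
                return key, scope[key]
    return None, None

def find_user_deletes(lines):
    """Return (normalized delete records, count of lines that were not JSON objects)."""
    hits, skipped = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            skipped += 1
            continue
        if is_user_delete(event):
            key, value = user_identifier(event)
            hits.append({"type": event["type"], "user_field": key, "user": value})
    return hits, skipped

# Constructed sample lines, not real tenant logs.
SAMPLE = [
    '{"type": "sdu", "user_id": "auth0|111", "description": "User deleted"}',
    '{"type": "sapi", "description": "Deleted user", "details": {"username": "alice"}}',
    '{"type": "sapi", "description": "Update a user", "user_id": "auth0|222"}',
    'not json',
]
```

Counting the skipped lines matters for alerting: a parser that silently drops entries it cannot read hides exactly the kind of gap described in the post.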