Reporting and monitoring using Audit

This topic provides use cases for when you can use the Audit application to report, monitor, and search through Relativity’s audit records. Use this information to familiarize yourself with the functions and capabilities of the Audit application to help monitor activity in your Relativity instance.

Identifying Relativity scripts and long-running queries

This use case highlights how you can use Relativity scripts run in a workspace or instance to determine who is running the scripts and if the scripts are causing performance issues in your environment.

Note: You can perform this workflow from the Audit tab at the instance or workspace level.

  1. In the List view of the Audit tab, filter under the Action column for RelativityScriptExecution.
    1. Ensure only the RelativityScriptExecution action is selected. Clear the (All) and (Not Set) checkboxes.

  2. Click Apply to filter results.

With this filter, you can view all users who ran a Relativity script and see how frequently they ran each script over time using the timestamp widgets. The Object Name should have details on what the script was performing. If it does not, you can check the Audit Details section for more information on the script including what the query was performing (see the JSON tab in Audit Details).

  1. To access the Audit Details, click in the Details column for the record you wish to view.
  2. Toggle between the Table and JSON tab. The JSON tab contains information on what query the script performed.
  3. Close the Audit Details to return to the Audit tab.
  4. In the List, click on the Execution Time (ms) column to change the sort.

By altering the sort, you can view which scripts are taking the most time to run. Long running scripts can cause issues with the user experience in Relativity. These long running scripts should be running during the off-hours or a downtime window as to not affect other users.

Identifying incorrect coding and performing a mass revert

This use case highlights how to filter to identify incorrect or erroneous coding decisions and then perform a mass revert to update the coding decision back to the previous selection.

Note: You can only mass revert audits from the workspace Audit tab.

Use filters to query on all updates and mass edits performed by a specific user:

  1. Navigate to the workspace Audit tab.
  2. In the List view, filter on the User Name column for a specific user.
  3. From the search panel, click Add Condition, and then select the Action field.
    1.  Select the Update and Update - Mass Edit actions.
    2. Click Apply.
  4. Click Add Condition again, and then select the Object Type field.
    1. Select the Document object.
    2. Click Apply.

Before reverting documents to the previous coding decision, create a report of the documents you're about to revert:

  1. From the mass operations bar, select Export in the drop-down menu.
  2. Next to Format, select Comma Separated Values (.csv).
  3. Click Run.
  4. Save the exported report.

Perform a mass revert to update the document coding decisions to the previous selection:

  1. In the items per page option, adjust the display up to the number you wish to revert (maximum 1000).
  2. From the mass operations bar, select Revert in the drop-down menu.

  3. A pop-up window appears verifying the audits can be Reverted. Once complete, click Run to revert the documents.

Note: You can also use a similar workflow to identify when Mass Updates are occurring and monitoring users performing mass actions.

Tracking user access and identifying potential breaches

This use case highlights how to create a view in the Audit tab to regularly report users accessing the Relativity instance. This view can help identify users’ login, logout, and failed login attempts.

Note: You can only perform this workflow from the instance Audit tab.

  1. Navigate to the instance Audit tab.
  2. Click the view drop-down menu, and then click New View.
  3. Enter the following name for you view: Security Analysis - Last 30 Days.
  4. On the Fields tab, add the following fields to your view:
    • Details
    • Audit ID
    • Timestamp
    • Object Name
    • Object Type
    • User Name
    • Object ArtifactID
  5. On the Conditions tab, click Add Condition, and then select the Timestamp field.
    1. Next to Operator, select is in.
    2. Select Last 30 Days from the drop-down list.
    3. Click Apply.
  6. Click Add Condition, and then select the Action field.
    1. Next to Operator, select any of these.
    2. Select the following actions:
      • Login
      • Login - Failed
      • Logout
    3. Click Apply.

Once you create this view, you or your security team can filter on the Login - Failed action for more insight into what caused the login failure.

  1. On the Count of Action widget, select the Login – Failed action.
  2. Click Apply.
  3. On the Count of User Name by Timestamp widget, look for a User Name of 0. Click on the 0 username to filter.

A username of 0 indicates someone who is not a registered user for your Relativity instance. The reason for this varies and could be as simple as someone incorrectly typing their username. However, it could also indicate an attempt to breach the system. It’s important to note when these times occur and if there's a pattern.

Aggregating the number of errors over time

This use case highlights how to identify patterns of errors over time. Use the timestamp widgets to see if there are a consistent amount of errors occurring during a specific time of day. By using a few different filtering methods - directly in the List, on a widget, adding conditions - you can view patterns of errors specific to services, agents, etc. with Relativity to see if something is consistently causing users issues in Relativity.

Note: You can only perform this workflow from the instance Audit tab.

  1. Navigate to the instance Audit tab.
  2. In the List view, filter on the Object Type field to only display only the Error object.
  3. Once you apply the filter, view the various timestamp widgets above the List.
  4. If you notice a consistent pattern where the Error action occurs, use your mouse to click and drag on a specific timeframe in each of the timestamp widgets.

  5. In the List view, use the Object Name field to see more details about the error.

You can also add a condition to filter on the Object Name field for a specific component of Relativity. Selecting the Object Name field gives you a free text search back. You can specify a specific string or set of string along with the is like operator to filter for errors for a specific component.

You can also save these filters in a View to regularly monitor for specific errors occurring in Relativity.