Audit Logs to AWS S3 Buckets

Data collected around Audit Events can be streamed from Airkit to AWS S3 buckets, allowing you to investigate the data in external analytics platforms.

Streaming Audit Logs to S3

Here, we walk through how to set up your S3 bucket to receive System Audit Logs logs from Airkit.

Create your S3 Bucket in AWS. When creating the bucket, select ACLs disabled.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AirkitWritePermission",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::113997530994:root"
         },
         "Action": [
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::{{BUCKET-NAME}}/*"
         ]
      }
   ]
}

Under System Audit Logs > S3 bucket, click edit to set an new S3 bucket, and then insert the S3 bucket name you created previously into the pop-up window that appears:

Click Verify. Airkit will write a test file named airkit-verify-test-{{timestamp}}

Once configured, every five minutes, Airkit will send relevant Events in a new file to the S3 bucket.

Event Data Schema

[block:parameters] { "data": { "h-0": "Property", "h-1": "Data Type", "0-0": "ORGANIZATION_ID", "1-0": "EVENT_ID", "2-0": "EVENT_YEAR", "3-0": "EVENT_MONTH", "4-0": "EVENT_DATE", "5-0": "EVENT_TIME", "6-0": "ROOT_SCOPE_USER_ID", "7-0": "USER_ID", "8-0": "EMAIL", "9-0": "APP_ID", "10-0": "BRANCH_ID", "11-0": "DEPLOY_ID", "12-0": "SAVEPOINT_ID", "13-0": "SAVEPOINT_REVISION", "14-0": "RESOURCE_TYPE", "15-0": "RESOURCE_ID", "16-0": "DOMAIN", "17-0": "DATASTORE_ID", "18-0": "API_KEY_ID", "19-0": "NOTIFIER_ID", "20-0": "SAML_ID", "21-0": "WEBHOOK_ID", "22-0": "ADAPTER_ID", "23-0": "EMBED_ID", "24-0": "ROLE_ID", "25-0": "SERVICE", "26-0": "SERVICE_REVISION", "27-0": "LOGIN_TYPE", "28-0": "EVENT_TYPE", "0-1": "VARCHAR", "1-1": "VARCHAR", "2-1": "NUMBER", "3-1": "DATE", "4-1": "DATE", "6-1": "VARCHAR", "7-1": "VARCHAR", "8-1": "VARCHAR", "9-1": "VARCHAR", "10-1": "VARCHAR", "11-1": "VARCHAR", "12-1": "VARCHAR", "13-1": "VARCHAR", "14-1": "VARCHAR", "15-1": "VARCHAR", "16-1": "VARCHAR", "17-1": "VARCHAR", "18-1": "VARCHAR", "19-1": "VARCHAR", "20-1": "VARCHAR", "21-1": "VARCHAR", "22-1": "VARCHAR", "23-1": "VARCHAR", "24-1": "VARCHAR", "25-1": "VARCHAR", "26-1": "VARCHAR", "27-1": "VARCHAR", "28-1": "VARCHAR (See possible values below.)", "5-1": "TIMESTAMPNTZ" }, "cols": 2, "rows": 29 } [/block]

Event Types

Every Audit Event has an associated Event Type, stored under EVENT_TYPE. EVENT_TYPE has the following possible values:

Event Types

portal_page_view

deployment_changed

new_adapter

deleted_api_key

deleted_encryption_key

modified_notifier

new_saml

invite_sent

new_encryption_key

user_support_scope_assigned

deleted_resource

user_role_removed

deleted_notifier

clone_datastore

invalid_login

saml_assertion_received

user_created

user_logout

deleted_domain_certificate

new_embed

user_root_scope_assigned

deleted_adapter

modified_datastore

deleted_datastore

user_login

app_deployed

new_resource

new_api_key

modified_adapter

modified_api_key

data_migration

org_created

new_domain_certificate

modified_domain_certificate

new_notifier

backup_datastore

new_datastore

password_change

modified_embed

user_locked

deleted_embed

app_undeployed

app_created

user_role_added

request_state

PreviousApp Events to AWS S3 Buckets NextView Data in Activity Explorer

Last updated 1 year ago

Was this helpful?