Audit Logs to AWS S3 Buckets
Data collected around Audit Events can be streamed from Airkit to AWS S3 buckets, allowing you to investigate the data in external analytics platforms.
Here, we walk through how to set up your S3 bucket to receive System Audit Logs from Airkit.
Create your S3 bucket in AWS. When creating the bucket, select ACLs disabled.
Under System Audit Logs > S3 bucket, click edit to set a new S3 bucket, and then insert the name of the S3 bucket you created previously into the pop-up window that appears:
Click Verify. Airkit will write a test file named airkit-verify-test-{{timestamp}}.
Once configured, every five minutes, Airkit will send relevant Events in a new file to the S3 bucket.
| Property | Data Type |
| --- | --- |
| ORGANIZATION_ID | VARCHAR |
| EVENT_ID | VARCHAR |
| EVENT_YEAR | NUMBER |
| EVENT_MONTH | DATE |
| EVENT_DATE | DATE |
| EVENT_TIME | TIMESTAMPNTZ |
| ROOT_SCOPE_USER_ID | VARCHAR |
| USER_ID | VARCHAR |
| EMAIL | VARCHAR |
| APP_ID | VARCHAR |
| BRANCH_ID | VARCHAR |
| DEPLOY_ID | VARCHAR |
| SAVEPOINT_ID | VARCHAR |
| SAVEPOINT_REVISION | VARCHAR |
| RESOURCE_TYPE | VARCHAR |
| RESOURCE_ID | VARCHAR |
| DOMAIN | VARCHAR |
| DATASTORE_ID | VARCHAR |
| API_KEY_ID | VARCHAR |
| NOTIFIER_ID | VARCHAR |
| SAML_ID | VARCHAR |
| WEBHOOK_ID | VARCHAR |
| ADAPTER_ID | VARCHAR |
| EMBED_ID | VARCHAR |
| ROLE_ID | VARCHAR |
| SERVICE | VARCHAR |
| SERVICE_REVISION | VARCHAR |
| LOGIN_TYPE | VARCHAR |
| EVENT_TYPE | VARCHAR (See possible values below.) |
Every Audit Event has an associated Event Type, stored under EVENT_TYPE. EVENT_TYPE has the following possible values:
portal_page_view
deployment_changed
new_adapter
deleted_api_key
deleted_encryption_key
modified_notifier
new_saml
invite_sent
new_encryption_key
user_support_scope_assigned
deleted_resource
user_role_removed
deleted_notifier
clone_datastore
invalid_login
saml_assertion_received
user_created
user_logout
deleted_domain_certificate
new_embed
user_root_scope_assigned
deleted_adapter
modified_datastore
deleted_datastore
user_login
app_deployed
new_resource
new_api_key
modified_adapter
modified_api_key
data_migration
org_created
new_domain_certificate
modified_domain_certificate
new_notifier
backup_datastore
new_datastore
password_change
modified_embed
user_locked
deleted_embed
app_undeployed
app_created
user_role_added
request_state
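
Once the files are landing in the bucket, the properties and event types listed above are enough for a first-pass triage. The following is an added example, not Airkit code: it flags bursts of invalid_login for one EMAIL, a user_login that follows such a burst, and changes to access, keys or SAML. It assumes each record is one JSON object per line keyed by the property names above, that EVENT_TIME is rendered as ISO text, and that login events carry EMAIL; the page does not state the file format, and the names parse_events, triage and SENSITIVE are hypothetical.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Assumption: one JSON object per line, keyed by the
# property names in the table above; TIMESTAMPNTZ rendered as ISO text.
SAMPLE = """\
{"EVENT_ID":"e1","EVENT_TIME":"2024-01-05 10:00:05","EMAIL":"a@example.com","EVENT_TYPE":"invalid_login"}
{"EVENT_ID":"e2","EVENT_TIME":"2024-01-05 10:00:40","EMAIL":"a@example.com","EVENT_TYPE":"invalid_login"}
{"EVENT_ID":"e3","EVENT_TIME":"2024-01-05 10:01:10","EMAIL":"a@example.com","EVENT_TYPE":"invalid_login"}
{"EVENT_ID":"e4","EVENT_TIME":"2024-01-05 10:02:00","EMAIL":"a@example.com","EVENT_TYPE":"user_login"}
{"EVENT_ID":"e5","EVENT_TIME":"2024-01-05 10:03:00","EMAIL":"a@example.com","EVENT_TYPE":"new_api_key"}
{"EVENT_ID":"e6","EVENT_TIME":"2024-01-05 10:04:00","EMAIL":"b@example.com","EVENT_TYPE":"portal_page_view"}
{"EVENT_ID":"e7","EVENT_TIME":"2024-01-05 10:30:00","EMAIL":"b@example.com","EVENT_TYPE":"invalid_login"}
{"EVENT_ID":"e8","EVENT_TIME":"2024-01-05 10:31:00","EMAIL":"b@example.com","EVENT_TYPE":"user_login"}
"""

# Event types from the list above that change access, keys or trust settings.
SENSITIVE = {"user_root_scope_assigned", "user_support_scope_assigned",
             "user_role_added", "new_api_key", "modified_api_key",
             "deleted_encryption_key", "new_saml"}

def parse_events(text):
    """Parse JSON lines into dicts sorted by EVENT_TIME."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["_ts"] = datetime.fromisoformat(ev["EVENT_TIME"])
    return sorted(events, key=lambda ev: ev["_ts"])

def triage(events, threshold=3, window=timedelta(minutes=5)):
    """Return (finding, EMAIL, EVENT_ID) tuples in event order."""
    findings, failures = [], defaultdict(list)  # EMAIL -> recent failure times
    for ev in events:
        kind, who, ts = ev["EVENT_TYPE"], ev.get("EMAIL"), ev["_ts"]
        recent = [t for t in failures[who] if ts - t <= window]
        if kind == "invalid_login":
            failures[who] = recent + [ts]
            if len(failures[who]) == threshold:
                findings.append(("failed_login_burst", who, ev["EVENT_ID"]))
        elif kind == "user_login":
            if len(recent) >= threshold:
                findings.append(("login_after_burst", who, ev["EVENT_ID"]))
            failures[who] = []
        elif kind in SENSITIVE:
            findings.append(("sensitive_change", who, ev["EVENT_ID"]))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE)):
        print(finding)
```

The threshold of three failures in five minutes is an arbitrary starting point; tune it, and the SENSITIVE set, to your organization's normal activity.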
After creating your S3 bucket, grant Airkit access to it via the following AWS IAM policy, assuming {{BUCKET-NAME}} is the name of the S3 bucket you created:
In Airkit, visit Settings > Logs and App Notifiers. The UI will look as follows: