Audit Logs to AWS S3 Buckets
Data collected around Audit Events can be streamed from Airkit to AWS S3 buckets, allowing you to investigate the data in external analytics platforms.
Here, we walk through how to set up your S3 bucket to receive System Audit Logs from Airkit.
Create your S3 Bucket in AWS. When creating the bucket, select ACLs disabled.
After creating your S3 Bucket, provide Airkit permission to your S3 bucket via the following AWS IAM policy, assuming {{BUCKET-NAME}} is the name of the S3 bucket you created:
In Airkit Console, visit Settings > Logs and App Notifiers. The UI will look as follows:
Under System Audit Logs > S3 bucket, click edit to set a new S3 bucket, and then insert the S3 bucket name you created previously into the pop-up window that appears:
Click Verify. Airkit will write a test file named airkit-verify-test-{{timestamp}}
Once configured, every five minutes, Airkit will send relevant Events in a new file to the S3 bucket.
Property | Data Type |
---|---|
ORGANIZATION_ID | VARCHAR |
EVENT_ID | VARCHAR |
EVENT_YEAR | NUMBER |
EVENT_MONTH | DATE |
EVENT_DATE | DATE |
EVENT_TIME | TIMESTAMPNTZ |
ROOT_SCOPE_USER_ID | VARCHAR |
USER_ID | VARCHAR |
EMAIL | VARCHAR |
APP_ID | VARCHAR |
BRANCH_ID | VARCHAR |
DEPLOY_ID | VARCHAR |
SAVEPOINT_ID | VARCHAR |
SAVEPOINT_REVISION | VARCHAR |
RESOURCE_TYPE | VARCHAR |
RESOURCE_ID | VARCHAR |
DOMAIN | VARCHAR |
DATASTORE_ID | VARCHAR |
API_KEY_ID | VARCHAR |
NOTIFIER_ID | VARCHAR |
SAML_ID | VARCHAR |
WEBHOOK_ID | VARCHAR |
ADAPTER_ID | VARCHAR |
EMBED_ID | VARCHAR |
ROLE_ID | VARCHAR |
SERVICE | VARCHAR |
SERVICE_REVISION | VARCHAR |
LOGIN_TYPE | VARCHAR |
EVENT_TYPE | VARCHAR (See possible values below.) |
Every Audit Event has an associated Event Type, stored under EVENT_TYPE. EVENT_TYPE has the following possible values:
Event Types |
---|
portal_page_view |
deployment_changed |
new_adapter |
deleted_api_key |
deleted_encryption_key |
modified_notifier |
new_saml |
invite_sent |
new_encryption_key |
user_support_scope_assigned |
deleted_resource |
user_role_removed |
deleted_notifier |
clone_datastore |
invalid_login |
saml_assertion_received |
user_created |
user_logout |
deleted_domain_certificate |
new_embed |
user_root_scope_assigned |
deleted_adapter |
modified_datastore |
deleted_datastore |
user_login |
app_deployed |
new_resource |
new_api_key |
modified_adapter |
modified_api_key |
data_migration |
org_created |
new_domain_certificate |
modified_domain_certificate |
new_notifier |
backup_datastore |
new_datastore |
password_change |
modified_embed |
user_locked |
deleted_embed |
app_undeployed |
app_created |
user_role_added |
request_state |
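
Once the events are in your bucket, the properties and event types above are enough for basic triage. The following is an added example, not Airkit code: it flags bursts of invalid_login per user, a successful login shortly after such a burst, and changes to keys, SAML or privileges. It assumes each record has already been parsed into a dict keyed by the property names above and that EVENT_TIME is an ISO 8601 string (the page does not state how the files are serialized); the threshold, window and the choice of "sensitive" event types are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event types from the page's list that touch credentials, keys or privilege.
# Treating these as "sensitive" is this example's choice, not an Airkit setting.
SENSITIVE = {
    "new_api_key", "modified_api_key", "deleted_api_key",
    "new_encryption_key", "deleted_encryption_key", "new_saml",
    "user_role_added", "user_root_scope_assigned",
    "user_support_scope_assigned", "password_change",
}

def triage(events, threshold=3, window=timedelta(minutes=5)):
    """Return findings in time order as (kind, actor, EVENT_TIME) tuples."""
    findings = []
    failures = defaultdict(list)   # actor -> times of recent invalid_login events
    burst_at = {}                  # actor -> time the last burst was flagged
    parsed = [(datetime.fromisoformat(e["EVENT_TIME"]), e) for e in events]
    for when, ev in sorted(parsed, key=lambda p: p[0]):
        actor = ev.get("EMAIL") or ev.get("USER_ID") or "unknown"
        kind = ev.get("EVENT_TYPE")
        if kind == "invalid_login":
            # Keep only failures inside the sliding window, then add this one.
            failures[actor] = [t for t in failures[actor] if when - t <= window] + [when]
            if len(failures[actor]) >= threshold:
                findings.append(("invalid_login_burst", actor, ev["EVENT_TIME"]))
                burst_at[actor] = when
                failures[actor] = []   # reset so one burst raises one finding
        elif kind == "user_login":
            if actor in burst_at and when - burst_at.pop(actor) <= window:
                findings.append(("login_after_burst", actor, ev["EVENT_TIME"]))
        elif kind in SENSITIVE:
            findings.append(("sensitive:" + kind, actor, ev["EVENT_TIME"]))
    return findings

# Constructed sample records (not real Airkit output).
def _ev(time, email, kind):
    return {"EVENT_TIME": "2024-01-01T" + time, "EMAIL": email, "EVENT_TYPE": kind}

SAMPLE = [_ev(*row) for row in [
    ("10:00:00", "a@example.com", "invalid_login"),
    ("10:01:00", "a@example.com", "invalid_login"),
    ("10:02:00", "a@example.com", "invalid_login"),
    ("10:03:00", "a@example.com", "user_login"),
    ("10:04:00", "a@example.com", "new_api_key"),
    ("10:00:30", "b@example.com", "invalid_login"),
    ("10:20:00", "b@example.com", "invalid_login"),
    ("10:21:00", "b@example.com", "user_login"),
]]

if __name__ == "__main__":
    print(triage(SAMPLE))
```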