Audit Logs to AWS S3 Buckets

Data collected around Audit Events can be streamed from Airkit to AWS S3 buckets, allowing you to investigate the data in external analytics platforms.

Streaming Audit Logs to S3

Here, we walk through how to set up your S3 bucket to receive System Audit Logs logs from Airkit.

Create your S3 Bucket in AWS. When creating the bucket, select ACLs disabled.

After creating your S3 Bucket, provide Airkit permission to your S3 bucket via the following AWS IAM policy.

{{BUCKET-NAME}}: name of the S3 bucket you created

{{aws_region}}: name of the region your organization is provisioned

US - us-west-2
AP - ap-southeast-2
EU - eu-central-1

{{organization_id}}: The ID of your organization. To get your org id, see Getting Application Metadata

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AirkitWritePermission",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:sts::113997530994:assumed-role/airkit-{{aws_region}}-reporting-export-role/{{organization_id}}"
         },
         "Action": [
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::{{BUCKET-NAME}}/*"
         ]
      }
   ]
}

In Airkit Console,visit Settings > Logs and App Notifiers. The UI will look as follows:

Under System Audit Logs > S3 bucket, click edit to set an new S3 bucket, and then insert the S3 bucket name you created previously into the pop-up window that appears:

Click Verify. Airkit will write a test file named airkit-verify-test-{{timestamp}}

Once configured, every five minutes, Airkit will send relevant Events in a new file to the S3 bucket.

Schema and Examples

The structure of the exported data depends on the type of Event being sent. There is a lot of variation to the data structure depending on the Event type, as the relevant information depends on the Event details.

There are a couple standard fields that are exported with every Audit Log Event:

organizationId
eventTime
eventId
type
kind - for Audit Log Events, this will always be "Audit"

It is the type field that usually determines what other fields that will be part of the export. For instance, consider the following export where type = app_created:

{
    "organizationId": "482f2a38-8e9d-4329-b2a0-e97d5bc05d36",
    "type": "app_created",
    "eventTime": "2022-11-14T14:50:02.662",
    "appId": "efb19715-9a42-4a04-81c8-a026fa882f94",
    "eventId": "1RRvwLDVfvR7wathILYtnE34XFDm",
    "elevatedOperation": false,
    "kind": "Audit"
}

In addition to the standard fields, this export also contains the fields appId and elevatedOperation, which contain important information pertaining to app creation.

In contrast, consider the following export where type = user_login:

{
    "organizationId": "482f2a38-8e9d-4329-b2a0-e97d5bc05d36",
    "type": "user_login",
    "eventTime": "2022-11-14T21:29:06.062",
    "userId": "32c81dee-db98-4143-8996-888b0b0fc501",
    "eventId": "1RS7LYxhirW8RMtAG5FDB30Psviz",
    "loginType": "org-picker",
    "elevatedOperation": false,
    "kind": "Audit"
}

In addition to the standard fields, this export contains the fields userId, loginType, and elevatedOperation, two of which are relevant to a builder logging into the platform but NOT a builder creating a new app.

Event Types

type has the following possible values:

Event Types
api_key_not_in_group
app_created
app_deployed
app_undeployed
backup_datastore
clone_datastore
created_invite
data_decrypt
data_encrypt
data_export
data_migration
deleted_adapter
deleted_api_key
deleted_datastore
deleted_domain_certificate
deleted_embed
deleted_encryption_key
deleted_notifier
deleted_resource
deleted_user
deployment_changed
invalid_api_key
invalid_login
invite_sent
modified_adapter
modified_api_key
modified_datastore
modified_domain_certificate
modified_embed
modified_encryption_key
modified_notifier
modified_user_role
new_adapter
new_api_key
new_datastore
new_domain_certificate
new_embed
new_encryption_key
new_notifier
new_resource
new_saml
org_created
password_change
portal_page_view
request_state
saml_assertion_received
searched_all_user
successfully_authenticated
updated_organization_displayname_whitelabelid_type
updated_organization_license_key
user_created
user_locked
user_login
user_logout
user_role_added
user_role_removed
user_root_scope_assigned
user_super_admin_assigned
user_support_admin_assigned
user_support_scope_assigned
viewed_all_organizations
viewed_all_users_in_organization
viewed_filtered_organizations
viewed_licenses_by_org_id
viewed_organization_by_id

Event Types

api_key_not_in_group

app_created

app_deployed

app_undeployed

backup_datastore

clone_datastore

created_invite

data_decrypt

data_encrypt

data_export

data_migration

deleted_adapter

deleted_api_key

deleted_datastore

deleted_domain_certificate

deleted_embed

deleted_encryption_key

deleted_notifier

deleted_resource

deleted_user

deployment_changed

invalid_api_key

invalid_login

invite_sent

modified_adapter

modified_api_key

modified_datastore

modified_domain_certificate

modified_embed

modified_encryption_key

modified_notifier

modified_user_role

new_adapter

new_api_key

new_datastore

new_domain_certificate

new_embed

new_encryption_key

new_notifier

new_resource

new_saml

org_created

password_change

portal_page_view

request_state

saml_assertion_received

searched_all_user

successfully_authenticated

updated_organization_displayname_whitelabelid_type

updated_organization_license_key

user_created

user_locked

user_login

user_logout

user_role_added

user_role_removed

user_root_scope_assigned

user_super_admin_assigned

user_support_admin_assigned

user_support_scope_assigned

viewed_all_organizations

viewed_all_users_in_organization

viewed_filtered_organizations

viewed_licenses_by_org_id

viewed_organization_by_id

PreviousApp Events to AWS S3 Buckets NextView Data in Activity Explorer

Last updated 1 year ago