Audit Logs to AWS S3 Buckets

Data collected around Audit Events can be streamed from Airkit to AWS S3 buckets, allowing you to investigate the data in external analytics platforms.

Streaming Audit Logs to S3

Here, we walk through how to set up your S3 bucket to receive System Audit Logs from Airkit.

  1. Create your S3 Bucket in AWS. When creating the bucket, select ACLs disabled.
  1. After creating your S3 Bucket, provide Airkit permission to your S3 bucket via the following AWS IAM policy, assuming {{BUCKET-NAME}} is the name of the S3 bucket you created:
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AirkitWritePermission",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::113997530994:root"
         },
         "Action": [
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::{{BUCKET-NAME}}/*"
         ]
      }
   ]
}
  1. In Airkit Console, visit Settings > Logs and App Notifiers.

Under System Audit Logs > S3 bucket, click edit to set a new S3 bucket, and then insert the S3 bucket name you created previously into the pop-up window that appears.

Click Verify. Airkit will write a test file named airkit-verify-test-{{timestamp}}.

  1. Once configured, every five minutes, Airkit will send relevant Events in a new file to the S3 bucket.
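
Before clicking Verify, it is worth confirming that the bucket policy grants no more than the statement above: one principal, one action, objects in one bucket. The following check is an added example, not Airkit or AWS code; it assumes the bucket is dedicated to Airkit audit logs, and the function names and sample bucket name are hypothetical.

```python
import json

# Principal and action come from the policy on this page; AWS treats a bare
# account ID as equivalent to the account's root ARN. Actions are case-insensitive.
AIRKIT_PRINCIPALS = {"arn:aws:iam::113997530994:root", "113997530994"}
ALLOWED_ACTIONS = {"s3:putobject"}


def _as_list(value):  # IAM accepts a single value or a list for these fields
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json, bucket_name):
    """Return findings for Allow statements broader than the grant shown on this page."""
    findings = []
    expected = f"arn:aws:s3:::{bucket_name}/*"
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        for key in ("NotPrincipal", "NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{sid}: {key} grants everything except the listed values")
        principal = stmt.get("Principal", {})
        pairs = ([(k, p) for k, v in principal.items() for p in _as_list(v)]
                 if isinstance(principal, dict) else [("*", principal)])
        for kind, p in pairs:
            if kind != "AWS" or p not in AIRKIT_PRINCIPALS:
                findings.append(f"{sid}: unexpected principal {kind}:{p}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != expected:
                findings.append(f"{sid}: unexpected resource {resource}")
    return findings


# Constructed samples: the page's policy with a made-up bucket name, and a loosened variant.
BUCKET = "example-audit-logs"
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AirkitWritePermission", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::113997530994:root"},
    "Action": ["s3:PutObject"], "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}]})
LOOSE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": f"arn:aws:s3:::{BUCKET}"}]})

if __name__ == "__main__":
    print(audit_bucket_policy(PAGE_POLICY, BUCKET), audit_bucket_policy(LOOSE_POLICY, BUCKET))
```

An empty list means every Allow statement matches the grant shown on this page; statements added for other readers of the bucket, such as an analytics platform, will be reported and need to be reviewed separately.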

Event Data Schema

| Property | Data Type |
| --- | --- |
| ORGANIZATION_ID | VARCHAR |
| EVENT_ID | VARCHAR |
| EVENT_YEAR | NUMBER |
| EVENT_MONTH | DATE |
| EVENT_DATE | DATE |
| EVENT_TIME | TIMESTAMPNTZ |
| ROOT_SCOPE_USER_ID | VARCHAR |
| USER_ID | VARCHAR |
| EMAIL | VARCHAR |
| APP_ID | VARCHAR |
| BRANCH_ID | VARCHAR |
| DEPLOY_ID | VARCHAR |
| SAVEPOINT_ID | VARCHAR |
| SAVEPOINT_REVISION | VARCHAR |
| RESOURCE_TYPE | VARCHAR |
| RESOURCE_ID | VARCHAR |
| DOMAIN | VARCHAR |
| DATASTORE_ID | VARCHAR |
| API_KEY_ID | VARCHAR |
| NOTIFIER_ID | VARCHAR |
| SAML_ID | VARCHAR |
| WEBHOOK_ID | VARCHAR |
| ADAPTER_ID | VARCHAR |
| EMBED_ID | VARCHAR |
| ROLE_ID | VARCHAR |
| SERVICE | VARCHAR |
| SERVICE_REVISION | VARCHAR |
| LOGIN_TYPE | VARCHAR |
| EVENT_TYPE | VARCHAR (See possible values below.) |

Event Types

Every Audit Event has an associated Event Type, stored under EVENT_TYPE. EVENT_TYPE has the following possible values:

portal_page_view
deployment_changed
new_adapter
deleted_api_key
deleted_encryption_key
modified_notifier
new_saml
invite_sent
new_encryption_key
user_support_scope_assigned
deleted_resource
user_role_removed
deleted_notifier
clone_datastore
invalid_login
saml_assertion_received
user_created
user_logout
deleted_domain_certificate
new_embed
user_root_scope_assigned
deleted_adapter
modified_datastore
deleted_datastore
user_login
app_deployed
new_resource
new_api_key
modified_adapter
modified_api_key
data_migration
org_created
new_domain_certificate
modified_domain_certificate
new_notifier
backup_datastore
new_datastore
password_change
modified_embed
user_locked
deleted_embed
app_undeployed
app_created
user_role_added
request_state