Audit Logs to AWS S3 Buckets

Data collected around Audit Events can be streamed from Airkit to AWS S3 buckets, allowing you to investigate the data in external analytics platforms.


Streaming Audit Logs to S3

Here, we walk through how to set up your S3 bucket to receive System Audit Logs from Airkit.

  1. Create your S3 Bucket in AWS. When creating the bucket, select ACLs disabled.
  2. After creating your S3 Bucket, grant Airkit write access to the bucket by attaching the following bucket policy (an AWS IAM resource policy), assuming {{BUCKET-NAME}} is the name of the S3 bucket you created:
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AirkitWritePermission",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::113997530994:root"
         },
         "Action": [
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::{{BUCKET-NAME}}/*"
         ]
      }
   ]
}
  3. In Airkit Console, visit Settings > Logs and App Notifiers. The UI will look as follows:

Under System Audit Logs > S3 bucket, click edit to set a new S3 bucket, and then enter the name of the S3 bucket you created previously into the pop-up window that appears:


Click Verify. Airkit will write a test file named airkit-verify-test-{{timestamp}} to the bucket.

  4. Once configured, Airkit writes the relevant Events to a new file in the S3 bucket every five minutes.
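As an added check that is not part of Airkit's documentation or tooling, the following Python script verifies that a bucket policy has the least-privilege shape shown in step 2: only Airkit's account as principal, only s3:PutObject, and only objects inside the named bucket. The bucket name example-audit-bucket and both policy documents below are constructed samples.

```python
from typing import Dict, List

# Airkit's AWS account root, as it appears in the documented policy.
AIRKIT_PRINCIPAL = "arn:aws:iam::113997530994:root"
ALLOWED_ACTIONS = {"s3:PutObject"}


def _as_list(value) -> list:
    """IAM accepts a single string/object or a list in these fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_bucket_policy(policy: Dict, bucket_name: str) -> List[str]:
    """Return findings for every Allow statement that grants more than
    s3:PutObject to the Airkit account on objects in bucket_name.
    An empty list means the policy matches the documented shape."""
    findings = []
    expected_resource = f"arn:aws:s3:::{bucket_name}/*"
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"statement#{i}")
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in aws:
            findings.append(f"{sid}: Principal '*' allows anonymous writes")
        findings += [f"{sid}: unexpected principal {p}" for p in aws if p not in ("*", AIRKIT_PRINCIPAL)]
        extra = [a for a in _as_list(stmt.get("Action")) if a not in ALLOWED_ACTIONS]
        if extra:
            findings.append(f"{sid}: actions beyond s3:PutObject: {extra}")
        bad = [r for r in _as_list(stmt.get("Resource")) if r != expected_resource]
        if bad:
            findings.append(f"{sid}: resource not limited to {expected_resource}: {bad}")
    return findings


# Constructed sample: the documented policy with {{BUCKET-NAME}} filled in.
DOCUMENTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AirkitWritePermission", "Effect": "Allow",
    "Principal": {"AWS": AIRKIT_PRINCIPAL}, "Action": ["s3:PutObject"],
    "Resource": ["arn:aws:s3:::example-audit-bucket/*"]}]}

# Constructed over-broad variant a review should reject: anonymous
# principal, wildcard action, and a resource that is the bucket itself.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TooPermissive", "Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-audit-bucket"}]}
```

Run check_bucket_policy on the policy you actually attached (for example, the output of the AWS console's policy editor) and treat any non-empty result as a reason to tighten the statement before enabling the stream.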

Event Data Schema

Property              Data Type
ORGANIZATION_ID       VARCHAR
EVENT_ID              VARCHAR
EVENT_YEAR            NUMBER
EVENT_MONTH           DATE
EVENT_DATE            DATE
EVENT_TIME            TIMESTAMP_NTZ
ROOT_SCOPE_USER_ID    VARCHAR
USER_ID               VARCHAR
EMAIL                 VARCHAR
APP_ID                VARCHAR
BRANCH_ID             VARCHAR
DEPLOY_ID             VARCHAR
SAVEPOINT_ID          VARCHAR
SAVEPOINT_REVISION    VARCHAR
RESOURCE_TYPE         VARCHAR
RESOURCE_ID           VARCHAR
DOMAIN                VARCHAR
DATASTORE_ID          VARCHAR
API_KEY_ID            VARCHAR
NOTIFIER_ID           VARCHAR
SAML_ID               VARCHAR
WEBHOOK_ID            VARCHAR
ADAPTER_ID            VARCHAR
EMBED_ID              VARCHAR
ROLE_ID               VARCHAR
SERVICE               VARCHAR
SERVICE_REVISION      VARCHAR
LOGIN_TYPE            VARCHAR
EVENT_TYPE            VARCHAR (See possible values below.)

Event Types

Every Audit Event has an associated Event Type, stored under EVENT_TYPE. EVENT_TYPE has the following possible values:

Event Types
portal_page_view
deployment_changed
new_adapter
deleted_api_key
deleted_encryption_key
modified_notifier
new_saml
invite_sent
new_encryption_key
user_support_scope_assigned
deleted_resource
user_role_removed
deleted_notifier
clone_datastore
invalid_login
saml_assertion_received
user_created
user_logout
deleted_domain_certificate
new_embed
user_root_scope_assigned
deleted_adapter
modified_datastore
deleted_datastore
user_login
app_deployed
new_resource
new_api_key
modified_adapter
modified_api_key
data_migration
org_created
new_domain_certificate
modified_domain_certificate
new_notifier
backup_datastore
new_datastore
password_change
modified_embed
user_locked
deleted_embed
app_undeployed
app_created
user_role_added
request_state