View audit logs

Audit logs are your organization’s administrative history, including changes to user accounts, user roles, and more.

Through the Astra Portal, you can download control plane audit logs only.

For control plane and data plane logs, you must use the streaming option.

View control plane audit logs in the Astra Portal

In the Astra Portal, you can download control plane audit logs in intervals of 30, 60, and 90 days:

In the Astra Portal header, click Settings.
In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to view audit logs.

If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.
In the Settings navigation menu, click Security.
In the Audit Logs section, click Download as CSV, and then select the audit log interval to download.

Control plane audit log contents

Audit logs include the following fields:

typename: The log record type, such as AuditEvent.
actionResult: The outcome of the event, such as SUCCESS.
userID: The UUID of the user who triggered the event.
event: Detailed event data, such as the response from the underlying API call associated with the event.
eventTime: The date and time that the event occurred in the format YYYY-MM-DDTHH:MM:SS.SSSZ.
eventType: The event category.

Possible control plane eventTypes include the following:

User events:
- INVITE_USER_TO_ORGANIZATION: An administrator invited a user to an organization.
- ACCEPT_USER_TO_ORGANIZATION: A user accepted an invitation to an organization.
- PROVISION_SSO_USER_INTO_ORGANIZATION: Single sign-on (SSO) identity provider (IdP) provisioning added a user to an organization.
- REVOKE_INVITATION: Canceled a pending user invitation.
- REMOVE_USER_FROM_ORG: An administrator removed a user from an organization.
Token events:
- GENERATE_TOKEN_FOR_CLIENT: Created an application token.
- DELETE_TOKEN_FOR_CLIENT: Deleted an application token.
Role events:
- CREATE_ROLE: Created a custom role.
- COPY_ROLE: Copied an existing role.
- UPDATE_ROLE: Edited a custom role.
- DELETE_ROLE: Deleted a custom role.
Organization events:
- CREATE_ORG: Created an organization.
- DELETE_ORG: Deleted an organization.
Database events:
- CREATE_DATABASE: Created a database through the Astra Portal.
- DELETE_DATABASE: Terminated a database through the Astra Portal.
- CREATE_KEYSPACE: Created a keyspace through the Astra Portal.
- DELETE_KEYSPACE: Deleted a keyspace through the Astra Portal.
- ADD_REGION_TO_DATABASE: Deployed a database to an additional region.
- REMOVE_REGION_FROM_DATABASE: Removed a region from a multi-region database.
- CONFIGURED_THIRD_PARTY_METRICS: Configured a metrics export.
- DELETED_THIRD_PARTY_METRICS: Deleted a metrics export.
Access list events:
- ADD_ADDRESS_TO_ACCESS_LIST: Modified a Data Plane IP Access Control List by adding addresses to the list.
- UPDATE_ACCESS_LIST: Modified a Data Plane IP Access Control List.
- DELETE_ADDRESS_OR_ACCESS_LIST: Deleted all or part of the Data Plane IP Access Control List.
- CREATE_ACCESS_LIST: Create a Control Plane IP Access Control List.
- REPLACE_EXISTING_LIST: Modified a Control Plane IP Access Control List by replacing the whole list.
Single sign-on (SSO) identity provider (IdP) configuration events:
- ADD_SAML_IDP: Added an SSO IdP configuration in active (enabled) status.
- PREP_NEW_IDP: Added an SSO IdP configuration in draft (inactive) status.
- ENABLE_IDP: Activated (enabled) an SSO IdP configuration that was previously inactive.
- ENABLE_ORG_SSO: Activated the SSO functionality for an organization. This means there is at least one SSO IdP configuration in active (enabled) status.
- UPDATE_IDP: Edited an SSO IdP configuration.
- DELETE_IDP: Deleted an SSO IdP configuration.
- DISABLE_IDP: Deactivated an SSO IdP configuration, but did not delete it.
- DISABLE_ORG_SSO: Deactivated the SSO functionality for an organization. This means there are no active SSO IdP configurations.
Other security configuration events:
- CREATE_CLOUD_ACCOUNT: Begin the process of adding a customer-managed encryption key (CMEK) to an Astra organization.
- CREATE_SERVERLESS_KEY: Add a CMEK for Astra DB Serverless databases.
- CREATE_CLASSIC_KEY: Add a CMEK for Classic databases.
- DELETE_SERVERLESS_KEY: Delete a CMEK for Astra DB Serverless databases.
- DELETE_CLASSIC_KEY: Delete a CMEK for Classic databases.
- CUSTOM_DNS_ENABLED: Enabled custom domains.
- CUSTOM_DNS_ADDED: Added a domain to the custom DNS configuration.
- PE_CONFIGURED: Added a private endpoint.
- PE_DELETED: Deleted a private endpoint.

Stream control plane and data plane audit logs

Streamed audit logs contain both control plane and data plane events.

You can stream Astra DB Serverless audit logs to your Apache Pulsar™ instance with the DevOps API or through Astra Streaming.

For the Astra Streaming option, see Stream Astra audit logs.

For the DevOps API option, do the following:

In your Pulsar instance, create a topic.
In the Astra Portal, create an application token with the Organization Administrator role.
Get your organization ID from any Astra Portal URL, such as astra.datastax.com/org/ORGANIZATION_ID/.
To enable audit log streaming to your Pulsar instance, send a POST request to the DevOps API Audit Log Telemetry endpoint:
```
curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "pulsar": {
    "endpoint": "BROKER_SERVICE_URL",
    "auth_strategy": "AUTH_TYPE",
    "topic": "PULSAR_TOPIC",
    "auth_name": "PULSAR_AUTH_NAME",
    "token": "PULSAR_TOKEN"
  }
}'
```
Replace the following:
- ORG_ID: Your Astra organization ID.
- APPLICATION_TOKEN: Your Astra application token.
- BROKER_SERVICE_URL: Your Pulsar Broker URL prefixed by pulsar+, such as pulsar+ssl://pulsar.example.com.
- AUTH_TYPE: The Pulsar authentication strategy, either token or oauth2.
  - For token, include the auth_name and token parameters with your Pulsar credentials.
  - For oauth2, include the oauth2_credentials_url and oauth2_issuer_url parameters with your Pulsar OAuth2 credentials and issuer URLs. Optionally, you can provide oauth_audience and oauth2_scope. For more information, see Authentication using OAuth 2.0 access tokens.
- PULSAR_TOPIC: The Pulsar topic where you want to publish metrics, such as persistent://test/default/audit-log-topic.
Result
HTTP/1.1 202 Accepted

To retrieve and review the audit log streaming configuration, send a GET request:

curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

Result

{
  "pulsar": {
    "endpoint": "pulsar+ssl://pulsar.example.com",
    "topic": "persistent://test/default/audit-log",
    "auth_strategy": "token",
    "token": "********",
    "auth_name": "token"
  }
}

Monitor your Pulsar instance to confirm that log streaming occurs according to your topic configuration.

To delete an audit log streaming configuration, you can send a DELETE request.

Get user information for streamed audit logs

Streamed audit logs contain user IDs instead of user email addresses.

You can use GET /v2/organizations/users/USER_ID to get the email addresses associated with streamed user IDs:

curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

You can use GET /v2/organizations/users to get information for all users in an Astra organization:

curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

View audit logs

View control plane audit logs in the Astra Portal

Control plane audit log contents

Stream control plane and data plane audit logs

Get user information for streamed audit logs

Was this helpful?

Give Feedback