View audit logs
Audit logs are your organization’s administrative history, including changes to user accounts, user roles, and more.
Through the Astra Portal, you can download control plane audit logs only.
For control plane and data plane logs, you must use the streaming option.
View control plane audit logs in the Astra Portal
In the Astra Portal, you can download control plane audit logs in intervals of 30, 60, and 90 days:
- In the Astra Portal header, click Settings.
- In the Settings navigation menu, click the name of the current organization, and then select the organization where you want to view audit logs.
- In the Settings navigation menu, click Security.
- In the Audit Logs section, click Download as CSV, and then select the audit log interval to download.
Control plane audit log contents
Audit logs include the following fields:
- typename: The log record type, such as AuditEvent.
- actionResult: The outcome of the event, such as SUCCESS.
- userID: The UUID of the user who triggered the event.
- event: Detailed event data, such as the response from the underlying API call associated with the event.
- eventTime: The date and time that the event occurred in the format YYYY-MM-DDTHH:MM:SS.SSSZ.
- eventType: The event category.
Possible control plane eventTypes include the following:
- User events:
  - CREATE_USER: Created a user object in an organization. This happens when JIT provisioning adds a user to an organization, an organization administrator sends an invite to a user, or you create an organization (which creates the initial organization administrator user).
  - INVITE_USER_TO_ORGANIZATION: An administrator invited a user to an organization.
  - ACCEPT_USER_TO_ORGANIZATION: A user accepted an invitation to an organization.
  - PROVISION_SSO_USER_INTO_ORGANIZATION: Single sign-on (SSO) identity provider (IdP) provisioning added a user to an organization.
  - REVOKE_INVITATION: Canceled a pending user invitation.
  - REMOVE_USER_FROM_ORG: An administrator removed a user from an organization.
  - DELETE_USER: Deleted a user object from an organization. This happens when a user deletes their personal account or an organization administrator removes the user from the organization.
- Token events:
  - GENERATE_TOKEN_FOR_CLIENT: Created an application token.
  - DELETE_TOKEN_FOR_CLIENT: Deleted an application token.
- Role events:
  - CREATE_ROLE: Created a custom role.
  - COPY_ROLE: Copied an existing role.
  - UPDATE_ROLE: Edited a custom role.
  - DELETE_ROLE: Deleted a custom role.
- Organization events:
  - CREATE_ORG: Created an organization.
  - DELETE_ORG: Deleted an organization.
- Database events:
  - CREATE_DATABASE: Created a database through the Astra Portal.
  - DELETE_DATABASE: Terminated a database through the Astra Portal.
  - CREATE_KEYSPACE: Created a keyspace through the Astra Portal.
  - DELETE_KEYSPACE: Deleted a keyspace through the Astra Portal.
  - ADD_REGION_TO_DATABASE: Deployed a database to an additional region.
  - REMOVE_REGION_FROM_DATABASE: Removed a region from a multi-region database.
  - CONFIGURED_THIRD_PARTY_METRICS: Configured a metrics export.
  - DELETED_THIRD_PARTY_METRICS: Deleted a metrics export.
  - CDC_ENABLED: Enabled Change Data Capture (CDC) for a database.
  - LAUNCHED_CQLSH: Launched the embedded CQL shell in the Astra Portal.
- Access list events:
  - CREATE_ACCESS_LIST: Created a Control Plane IP Access Control List.
  - ADD_ADDRESS_TO_ACCESS_LIST: Modified a Control Plane IP Access Control List by adding addresses to the list.
  - UPDATE_ACCESS_LIST: Modified a Control Plane IP Access Control List.
  - REPLACE_EXISTING_LIST: Modified a Control Plane IP Access Control List by replacing the whole list.
  - DELETE_ADDRESS_OR_ACCESS_LIST: Deleted all or part of the Control Plane IP Access Control List.
  - DP_ACL_CREATED: Created a Data Plane IP Access Control List.
  - DP_ACL_DELETED: Deleted a Data Plane IP Access Control List.
  - DP_ACL_MODIFIED: Modified a Data Plane IP Access Control List.
- Single sign-on (SSO) identity provider (IdP) configuration events:
  - ADD_SAML_IDP: Added an SSO IdP configuration in active (enabled) status.
  - PREP_NEW_IDP: Added an SSO IdP configuration in draft (inactive) status.
  - ENABLE_IDP: Activated (enabled) an SSO IdP configuration that was previously inactive.
  - ENABLE_ORG_SSO: Activated the SSO functionality for an organization. This means there is at least one SSO IdP configuration in active (enabled) status.
  - UPDATE_IDP: Edited an SSO IdP configuration.
  - DELETE_IDP: Deleted an SSO IdP configuration.
  - DISABLE_IDP: Deactivated an SSO IdP configuration, but did not delete it.
  - DISABLE_ORG_SSO: Deactivated the SSO functionality for an organization. This means there are no active SSO IdP configurations.
- Other security configuration events:
  - CREATE_CLOUD_ACCOUNT: Began the process of adding a customer-managed encryption key (CMEK) to an Astra DB organization.
  - CREATE_SERVERLESS_KEY: Added a CMEK for Astra DB Serverless databases.
  - CREATE_CLASSIC_KEY: Added a CMEK for Classic databases.
  - DELETE_SERVERLESS_KEY: Deleted a CMEK for Astra DB Serverless databases.
  - DELETE_CLASSIC_KEY: Deleted a CMEK for Classic databases.
  - CUSTOM_DNS_ENABLED: Enabled custom domains.
  - CUSTOM_DNS_ADDED: Added a domain to the custom DNS configuration.
  - PE_CONFIGURED: Added a private endpoint.
  - PE_DELETED: Deleted a private endpoint.
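The following is an added example, not DataStax code, showing one way to triage a downloaded control plane CSV for review: it flags events that weaken access controls or mint credentials, plus any event whose actionResult is not SUCCESS, grouped by userID. It assumes the CSV header row uses the field names listed above; the HIGH_RISK selection, the sample rows, and the FAILURE value are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Triage choice made for this example (not a vendor classification): event
# types from the list above that weaken access controls or mint credentials.
HIGH_RISK = {
    "DISABLE_ORG_SSO", "DISABLE_IDP", "DELETE_IDP",
    "DELETE_ADDRESS_OR_ACCESS_LIST", "REPLACE_EXISTING_LIST", "DP_ACL_DELETED",
    "DELETE_SERVERLESS_KEY", "DELETE_CLASSIC_KEY", "PE_DELETED",
    "GENERATE_TOKEN_FOR_CLIENT", "UPDATE_ROLE",
}

# Constructed sample rows; header names are assumed to match the field list.
SAMPLE_CSV = """typename,actionResult,userID,event,eventTime,eventType
AuditEvent,SUCCESS,11111111-1111-4111-8111-111111111111,{},2024-05-01T09:15:02.120Z,CREATE_DATABASE
AuditEvent,SUCCESS,22222222-2222-4222-8222-222222222222,{},2024-05-01T23:42:55.870Z,GENERATE_TOKEN_FOR_CLIENT
AuditEvent,SUCCESS,22222222-2222-4222-8222-222222222222,{},2024-05-01T23:41:10.003Z,DISABLE_ORG_SSO
AuditEvent,FAILURE,33333333-3333-4333-8333-333333333333,{},2024-05-02T02:05:44.500Z,DELETE_CLASSIC_KEY
"""


def parse_time(value):
    """Parse the documented YYYY-MM-DDTHH:MM:SS.SSSZ format as UTC."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def triage(csv_text):
    """Return {userID: [(time, eventType, actionResult), ...]}, time-ordered."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        risky = row["eventType"] in HIGH_RISK
        failed = row["actionResult"] != "SUCCESS"  # anything else is reviewed
        if risky or failed:
            findings[row["userID"]].append(
                (parse_time(row["eventTime"]), row["eventType"], row["actionResult"]))
    for events in findings.values():
        events.sort()  # chronological order per user
    return dict(findings)


if __name__ == "__main__":
    for user, events in triage(SAMPLE_CSV).items():
        for when, event_type, result in events:
            print(f"{when.isoformat()} {user} {event_type} {result}")
```
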
Stream control plane and data plane audit logs
Streamed audit logs contain both control plane and data plane events.
You can stream Astra DB Serverless audit logs to your Apache Pulsar™ instance with the DevOps API or through Astra Streaming.
For the Astra Streaming option, see Stream Astra DB audit logs.
For the DevOps API option, do the following:
- In your Pulsar instance, create a topic.
- In the Astra Portal, create an application token with the Organization Administrator role.
- Get your organization ID from any Astra Portal URL, such as astra.datastax.com/org/ORGANIZATION_ID/.
- To enable audit log streaming to your Pulsar instance, send a POST request to the DevOps API Audit Log Telemetry endpoint:

  curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "pulsar": {
      "endpoint": "BROKER_SERVICE_URL",
      "auth_strategy": "AUTH_TYPE",
      "topic": "PULSAR_TOPIC",
      "auth_name": "PULSAR_AUTH_NAME",
      "token": "PULSAR_TOKEN"
    }
  }'

  Replace the following:
  - ORG_ID: Your Astra DB organization ID.
  - APPLICATION_TOKEN: Your Astra DB application token.
  - BROKER_SERVICE_URL: Your Pulsar Broker URL prefixed by pulsar+, such as pulsar+ssl://pulsar.example.com.
  - AUTH_TYPE: The Pulsar authentication strategy, either token or oauth2.
    - For token, include the auth_name and token parameters with your Pulsar credentials.
    - For oauth2, include the oauth2_credentials_url and oauth2_issuer_url parameters with your Pulsar OAuth2 credentials and issuer URLs. Optionally, you can provide oauth_audience and oauth2_scope. For more information, see Authentication using OAuth 2.0 access tokens.
  - PULSAR_TOPIC: The Pulsar topic where you want to publish metrics, such as persistent://test/default/audit-log-topic.

  Response
  HTTP/1.1 202 Accepted

- To retrieve and review the audit log streaming configuration, send a GET request:

  curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json"

  Response
  {
    "pulsar": {
      "endpoint": "pulsar+ssl://pulsar.example.com",
      "topic": "persistent://test/default/audit-log",
      "auth_strategy": "token",
      "token": "********",
      "auth_name": "token"
    }
  }

- Monitor your Pulsar instance to confirm that log streaming occurs according to your topic configuration.
To delete an audit log streaming configuration, you can send a DELETE request.
Get user information for streamed audit logs
Streamed audit logs contain user IDs instead of user email addresses.
You can use GET /v2/organizations/users/USER_ID to get the email addresses associated with streamed user IDs:
curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
You can use GET /v2/organizations/users to get information for all users in an Astra DB organization:
curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"