View the audit log
The audit log is your organization’s administrative history, including changes to user accounts, user roles, and more. Audit logs are available in intervals of 30, 60, and 90 days.
View an audit log
- In the Astra Portal navigation menu, click Settings, and then click Security.
- In the Audit Logs section, click Download as CSV, and then select the audit log interval to download.
Audit log content
Audit logs include the following fields:
- typename: The log record type, such as AuditEvent.
- actionResult: The outcome of the event, such as SUCCESS.
- userID: The UUID of the user who triggered the event.
- event: Detailed event data, such as the response from the underlying API call associated with the event.
- eventTime: The date and time that the event occurred in the format YYYY-MM-DDTHH:MM:SS.SSSZ.
- eventType: The event category. Possible eventTypes include the following:
  - ACCEPT_USER_TO_ORGANIZATION: A user accepted an invitation to an organization.
  - ADD_SAML_IDP: Added an SSO identity provider configuration in active (enabled) status.
  - COPY_ROLE: Copied an existing role.
  - CREATE_ORG: Created an organization.
  - CREATE_ROLE: Created a role.
  - CREATE_USER: Created a user account.
  - DELETE_IDP: Deleted an SSO identity provider configuration.
  - DELETE_ORG: Deleted an organization.
  - DELETE_ROLE: Deleted a role.
  - DELETE_TOKEN_FOR_CLIENT: Deleted an application token.
  - DELETE_USER: Deleted a user account.
  - DISABLE_IDP: Deactivated an SSO identity provider configuration.
  - DISABLE_ORG_SSO: Deactivated SSO functionality for an organization. This happens if there are no active SSO IdP configurations.
  - ENABLE_IDP: Activated an SSO identity provider configuration.
  - ENABLE_ORG_SSO: Activated SSO functionality for an organization. This happens if there is at least one active SSO IdP configuration.
  - GENERATE_TOKEN_FOR_CLIENT: Created an application token.
  - INVITE_USER_TO_ORGANIZATION: Invited a user to an organization.
  - PREP_NEW_IDP: Added an SSO IdP configuration in draft (inactive) status.
  - PROVISION_SSO_USER_INTO_ORGANIZATION: SSO IdP provisioning added a user to an organization.
  - REMOVE_USER_FROM_ORG: Removed a user from an organization.
  - REVOKE_INVITATION: Cancelled a pending user invitation.
  - UPDATE_IDP: Edited an SSO IdP configuration.
  - UPDATE_ROLE: Edited a role.
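The fields listed above are enough for a first-pass review of a downloaded CSV. The following Python code is an added example, not part of the original page or DataStax code. It assumes the CSV has a header row whose column names match the field names above; the set of event types treated as sensitive, the FAILURE result value, and the UUIDs in the sample are this example's own choices.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Event types from the list above that change who can authenticate or what
# they can do. Treating exactly these as sensitive is this example's assumption.
SENSITIVE = {
    "GENERATE_TOKEN_FOR_CLIENT", "ADD_SAML_IDP", "UPDATE_IDP", "DELETE_IDP",
    "DISABLE_IDP", "DISABLE_ORG_SSO", "CREATE_ROLE", "UPDATE_ROLE",
    "COPY_ROLE", "DELETE_ORG",
}

def parse_time(value):
    # eventTime is documented as YYYY-MM-DDTHH:MM:SS.SSSZ.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def triage(csv_text, burst=3):
    """Return (findings, noisy_users) for an exported audit log."""
    findings, sensitive_per_user = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("typename") != "AuditEvent":
            continue  # skip record types this example does not understand
        reasons = []
        if row["eventType"] in SENSITIVE:
            reasons.append("sensitive")
            sensitive_per_user[row["userID"]] += 1
        if row["actionResult"] != "SUCCESS":
            reasons.append("not-success")
        if reasons:
            findings.append((parse_time(row["eventTime"]), row["userID"],
                             row["eventType"], "+".join(reasons)))
    findings.sort()  # chronological order, whatever order the export used
    noisy = sorted(u for u, n in sensitive_per_user.items() if n >= burst)
    return findings, noisy

# Constructed sample export: UUIDs, times and the FAILURE value are made up.
SAMPLE = """typename,actionResult,userID,event,eventTime,eventType
AuditEvent,SUCCESS,11111111-1111-1111-1111-111111111111,{},2024-05-01T09:00:00.000Z,INVITE_USER_TO_ORGANIZATION
AuditEvent,SUCCESS,22222222-2222-2222-2222-222222222222,{},2024-05-01T10:15:30.120Z,CREATE_ROLE
AuditEvent,SUCCESS,22222222-2222-2222-2222-222222222222,{},2024-05-01T10:16:02.500Z,GENERATE_TOKEN_FOR_CLIENT
AuditEvent,SUCCESS,22222222-2222-2222-2222-222222222222,{},2024-05-01T10:17:45.000Z,DISABLE_IDP
AuditEvent,FAILURE,11111111-1111-1111-1111-111111111111,{},2024-05-01T08:00:00.000Z,DELETE_USER
AuditEvent,FAILURE,11111111-1111-1111-1111-111111111111,{},2024-05-01T11:00:00.000Z,UPDATE_ROLE
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE)[0]:
        print(*finding)
```

A user who appears in the second return value made at least `burst` sensitive changes within the exported interval, which is a reasonable starting point for reviewing that account's role and tokens.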
Stream audit logs to Pulsar
You can stream Astra DB Serverless audit logs to your Pulsar instance:
- In your Pulsar instance, create a topic.
- In the Astra Portal, create an application token with the Organization Administrator role.
- Get your organization ID from any Astra Portal URL, such as astra.datastax.com/org/ORGANIZATION_ID/.
- To enable audit log streaming to your Pulsar instance, send a POST request to the DevOps API Audit Log Telemetry endpoint:

  curl -sS --location -X POST "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "pulsar": {
        "endpoint": "BROKER_SERVICE_URL",
        "auth_strategy": "AUTH_TYPE",
        "topic": "PULSAR_TOPIC",
        "auth_name": "PULSAR_AUTH_NAME",
        "token": "PULSAR_TOKEN"
      }
    }'

Replace the following:
- ORG_ID: Your Astra DB organization ID.
- APPLICATION_TOKEN: Your Astra DB application token.
- BROKER_SERVICE_URL: Your Pulsar Broker URL prefixed by pulsar+, such as pulsar+ssl://pulsar.example.com.
- AUTH_TYPE: The Pulsar authentication strategy, either token or oauth2.
  - For token, include the auth_name and token parameters with your Pulsar credentials.
  - For oauth2, include the oauth2_credentials_url and oauth2_issuer_url parameters with your Pulsar OAuth2 credentials and issuer URLs. Optionally, you can provide oauth_audience and oauth2_scope. For more information, see Authentication using OAuth 2.0 access tokens.
- PULSAR_TOPIC: The Pulsar topic where you want to publish metrics, such as persistent://test/default/audit-log-topic.

Response

  HTTP/1.1 202 Accepted

- To retrieve and review the audit log streaming configuration, send a GET request:

  curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

  Response

  {
    "pulsar": {
      "endpoint": "pulsar+ssl://pulsar.example.com",
      "topic": "persistent://test/default/audit-log",
      "auth_strategy": "token",
      "token": "********",
      "auth_name": "token"
    }
  }

- Monitor your Pulsar instance to confirm that log streaming occurs according to your topic configuration.

To delete an audit log streaming configuration, you can send a DELETE request.
You can also configure audit log streaming with Astra Streaming.