View the audit log

The audit log is your organization’s administrative history, including changes to user accounts, user roles, and more. Audit logs are available in intervals of 30, 60, and 90 days.

View an audit log

  1. In the Astra Portal navigation menu, click Settings, and then click Security.

  2. In the Audit Logs section, click Download as CSV, and then select the audit log interval to download.

Audit log content

Audit logs include the following fields:

  • typename: The log record type, such as AuditEvent.

  • actionResult: The outcome of the event, such as SUCCESS.

  • userID: The UUID of the user who triggered the event.

  • event: Detailed event data, such as the response from the underlying API call associated with the event.

  • eventTime: The date and time that the event occurred in the format YYYY-MM-DDTHH:MM:SS.SSSZ.

  • eventType: The event category. Possible eventTypes include the following:

    • ACCEPT_USER_TO_ORGANIZATION: A user accepted an invitation to an organization.

    • ADD_SAML_IDP: Added an SSO identity provider configuration in active (enabled) status.

    • COPY_ROLE: Copied an existing role.

    • CREATE_ORG: Created an organization.

    • CREATE_ROLE: Created a role.

    • CREATE_USER: Created a user account.

    • DELETE_IDP: Deleted an SSO identity provider configuration.

    • DELETE_ORG: Deleted an organization.

    • DELETE_ROLE: Deleted a role.

    • DELETE_TOKEN_FOR_CLIENT: Deleted an application token.

    • DELETE_USER: Deleted a user account.

    • DISABLE_IDP: Deactivated an SSO identity provider configuration.

    • DISABLE_ORG_SSO: Deactivated SSO functionality for an organization. This happens if there are no active SSO IdP configurations.

    • ENABLE_IDP: Activated an SSO identity provider configuration.

    • ENABLE_ORG_SSO: Activated SSO functionality for an organization. This happens if there is at least one active SSO IdP configuration.

    • GENERATE_TOKEN_FOR_CLIENT: Created an application token.

    • INVITE_USER_TO_ORGANIZATION: Invited a user to an organization.

    • PREP_NEW_IDP: Added an SSO IdP configuration in draft (inactive) status.

    • PROVISION_SSO_USER_INTO_ORGANIZATION: SSO IdP provisioning added a user to an organization.

    • REMOVE_USER_FROM_ORG: Removed a user from an organization.

    • REVOKE_INVITATION: Cancelled a pending user invitation.

    • UPDATE_IDP: Edited an SSO IdP configuration.

    • UPDATE_ROLE: Edited a role.

Stream audit logs to Pulsar

You can stream Astra DB Serverless audit logs to your Pulsar instance:

  1. In your Pulsar instance, create a topic.

  2. In the Astra Portal, create an application token with the Organization Administrator role.

  3. Get your organization ID from any Astra Portal URL, such as astra.datastax.com/org/ORGANIZATION_ID/.

  4. To enable audit log streaming to your Pulsar instance, send a POST request to the DevOps API Audit Log Telemetry endpoint:

    curl -sS --location -X POST "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "pulsar": {
        "endpoint": "BROKER_SERVICE_URL",
        "auth_strategy": "AUTH_TYPE",
        "topic": "PULSAR_TOPIC",
        "auth_name": "PULSAR_AUTH_NAME",
        "token": "PULSAR_TOKEN"
      }
    }'

    Replace the following:

    • ORG_ID: Your Astra DB organization ID.

    • APPLICATION_TOKEN: Your Astra DB application token.

    • BROKER_SERVICE_URL: Your Pulsar Broker URL prefixed by pulsar+, such as pulsar+ssl://pulsar.example.com.

    • AUTH_TYPE: The Pulsar authentication strategy, either token or oauth2.

      • For token, include the auth_name and token parameters with your Pulsar credentials.

      • For oauth2, include the oauth2_credentials_url and oauth2_issuer_url parameters with your Pulsar OAuth2 credentials and issuer URLs. Optionally, you can provide oauth_audience and oauth2_scope. For more information, see Authentication using OAuth 2.0 access tokens.

    • PULSAR_TOPIC: The Pulsar topic where you want to publish metrics, such as persistent://test/default/audit-log-topic.

    Response
    HTTP/1.1 202 Accepted
  5. To retrieve and review the audit log streaming configuration, send a GET request:

    curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"
    Response
    {
      "pulsar": {
        "endpoint": "pulsar+ssl://pulsar.example.com",
        "topic": "persistent://test/default/audit-log",
        "auth_strategy": "token",
        "token": "********",
        "auth_name": "token"
      }
    }
  6. Monitor your Pulsar instance to confirm that log streaming occurs according to your topic configuration.

To delete an audit log streaming configuration, you can send a DELETE request.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com