System Audit Logs
Tecton's System Audit Logging allows you to see the configuration changes occurring in your Tecton account. System Audit Logging differs from Feature Request Audit Logs. The former records access-related changes in your Tecton account, while the latter records what requests are being sent to your production feature serving endpoint.
Accessing System Audit Logs​
System Audit logs are available in your Cloud Provider's Object Storage that you
configured for use with Tecton. For example, AWS customers will find their
System Audit Logs in: s3://tecton-{DEPLOYMENT_NAME}/logging/system_audit_logs.
Note that Tecton on Snowflake customers do not have object storage configured, and must contact Support to access System Audit Logs.
Files are partitioned per day, and each filename is named with the ISO 8601 UTC
timestamp that started the logging period. Filenames are formatted like
YYYY-MM-dd/yyyyMMddTHHmmssZ.jsonl. Logs files are emitted in 15 minute
intervals. Log events are available within 30 minutes of the event time.
For example, logs for the period starting at 08:00 UTC (inclusive) and ending at 08:15 UTC (exclusive) on July 1st 2023 can be found at
tecton-{DEPLOYMENT_NAME}/logging/system_audit_logs/2023-07-01/20230701T080000Z.jsonl
If no auditable events occur in a 15-minute interval, no file will be written for that interval.
Understanding System Audit Logs​
System System Audit Logs are emitted as files of newline-separated json objects, with each object representing one auditable action.
Event Schema​
| Name | Description |
|---|---|
timestamp | Timestamp of Event |
actor | Actor ObjectUSER, SERVICE_ACCOUNT, or TECTON_EMPLOYEEUSER Actors |
user_agent | User Agent Header |
request_id | Request ID |
event_type | <EVENT_TYPE>.<VERSION_NUMBER> (see possible EVENT_TYPE values here) |
account_name | Tecton Account Name |
request | Request Object (See event types for fields) |
response | Response Object (See event types for fields) |
status | Request Status |
error_message | Error message (on failure only) |
Sample Log Event​
{
"request_id": "eb88d142a4cd2cf5c1cc111e1f7a422f",
"timestamp": "2023-07-20T21:31:55.826993Z",
"account_name": "account_name",
"event_type": "create_service_account.v1",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"actor": {
"type": "USER",
"id": "00u38dayyxAF2xQ6O358",
"email": "alice@tecton.ai"
},
"status": "OK",
"request": {
"name": "service_account_name",
"description": "Service Account for CI/CD"
},
"response": {
"id": "dgeb493c4d684b9xxx31d3b8ac5c0b09",
"name": "service_account_name",
"description": "Service Account for CI/CD",
"is_active": false
}
}
Event Types​
The following are the event types currently captured in the System Audit Log.
| event_type | Request Fields | Response Fields |
|---|---|---|
create_workspace | workspace_nameworkspace_capabilities | |
delete_workspace | workspace | |
create_service_account | namedescription | idnamedescriptionis_active |
update_service_account | idnamedescriptionis_active | idnamedescriptionis_active |
delete_service_account | id | |
create_account_user | login_email | |
delete_account_user | okta_id | |
account_user_action | okta_idresend_activation_emailunlock_usergrant_adminrevoke_admin | |
assign_roles | List of Assignment Objects with: resource_typeresource_idroleprincipal_typeprincipal_id | |
unassign_roles | List of Assignment Objects with: resource_typeresource_idroleprincipal_typeprincipal_id | |
assign_roles_put | resource_typeresource_idrolesprincipal_typeprincipal_id |
Versioning​
If a field is ever removed from an event type, the version number will increase. Fields may be added to an event type object without a change in version number.
Version stability for System Audit Log event types is not supported at this time - events may be versioned at any time.
Using Audit Logs​
System Audit Log events can be ingested into a customer's SIEM system (e.g. Microsoft Sentinel, Splunk, Sumo Logic, IBM QRadar, Securonix) for monitoring and alerting.
Alternatively, you can download System Audit Log files for local processing.
Downloading Audit Logs​
You can download the audit logs files programmatically with:
- A client such as
boto3or Google Cloud Storage Client API - Using your cloud provider's CLI
- For Example:
The following is an example for how to download all files from S3 for July 1st 2023 (UTC) into a local directory:
import boto3
import os
BUCKET_NAME = "tecton-<DEPLOYENT_NAME>"
# Prefix matching your time range of interest, e.g. events on July 1st 2023
PREFIX = "logging/system_audit_logs/2023-07-01"
s3 = boto3.resource("s3") # assumes credentials & configuration are handled outside python (e.g. in the .aws directory)
local_dir = "<SOME_LOCAL_DIRECTORY>"
bucket = s3.Bucket(BUCKET_NAME)
for obj in bucket.objects.filter(Prefix=PREFIX):
filename = obj.key.split("/")[-1] # filename will be like yyyyMMddTHHmmssZ.jsonl
bucket.download_file(obj.key, os.join(local_dir, filename))
Processing System Audit Logs Locally​
Below is one example of how to process System Audit Log files using Python.
import os
import pandas as pd
import json
local_dir = "<SOME_LOCAL_DIRECTORY>" # directory containing only System Audit Log .jsonl files
events_as_string = []
for filename in os.listdir(local_dir):
with open(os.path.join(local_dir, filename), "r") as f:
events_as_string.extend([line for line in f.readlines()])
events_as_json = [json.loads(event) for event in events_as_string]
# events_as_json is now a list of json objects which can be analyzed however you like. One option is using pandas dataframes:
df = pd.DataFrame(events_as_json)
# Find all events where a user was granted administrative access
f = (df["event_type"] == "account_user_action.v1") & df.apply(lambda x: x["request"].get("grant_admin", False), axis=1)
grant_admin_events_only = df[f]
# Find all events where the action was taken by alice@tecton.ai
g = df.apply(lambda x: x["actor"].get("email", "") == "alice@tecton.ai", axis=1)
alice_actions_only = df[g]
