Trino and Starburst Query Audit Logs

Audience: Users with the AUDIT permission and Data Owners

Content Summary: This page outlines the common JSON properties of Trino and Starburst native query audit logs in Immuta and an example of the resulting audit record.

For a tutorial on getting these audit logs, see the View Audit Logs page.

Best Practices: Store Audit Records

By default, Immuta audit records expire after 60 days. Store audit records outside of Immuta to retain them long term.

Overview

With the Trino Event Listener feature enabled, users can view audit records for queries made in Trino against Immuta data sources on the Audit page.

Audit Message

Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below. These audit records are stored with the recordType: prestoQuery.

| Property | Type | Description | Example |
| --- | --- | --- | --- |
| ID | string | | b0000000-1234-abcd-11111111111111 |
| DateTime | integer or string | The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp. | 2504188066580 or 2017-08-31T14:01:15.607Z |
| Month | integer | | 1455 |
| ProfileID | integer | The profile ID of the user who made the query. | 1 |
| UserID | string | The user ID of the user who made the query. | jane.doe@immuta.com |
| DataSourceID | integer | The ID of the data source that was queried. | 12 |
| DataSourceName | string | The name of the data source that was queried. | Public Customer Data |
| ProjectID | integer | The ID of the project the data source is in. | 18 |
| ProjectName | string | The name of the project the data source is in. | Project 1 |
| RecordType | string | The type of record captured. Databricks query audit records will always be prestoQuery. | |
| Success | boolean | If true, the query was successful. | true or false |
| Component | string | The Immuta component that generated the record. | nativeSql |
| AccessType | string | Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs. | query |
| Query | string | The query that was run in the integration. | select * from immuta.public. \"case\" limit 50 |
| Extra | array | Information on the query including viewSql, direct, and maskedColumns. | See example audit record below. |
| DataSourceSchemaName | string | The name of the schema that the data source that was queried came from. | |
| DataSourceTableName | string | The name of the table of the data source that was queried. | case |
| sqlUser | string | The Trino/Starburst username of the user who made the query. | kris |

Example Audit Record

{
    "id": "b0d49f2a-4a34-4d50-b36e-fd9b619eed32",
    "dateTime": "1617997828777",
    "month": 1455,
    "profileId": 1,
    "userId": "kris@immuta.com",
    "dataSourceId": 41,
    "dataSourceName": "Crime Data Delta",
    "projectId": 17,
    "count": 1,
    "recordType": "prestoQuery",
    "success": true,
    "component": "nativeSql",
    "accessType": "query",
    "query": "select * from immuta.public. \"case\" limit 50",
    "extra": {
        "direct": true,
        "maskedColumns": {
            "ssn": "Hashing",
            "dob": "Generalization",
            "country": "Constant"
        }
    },
    "dataSourceSchemaName": "public",
    "dataSourceTableName": "default_crime_data_delta",
    "sqlUser": "kris",
    "createdAt": "2021-04-09T19:50:28.787Z",
    "updatedAt": "2021-04-09T19:50:28.787Z"
}
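
Because records expire after 60 days and dateTime can arrive as either an epoch value or an ISO-8601 string, an export job needs to normalize each one-line record before storing it elsewhere. The following Python is an added example, not Immuta code: the function names, output field names, sample lines (including the "otherType" record type), and the treatment of epoch values as milliseconds are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

def parse_datetime(value):
    """Return an aware UTC datetime from an epoch or ISO-8601 dateTime value."""
    text = str(value).strip()
    if text.isdigit():
        # Assumption: epoch values are milliseconds, as in the page's 13-digit examples.
        return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(text))
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)

def normalize(line):
    """Flatten one audit line; return None when it is not a prestoQuery record."""
    rec = json.loads(line)
    if rec.get("recordType") != "prestoQuery":
        return None
    # The example record shows extra as an object; any other shape carries no masking info here.
    extra = rec.get("extra") if isinstance(rec.get("extra"), dict) else {}
    return {
        "id": rec.get("id"),
        "time": parse_datetime(rec["dateTime"]).isoformat(),
        "user": rec.get("userId"),
        "sql_user": rec.get("sqlUser"),
        "data_source": rec.get("dataSourceName"),
        "success": rec.get("success"),
        "masked_columns": sorted(extra.get("maskedColumns") or {}),
        "query": rec.get("query"),
    }

def load(lines):
    """Return (normalized records, raw lines that could not be parsed)."""
    kept, rejected = [], []
    for line in lines:
        try:
            row = normalize(line)
        except (ValueError, KeyError, TypeError, AttributeError, OverflowError):
            rejected.append(line)  # keep the raw line so nothing is silently dropped
            continue
        if row is not None:
            kept.append(row)
    return kept, rejected

# Constructed sample lines (not real audit data); the last one is deliberately truncated.
SAMPLE = [
    '{"id": "a1", "dateTime": "1617997828777", "recordType": "prestoQuery", "userId": "kris@immuta.com", "sqlUser": "kris", "success": true, "extra": {"direct": true, "maskedColumns": {"ssn": "Hashing", "dob": "Generalization"}}}',
    '{"id": "a2", "dateTime": "2017-08-31T14:01:15.607Z", "recordType": "prestoQuery", "success": false}',
    '{"id": "a3", "dateTime": 1617997828777, "recordType": "otherType"}',
    '{"id": "a4", "recordType": "prestoQuery"',
]
```

Calling `load(SAMPLE)` returns the two prestoQuery records with UTC timestamps and the truncated line in the rejected list, which an export job should log rather than discard.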