Starburst (Trino) Audit Logs
Deprecation notice
Support for the audit endpoint and UI has been deprecated. Instead, pull audit logs from Kubernetes and push them to your SIEM.
With the Event Listener enabled, users can view audit records for queries made in Starburst against Immuta data sources on the Audit page. Immuta audits the activity of Immuta users on Immuta data sources.
Requirements
Starburst (Trino) users registered as Immuta users: Note that the users' Starburst (Trino) usernames must be mapped to Immuta. Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Best Practices: Store Audit Records
By default Immuta audit records expire after 60 days, so store audit records outside of Immuta in order to retain the audits long term.
Audit Message
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below. These audit records are stored with the recordType
: prestoQuery
.
ID
string
b0000000-1234-abcd-11111111111111
DateTime
integer
or string
The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp.
2504188066580
or 2017-08-31T14:01:15.607Z
Month
integer
1455
ProfileID
integer
The profile ID of the user who made the query.
1
UserID
string
The user ID of the user who made the query.
jane.doe@immuta.com
DataSourceID
integer
The ID of the data source that was queried.
12
DataSourceName
string
The name of the data source that was queried.
Public Customer Data
ProjectID
integer
The ID of the project the data source is in.
18
ProjectName
string
The name of the project the data source is in.
Project 1
RecordType
string
The type of record captured.
Trino query audit records will always be prestoQuery
.
Success
boolean
If true
, the query was successful.
true
or false
Component
string
The Immuta component that generated the record.
nativeSql
AccessType
string
Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs.
query
Query
string
The query that was run in the integration.
select * from immuta.public. \"case\" limit 50
Extra
array
Information on the query, including viewSql
, direct
, and maskedColumns
.
See example audit record below.
DataSourceSchemaName
string
The name of the schema that the data source that was queried came from.
DataSourceTableName
string
The name of the table of the data source that was queried.
case
sqlUser
string
The Starburst (Trino) username of the user who made the query.
kris
Example Audit Record
Last updated