Starburst (Trino) Audit Logs

Deprecation notice

Support for the audit endpoint and UI has been deprecated. Instead, pull audit logs from Kubernetes and push them to your SIEM.

With the Event Listener enabled, users can view audit records for queries made in Starburst against Immuta data sources on the Audit page. Immuta audits the activity of Immuta users on Immuta data sources.

Requirements

Best Practices: Store Audit Records

By default, Immuta audit records expire after 60 days, so store audit records outside of Immuta to retain them long term.

Audit Message

Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below. These audit records are stored with the recordType: prestoQuery.

Example Audit Record

{
    "id": "b0d49f2a-4a34-4d50-b36e-fd9b619eed32",
    "dateTime": "1617997828777",
    "month": 1455,
    "profileId": 1,
    "userId": "kris@immuta.com",
    "dataSourceId": 41,
    "dataSourceName": "Crime Data Delta",
    "projectId": 17,
    "count": 1,
    "recordType": "prestoQuery",
    "success": true,
    "component": "nativeSql",
    "accessType": "query",
    "query": "select * from immuta.public. \"case\" limit 50",
    "extra": {
        "direct": true,
        "maskedColumns": {
            "ssn": "Hashing",
            "dob": "Generalization",
            "country": "Constant"
        }
    },
    "dataSourceSchemaName": "public",
    "dataSourceTableName": "default_crime_data_delta",
    "sqlUser": "kris",
    "createdAt": "2021-04-09T19:50:28.787Z",
    "updatedAt": "2021-04-09T19:50:28.787Z"
}
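
The following is an added example, not Immuta's own code: it picks the one-line JSON audit messages with recordType prestoQuery out of a mixed log stream and normalizes them for forwarding to a SIEM. The function names, the output field names and the non-audit sample lines are assumptions; the record fields are those of the example record above.

```python
import json
from datetime import datetime, timezone

# Constructed sample log stream: a plain-text line, an unrelated JSON line, and
# one audit record whose fields are trimmed from the example record above.
SAMPLE_LINES = [
    "2021-04-09 19:50:28 INFO constructed non-JSON log line",
    '{"recordType": "constructedOther", "userId": "kris@immuta.com"}',
    '{"id": "b0d49f2a-4a34-4d50-b36e-fd9b619eed32", "dateTime": "1617997828777", '
    '"userId": "kris@immuta.com", "dataSourceName": "Crime Data Delta", '
    '"recordType": "prestoQuery", "success": true, "sqlUser": "kris", '
    '"query": "select * from immuta.public. \\"case\\" limit 50", '
    '"extra": {"direct": true, "maskedColumns": {"ssn": "Hashing", '
    '"dob": "Generalization", "country": "Constant"}}}',
]

def parse_audit_line(line):
    """Return a normalized event for a prestoQuery audit line, else None."""
    line = line.strip()
    if not line.startswith("{"):
        return None                      # not a JSON object line
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None                      # truncated or interleaved output
    if not isinstance(rec, dict) or rec.get("recordType") != "prestoQuery":
        return None
    # dateTime is epoch milliseconds carried as a string; use integer math so
    # the millisecond part is exact. A bad value keeps the event, minus the time.
    try:
        ms = int(rec["dateTime"])
        ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
        stamp = ts.replace(microsecond=ms % 1000 * 1000).isoformat(timespec="milliseconds")
    except (KeyError, TypeError, ValueError, OverflowError, OSError):
        stamp = None
    extra = rec.get("extra") or {}
    return {
        "event_id": rec.get("id"),
        "timestamp": stamp,
        "user": rec.get("userId"),
        "sql_user": rec.get("sqlUser"),
        "data_source": rec.get("dataSourceName"),
        "success": rec.get("success"),
        "query": rec.get("query"),
        "masked_columns": sorted(extra.get("maskedColumns") or {}),
    }

def extract_events(lines):
    """Keep only the lines that parse as prestoQuery audit records."""
    return [e for e in map(parse_audit_line, lines) if e is not None]
```
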
