Skip to content

Immuta System Audit Logs

Deprecation notice

The /audit endpoint has been deprecated and replaced by Immuta Detect.

All activity in Immuta is audited. This process provides rich audit logs that detail who subscribes to each data source , why they subscribe, when they access data, what SQL queries and blob fetches they run, and which files they access. Audit logs can be used for a number of intentions, including insider threat surveillance and data access monitoring for billing purposes. Audit logs can also be shipped to your enterprise auditing capability.

Audit Record Storage

Best Practices: Store Audit Records

Store audit records outside of Immuta in order to retain the audits long term.

By default, Immuta stores most audit records for 60 days. The following audit record types do not expire after 60 days:

  • blobFetch
  • dataSourceSubscription
  • globalPolicyApproved
  • globalPolicyApprovalRescinded
  • globalPolicyChangeRequested
  • globalPolicyConflictResolved
  • globalPolicyCreate
  • globalPolicyDelete
  • globalPolicyDisabled
  • globalPolicyUpdate
  • nativeQuery
  • policyExemption
  • policyHandlerCreate
  • policyHandlerUpdate
  • prestoQuery
  • spark
  • sqlQuery

Log Aggregation for Kubernetes Installations

Immuta writes all logs to stdout in Kubernetes. Users will get all logs here, but should use the Common Message Types to parse for specifics.

Log Aggregation for Docker-Based Installations

When running Immuta on Docker-based installations, all logs from the Immuta Docker containers will be sent to the Docker log driver.

The Immuta log file will contain messages that are one-line JSON, as described in Log Formats.

Log Formats

Logs messages from the Immuta platform typically will be one line JSON and contain all of the common JSON properties. Depending on the message type, more JSON properties may be present. See Common Message Types for more details.

Common JSON Properties

  • level: This is a string representation of the log level. Acceptable values are "debug", "info", "warning", "error", and "audit".
  • timestamp: This is a timestamp for when the message occurred. The timestamp format is YYYY-MM-DDTHH:mm:ss.sssZ (ISO 8601).
  • message: This is the log message, which may be used to determine common message types.

Limitations

  • Generally, any query that causes multiple background queries will have an audit record created for each. The audited plan should be different, however, for each record. For example, subqueries will generate two audit records: one for the subquery and one for the outer query.
  • Immuta does not audit any notebook cells that don’t query data.

Common Message Types

Audit Messages

Each audit message from the Immuta platform will be a one-line JSON object containing the common JSON properties and the Audit JSON properties. Depending on the recordType, an audit message may contain additional data.

In order to discover audit messages using your analysis tool, you may search the object using the criteria below:

  • level: "audit"
  • message: "Audit - *

Audit JSON Properties

  • dateTime:
    • description: The timestamp for when the record was created. This may be an ISO-8601 timestamp string or a ms since epoch timestamp.
    • type: integer or string
    • example: 1504188066580 or "2017-08-31T14:01:15.607Z"
  • component:
    • description: The Immuta component that generated this record. Possible values are "console", "featureStore", "dataSource", "bim", "audit", "script", "policy", "project", "plugin", and "governance".
    • type: string
  • instanceId:
    • description: The instance ID of the component generating this record.
    • type: string
  • profileId:
    • description: The profile ID of the user generating the action.
    • type: integer
  • userId:
    • description: The user ID of the user generating the action.
    • type: string, null
  • sqlUser:
    • description: The database account generating the action.
    • type: string
  • dataAccess:
    • description: Describes access to an individual blob or a query that may grant access to multiple blobs.
    • type: object
  • sessionId:
    • description: If this record is generated in response to a user action and if that user's session ID is known, record that session ID here.
    • type : string
  • dataSource:
    • description: If the record creation is associated with a data source, the data source name should be recorded here.
    • type: string, null
  • dataSourceId:
    • description: If the record creation is associated with a data source, the data source ID should be recorded here.
    • type: integer, null
  • projectName:
    • description: If the record creation is associated with a project, the project name should be recorded here.
    • type: string, null
  • projectId:
    • description: If the record creation is associated with a project, the project ID should be recorded here.
    • type: integer, null
  • purposeIds:
    • description: If the action being taken by the user involves data and is happening for a specific person, the purpose IDs should be recorded here.
    • type: array[integer], null
  • success:
    • description: Denotes whether the action being audited was successful.
    • type: boolean
  • failureReason:
    • description: Describes the reason that this audit event failed. Possible values are "systemError", "insufficientAuthorizations", "insufficientPermissions", and "userError".
    • type: string
  • failureDetails:
    • description: If the audit event failed, details can be provided in this free text field to examine later.
    • type: string or object
  • recordType:
    • description: The type of audit event being captured. This also corresponds to the additional information in the record field. Possible values are "auditQuery", "blobVisibility", "blobFetch", "blobIndex", "blobDelete", "blobCatalogFetch", "blobCatalogFetchDate", "blobUpdateFeatures", "blobUpdateTags", "createQuery", "modifyQuery", "consoleDataSourceView", "sqlAccess", "sqlCreateUser", "sqlDeleteUser", "sqlResetPassword", "featureList", "sqlQuery", "dataSourceCreate", "dataSourceDelete", "dataSourceSave", "dataSourceGet", "dataSourceListMine", "dataSourceGetTags", "dataSourceSubscription", "dataSourceGetUsers", "dataSourceTest", "dictionaryCreate", "dictionaryDelete", "dictionaryUpdate", "projectCreate", "projectUpdate", "projectDelete", "addToProject", "removeFromProject", "acknowledgePurposes", "userVisibilities", "accessUser", "accessGroup", "searchAuthorizations", "apiKey", "scriptCopy", "scriptSave", "scriptGet", "scriptGetForks", "scriptGetVersions", "scriptVersionGet", "scriptUpdate", "scriptDelete", "scriptVersionDelete","scriptVersionUpdate", "scriptDataSourceGet", "scriptDataSourceUpdate", "scriptSaveContent", "scriptGetContent", "userKernelCreate", "userKernelUpdate", "userKernelDelete", "querySampleData", "authenticate", "checkPendingRequest", "policyExemption", "governanceUpdate", "purposeCreate", "purposeUpdate", and "purposeDelete".
    • type: string
  • record:
    • description: The component-defined type of record. For example, it could be something like 'data source access request'.
    • type: object
  • extra:
    • description: A JSON object representing the additional information to be logged/audited.
    • type: object
API Key Object
  • keyIamId:
    • description: The IAM ID for the user who owns the API key accessed.
    • type: string
  • keyId:
    • description: The API key ID.
    • type: integer
  • keyUserId:
    • description: The user who owns the API key accessed.
    • type: string
  • keyAction:
    • description: Denotes how the specified user was accessed. Possible values are "get" and "delete".
    • type: string
Data Access Object
  • accessType:
    • description: Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs. Possible values are "blob"and "query".
    • type: string
  • blobId:
    • description: If accessType==blob, this is the blobId.
  • visibility:
    • description: If the accessType==blob, this is the visibility. If the accessType==query, this is an array of the visibilities the user had when querying.
    • type: object, array
  • query:
    • description: If the accessType==blob, this is not present. If the accessType==query, this is the query.
    • type: string
  • dataSourceTableName:
    • description: The data source table name queried in the audit record.
    • type: string
Blob Fetch Object
  • blobSize:
    • description: The size (in bytes) of the blob being fetched.
    • type: integer
Blob Visibility Object
  • newVisibility:
    • description: This is the new visibility for the blob.
    • type: object
SQL Access Object
  • action:
    • description: Denotes whether access was granted or revoked. Possible values are "revoked"and "granted".
    • type: string
  • sqlUser:
    • description: The username of the user whose access is being manipulated.
    • type: string
SQL Create User Object
  • sqlUser:
    • description: The username of the user whose access is being manipulated.
    • type: string
Data Source Subscription Object
  • dataSourceSubscriptionState:
    • description: If the record type is dataSourceSubscription, this field must be present and indicate the state to which the record was changed (dataSources.length must be 1 in this case). Possible values are "denied", "subscribed", "expert", "owner", "ingest", and "unsubscribed".
    • type: string
  • accessedId:
    • description: The user identifier of the user who is being acted upon.
    • type: integer
  • accessedIdType:
    • description: Type of user being acted upon. Possible values are "user" and "group".
    • type: string
Data Source Delete Object
  • hardDelete:
    • description: Denotes whether this was a hard delete.
    • type: boolean
Access User Object
  • accessedUserId:
    • description: The user being accessed.
    • type: string
  • accessedIamId:
    • description: The IAM ID for the user being accessed.
    • type: string
  • accessType:
    • description: Denotes how the specified user was accessed. Possible values are "update", "get", "search", "create", "delete", "complete", "newToken", and "clone".
    • type: string
Access Group Object
  • accessedUserId:
    • description: The user being accessed.
    • type: string
  • accessedGroupId:
    • description: The group being accessed.
    • type: integer
  • groupAccessType:
    • description: Denotes how the specified group was accessed. Possible values are "update", "get", "search", "create", "delete", "addUser", and "removeUser".
    • type: string
  • groupIamId:
    • description: The IAM ID for the group being accessed.
    • type: string

Error Response Messages

Each error message response from the Immuta platform will be a one-line JSON object containing the common JSON properties and the error JSON properties below. Error message responses represent error responses that have been sent to clients.

NOTE: It is possible for a similar message referencing the same error to appear in the logs, as this log message represents only that an error response was sent to a client.

In order to discover error response message using your analysis tool, search the object using the criteria below:

  • message: Error Response Sent

Error JSON Properties

  • id:
    • description: A unique ID assigned to each request.
    • type: string
  • method:
    • The HTTP method used for the request.
    • type: string
  • path:
    • description: This is the HTTP path used for the request.
    • type: string
  • query:
    • description: An object containing the parsed query string used for the query.
    • type: object
  • responseSentTime:
    • description: This is the duration from the time a request was received until the time that the server responded.
    • type: integer
  • responseTime:
    • description: This is the duration from the time a request was received until server post-processing.
    • type: integer
  • stack:
    • description: This is a string representation of a stack trace if one exists.
    • type: string
  • statusCode:
    • description: This is the HTTP status code that was sent to the client.
    • type: integer

Request Response Messages

Each request message response from the Immuta platform will be a one-line JSON object containing the common JSON properties and the error JSON properties below. Request message responses represent responses that have been sent to clients.

In order to discover request response messages using your analysis tool, search the object using the criteria below:

  • message: Response Sent

Request JSON Properties

  • id:
    • description: A unique ID assigned to each request.
    • type: string
  • method:
    • The HTTP method used for the request.
    • type: string
  • path:
    • description: This is the HTTP path used for the request.
    • type: string
  • query:
    • description: An object containing the parsed query string used for the query.
    • type: object
  • responseSentTime:
    • description: This is the duration from the time a request was received until the time that the server responded.
    • type: integer
  • responseTime:
    • description: This is the duration from the time a request was received until server post-processing.
    • type: integer
  • statusCode:
    • description: This is the HTTP status code that was sent to the client.
    • type: integer

Example Response Message

{
  "id": "aaa5adf4-5b2b-4c46-974f-dca000bf228b",
  "dateTime": "1628524947022",
  "month": 1459,
  "profileId": 2,
  "userId": "john.doe@immuta.com",
  "dataSourceId": 7,
  "dataSourceName": "Tpc Web Sales",
  "count": 1,
  "recordType": "sqlQuery",
  "success": true,
  "component": "featureStore",
  "accessType": "query",
  "query": "SELECT \"ws_sold_date_sk\", \"ws_sold_time_sk\", \"ws_ship_date_sk\", \"ws_item_sk\", \"ws_bill_customer_sk\", \"ws_bill_cdemo_sk\", \"ws_bill_hdemo_sk\", \"ws_bill_addr_sk\", \"ws_ship_customer_sk\", \"ws_ship_cdemo_sk\", \"ws_ship_hdemo_sk\", \"ws_ship_addr_sk\", \"ws_web_page_sk\", \"ws_web_site_sk\", \"ws_ship_mode_sk\", \"ws_warehouse_sk\", \"ws_promo_sk\", \"ws_order_number\", \"ws_quantity\", \"ws_wholesale_cost\", \"ws_list_price\", \"ws_sales_price\", \"ws_ext_discount_amt\", \"ws_ext_sales_price\", \"ws_ext_wholesale_cost\", \"ws_ext_list_price\", \"ws_ext_tax\", \"ws_coupon_amt\", \"ws_ext_ship_cost\", \"ws_net_paid\", \"ws_net_paid_inc_tax\", \"ws_net_paid_inc_ship\", \"ws_net_paid_inc_ship_tax\", \"ws_net_profit\" FROM \"tpc\".\"web_sales\" LIMIT 100",
  "queryId": "30f65620-f92b-11eb-8205-567f9878b67f",
  "extra": {
    "direct": true,
    "remoteQueries": [
      "SELECT  TOP 100 \"ws_sold_date_sk\", \"ws_sold_time_sk\", \"ws_ship_date_sk\", \"ws_item_sk\", \"ws_bill_customer_sk\", \"ws_bill_cdemo_sk\", \"ws_bill_hdemo_sk\", \"ws_bill_addr_sk\", \"ws_ship_customer_sk\", \"ws_ship_cdemo_sk\", \"ws_ship_hdemo_sk\", \"ws_ship_addr_sk\", \"ws_web_page_sk\", \"ws_web_site_sk\", \"ws_ship_mode_sk\", \"ws_warehouse_sk\", \"ws_promo_sk\", \"ws_order_number\", \"ws_quantity\", \"ws_wholesale_cost\", \"ws_list_price\", \"ws_sales_price\", \"ws_ext_discount_amt\", \"ws_ext_sales_price\", \"ws_ext_wholesale_cost\", \"ws_ext_list_price\", \"ws_ext_tax\", \"ws_coupon_amt\", \"ws_ext_ship_cost\", \"ws_net_paid\", \"ws_net_paid_inc_tax\", \"ws_net_paid_inc_ship\", \"ws_net_paid_inc_ship_tax\", \"ws_net_profit\" FROM \"tpc\".\"web_sales\""
    ]
  },
  "dataSourceSchemaName": "tpc",
  "dataSourceTableName": "web_sales",
  "sqlUser": "immuta_query_impersonator",
  "createdAt": "2021-08-09T16:02:27.023Z",
  "updatedAt": "2021-08-09T16:02:27.023Z"
}