# Export Audit Logs to ADLS {% hint style="info" %} **Public preview:** This feature is public preview and available to all accounts. {% endhint %} ## Create an ADLS shared access signature token for the export Before Immuta can export audit events to your Azure Data Lake Storage (ADLS) Gen2 storage account, you need to create a shared access signature (SAS) token that allows the Immuta audit service to add audit logs to your specified ADLS storage account and file system. Follow the Azure documentation to create the following in Azure: 1. [An ADLS Gen2 storage account](https://learn.microsoft.com/en-us/azure/storage/blobs/create-data-lake-storage-account) with the following settings required for audit export: * Enable hierarchical namespace * Standard performance is adequate, but premium may be used 2. [A dedicated container](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal#create-a-container). 3. [A shared access signature (SAS) for your dedicated container](https://learn.microsoft.com/en-us/azure/ai-services/document-intelligence/create-sas-tokens?view=doc-intel-4.0.0#use-the-azure-portal) with at least the following permissions at the storage account or container level: * Create * Write **Save the SAS token to use in the next steps. Do not navigate away from the SAS page unless you have saved the token.** ## Configure the audit export to ADLS You can configure your audit export destination using one of two methods: 1. [Immuta CLI](#using-the-immuta-cli) 2. [Immuta Audit Service GraphQL API](#using-the-audit-service-graphql-api) ### Using the Immuta CLI #### Install the Immuta CLI Download the binary in a tab below that corresponds to your operating system: {% tabs %} {% tab title="Linux" %} * Linux x86\_64 (amd64) ``` curl -Lo immuta https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_linux_amd64 && chmod +x immuta ``` * Linux ARMv8 (arm64) ``` curl -Lo immuta https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_linux_arm64 && chmod +x immuta ``` {% endtab %} {% tab title="MacOS" %} * Darwin x86\_64 (amd64) ``` curl -Lo immuta https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_darwin_amd64 && chmod +x immuta ``` * Darwin ARMv8 (arm64) ``` curl -Lo immuta https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_darwin_arm64 && chmod +x immuta ``` {% endtab %} {% tab title="Windows" %} The latest stable binary can be found here: . Download and add the binary to a directory in your system's $PATH as immuta.exe. {% endtab %} {% endtabs %} #### Configure the Immuta CLI *For descriptions of the commands used below, see the* [*Immuta audit export configuration CLI reference guide*](https://documentation.immuta.com/2024.2/detect-your-activity/audit/reference-guides/cli-reference-guide)*.* 1. The SHA 256 checksum is available to verify the file at . 2. Run `immuta configure` in your terminal. 3. Enter the **URL** of your Immuta tenant in the interactive prompt. 4. Enter your **Immuta API Key**. #### Configure Immuta to export audit logs to ADLS 1. Set the following parameters in a JSON or YAML file: * **interval**: The interval at which audit logs will be exported to your ADLS storage. They can be sent at 2-, 4-, 6-, 12-, or 24-hour intervals. * **storage account**: The name of the storage account you created that your audit logs will be sent to. * **file system**: The name of the file system (or container) you created that your audit logs will be written to. * **path**: The name of the path in the file system. This will be a new folder or directory in the container where Immuta will send your audit logs for storage. * **SAS token**: The previously-generated SAS token. ```json { "interval": "EVERY_12_HOURS", "storageAccount": "your-adls-storage-account", "filesystem": "audit-output", "path": "immuta-audit", "sasToken": "your-sas-token" } ``` 2. Create an export configuration in Immuta by running the following command: ```shell immuta audit exportConfig create:adls ./your-exportConfig.json ``` #### List all configurations To view all of the export configurations created for your Immuta tenant, run the following command: ```shell immuta audit exportConfig list ``` #### View a configuration To review a specific export configuration, run the get command with the export configuration ID as the argument: ```shell immuta audit exportConfig get your-exportConfig-ID ``` #### Disable a configuration To disable a configuration, run the following command with the export configuration ID as the argument: ```shell immuta audit exportConfig disable your-exportConfig-ID ``` #### Enable a configuration To enable a disabled configuration, run the following command with the export configuration ID as the argument: ```shell immuta audit exportConfig enable your-exportConfig-ID ``` #### Delete a configuration To delete an export configuration, run the following command with the export configuration ID as the argument: ```shell immuta audit exportConfig delete your-exportConfig-ID ``` ### Using the audit service GraphQL API #### Configure Immuta to export audit logs to ADLS Gen2 1. Pass the following fields into the **$data variable** used in the mutation in the next step: * **interval**: The interval at which audit logs will be exported to your ADLS storage. They can be sent at 2-, 4-, 6-, 12-, or 24-hour intervals. * **storage account**: The name of the storage account you created that your audit logs will be sent to. * **file system**: The name of the file system (or container) you created that your audit logs will be written to. * **path**: The name of the path in the file system. This will be a new folder or directory in the container where Immuta will send your audit logs for storage. * **SAS token**: The previously-generated SAS token. ```json { "interval": "EVERY_12_HOURS", "storageAccount": "your-adls-storage-account", "filesystem": "audit-output", "path": "immuta-audit", "sasToken": "your-sas-token" } ``` 2. Configure these settings in Immuta using the `createAdlsExportConfiguration` mutation: {% tabs %} {% tab title="Mutation" %} ```shell mutation createAdlsExportConfiguration($data: CreateAdlsExportConfigurationInput!) { createAdlsExportConfiguration(data: $data) { id enabled interval endpointConfiguration { ... on AdlsEndpointConfiguration { storageAccount filesystem path } } } } ``` {% endtab %} {% tab title="Variable" %} The ADLS export configuration to create. ```json {"data": CreateAdlsExportConfigurationInput} ``` {% endtab %} {% tab title="CreateAdlsExportConfigurationInput example" %} ```json { "interval": "EVERY_2_HOURS", "storageAccount": "your-adls-storage-account", "filesystem": "audit-output", "path": "immuta-audit", "sasToken": "your-sas-token" } ``` {% endtab %} {% tab title="Response" %} ```json { "data": { "createADlsExportConfiguration": { "id": "4", "enabled": true, "interval": "EVERY_2_HOURS", "endpointConfiguration": { "storageAccount": "your-adls-storage-account", "filesystem": "audit-output", "path": "immuta-audit" } } } } ``` {% endtab %} {% endtabs %} #### Disable a configuration To disable a configuration, use the `disableExportConfiguration` mutation: {% tabs %} {% tab title="Mutation" %} ```shell mutation disableExportConfiguration($id: String!) { disableExportConfiguration(id: $id) { id interval enabled } } ``` {% endtab %} {% tab title="Variable" %} The ID of the export configuration to disable. ```json {"id": "4"} ``` {% endtab %} {% tab title="Response" %} ```json { "data": { "disableExportConfiguration": { "id": "4", "interval": "EVERY_2_HOURS", "enabled": false } } } ``` {% endtab %} {% endtabs %} #### Enable a configuration To enable a disabled configuration, use the `enableExportConfiguration` mutation: {% tabs %} {% tab title="Mutation" %} ```shell mutation enableExportConfiguration($id: String!) { enableExportConfiguration(id: $id) { id interval enabled } } ``` {% endtab %} {% tab title="Variable" %} The ID of the export configuration to enable. ```json {"id": "4"} ``` {% endtab %} {% tab title="Response" %} ````json { "data": { "enableExportConfiguration": { "id": "4", "interval": "EVERY_2_HOURS", "enabled": true } } } ``` ```` {% endtab %} {% endtabs %}