Audit Logs Schema
Our audit logs come in the following JSON schema:
{
"version": "1",
"time": "2021-08-15T14:30Z",
"actor": {
"type": "User",
"id": "unique-id",
// For a "User" actor
"info": {
"email": "name@example.com",
"name": "John Doe",
},
// For an "API" actor
"info": {
"name": "Terraform API key"
},
// For a "Twingate Support" actor
"info": { null }
},
"action": "edit",
"targets": [
{
...
},
]
}
For audit logs synced to S3, all events are inside the following object:
{
"event_type": "audit_log",
"event:" {
// See event schema above
}
}
Notes on the audit log schema
version
: The root-level schema versiontime
: The beginning of the network communication in UTC ISO compliant date-time stringactor
: The user making the changetype
: Possible values: “User”, “API”, “Twingate Support”action
: The type of event. Possible values: “create”, “edit”, “delete”target
: The object impacted
Targets represent objects impacted by an event. Below are various targets and their schemas.
Remote Network
{
"version": "1",
"type": "remoteNetwork",
"id": "unique-id",
"name": "Data engineering",
"location": "AWS",
"isActive": true
}
Connector
{
"version": "1",
"type": "connector",
"id": "unique-id",
"name": "purple-monkey",
"remoteNetwork": {
"id": "unique-id",
"name": "Data engineering"
},
}
Resource
{
"version": "1",
"type": "resource",
"id": "unique-id",
"name": "Airflow DB",
"address": {
"type": "DNS",
"value": "airflow.autoco.int"
},
"protocols": {
"allowIcmp": true,
"tcp": {
"policy": "ALLOW_ALL",
"ports": []
},
"udp": {
"policy": "ALLOW_ALL",
"ports": []
}
},
"isActive": true
}
API key
{
"version": "1",
"type": "publicAPIKey",
"id": "unique-id",
"name": "Terraform API key",
"permission": "read only",
"allowedIpRange": "0.0.0.0/0"
}
permission
: Possible values: “read only”, “read write”, “provision”
User
{
"version": "1",
"type": "user",
"id": "unique-id",
"name": "John Doe",
"email": "name@example.com",
"isAdmin": true,
"isActive": true
}
Group
{
"version": "1",
"type": "group",
"id": "unique-id",
"name": "Production users"
}
Device
{
"version": "1",
"type": "device",
"id": "unique-id",
"name": "Banana Phone",
"displayName": "Alex's iPhone 12 Pro",
"platform": "iOS",
"osName": "iOS",
"serialNumber": "BEADBA53-CC33-49D8-85FC-EB26E778EA9D",
"user": {
"id": "unique-id",
"email": "name@example.com",
"name": "John Doe"
}
"isTrusted": false
"clientVersion": "1.0.15"
}
Service Account
{
"version": "1",
"type": "serviceAccount",
"id": "unique-id",
"name": "CircleCI Production",
}
Service Account Key
{
"version": "1",
"type": "serviceAccountKey",
"name": "blue-giraffe",
"id": "unique-id",
"state": "active"
"serviceAccount": {
// See service account target above
}
}
state
: Possible values: “active”, “expired”, “revoked”, “deleted”
Last updated 1 month ago