Audit Logs Schema

Our audit logs come in the following JSON schema:

{
  "version": "1",
  "time": "2021-08-15T14:30Z",
  "actor": {
    "type": "User",
    "id": "unique-id",
    // For a "User" actor
    "info": {
      "email": "name@example.com",
      "name": "John Doe"
    },
    // For an "API" actor
    "info": {
      "name": "Terraform API key"
    },
    // For a "Twingate Support" actor
    "info": { null }
  },
  "action": "edit",
  "targets": [
    {
      ...
    }
  ]
}

For audit logs synced to S3, all events are inside the following object:

{
  "event_type": "audit_log",
  "event": {
    // See event schema above
  }
}

Notes on the audit log schema

  • version: The root-level schema version
  • time: The beginning of the network communication, as a UTC ISO-compliant date-time string
  • actor: The user making the change
  • type: The type of actor. Possible values: “User”, “API”, “Twingate Support”
  • action: The type of event. Possible values: “create”, “edit”, “delete”
  • targets: The objects impacted

Targets represent objects impacted by an event. Below are various targets and their schemas.

Remote Network

{
	"version": "1",
	"type": "remoteNetwork",
	"id": "unique-id",
	"name": "Data engineering",
	"location": "AWS", 
	"isActive": true
}

Connector

{
	"version": "1",
	"type": "connector",
	"id": "unique-id",
	"name": "purple-monkey",
	"remoteNetwork": {
		"id": "unique-id",
		"name": "Data engineering"
	}
}

Resource

{
  "version": "1",
  "type": "resource",
  "id": "unique-id",
  "name": "Airflow DB",
  "address": {
    "type": "DNS",
    "value": "airflow.autoco.int"
  },
  "protocols": {
    "allowIcmp": true,
    "tcp": {
      "policy": "ALLOW_ALL",
      "ports": []
    },
    "udp": {
      "policy": "ALLOW_ALL",
      "ports": []
    }
  },
  "isActive": true
}

API key

{
	"version": "1",
	"type": "publicAPIKey",
	"id": "unique-id",
	"name": "Terraform API key",
	"permission": "read only",
	"allowedIpRange": "0.0.0.0/0"
}
  • permission: Possible values: “read only”, “read write”, “provision”

User

{
	"version": "1",
	"type": "user",
	"id": "unique-id",
	"name": "John Doe",
	"email": "name@example.com",
	"isAdmin": true,
	"isActive": true
}

Group

{
	"version": "1",
	"type": "group",
	"id": "unique-id",
	"name": "Production users"
}

Device

{ 
	"version": "1",
	"type": "device",
	"id": "unique-id",
	"name": "Banana Phone",
	"displayName": "Alex's iPhone 12 Pro",
	"platform": "iOS",
	"osName": "iOS",
	"serialNumber": "BEADBA53-CC33-49D8-85FC-EB26E778EA9D",
	"user": {
		"id": "unique-id", 
		"email": "name@example.com",
		"name": "John Doe"
	},
	"isTrusted": false,
	"clientVersion": "1.0.15"
}

Service Account

{
	"version": "1",
	"type": "serviceAccount",
	"id": "unique-id",
	"name": "CircleCI Production"
}

Service Account Key

{
  "version": "1",
  "type": "serviceAccountKey",
  "name": "blue-giraffe",
  "id": "unique-id",
  "state": "active",
  "serviceAccount": {
    // See service account target above
  }
}
  • state: Possible values: “active”, “expired”, “revoked”, “deleted”
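
The event schema, the S3 wrapper and the target schemas above can be consumed together for change review. The following is an added example, not code from this documentation: the function names and triage rules are hypothetical, the sample records are constructed, and it assumes one JSON object per line and that a "Twingate Support" actor's "info" arrives as null or empty.

```python
import json

# Constructed sample records (not real log data); the second uses the S3 wrapper.
SAMPLE_LINES = [
    '{"version": "1", "time": "2021-08-15T14:30Z", "actor": {"type": "User", "id": "u-1",'
    ' "info": {"email": "name@example.com", "name": "John Doe"}}, "action": "create",'
    ' "targets": [{"version": "1", "type": "publicAPIKey", "id": "k-1", "name": "Terraform API key",'
    ' "permission": "read write", "allowedIpRange": "0.0.0.0/0"}]}',
    '{"event_type": "audit_log", "event": {"version": "1", "time": "2021-08-15T15:00Z",'
    ' "actor": {"type": "Twingate Support", "id": "s-1", "info": null}, "action": "edit",'
    ' "targets": [{"version": "1", "type": "user", "id": "u-2", "name": "John Doe",'
    ' "email": "name@example.com", "isAdmin": true, "isActive": true}]}}',
    '{"version": "1", "time": "2021-08-15T16:00Z", "actor": {"type": "API", "id": "k-1",'
    ' "info": {"name": "Terraform API key"}}, "action": "edit",'
    ' "targets": [{"version": "1", "type": "group", "id": "g-1", "name": "Production users"}]}',
]

def unwrap(record):
    """Return the audit event, with or without the S3 wrapper object."""
    return record["event"] if record.get("event_type") == "audit_log" else record

def actor_label(actor):
    """Name the actor from whichever "info" fields its type carries."""
    info = actor.get("info") or {}  # assumption: Support "info" is null or empty
    return f'{actor.get("type")}:{info.get("email") or info.get("name") or actor.get("id")}'

def review(event):
    """Return reasons to take a second look (hypothetical triage rules)."""
    if event.get("version") != "1":
        return [f'unknown schema version {event.get("version")!r}']
    reasons = []
    if event["actor"]["type"] == "Twingate Support":
        reasons.append("change made by Twingate Support")
    for t in event["targets"] if event["action"] != "delete" else []:
        if (t["type"] == "publicAPIKey" and t.get("permission") != "read only"
                and t.get("allowedIpRange") == "0.0.0.0/0"):
            reasons.append(f'API key "{t["name"]}" is not read only and allows any source IP')
        if t["type"] == "user" and t.get("isAdmin"):
            reasons.append(f'admin user {t.get("email")} created or edited')
    return reasons

def triage(lines):
    """Parse JSON lines and return (time, actor, reasons) for flagged events."""
    out = []
    for line in lines:
        event = unwrap(json.loads(line))
        reasons = review(event)
        if reasons:
            out.append((event.get("time"), actor_label(event.get("actor") or {}), reasons))
    return out
```

Calling triage(SAMPLE_LINES) flags the first two constructed records and skips the group edit made by the API actor.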
