Audit Logs Schema

Our audit logs come in the following JSON schema:

{
  "version": "1",
  "time": "2021-08-15T14:30Z",
  "actor": {
    "type": "User",
    "id": "unique-id",
    // For a "User" actor
    "info": {
      "email": "name@example.com",
      "name": "John Doe"
    },
    // For an "API" actor
    "info": {
      "name": "Terraform API key"
    },
    // For a "Twingate Support" actor
    "info": { null }
  },
  "action": "edit",
  "targets": [
    {
      ...
    }
  ]
}

For audit logs synced to S3, all events are inside the following object:

{
  "event_type": "audit_log",
  "event": {
    // See event schema above
  }
}

Notes on the audit log schema

  • version: The root-level schema version
  • time: The beginning of the network communication, as a UTC ISO-compliant date-time string
  • actor: The user making the change
      • type: Possible values: “User”, “API”, “Twingate Support”
  • action: The type of event. Possible values: “create”, “edit”, “delete”
  • targets: The objects impacted

Targets represent objects impacted by an event. Below are various targets and their schemas.

Remote Network

{
  "version": "1",
  "type": "remoteNetwork",
  "id": "unique-id",
  "name": "Data engineering",
  "location": "AWS",
  "isActive": true
}

Connector

{
  "version": "1",
  "type": "connector",
  "id": "unique-id",
  "name": "purple-monkey",
  "remoteNetwork": {
    "id": "unique-id",
    "name": "Data engineering"
  }
}

Resource

{
  "version": "1",
  "type": "resource",
  "id": "unique-id",
  "name": "Airflow DB",
  "address": {
    "type": "DNS",
    "value": "airflow.autoco.int"
  },
  "protocols": {
    "allowIcmp": true,
    "tcp": {
      "policy": "ALLOW_ALL",
      "ports": []
    },
    "udp": {
      "policy": "ALLOW_ALL",
      "ports": []
    }
  },
  "isActive": true
}

API key

{
  "version": "1",
  "type": "publicAPIKey",
  "id": "unique-id",
  "name": "Terraform API key",
  "permission": "read only",
  "allowedIpRange": "0.0.0.0/0"
}
  • permission: Possible values: “read only”, “read write”, “provision”

User

{
  "version": "1",
  "type": "user",
  "id": "unique-id",
  "name": "John Doe",
  "email": "name@example.com",
  "isAdmin": true,
  "isActive": true
}

Group

{
  "version": "1",
  "type": "group",
  "id": "unique-id",
  "name": "Production users"
}

Device

{
  "version": "1",
  "type": "device",
  "id": "unique-id",
  "name": "Banana Phone",
  "displayName": "Alex's iPhone 12 Pro",
  "platform": "iOS",
  "osName": "iOS",
  "serialNumber": "BEADBA53-CC33-49D8-85FC-EB26E778EA9D",
  "user": {
    "id": "unique-id",
    "email": "name@example.com",
    "name": "John Doe"
  },
  "isTrusted": false,
  "clientVersion": "1.0.15"
}

Service Account

{
  "version": "1",
  "type": "serviceAccount",
  "id": "unique-id",
  "name": "CircleCI Production"
}

Service Account Key

{
  "version": "1",
  "type": "serviceAccountKey",
  "name": "blue-giraffe",
  "id": "unique-id",
  "state": "active",
  "serviceAccount": {
    // See service account target above
  }
}
  • state: Possible values: “active”, “expired”, “revoked”, “deleted”
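
Added example (not Twingate's code): a small Python triage pass over audit events that unwraps the S3 envelope, copes with the empty "info" of a "Twingate Support" actor, and flags a few changes worth a second look. The review rules, the function names, the sample records and the one-JSON-object-per-line framing are assumptions of this example; the field names and values come from the schema above.

```python
import json

def unwrap(record):
    """Return the event from an S3 envelope, or the record itself if bare."""
    return (record.get("event") or {}) if record.get("event_type") == "audit_log" else record

def actor_label(event):
    """Name the actor; "info" carries nothing for a "Twingate Support" actor."""
    actor = event.get("actor") or {}
    info = actor.get("info") or {}
    return info.get("email") or info.get("name") or actor.get("type", "unknown")

def findings(event):
    """Apply the review rules (this example's own choices, not Twingate's)."""
    out, action = [], event.get("action")
    if (event.get("actor") or {}).get("type") == "Twingate Support":
        out.append("change made by Twingate Support")
    for t in event.get("targets") or []:
        kind, changed = t.get("type"), action in ("create", "edit")
        if (kind == "publicAPIKey" and changed and t.get("permission") != "read only"
                and t.get("allowedIpRange") == "0.0.0.0/0"):
            out.append("non-read-only API key usable from any IP")
        elif kind == "user" and changed and t.get("isAdmin") and t.get("isActive"):
            out.append("active admin user created or edited")
        elif kind == "serviceAccountKey" and action == "create":
            out.append("service account key created")
    return out

def triage(lines):
    """Return (time, actor, finding) for every rule hit in JSON-lines input."""
    events = [unwrap(json.loads(l)) for l in lines if l.strip()]
    return [(e.get("time"), actor_label(e), f) for e in events for f in findings(e)]

# Constructed sample records; ids and times are made up for the example.
_key = {"version": "1", "type": "publicAPIKey", "id": "k-1", "name": "Terraform API key",
        "permission": "read write", "allowedIpRange": "0.0.0.0/0"}
_group = {"version": "1", "type": "group", "id": "g-1", "name": "Production users"}
_user = {"type": "User", "id": "u-1", "info": {"email": "name@example.com", "name": "John Doe"}}
_support = {"type": "Twingate Support", "id": "s-1", "info": None}
def _ev(time, actor, action, target):
    return {"version": "1", "time": time, "actor": actor, "action": action, "targets": [target]}
SAMPLE = [json.dumps(r) for r in (
    {"event_type": "audit_log", "event": _ev("2021-08-15T14:30Z", _user, "create", _key)},
    {"event_type": "audit_log", "event": _ev("2021-08-15T14:31Z", _user, "edit", _group)},
    _ev("2021-08-15T14:32Z", _support, "delete", _group),  # bare event, no S3 envelope
)]

if __name__ == "__main__":
    print("\n".join(" | ".join(hit) for hit in triage(SAMPLE)))
```
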
