
Sysdig Platform Audit

    Sysdig provides a set of APIs for auditing and reporting on the use of the Sysdig platform itself. (This is in contrast to the Activity Audit or Kubernetes Audit Log features which audit activity on your target environments.)

    The audit includes the following request methods against the Sysdig system:

    • PUT
    • POST
    • DELETE
    • PATCH
    • GET

    The data retention for system audit info is 90 days.

    Prerequisites

    Know your:

    Commands Overview

    Command
        Description

    filter=source in ("auditTrail")
        Informs the events feed API that you want to fetch auditTrail type of events
    {{host}}
        Host of the region for which you want to fetch audit events, e.g. https://app.sysdigcloud.com for AWS us-east
    {{from}}
        (nanoseconds) Start of the timestamp date range, e.g. from=1648477226000000000&to=164934122600000000
    {{to}}
        (nanoseconds) End of the timestamp date range, e.g. from=1648477226000000000&to=164934122600000000
    {{limit}}
        (integer) Upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example: offset=100&limit=100 (skip the first 100 and show the next 100)
    {{offset}}
        (integer) Used for paging; allows you to skip the first x events. For example, offset=100 will skip the first 100 events
    {{token}}
        (string) Sysdig Secure or Sysdig Monitor API token

    Usage

    Get all audit events across the product and services

    For Sysdig Secure

    GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail")&from={{from}}&to={{to}}&limit={{limit}}
    X-Sysdig-Product: SDS
    Authorization: Bearer {{token}}
    

    For Sysdig Monitor

    GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail")&from={{from}}&to={{to}}&limit={{limit}}
    X-Sysdig-Product: SDC
    Authorization: Bearer {{token}}
    

    Get audit events for a specific entity

    auditTrail.entityType is used if you want to list audit events only for a specific entity or list of entities. In this example, we want to fetch only auth audit events.

    X-Sysdig-Product: SDS (Sysdig Secure) or SDC (Sysdig Monitor)

    GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail") and auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
    X-Sysdig-Product: SDS
    Authorization: Bearer {{token}}
    
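    The requests above, put together as a small client that builds the filter, converts timestamps to the nanosecond epoch the API expects, sets the product header and walks through the results with offset/limit paging. This is an added example, not code from the Sysdig documentation or product: the function names, the SYSDIG_API_TOKEN environment variable and the assumption that the JSON response carries the event list under a top-level "data" key are all choices made here (the response envelope is not described on this page, so the page fetcher is injectable and the sample run uses constructed events).

```python
from __future__ import annotations

import json
import os
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Iterator
from urllib.parse import urlencode

MAX_LIMIT = 999  # documented upper bound for {{limit}}

# X-Sysdig-Product header value per product (SDS = Sysdig Secure, SDC = Sysdig Monitor)
PRODUCT_HEADER = {"secure": "SDS", "monitor": "SDC"}

# A page fetcher takes the full URL and headers and returns the list of audit events on that page.
PageFetcher = Callable[[str, dict], list]


def to_nanoseconds(dt: datetime) -> int:
    """Convert a timezone-aware datetime into the nanosecond epoch value used by {{from}}/{{to}}."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the epoch value is unambiguous")
    return int(dt.timestamp()) * 1_000_000_000 + dt.microsecond * 1_000


def build_filter(entity_types: list[str] | None = None) -> str:
    """Build the events-feed filter: auditTrail source, optionally narrowed by auditTrail.entityType."""
    flt = 'source in ("auditTrail")'
    if entity_types:
        quoted = ", ".join(f'"{e}"' for e in entity_types)
        flt += f" and auditTrail.entityType in ({quoted})"
    return flt


def build_request(host: str, product: str, token: str, from_ns: int, to_ns: int,
                  limit: int = MAX_LIMIT, offset: int = 0,
                  entity_types: list[str] | None = None) -> tuple[str, dict]:
    """Return (url, headers) for one page of the audit feed; the filter is URL-encoded."""
    if product not in PRODUCT_HEADER:
        raise ValueError(f"product must be one of {sorted(PRODUCT_HEADER)}")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if from_ns >= to_ns:
        raise ValueError("from must be earlier than to")
    params = {"filter": build_filter(entity_types), "from": from_ns, "to": to_ns,
              "limit": limit, "offset": offset}
    url = f"{host.rstrip('/')}/api/v1/secureEvents?{urlencode(params)}"
    headers = {"X-Sysdig-Product": PRODUCT_HEADER[product], "Authorization": f"Bearer {token}"}
    return url, headers


def iter_audit_events(fetch_page: PageFetcher, host: str, product: str, token: str,
                      from_ns: int, to_ns: int, entity_types: list[str] | None = None,
                      limit: int = MAX_LIMIT) -> Iterator[dict]:
    """Yield every audit event in the range, advancing offset by limit until a short page is returned."""
    offset = 0
    while True:
        url, headers = build_request(host, product, token, from_ns, to_ns, limit, offset, entity_types)
        page = fetch_page(url, headers)
        yield from page
        if len(page) < limit:  # a page shorter than limit is the last one
            return
        offset += limit


def http_fetch_page(url: str, headers: dict) -> list:
    """Fetch one page over HTTPS. Assumption: the JSON body is either a list or a dict with a "data" list."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return body["data"] if isinstance(body, dict) else body


if __name__ == "__main__":
    # Constructed sample events so the paging loop can be exercised offline.
    sample = [{"id": i, "auditTrail": {"entityType": "auth"}} for i in range(5)]

    def fake_fetch(url: str, headers: dict) -> list:
        offset = int(url.split("offset=")[1].split("&")[0])
        limit = int(url.split("limit=")[1].split("&")[0])
        return sample[offset:offset + limit]

    start = to_nanoseconds(datetime(2022, 3, 28, 14, 20, 26, tzinfo=timezone.utc))
    end = to_nanoseconds(datetime(2022, 4, 7, 14, 20, 26, tzinfo=timezone.utc))
    token = os.environ.get("SYSDIG_API_TOKEN", "placeholder-token")  # never hard-code the real token
    events = list(iter_audit_events(fake_fetch, "https://app.sysdigcloud.com", "secure", token,
                                    start, end, entity_types=["auth"], limit=2))
    print(f"fetched {len(events)} auth audit events in 3 pages")
```

    Swap fake_fetch for http_fetch_page to run against a real region host. The filter is passed through urlencode, so the spaces, quotes and parentheses in source in ("auditTrail") are escaped rather than sent raw, and the token is read from the environment so it does not end up in shell history or the script.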

    Entities Used

    For Sysdig Monitor/Sysdig Platform

    Some entities are also used in Sysdig Secure but are served from Monitor.

    ui_user_settings
    user
    policy
    falco_rules_file
    team
    customer_settings
    event
    api_token
    overview
    datasource
    secure_settings
    inactivity_settings
    plan_settings
    role
    application_user_settings
    dashboard_template
    dashboard
    integration
    auth
    default_dashboard
    downtime
    alert
    capture
    alert_notification
    agent
    alert_template_group
    auth_settings
    auth_sso
    aws_settings
    falco_list
    falco_macro
    invoice
    notification_channel
    permission
    provider
    runtime_policy_rule
    s3_settings
    service_account
    silencing_rule
    subscription
    usage_report
    

    For Sysdig Secure

    policy
    falco
    account
    event
    feature
    health
    networkSecurity
    report
    task
    compliance
    dataSource
    forwarding_integration
    framework
    host
    list
    macro
    networkTopology
    policyTuner
    provider
    resource
    rule
    schema
    user