[BETA] Auditing Sysdig Platform Activities

Sysdig allows administrators to view a log of user activities and of modifications to the components of the system. An audit log is a chronological record of events that provides a history of operational actions and supports investigation when something goes wrong. Being able to trace an event back to its origin gives proof of compliance and operational integrity, and protects against unauthorized use. Each audit log entry records:

  • What the event was about.

  • What user, service, system, or application launched the event.

  • The date and time the event occurred.

Sysdig keeps audit logs in the database for 14 days and removes them on a first-in, first-out basis. Retention is limited to 100K events per day.

Prerequisites

At this time, this feature is available only for Sysdig Secure On-Premises.

Use Cases

  • View the user logins that occurred on a specific day, for compliance purposes.

  • Investigate issues such as the “Messaging Service - Health” Dashboard showing no data.

  • Check whether a configuration has changed.

  • Investigate security incidents, such as Sysdig collecting sensitive data.

  • View who accessed a capture on the Sysdig Monitor side.

  • Keep a record of the removal of a user who is no longer with the organization.

Accessing Audit APIs

Use the conventions described in REST API Conventions to access Audit APIs.

Methods

  • GET

  • POST

Available Audit APIs

The following APIs are available to support the audit log feature.

  • AppAttributes

  • AuditEvents

AppAttributes

The AppAttributes API turns audit logging on or off in Sysdig.

Base URL

https://<HOSTNAME>/api/admin/appAttributes

Request Parameters

Request Parameters of AppAttributes

id
    Unique ID of the feature: auditLogEnabled

value
    true: the audit log is turned on.
    false: the audit log is turned off.

Response Parameters

The response carries the same id and value fields as the request; see the Sample Response below.

Sample Request

Send the following request to enable the audit log:

curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>" \
  --request POST \
  --data '{"id":"auditLogEnabled","value":"true"}' \
  https://<HOSTNAME>/api/admin/appAttributes

Sample Response

The response looks as follows:

{"id": "auditLogEnabled","value": "true"}

auditEvents

The auditEvents API returns the list of recorded audit events.

Request Parameters

Request Parameters of auditEvents

customerId
    The unique ID of the user.

username
    The username of the account that accessed the system.

requestMethod
    Type of request method. Supported methods are GET and PUT.

requestUri
    The URI that identifies the resource, for example /api/admin/appAttributes.

queryString
    A set of characters passed to retrieve specific information.

responseStatus
    The HTTP response status code.

responseReasonPhrase
    The response from the API server.

dateCreated
    The date on which the event was created.

lastUpdated
    The date on which the event was last modified.

from
    Start of the interval for which recorded audit events are returned. Date format is YYYY-MM-DD HH:MM:SS.

to
    End of the interval for which recorded audit events are returned. Date format is YYYY-MM-DD HH:MM:SS.

Response Parameters

Response Parameters of auditEvents

customerId
    The unique ID of the user.

username
    The username of the account that accessed the system.

requestMethod
    Type of request method. Supported methods are GET and PUT.

requestUri
    The URI that identifies the resource, for example /api/admin/appAttributes.

queryString
    A set of characters passed to retrieve specific information.

responseStatus
    The HTTP response status code.

responseReasonPhrase
    The response from the API server.

dateCreated
    The date on which the event was created.

lastUpdated
    The date on which the event was last modified.

Sample Request to Query by Date Range

The from and to parameters set the start and end of the interval for which recorded events are returned:

curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>" \
  --request GET \
  'http://<HOSTNAME>:9000/api/audit/events?from=2019-06-25 11:00:00&to=2019-06-25 12:41:00'

Sample Response

{
    "auditEvents": [
        {
            "customerId": 1,
            "username": "test@draios.com",
            "requestMethod": "POST",
            "requestUri": "/api/admin/appAttributes",
            "queryString": "",
            "responseStatus": 200,
            "responseReasonPhrase": "OK",
            "dateCreated": "2019-06-25 11:07:32",
            "lastUpdated": "2019-06-25 11:07:32"
        },
        {
            "customerId": 1,
            "username": "test@draios.com",
            "requestMethod": "GET",
            "requestUri": "/api/history/timelines/",
            "queryString": "",
            "responseStatus": 200,
            "responseReasonPhrase": "OK",
            "dateCreated": "2019-06-25 11:07:42",
            "lastUpdated": "2019-06-25 11:07:42"
        }
    ]
}

Sample Request to Query by Date Range, Username, and methodType

curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>" \
  --request GET \
  'http://<HOSTNAME>:9000/api/audit/events?from=2019-06-25 11:00:00&to=2019-06-25 12:41:00&methodType=POST&username=test@draios.com'

Sample Response

{
    "auditEvents": [
        {
            "customerId": 1,
            "username": "test@draios.com",
            "requestMethod": "POST",
            "requestUri": "/api/admin/appAttributes",
            "queryString": "",
            "responseStatus": 200,
            "responseReasonPhrase": "OK",
            "dateCreated": "2019-06-25 11:07:32",
            "lastUpdated": "2019-06-25 11:07:32"
        }
    ]
}

Disable Audit Log

To disable the audit log, first read the current version of the auditLogEnabled attribute, then send a PUT with the new value and that version field as follows:

curl -sk -H "Content-Type: application/json" -H "Authorization: Bearer <TOKEN>" --request PUT --data '{"value":"false", "version": 1}' "https://<HOSTNAME>/api/admin/appAttributes/auditLogEnabled" | jq
{
  "appAttribute": {
    "id": "auditLogEnabled",
    "version": 2,
    "createdOn": 1564743383000,
    "modifiedOn": 1565115934000,
    "value": "false"
  }
}
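The date-range queries above and the version-carrying PUT in this section are easy to script, and the returned events are also the right place to watch for changes to the audit setting itself. The following Python is an added example, not Sysdig's own code: it assumes only the query parameters and field names documented on this page, makes no network calls, and processes a constructed sample modelled on the page's sample response (the third event, a rejected PUT from other@example.com, is invented to show a failed attempt). The host name sysdig.example is a placeholder.

```python
"""Added example (not Sysdig's own code): build auditEvents query URLs, apply
the documented filters to returned events offline, and flag writes to the
audit-log setting.

Assumptions: the query parameters (from, to, username, methodType) and event
field names are the ones documented on this page; the events below are a
constructed sample, not real data."""
import json
from datetime import datetime, timedelta
from urllib.parse import quote, urlencode

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # from/to format documented on the page

# Constructed sample modelled on the page's sample response (not real data).
SAMPLE_RESPONSE = json.loads("""
{
  "auditEvents": [
    {"customerId": 1, "username": "test@draios.com", "requestMethod": "POST",
     "requestUri": "/api/admin/appAttributes", "queryString": "",
     "responseStatus": 200, "responseReasonPhrase": "OK",
     "dateCreated": "2019-06-25 11:07:32", "lastUpdated": "2019-06-25 11:07:32"},
    {"customerId": 1, "username": "test@draios.com", "requestMethod": "GET",
     "requestUri": "/api/history/timelines/", "queryString": "",
     "responseStatus": 200, "responseReasonPhrase": "OK",
     "dateCreated": "2019-06-25 11:07:42", "lastUpdated": "2019-06-25 11:07:42"},
    {"customerId": 1, "username": "other@example.com", "requestMethod": "PUT",
     "requestUri": "/api/admin/appAttributes/auditLogEnabled", "queryString": "",
     "responseStatus": 403, "responseReasonPhrase": "Forbidden",
     "dateCreated": "2019-06-25 12:30:05", "lastUpdated": "2019-06-25 12:30:05"}
  ]
}
""")


def build_events_url(host, start, end, username=None, method_type=None):
    """Return the auditEvents URL for a time window.

    The page's curl examples pass the timestamps with a literal space; here
    they are percent-encoded (space -> %20, ':' -> %3A) so the request line
    is a valid URL."""
    params = {"from": start.strftime(DATE_FMT), "to": end.strftime(DATE_FMT)}
    if username:
        params["username"] = username
    if method_type:
        params["methodType"] = method_type
    return f"https://{host}/api/audit/events?{urlencode(params, quote_via=quote)}"


def daily_windows(end, days=14):
    """Split the retention period into one-day windows ending at `end`.

    The page states 14-day retention and a 100K-events-per-day limit, so an
    export that walks day by day keeps each query inside one day's budget."""
    windows = []
    for i in range(days):
        stop = end - timedelta(days=i)
        windows.append((stop - timedelta(days=1), stop))
    return list(reversed(windows))


def filter_events(events, start=None, end=None, username=None, method=None):
    """Apply the documented query filters to a list of events locally."""
    out = []
    for ev in events:
        created = datetime.strptime(ev["dateCreated"], DATE_FMT)
        if start and created < start:
            continue
        if end and created > end:
            continue
        if username and ev["username"] != username:
            continue
        if method and ev["requestMethod"] != method:
            continue
        out.append(ev)
    return out


def audit_config_changes(events):
    """Flag writes to the appAttributes endpoint (e.g. toggling auditLogEnabled).

    A successful write means the coverage of the audit trail changed; a
    rejected one (non-2xx status) is an attempt worth following up on."""
    flagged = []
    for ev in events:
        if ev["requestMethod"] in ("POST", "PUT") and \
                ev["requestUri"].startswith("/api/admin/appAttributes"):
            flagged.append({
                "user": ev["username"],
                "when": ev["dateCreated"],
                "uri": ev["requestUri"],
                "succeeded": 200 <= ev["responseStatus"] < 300,
            })
    return flagged


def disable_payload(app_attribute):
    """Build the PUT body that turns the audit log off, carrying the current
    version field as the Disable Audit Log section requires."""
    return {"value": "false", "version": app_attribute["version"]}


if __name__ == "__main__":
    events = SAMPLE_RESPONSE["auditEvents"]
    print(build_events_url("sysdig.example", datetime(2019, 6, 25, 11, 0, 0),
                           datetime(2019, 6, 25, 12, 41, 0), method_type="POST"))
    for change in audit_config_changes(events):
        print(change)
```

The script never contacts the API, so it does not reproduce the -k flag from the curl examples; when you do send the request, that flag disables TLS certificate verification, and trusting the on-premises CA certificate instead keeps the token from being exposed to an impersonated host.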