Sysdig allows administrators to view a log of user activities and modifications to the components in the system. Audit logs refer to chronologically cataloged events to provide a history of operational actions and to mitigate challenges. The ability to trace an event back to their origin provides proof of compliance and operational integrity, and protection from unsolicited use. An audit log contains:
What the event was about.
What user, service, system, or application launched the event.
The date and time the event occurred
Sysdig maintains audit logs in the database for 14 days and removes them in a first-in, first-out basis. The event retention limit is 100 K events per day.
Prerequisites
At this time, this feature is available only for Sysdig Secure On-Premises.
Usecases
View user logins happened on a specific day for compliance purposes.
Investigate issues such as the “Messaging Service - Health” Dashboard showing no data.
View if something has changed.
Investigate security incidents, such as Sysdig collecting sensitive data.
View who accessed the capture on Sysdig Monitor side.
Keep a record of removing a user from the system who is no longer with the organization.
Accessing Audit APIs
Use the conventions described in REST API Conventions to access Audit APIs.
Methods
GET
POST
Available Audit APIs
The following APIs are available to support the audit log feature.
AppAttributes
AuditEvents
AppAttributes
AppAttributes enables registering audit logs in Sysdig.
Base URL
https://<ip>/api/admin/appAttributes
Request Parameters
Parameters | Description |
|---|---|
ID | Unique ID of the feature: auditLogEnabled |
Value | True indicates audit log is turned on. False indicates audit log is turned off. |
Request Parameters
Response Parameters
See table_title
Sample Request
Fire a request as follows to enable audit log:
curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>"\
--request POST \
--data '{"id":"auditLogEnabled","value":"true"}' \
https://<url>/api/admin/appAttributes
Sample Response
The response looks as follows:
{"id": "auditLogEnabled","value": "true"}
auditEvents
auditEvents returns a list of auditable events.
Request Parameters
Parameters | Description |
|---|---|
customerId | The unique ID of the user. |
username | The username of the account that accessed the system. |
requestMethod | Type of request method. Supported methods are GET and PUT. |
requestUri | /api/admin/appAttributes |
queryString | A set of characters passed to retrieve specific information. |
responseStatus | HTTP Response status code. |
responseReasonPhrase | The response from the API server. |
dateCreated | The date on which the event is created. |
lastUpdated | The date when the event was last modified. |
From | Indicates the date and time when Sysdig started recording auditable events. Date format is YYYY-MM-DD HH:MM:SS. |
To | Indicates the date and time when Sysdig stopped recording auditable events. Date format is YYYY-MM-DD HH:MM:SS. |
Request Parameters of auditEvents
Response Parameters
Parameters | Description |
|---|---|
customerId | The unique ID of the user. |
username | The username of the account that accessed the system. |
requestMethod | Type of request method. Supported methods are GET and PUT. |
requestUri | The URI to identify the resource. /api/admin/appAttributes |
queryString | A set of characters passed to retrieve specific information. |
responseStatus | The HTTP Response status code. |
responseReasonPhrase | The response from the API server. |
dateCreated | The date on which the event is created. |
lastUpdated | The date when the event was last modified. |
Response Parameters
Sample Request to Query by Date Range
The request parameters show the start and end time of the interval in which events are observed and registered.
curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>"\ --request GET \ 'http://localhost:9000/api/audit/events?from=2019-06-25 11:00:00&to=2019-06-25 12:41:00'
Sample Response
{
"auditEvents": [
{
"customerId": 1,
"username": "test@draios.com",
"requestMethod": "POST",
"requestUri": "/api/admin/appAttributes",
"queryString": "",
"responseStatus": 200,
"responseReasonPhrase": "OK",
"dateCreated": "2019-06-25 11:07:32",
"lastUpdated": "2019-06-25 11:07:32"
},
{
"customerId": 1,
"username": "test@draios.com",
"requestMethod": "GET",
"requestUri": "/api/history/timelines/",
"queryString": "",
"responseStatus": 200,
"responseReasonPhrase": "OK",
"dateCreated": "2019-06-25 11:07:42",
"lastUpdated": "2019-06-25 11:07:42"
}
}
Sample Request to Query by Date Range, Username, and methodType
curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>"\ --request GET \ 'http://localhost:9000/api/audit/events?from=2019-06-25 11:00:00&to=2019-06-25 12:41:00&methodType=POST&username=test@draios.com'
Sample Response
{
"auditEvents": [
{
"customerId": 1,
"username": "test@draios.com",
"requestMethod": "POST",
"requestUri": "/api/admin/appAttributes",
"queryString": "",
"responseStatus": 200,
"responseReasonPhrase": "OK",
"dateCreated": "2019-06-25 11:07:32",
"lastUpdated": "2019-06-25 11:07:32"
}
}
Disable Audit Log
To disable audit log, get the current version of the API, then pass the new value and the current version field as follows:
curl -sk -H "Content-Type: application/json" -H "Authorization: Bearer <TOKEN>" --request PUT --data '{"value":"false", "version": 1}' "https:// <HOSTNAME>/api/admin/appAttributes/auditLogEnabled" | jq
{
"appAttribute": {
"id": "auditLogEnabled",
"version": 2,
"createdOn": 1564743383000,
"modifiedOn": 1565115934000,
"value": "false"
}
}