This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

    [BETA] Auditing Sysdig Platform Activities

    Sysdig allows administrators to view a log of user activities and modifications to the components in the system. Audit logs refer to chronologically cataloged events to provide a history of operational actions and to mitigate challenges. The ability to trace an event back to their origin provides proof of compliance and operational integrity, and protection from unsolicited use. An audit log contains:

    • What the event was about.

    • What user, service, system, or application launched the event.

    • The date and time the event occurred

    Sysdig maintains audit logs in the database for 14 days and removes them in a first-in, first-out basis. The event retention limit is 100 K events per day.

    Prerequisites

    At this time, this feature is available only for Sysdig Secure On-Premises.

    Usecases

    • View user logins happened on a specific day for compliance purposes. 

    • Investigate issues such as the “Messaging Service - Health” Dashboard showing no data.

    • View if something has changed.

    • Investigate security incidents, such as Sysdig collecting sensitive data.

    • View who accessed the capture on Sysdig Monitor side.

    • Keep a record of removing a user from the system who is no longer with the organization.

    Accessing Audit APIs

    Use the conventions described in REST API Conventions to access Audit APIs.

    Methods

    • GET

    • POST

    Available Audit APIs

    The following APIs are available to support the audit log feature.

    • AppAttributes

    • AuditEvents

    AppAttributes

    AppAttributes enables registering audit logs in Sysdig.

    Base URL

    https://<ip>/api/admin/appAttributes
    

    Request Parameters

    Request Parameters

    Parameters

    Description

    ID

    Unique ID of the feature: auditLogEnabled

    Value

    True indicates audit log is turned on.

    False indicates audit log is turned off.

    Request Parameters

    Response Parameters

    See table_title

    Sample  Request

    Fire a request as follows to enable audit log:

    curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>"\
      --request POST \
      --data '{"id":"auditLogEnabled","value":"true"}' \
      https://<url>/api/admin/appAttributes
    

    Sample Response

    The response looks as follows:

    {"id": "auditLogEnabled","value": "true"}
    

    auditEvents

    auditEvents returns a list of auditable events.

    Request Parameters

    Request Parameters of auditEvents

    Parameters

    Description

    customerId

    The unique ID of the user.

    username

    The username of the account that accessed the system.

    requestMethod

    Type of request method.

    Supported methods are GET and PUT.

    requestUri

    /api/admin/appAttributes

    queryString

    A set of characters passed to retrieve specific information.

    responseStatus

    HTTP Response status code.

    responseReasonPhrase

    The response from the API server.

    dateCreated

    The date on which the event is created.

    lastUpdated

    The date when the event was last modified.

    From

    Indicates the date and time when Sysdig started recording auditable events.

    Date format is YYYY-MM-DD HH:MM:SS.

    To

    Indicates the date and time when Sysdig stopped recording auditable events.

    Date format is YYYY-MM-DD HH:MM:SS.

    Request Parameters of auditEvents

    Response Parameters

    Response Parameters

    Parameters

    Description

    customerId

    The unique ID of the user.

    username

    The username of the account that accessed the system.

    requestMethod

    Type of request method.

    Supported methods are GET and PUT.

    requestUri

    The URI to identify the resource.

    /api/admin/appAttributes

    queryString

    A set of characters passed to retrieve specific information.

    responseStatus

    The HTTP Response status code.

    responseReasonPhrase

    The response from the API server.

    dateCreated

    The date on which the event is created.

    lastUpdated

    The date when the event was last modified.

    Response Parameters

    Sample Request to Query by Date Range

    The request parameters show the start and end time of the interval in which events are observed and registered.

    curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>"\ --request GET \ 'http://localhost:9000/api/audit/events?from=2019-06-25 11:00:00&to=2019-06-25 12:41:00'
    

    Sample Response

    {
        "auditEvents": [
            {
                "customerId": 1,
                "username": "test@draios.com",
                "requestMethod": "POST",
                "requestUri": "/api/admin/appAttributes",
                "queryString": "",
                "responseStatus": 200,
                "responseReasonPhrase": "OK",
                "dateCreated": "2019-06-25 11:07:32",
                "lastUpdated": "2019-06-25 11:07:32"
            },
            {
                "customerId": 1,
                "username": "test@draios.com",
                "requestMethod": "GET",
                "requestUri": "/api/history/timelines/",
                "queryString": "",
                "responseStatus": 200,
                "responseReasonPhrase": "OK",
                "dateCreated": "2019-06-25 11:07:42",
                "lastUpdated": "2019-06-25 11:07:42"
            }
    }
    

    Sample Request to Query by Date Range, Username, and methodType

    curl -k --header "Content-Type: application/json" -H "X-Sysdig-Product: SDC" -H "Authorization: Bearer <token>"\ --request GET \ 'http://localhost:9000/api/audit/events?from=2019-06-25 11:00:00&to=2019-06-25 12:41:00&methodType=POST&username=test@draios.com'
    

    Sample Response

    {
        "auditEvents": [
            {
                "customerId": 1,
                "username": "test@draios.com",
                "requestMethod": "POST",
                "requestUri": "/api/admin/appAttributes",
                "queryString": "",
                "responseStatus": 200,
                "responseReasonPhrase": "OK",
                "dateCreated": "2019-06-25 11:07:32",
                "lastUpdated": "2019-06-25 11:07:32"
            }
    }
    

    Disable Audit Log

    To disable audit log, get the current version of the API, then pass the new value and the current version field as follows:

    curl -sk  -H "Content-Type: application/json" -H "Authorization: Bearer <TOKEN>" --request PUT --data '{"value":"false", "version": 1}' "https:// <HOSTNAME>/api/admin/appAttributes/auditLogEnabled" | jq
    {
      "appAttribute": {
        "id": "auditLogEnabled",
        "version": 2,
        "createdOn": 1564743383000,
        "modifiedOn": 1565115934000,
        "value": "false"
      }
    }