SPEKTRA Edge Audit Service API

Understanding the Audit service API.

The SPEKTRA Edge audit service stores audit logs that record all API activity by users and service accounts. Audit logs let you check who performed a specific operation and what changes were actually made to the data (for operations such as create/update). The audit log also records the timestamp and the IP address of the user.

There are two types of audit logs:

  1. Activity Logs
  2. Resource Change Logs

Audit logging is automatically enabled for all SPEKTRA Edge services such as IAM, Devices, Applications, Proxies, Monitoring, Limits, Secrets, etc. It is highly recommended to enable it for all third-party services too.

Full API Specifications (with resources):

Resources

Activity Logs

Activity logs record all API operations that are performed by any user.

The contents of the activity log include:

  • scope (project, organization, or service name)
  • request ID (useful to correlate with resource change logs)
  • user data (User email or service account details)
  • metadata (Source IP address of the request and user agent name)
  • request method (MethodName and API version)
  • authorization (List of Permissions that are granted for this operation and list of permissions that were denied)
  • Service information (name and region to which the request is made)
  • resource details (resource name, field-mask for the operation, and resource data before and after the API operation)
  • API request category
    • Create
    • Read
    • Delete
    • SpecUpdate
    • StateUpdate
    • MetadataUpdate
    • Custom Operations
    • Internal
    • Rejected
    • ClientError
    • ServerError
  • events related to the request
    • client request
    • server response
    • regions routing
    • etc.

Resource Change Logs

Resource change logs record the details of the events related to changes made on a specific resource. A resource change log is always related to an activity log. A single API request may modify multiple resources and therefore there is a 1:N relation between the activity log and Resource change log. Activity logs and resource change logs can be correlated using the Request ID field.

The contents of resource change logs include:

  • scope
  • request ID
  • timestamp
  • user data (user name or service account details)
  • Service Information (name and the region to which the request is made)
  • resource change details
    • resource name
    • type
    • value of resource before and after the operation
  • Transaction Details
    • Transaction ID
    • retry counter
    • Transaction States:
      • PRE_COMMITTED
      • COMMITTED
      • ROLLED_BACK

Retrieving logs

In this short quickstart guide we will show you how to retrieve both activity logs and resource change logs using our CLI:

Retrieving Activity logs using CLI

Audit logs can be queried by providing three input parameters:

  • Parents

    Project, Organization, or Service name

  • Interval

    Time interval for the queried data. Start time is mandatory. If the end time is not provided, the current time is taken.

  • Filter

    Activity logs can be filtered based on any of the fields in the API schema.

We support =, !=, IN, and NOT IN filter conditions. Multiple conditions can be combined using AND.

Sample query to fetch activity logs for a given resource:

cuttle audit query activity-logs \
  --parents 'projects/<projectID>' \
  --filter 'service.name="devices.edgelq.com" and resource.name="projects/<projectID>/regions/us-west2/devices/<deviceID>"' \
  --interval '{"startTime":"2022-06-07T00:00:00Z"}' \
  --page-size 20 -o json

Sample query to fetch activity logs for a given user:

cuttle audit query activity-logs \
  --parents 'projects/<projectID>' \
  --filter 'authentication.principal="user:<emailID>"' \
  --interval '{"startTime":"2022-06-07T00:00:00Z"}' \
  --page-size 20 -o json

Sample query to fetch all user triggered API operations in IAM service (skip service accounts):

cuttle audit query activity-logs \
  --parents 'projects/<projectID>' \
  --filter 'service.name="iam.edgelq.com" and authentication.principalType="user"' \
  --interval '{"startTime":"2022-08-10T00:00:00Z"}' \
  --page-size 20 \
  -o json

Sample query to fetch activity logs involving important user triggered changes (using IN condition):

cuttle audit query activity-logs \
  --parents 'projects/<projectID>' \
  --filter 'service.name="devices.edgelq.com" and category IN ("Creation", "SpecUpdate", "Deletion")' \
  --interval '{"startTime":"2022-06-07T00:00:00Z"}'

Retrieving Resource Change logs using CLI

Resource Change logs can be queried in a similar way to audit logs:

  • Parents

    Project, Organization, or Service name

  • Interval

    Time interval of the queried data. Start time is mandatory. If the end time is not provided, the current time is taken as the end time.

  • Filter

    The filter must specify either service.name together with resource.type, or request_id.

Sample query to fetch all resource change logs for a specific request ID (from activity log):

cuttle audit query resource-change-logs \
  --parents 'projects/<projectID>' \
  --filter 'requestId=<requestID from activity log>' \
  --interval '{"startTime":"2022-07-20T00:00:00Z"}' \
  -o json
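
The 1:N relation between an activity log and its resource change logs can be checked offline once both result sets are saved as JSON. The following is an added example, not part of the SPEKTRA Edge documentation or tooling: it joins the two sets on the request ID and reports data-modifying requests with no COMMITTED change as well as change logs with no matching activity log. The sample records are constructed, and the JSON key names (taken from the filter paths on this page, plus an assumed transaction.state key) are assumptions about the output layout.

```python
import json
from collections import defaultdict

# Categories that modify data; the page spells them both ways (Create/Creation).
MUTATING = {"Create", "Creation", "Delete", "Deletion",
            "SpecUpdate", "StateUpdate", "MetadataUpdate"}
D = "projects/p1/regions/us-west2/devices/"  # constructed resource prefix
# Constructed sample records. Key names follow the filter paths used on this
# page; the exact JSON layout of `-o json` output is an assumption.
ACTIVITY_LOGS = [
    {"requestId": "1001", "category": "SpecUpdate",
     "authentication": {"principal": "user:alice@example.com"}},
    {"requestId": "1002", "category": "Delete",
     "authentication": {"principal": "user:bob@example.com"}},
    {"requestId": "1003", "category": "Read",
     "authentication": {"principal": "user:alice@example.com"}},
]
CHANGE_LOGS = [  # 1001/d1 was retried: first attempt rolled back, then committed
    {"requestId": "1001", "resource": {"name": D + "d1"}, "transaction": {"state": "ROLLED_BACK"}},
    {"requestId": "1001", "resource": {"name": D + "d1"}, "transaction": {"state": "COMMITTED"}},
    {"requestId": "1001", "resource": {"name": D + "d2"}, "transaction": {"state": "COMMITTED"}},
    {"requestId": "1002", "resource": {"name": D + "d3"}, "transaction": {"state": "ROLLED_BACK"}},
    {"requestId": "9999", "resource": {"name": D + "d4"}, "transaction": {"state": "COMMITTED"}},
]

def correlate(activity_logs, change_logs):
    """Join activity logs to resource change logs on requestId (1:N)."""
    by_request = defaultdict(list)
    for change in change_logs:
        by_request[change["requestId"]].append(change)
    report = {"committed": {}, "no_committed_change": [], "orphan_changes": []}
    seen = set()
    for act in activity_logs:
        rid = act["requestId"]
        seen.add(rid)
        if act["category"] not in MUTATING:
            continue  # not a data-modifying category
        committed = sorted({c["resource"]["name"] for c in by_request.get(rid, [])
                            if c["transaction"]["state"] == "COMMITTED"})
        if committed:
            report["committed"][rid] = {
                "principal": act["authentication"]["principal"], "resources": committed}
        else:  # mutating call whose changes never reached COMMITTED
            report["no_committed_change"].append(rid)
    # Change logs with no activity log in the queried window.
    report["orphan_changes"] = sorted(set(by_request) - seen)
    return report

if __name__ == "__main__":
    print(json.dumps(correlate(ACTIVITY_LOGS, CHANGE_LOGS), indent=2))
```

An entry under orphan_changes usually means the activity-log query used a narrower interval or filter than the resource-change-log query, so widen the activity-log query before treating it as a gap.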

Sample query to fetch all resource change logs for a specific resource type:

cuttle audit query resource-change-logs \
  --parents 'projects/<projectID>' \
  --filter 'service.name="devices.edgelq.com" and resource.type="Device"' \
  --interval '{"startTime":"2022-06-01T00:00:00Z"}' \
  --page-size 20 -o json

Sample query to fetch all resource change logs for a specific resource ID:

cuttle audit query resource-change-logs \
  --parents 'projects/<projectID>' \
  --filter 'service.name="devices.edgelq.com" and resource.type="Device" and resource.name="projects/<projectID>/regions/us-west2/devices/<deviceID>"' \
  --interval '{"startTime":"2022-06-01T00:00:00Z"}' \
  --page-size 20 -o json

Understanding the audit.edgelq.com service APIv1, in proto package ntt.audit.v1.

Understanding the audit.edgelq.com service APIv1alpha2, in proto package ntt.audit.v1alpha2.