Home
ProductsDownload Free Edition

Audits

This page describes how to use Lenses to enable auditing to track every action in Lenses.

Lenses audits all user actions. Audit events can be viewed in Lenses and also sent to two channels, Splunk and Webhook.

Audits can also written to a file by setting a file path in the lenses.audit.to.log.file option in lenses.conf. Lenses will then write audit entries to disk as JSON for collection by your log aggregation systems.

Viewing audit logs in Lenses

Go to Admin->Audits->Logs. Lenses will display the activity including, who performed the action and when. Details can also be viewed (dependent on the action).

Sending audit logs to Splunk

To send audit logs to Splunk, you first need a Splunk connection. Go to Admin->Connection->New Connection and select Splunk.

Enter the connection details for your Splunk HTTP Event collector deployment.

Next, go to Admin->Audits->Channels->New Channel and select Splunk. Select a Splunk connection and set a Source.

Sending audit logs to a Webhook

First, you need a Webhook connection. Go to Admin->Connections->New Connection

Enter the URL, port and credentials.

Create a Channel to use the connection. Go to Admin->Audits->Channels->New Channel and select Webhook.

  1. Choose a name for your Channel instance.

  2. Select your connection.

  3. Set the HTTP method to use.

  4. Set the Request path. A URI-encoded request path, which may include a query string. Supports alert-variable interpolation.

  5. Set the HTTP Headers

  6. Set the Body payload

Lenses can also audit users' access to data and send events to multiple channels at the same time.

Template variables

In Request path, HTTP Headers and Body payload fields there is a possibility of using template variables, which will be translated to audit specific fields. In order to use template variables you have to use this format: {{VARIABLE}}, i.e. {{TYPE}}.

Supported template variables:

  • TYPE - high level source of the audit (i.e. USER in case of action related to user management - like user creation).

  • ACTION - name of the action audit refers to (i.e. UPDATE in case of editing group).

  • USER

  • TIMESTAMP

  • RESOURCE_ID - low level source id of the audit (i.e. alert id group in case of creating new alert rule). Can be empty for some audits.

  • RESOURCE_NAME - low level source name of the audit (i.e. connection name in case of creating new connection). Can be empty for some audits.

  • CREDS - CREDS[0] etc. - variables specified in connection's Credentials as a list of values separated by comma.

  • CONTENT - complete content of the audit entry. This variable is in JSON, so it should not be quoted.

E.g.:

{
  "type": "{{TYPE}}",
  "user": "{{USER}}",
  "timestamp": "{{TIMESTAMP}}",
  "content": {{CONTENT}}
}
PreviousData policiesNextKafka ACLs

Last updated

Logo

Resources

PrivacyCookiesTerms & ConditionsCommunity EULA

2024 © Lenses.io Ltd. Apache, Apache Kafka, Kafka and associated open source project names are trademarks of the Apache Software Foundation.