Audit
DSV captures and stores audit logs of actions taken. The following fields are captured in audit data.
Attribute | Description | Example |
---|---|---|
id | Audit ID | "00000000-1111-2222-8b1f-b94bb1fab746" |
tenant | Tenant ID | "abcd1234567890jbo090" |
tenantName | Tenant Name | "test" |
principal | Security principal that performed action | "users:user" |
principalItemId | Principal item ID | "12345678-0000-41b8-8b02-0123456789ab" |
action | Action performed | "POST" |
status | Response status code | 200 |
path | Resource path action performed on | "token" |
ipaddress | IP Address logged from client | "10.10.10.10" |
created | Audit created date | "2020-05-01T01:09:07.225694779Z" |
message | Additional details | "login succeeded" |
Permissions
To allow reading audit logs, create a policy that allows the list action on the audit resource. Example of creating such a policy via CLI:
dsv policy create --path audit --actions list --resources audit --subjects groups:audit-readers
API Endpoint
You can make direct REST API requests to access audit logs. Example using curl as follows:
curl -s -H "Authorization: ${DSV_TOKEN}" 'https://example.secretsvaultcloud.com/v1/audit?startDate=2023-04-20'
Read more at Audit API documentation page.
CLI Command
DSV CLI supports reading and filtering audit logs via the dsv audit command.
Read more at Audit Command page.
UI View
DSV Web UI (or simply UI) can display audit logs. Learn more at Audit page.
SIEM
The audit logs can be sent to registered Security Information and Event Management (SIEM) servers in near real time. DSV supports the following types of SIEM listeners:
Type | Transport |
---|---|
Syslog | UDP, TCP, TLS |
CEF | UDP, TCP, TLS |
JSON | UDP, TCP, HTTP, HTTPS |
Splunk | HTTPS |
Read more at SIEM Audits page.
Available Audit Logs
Path | Method | Status | Description |
---|---|---|---|
clients | POST | 201 | Log when client is created successfully |
clients:{clientId} | GET | 200 | Log when client is read |
clients:bootstrap:{clientId} | GET | 200 | Log when client credential is read |
clients | GET | 200 | Log when client search is performed |
clients:{clientId} | DELETE | 200 | Log when client is deleted |
clients:{clientId}:restore | GET | 200 | Log when client is restored |
config:auth | POST | 201 | Log when new auth provider is saved |
config:auth:{name} | GET | 200 | Log when auth provider is read |
config:auth:{name} | PUT | 200 | Log when auth provider is updated |
config:auth:{name}:version:{version} | GET | 404,200 | Log when auth provider is read by version |
config:auth | GET | 200 | Log when auth provider is searched |
config:auth:{name}:rollback:{version} | PUT | 404,200 | Log when auth provider config is rolled back |
config:auth:{name} | DELETE | 200 | Log when auth provider config is deleted |
config:auth:{name}:restore | GET | 200 | Log when auth provider config is restored |
config:policies:{path} | GET | 200 | Log when policy is read |
config:policies:{path}:version:{version} | GET | 404,200 | Log when policy is read by version |
config:policies | POST | 201 | Log when policy is created |
config:policies:{path} | PUT | 200 | Log when policy is updated |
config:policies:{path}:rollback:{version} | PUT | 404,200 | Log when policy is rolled back |
config:policies | GET | 200 | Log when policy is searched |
config:policies:{path} | DELETE | 200 | Log when policy is deleted |
config:siem | POST | 201 | Log when siem endpoint is registered |
config:siem:{name} | PUT | 200 | Log when siem endpoint is updated |
config:siem:{name} | GET | 200 | Log when siem endpoint is read |
config:siem:{name} | DELETE | 200 | Log when siem endpoint is deleted |
crypto:key:{path} | POST | 201 | Log when new encryption key is created |
crypto:rotate | POST | 201 | Log when data and key are rotated |
crypto:key:{path} | GET | 200 | Log when key metadata is read |
crypto:key:{path} | DELETE | 204 | Log when key is deleted |
crypto:key:{path}:restore | PUT | 204 | Log when key is restored |
crypto:encrypt | POST | 200 | Log when data is encrypted |
crypto:decrypt | POST | 200 | Log when data is decrypted |
engines | POST | 201 | Log when dsv engine is created |
engines:{name}:ping | POST | 200 | Log when an engine is pinged |
engines:{name} | GET | 200 | Log when an engine is read |
engines:{name} | DELETE | 200 | Log when an engine is deleted |
pools | POST | 201 | Log when a pool is created |
pools:{name} | GET | 200 | Log when a pool is read |
pools:{name} | DELETE | 204 | Log when a pool is deleted |
groups | POST | 201 | Log when a group is created |
groups:{name}:members | POST | 200 | Log when a group member is added |
groups:{name} | GET | 200 | Log when a group is read |
users:{name}:group | GET | 200 | Log when group members are read |
groups:{name}:members | DELETE | 204 | Log when group members are deleted |
groups:{name} | DELETE | 200 | Log when group is deleted |
groups:{name}:restore | GET | 200 | Log when group is restored |
groups | GET | 200 | Log when groups are searched |
pki:register | POST | 201 | Log when CA root is saved |
pki:root | POST | 200 | Log when CA root is generated |
pki:sign | POST | 200 | Log when certificate is signed |
pki:leaf | POST | 200 | Log when leaf certificate & key are created |
pki:ssh-cert | POST | 200 | Log when SSH cert is saved/generated |
roles | POST | 201 | Log when role is created |
roles:{name} | PUT | 200 | Log when role is updated |
roles:{name} | GET | 200 | Log when role is read |
roles:{name}:version:{version} | GET | 200 | Log when role is read by version |
roles | GET | 200 | Log when roles are searched |
roles:{name} | DELETE | 200 | Log when role is deleted |
roles:{name}:restore | GET | 200 | Log when role is restored |
task:status:{id} | GET | 200 | Log when task status is read |
token | POST | 200 | Log when user authenticates successfully |
revoke:{refreshtoken} | POST | 204 | Log when a refresh token is revoked |
token | POST | 0 | Log when user authentication attempt fails |
users:{name} | PUT | 200 | Log when a user is updated |
users | POST | 201 | Log when a user is created |
users:{name}:password | POST | 200 | Log when user password is updated |
users:{name} | GET | 200 | Log when user is read |
users:{name}:version:{version} | GET | 200 | Log when user is read by version |
users | GET | 200 | Log when users are searched |
users:{name} | DELETE | 200 | Log when user is deleted |
users:{name}:restore | GET | 200 | Log when user is restored |
config | GET | 500,404,200 | Log when config is read |
config:version:{version} | GET | 404,500,200 | Log when config is read by version |
config | POST | 400,500,201 | Log when config is created or updated |
secrets:{path,id} | GET | 404,200 | Log when secret is read |
secrets:{path,id}:version:{version} | GET | 404,200 | Log when secret is read by version |
secrets:{path,id}:rollback:{version} | PUT | 404,200 | Log when secret is rolled back |
secrets:{path,id}::description | GET | 404,200 | Log when secret is described |
secrets:{path}::listpaths | GET | 0 | Log when secret paths are listed [disabled] |
secrets:{path} | POST | 201 | Log when secret is created |
secrets:{path,id} | PUT | 200 | Log when secret is updated |
secrets:{path,id} | DELETE | 200 | Log when secret is deleted |
secrets:{path,id}:restore | GET | 200 | Not logged |
secrets | GET | 200 | Log when secrets are searched |
home:{principal}:{path} | GET | 404,200 | Log when home secret is read |
home:{principal}:{path} | POST | 201 | Log when home secret is created |
home:{principal}:{path} | PUT | 200 | Log when home secret is updated |
home:{principal}:{path} | DELETE | 200 | Log when home secret is deleted |
home:{principal}:{path}::description | GET | 404,200 | Log when home secret is described |
home:{principal} | GET | 200 | Log when home is searched |
home:{principal}:{path}:version:{version} | GET | 404,200 | Log when home secret is read by version |
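As an added example (not part of the DSV documentation), the script below triages audit records in the field layout documented above: it counts failed authentications per source IP (a token POST logged with status 0, as the table shows), lists changes to auth providers, policies and SIEM endpoints under config:, and lists successful secret reads. The records are constructed samples, and the fixed id, tenant and created values are placeholders.

```python
from collections import Counter

def rec(principal, action, status, path, ip, message=""):
    # Build one constructed record using the audit fields documented on this page.
    return {"id": "00000000-1111-2222-8b1f-b94bb1fab746", "tenant": "abcd1234567890jbo090",
            "tenantName": "test", "principal": principal, "action": action,
            "status": status, "path": path, "ipaddress": ip,
            "created": "2023-04-20T01:09:07.225694779Z", "message": message}

# Constructed sample audit data (not real DSV output).
SAMPLE_AUDIT = [
    rec("users:alice", "POST", 0, "token", "10.10.10.10", "login failed"),
    rec("users:alice", "POST", 0, "token", "10.10.10.10", "login failed"),
    rec("users:alice", "POST", 200, "token", "10.10.10.10", "login succeeded"),
    rec("users:bob", "POST", 0, "token", "10.10.10.20", "login failed"),
    rec("users:alice", "PUT", 200, "config:policies:audit", "10.10.10.10"),
    rec("users:alice", "GET", 200, "secrets:db:prod", "10.10.10.10"),
    rec("clients:svc-ci", "DELETE", 200, "config:auth:okta", "10.10.10.30"),
    rec("users:bob", "GET", 404, "secrets:db:prod", "10.10.10.20"),
]

CONFIG_WRITE_ACTIONS = {"POST", "PUT", "DELETE"}

def failed_logins_by_ip(records, threshold=2):
    """IPs with at least `threshold` failed authentications (path token, POST, status 0)."""
    counts = Counter(r["ipaddress"] for r in records
                     if r["path"] == "token" and r["action"] == "POST" and r["status"] == 0)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def config_changes(records):
    """Writes under config: (auth providers, policies, SIEM endpoints) that succeeded."""
    return [(r["principal"], r["action"], r["path"]) for r in records
            if r["path"].startswith("config:") and r["action"] in CONFIG_WRITE_ACTIONS
            and 200 <= r["status"] < 300]

def successful_secret_reads(records):
    """Successful reads of secrets: and home: paths (404s are access attempts, not reads)."""
    return [(r["principal"], r["path"]) for r in records
            if r["path"].split(":")[0] in ("secrets", "home")
            and r["action"] == "GET" and r["status"] == 200]

def summarize(records):
    return {"brute_force_ips": failed_logins_by_ip(records),
            "config_changes": config_changes(records),
            "secret_reads": successful_secret_reads(records)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AUDIT).items():
        print(f"{key}: {value}")
```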