Skip to main content

About audit logs

Learn how Piiano Vault collects audit logs.

Vault always logs all requests to access and change data. This enables comprehensive auditing to be performed, if needed.

All operations are logged in a JSON format, and you decide where to stream these logs (for example, to S3, Splunk, ElasticSearch, etc.). The logs do not contain sensitive data. They only contain metadata and references (tokens) to the accessed data.

Here is a typical example of an audit log entry where a few lines were removed for readability. In this example, the Admin user has requested to list several properties from the Test collection. These properties include the email, first_name and a masked version of the SSN. The audit also lists which object IDs were returned.

{
"level": "info",
"version": "0.9.8-dev.1-g3f9508882",
"vault_id": "116073662933712896",
"product": "vault",
"service": "pvault-server",
"license_key": "...D0BEMhqNe3NArFMQ",
"type": "audit",
"server_trace_id": "6b0323e6-b587-4f1b-8cfc-712fc4a4781f",
"user_name": "Admin",
"role_name": "Admin",
"personsIDs":
[
"df801b63-a6e4-438c-8bdb-8306b5e7dc1d",
"76c83bdb-4066-4509-85d3-87c84dafa440",
"55f00519-8eb4-4a7d-92e9-fb57fad6ae26",
"0a7e8713-faee-43a3-aaf5-524b2d84e221",
"db7b14de-3b54-4f58-9859-ac260981e23a",
"4144ed9e-3818-4a7a-a4cd-d1bb7996bb2a",
"09ee7eb1-4b77-468e-b881-a8d1b2c61648",
"23df67b9-54cb-4e06-b963-e0910a080cb0",
"926c768f-3190-4a65-93c8-b1ddbd8eab33",
"b18ecf39-34e8-41e6-a0e8-f481c33e52ce"
],
"data_requested":
[
"email",
"first_name",
"ssn.mask"
],
"data_accessed":
[
"ssn.mask",
"email",
"first_name"
],
"collection": "Test",
"status_code": 200,
"method": "GET",
"url": "/api/pvlt/1.0/data/collections/Test/objects",
"operation_id": "get-objects",
"time": 1668788891888,
"message": "/api/pvlt/1.0/data/collections/Test/objects"
}

Note that data_requested may be different from data_accessed. For example when performing a query that returns no results. In that case data_accessed is empty while data_requested still includes the properties requested by the caller.

On this page