Secure Audit Log Configuration API Reference

The Secure Audit Log API is designed for recording a trail of application-based user activity in a scalable, tamper-proof log.

Base URL

audit.<csp>.<region>.pangea.cloud

POST /v1beta/config
curl -sSLX POST 'https://audit.aws.us.pangea.cloud/v1beta/config' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Get audit config (Beta)

POST
https://audit.aws.us.pangea.cloud/v1beta/config

required parameters

string

object

Pangea standard response schema

Configuration options available for audit service

string

The config ID

integer
(default: 1)
string (date-time)

The DB timestamp when this config was created. Ignored when submitted.

string (date-time)

The DB timestamp when this config was last updated.

string

configuration name

Retention window to store audit logs.

string
(default: "2d")

Retention window for cold query result / state information.

(default: "14d")

Retention window to keep audit logs in hot storage.

string
(default: "2d")

Length of time to preserve server-side query result caching.

string, null

A redact service config that will be used to redact PII from logs.

array<string>

Fields to perform redaction against.

string, null

A vault service config that will be used to sign logs.

string

ID of the Vault key used for signing. If missing, use a default Audit key

boolean
(default: false)

Enable/disable event signing

string

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"
string

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"
string

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"
string

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"
string

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.

POST /v1beta/config/create
curl -sSLX POST 'https://audit.aws.us.pangea.cloud/v1beta/config/create' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Create audit config (Beta)

POST
https://audit.aws.us.pangea.cloud/v1beta/config/create

required parameters

string

configuration name

Audit log field configuration. Only settable at create time.

boolean

If true, records contain fields to support client/vault signing.

string
(default: "reject")

Save (or reject) malformed AuditEvents.

boolean

If true, records contain fields to support tamper-proofing.

string
string
array<object>
string

Prefix name / identity for the field.

  • maxLength: 32
string

Human display description of the field.

  • maxLength: 255
string

Human display name/title of the field.

  • maxLength: 64
boolean

If true, redaction is performed against this field (if configured). Only valid for string type.

boolean

If true, this field is required to exist in all logged events.

boolean

If true, this field is used to partition the data in cold storage.

integer

The maximum size of the field. Only valid for strings, where it limits the number of UTF-8 characters.

string

The data type for the field.

boolean

If true, this field is visible by default in audit UIs.

integer

Current version: 3

string
(default: "2d")

Retention window for cold query result / state information.

Retention window for logs in cold storage. Deleted afterwards. Minimum 180d.

string (date-time)

The DB timestamp when this config was created. Ignored when submitted.

boolean
(default: false)

Splunk Forwarder type

string (uri)

URL where events will be written to. Must use HTTPS.

string

If indexer acknowledgement is required, this must be provided along with a 'channel_id'.

string

An optional Splunk channel included in each request if indexer acknowledgement is required for the HEC token along with the 'ack_url'.

string (base64)

Public certificate if a self-signed TLS cert is being used.

string

Optional Splunk index passed in the record bodies.

string

The vault config used to store the HEC token

string

The secret ID where the HEC token is stored in vault

(default: "14d")

Retention window for logs in hot storage. Migrated to warm, cold, or deleted afterwards.

string

The config ID

string
(default: "2d")

Length of time to preserve server-side query result caching.

string, null

A redact service config that will be used to redact PII from logs.

string (date-time)

The DB timestamp when this config was last updated.

string

ID of the Vault key used for signing. If missing, use a default Audit key

string, null

A vault service config that will be used to sign logs.

boolean
(default: false)

Enable/disable event signing

Retention window for logs in warm storage. Migrated to cold or deleted afterwards.

object

Settings overrides for partition-specific configuration

object

Pangea standard response schema

Configuration options available for audit service

string

The config ID

integer
(default: 1)
string (date-time)

The DB timestamp when this config was created. Ignored when submitted.

string (date-time)

The DB timestamp when this config was last updated.

string

configuration name

Retention window to store audit logs.

string
(default: "2d")

Retention window for cold query result / state information.

(default: "14d")

Retention window to keep audit logs in hot storage.

string
(default: "2d")

Length of time to preserve server-side query result caching.

string, null

A redact service config that will be used to redact PII from logs.

array<string>

Fields to perform redaction against.

string, null

A vault service config that will be used to sign logs.

string

ID of the Vault key used for signing. If missing, use a default Audit key

boolean
(default: false)

Enable/disable event signing

string

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"
string

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"
string

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"
string

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"
string

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.

POST /v1beta/config/update
curl -sSLX POST 'https://audit.aws.us.pangea.cloud/v1beta/config/update' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Update audit config (Beta)

POST
https://audit.aws.us.pangea.cloud/v1beta/config/update

required parameters

string

The config ID

string

configuration name

Audit log field configuration. Only settable at create time.

boolean

If true, records contain fields to support client/vault signing.

string
(default: "reject")

Save (or reject) malformed AuditEvents.

boolean

If true, records contain fields to support tamper-proofing.

string
string
array<object>
string

Prefix name / identity for the field.

  • maxLength: 32
string

Human display description of the field.

  • maxLength: 255
string

Human display name/title of the field.

  • maxLength: 64
boolean

If true, redaction is performed against this field (if configured). Only valid for string type.

boolean

If true, this field is required to exist in all logged events.

boolean

If true, this field is used to partition the data in cold storage.

integer

The maximum size of the field. Only valid for strings, where it limits the number of UTF-8 characters.

string

The data type for the field.

boolean

If true, this field is visible by default in audit UIs.

string (date-time)

The DB timestamp when this config was last updated.

integer

Current version: 3

string
(default: "2d")

Retention window for cold query result / state information.

Retention window for logs in cold storage. Deleted afterwards. Minimum 180d.

string (date-time)

The DB timestamp when this config was created. Ignored when submitted.

boolean
(default: false)

Splunk Forwarder type

string (uri)

URL where events will be written to. Must use HTTPS.

string

If indexer acknowledgement is required, this must be provided along with a 'channel_id'.

string

An optional Splunk channel included in each request if indexer acknowledgement is required for the HEC token along with the 'ack_url'.

string (base64)

Public certificate if a self-signed TLS cert is being used.

string

Optional Splunk index passed in the record bodies.

string

The vault config used to store the HEC token

string

The secret ID where the HEC token is stored in vault

(default: "14d")

Retention window for logs in hot storage. Migrated to warm, cold, or deleted afterwards.

string
(default: "2d")

Length of time to preserve server-side query result caching.

string, null

A redact service config that will be used to redact PII from logs.

string

ID of the Vault key used for signing. If missing, use a default Audit key

string, null

A vault service config that will be used to sign logs.

boolean
(default: false)

Enable/disable event signing

Retention window for logs in warm storage. Migrated to cold or deleted afterwards.

object

Settings overrides for partition-specific configuration

object

Pangea standard response schema

Configuration options available for audit service

string

The config ID

integer
(default: 1)
string (date-time)

The DB timestamp when this config was created. Ignored when submitted.

string (date-time)

The DB timestamp when this config was last updated.

string

configuration name

Retention window to store audit logs.

string
(default: "2d")

Retention window for cold query result / state information.

(default: "14d")

Retention window to keep audit logs in hot storage.

string
(default: "2d")

Length of time to preserve server-side query result caching.

string, null

A redact service config that will be used to redact PII from logs.

array<string>

Fields to perform redaction against.

string, null

A vault service config that will be used to sign logs.

string

ID of the Vault key used for signing. If missing, use a default Audit key

boolean
(default: false)

Enable/disable event signing

string

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"
string

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"
string

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"
string

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"
string

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.
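
A pre-submission check for the create and update request bodies described above, added here as an example and not Pangea's own code. It enforces the limits this page states (180d cold-storage minimum, HTTPS forwarder URL, 'ack_url' paired with 'channel_id', field length caps, redaction and size only on string fields); the key names 'cold_storage', 'forward_to_external', 'url', 'vault_sign', 'schema', 'fields' and the per-field keys, the "string" type value and the "<N>d" duration form are assumptions, because this page does not show the parameter names.

```python
import re
from urllib.parse import urlparse

# Limits quoted from the parameter descriptions on this page.
MIN_COLD_DAYS = 180
FIELD_MAX_LEN = {"id": 32, "description": 255, "name": 64}


def days(value):
    """Parse a window such as "180d"; return None for any other form (assumed format)."""
    m = re.fullmatch(r"(\d+)d", value) if isinstance(value, str) else None
    return int(m.group(1)) if m else None


def check_config(cfg):
    """Return findings for a create/update request body. Key names are assumptions."""
    findings = []
    cold = cfg.get("cold_storage")
    if cold is not None:
        d = days(cold)
        if d is None:
            findings.append(f"cold_storage: cannot parse {cold!r} as <N>d")
        elif d < MIN_COLD_DAYS:
            findings.append(f"cold_storage: {d}d is below the {MIN_COLD_DAYS}d minimum")

    fwd = cfg.get("forward_to_external")
    if fwd:
        if urlparse(fwd.get("url", "")).scheme != "https":
            findings.append("forwarder url: must use HTTPS")
        # Indexer acknowledgement needs both values; one without the other is an error.
        if bool(fwd.get("ack_url")) != bool(fwd.get("channel_id")):
            findings.append("forwarder: ack_url and channel_id must be set together")

    # Event signing defaults to false, so an absent flag means unsigned events.
    if not cfg.get("vault_sign", False):
        findings.append("vault_sign: event signing is disabled")

    for i, field in enumerate(cfg.get("schema", {}).get("fields", [])):
        for key, limit in FIELD_MAX_LEN.items():
            if len(field.get(key, "")) > limit:
                findings.append(f"fields[{i}].{key}: longer than {limit} characters")
        if field.get("type") != "string":
            for key in ("redact", "size"):
                if field.get(key):
                    findings.append(f"fields[{i}].{key}: only valid for string type")
    return findings


# Constructed sample bodies (hostnames, names and values are made up).
WEAK = {
    "name": "payments-audit",
    "cold_storage": "90d",
    "forward_to_external": {
        "url": "http://splunk.example.internal:8088/services/collector",
        "ack_url": "https://splunk.example.internal:8088/services/collector/ack",
    },
    "schema": {"fields": [
        {"id": "actor", "name": "Actor", "type": "string", "redact": True},
        {"id": "amount", "name": "Amount", "type": "integer", "redact": True},
    ]},
}
GOOD = dict(WEAK, cold_storage="365d", vault_sign=True,
            forward_to_external={"url": "https://splunk.example.internal:8088/x",
                                 "ack_url": "https://splunk.example.internal:8088/ack",
                                 "channel_id": "constructed-channel"},
            schema={"fields": WEAK["schema"]["fields"][:1]})

if __name__ == "__main__":
    for finding in check_config(WEAK):
        print(finding)
```
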

POST /v1beta/config/delete
curl -sSLX POST 'https://audit.aws.us.pangea.cloud/v1beta/config/delete' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

Delete audit config (Beta)

POST
https://audit.aws.us.pangea.cloud/v1beta/config/delete

required parameters

string

object

Pangea standard response schema

Configuration options available for audit service

string

The config ID

integer
(default: 1)
string (date-time)

The DB timestamp when this config was created. Ignored when submitted.

string (date-time)

The DB timestamp when this config was last updated.

string

configuration name

Retention window to store audit logs.

string
(default: "2d")

Retention window for cold query result / state information.

(default: "14d")

Retention window to keep audit logs in hot storage.

string
(default: "2d")

Length of time to preserve server-side query result caching.

string, null

A redact service config that will be used to redact PII from logs.

array<string>

Fields to perform redaction against.

string, null

A vault service config that will be used to sign logs.

string

ID of the Vault key used for signing. If missing, use a default Audit key

boolean
(default: false)

Enable/disable event signing

string

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"
string

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"
string

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"
string

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"
string

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.

POST /v1beta/config/list
curl -sSLX POST 'https://audit.aws.us.pangea.cloud/v1beta/config/list' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

List audit configs (Beta)

POST
https://audit.aws.us.pangea.cloud/v1beta/config/list

List audit service configs

fields

object
string

Only records where id equals this value.

array<string>

Only records where id includes each substring.

array<string>

Only records where id equals one of the provided substrings.

string (date-time)

Only records where created_at equals this value.

string (date-time)

Only records where created_at is greater than this value.

string (date-time)

Only records where created_at is greater than or equal to this value.

string (date-time)

Only records where created_at is less than this value.

string (date-time)

Only records where created_at is less than or equal to this value.

string (date-time)

Only records where updated_at equals this value.

string (date-time)

Only records where updated_at is greater than this value.

string (date-time)

Only records where updated_at is greater than or equal to this value.

string (date-time)

Only records where updated_at is less than this value.

string (date-time)

Only records where updated_at is less than or equal to this value.

string

Reflected value from a previous response to obtain the next page of results.

string

Order results asc(ending) or desc(ending).

string

Which field to order results by.

integer

Maximum results to include in the response.

  • minimum: 1

object

Pangea standard response schema

object
integer

The total number of service configs matched by the list request.

string

Used to fetch the next page of the current listing when provided in a repeated request's last parameter.

Configuration options available for audit service

string

The config ID

integer
(default: 1)
string (date-time)

The DB timestamp when this config was created. Ignored when submitted.

string (date-time)

The DB timestamp when this config was last updated.

string

configuration name

Retention window to store audit logs.

string
(default: "2d")

Retention window for cold query result / state information.

(default: "14d")

Retention window to keep audit logs in hot storage.

string
(default: "2d")

Length of time to preserve server-side query result caching.

string, null

A redact service config that will be used to redact PII from logs.

array<string>

Fields to perform redaction against.

string, null

A vault service config that will be used to sign logs.

string

ID of the Vault key used for signing. If missing, use a default Audit key

boolean
(default: false)

Enable/disable event signing

string

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"
string

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"
string

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"
string

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"
string

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.

Status Codes
Status | Status Code | Description
TreeNotFound | 200 | A tree has not been built for proofs. This is likely due to a lack of audit messages ingested.
BadOffset | 400 | The offset provided is invalid or out of range.
ForwardingError | 400 | Forwarder has experienced an error while forwarding messages.
InvalidSchema | 400 | The configured schema is not valid for this endpoint.
NoForwarderConfigured | 400 | Testing a forwarder requires a forwarder to be configured.
ForbiddenFieldValue | 403 | A field value was supplied that is not allowed by the token's field restrictions.
