Audit Logging
Audit Logging is functionality exclusive to AuthZed products that publishes logs of SpiceDB API operations to a log sink.
Info: Audit Logging is currently in Early Access.
Early Access functionality is production-ready, but requires coordination with your success team to set-up.
Log Format
Logs contain the full details related to a request including:
- API Token hash
- Request Method
- Request Body
- Request IP
- Response Body
- Errors (if any)
Example
{
"specversion": "1.0",
"id": "35cdd6662882bd387292ef78a650d18b",
"source": "spicedb",
"type": "/authzed.api.v1.SchemaService/ReadSchema",
"datacontenttype": "application/json",
"time": "2023-12-18T17:32:47.234247Z",
"data": {
"request": {
"@type": "type.googleapis.com/authzed.api.v1.ReadSchemaRequest"
},
"response": {
"@type": "type.googleapis.com/authzed.api.v1.ReadSchemaResponse",
"schemaText": "definition folder {\n\trelation reader: user | service\n\tpermission read = reader\n}\n\ndefinition resource {\n\trelation reader: user | service\n\tpermission read = reader\n}\n\ndefinition service {}\n\ndefinition user {}",
"readAt": {
"token": "GhUKEzE3MDI5MjA0MjcxMjM2MDIwMDA="
}
},
"metadata": {
"token_hash": "c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2",
"user-agent": "grpc-go/1.58.3",
"x-request-id": "35cdd6662882bd387292ef78a650d18b"
}
}
}Log Sinks
Log Sinks are the targets where logs will be shipped in order to be persisted. In order to configure a log sink, you must file a request with your AuthZed customer success team.
The following are the supported log sinks:
- Apache Kafka (opens in a new tab)
- AWS Kinesis (opens in a new tab)
- AWS Kinesis Firehose (opens in a new tab)
Info: We're exploring additional Log Sinks.
Please reach out to your success team with any requests.