Audit Logging
The audit logging feature of API Gateway provides audit information for different categories of system transactions, events, and occurrences of specific events (for example, login attempts) over a period of time. You can use audit logs to view a detailed record of various auditable events that occurred on the API Gateway objects, user login and logout operations, and identify the users who are responsible for the changes. You can configure which audit events to log for a specific destination based on your auditing requirements.
You can configure API Gateway to log the auditable events for the following destinations:
- API Gateway
- Elasticsearch
The following auditable events can be configured to write to the API Gateway audit logs:
Access profile management events
Access profile management consists of the following events:
- Creation, modification, and deletion of an Access profile object.
Alias management events
Alias management consists of the following events:
- Creation, modification, and deletion of an Alias object.
Analytics management events
Analytics management consists of the following events:
- Archiving, purging, and restoring of analytics data in the database.
API management events
API management consists of the following events:
- Creation, modification, and deletion of an API object.
- Activation and deactivation of an API.
Application management events
Application management consists of the following events:
- Creation, modification, and deletion of an Application object.
Approval management events
Approval management consists of the following events:
- Approval and rejection of a request to create, register, and modify an application.
- Approval and rejection of a request to subscribe to a package in Developer Portal.
Group management events
Group management consists of the following events:
- Creation, modification, and deletion of a Group object.
Package management events
Package management consists of the following events:
- Creation, modification, and deletion of a Package object.
Plan management events
Plan management consists of the following events:
- Creation, modification, and deletion of a Plan object.
Policy management
Policy management consists of the following events:
- Creation, modification, and deletion of a global Policy object.
- Creation, modification, and deletion of an API level Policy object.
- Activation and deactivation of a global policy.
- Activation and deactivation of an API level policy.
Promotion management events
Promotion management consists of the following events:
- Creation, modification, and deletion of a Stage object.
- Promotion of an API stage.
- Rollback operation of an API stage.
User management events
User management consists of the following events:
- A user logs in or fails to log in to API Gateway.
- A user logs out of API Gateway.
- Creation, modification, and deletion of a User object.
API Gateway writes the audit logging data to the Audit logs dashboard (in the API Gateway user interface, go to Analytics > Audit logs). You can view and download audit logs.
Best Practices for API Gateway Audit Logging
API Gateway's audit logging feature is implemented using an event-driven approach. By default, the API Gateway destination is enabled to log the auditable events for all areas of management, such as APIs, policies, users, and so on. As a best practice, it is recommended to enable audit logging for the required management areas in other supported destinations: Database, Digital Events, and Elasticsearch. This practice is especially important when you want to provide the audit log data to external sources for analytics and anomaly detection.
Configuring Audit Logs
You have to configure which events you need to audit for a destination so that API Gateway logs the auditable events data to the specific destination. You can configure API Gateway to log the auditable events data to the following destinations:
- API Gateway
- Elasticsearch
- Custom Destination
Note: You can configure a custom destination to publish data to different components. For details on custom destinations, see Destination Configuration.
The following events are available for audit log reports:
- Access profile management
- Alias management
- Analytics management
- API management
- Application management
- Approval management
- Group management
- Package management
- Plan management
- Policy management
- Promotion management
- User management
By default, all the auditable events are logged into the API Gateway destination.
To configure audit logs
- Expand the menu options icon in the title bar, and select Administration.
- Select Destinations.
- Select the required destination to log the auditable events.
- In the Audit log data section, select the required management areas to monitor, audit, and report the data.
- Click Save.
Viewing Audit Logs
You can use the audit log reports to view the data of auditable events.
To view audit logs
- Expand the menu options icon in the title bar, and select Analytics. The dashboard displays the API Gateway-wide analytics based on the metrics monitored.
- Select Audit logs.
- In the drop-down list, choose the time interval in which you want to view the data of auditable events. The available options are:
  - Last 2 days
  - Last 7 days
  - Last 30 days
  - Last 60 days
  - Last 90 days
  - Custom
- If you select Custom, type the From Date and To Date to specify the time interval that best suits your needs.
- Click Apply filter to filter the analytics based on the time interval chosen. You can view logs for API Gateway auditable events in the Audit logs dashboard. You can also download the API Gateway audit log in a text file and view the auditable events data.
Filtering Audit Log Results
In general, the number of audit logs returned by the Audit log time-interval filter is large. You can refine the results using the following steps to view only the required records.
You can filter the audit log results based on fields such as creation date, event type, payload, and so on. For example, if you filter audit logs for the last 90 days and the number of audit logs for the filter is large, you can further filter the log records for a given creation date, event type, or payload.
To filter audit logs
- Click + Add filter above the audit logs grid. Logs that are filtered based on the given criteria appear.
- Provide the following:
  - Field - Field based on which the records must be filtered.
  - Operator - Conditional operator applied for the filters.
  - Value - Search keywords for the given filters.
- Click Save. Audit logs that match your filter criteria appear.
Downloading Audit Logs
You can download the audit log reports to examine the data of auditable events.
To download audit logs
- Expand the menu options icon in the title bar, and select Analytics. The dashboard displays the API Gateway-wide analytics based on the metrics monitored.
- Select Audit logs.
- In the drop-down list, choose the time interval in which you want to view the data of auditable events.
- If you select Custom, type the From Date and To Date to specify the time interval that best suits your needs.
- Click Download to download and view the detailed report. API Gateway generates a compressed file of the audit logs and downloads it to the default download folder configured in your browser.
The compressed file is named auditlogs_N.zip. The compressed file contains one or more simple text files, where each text file contains 10,000 audit log records.
The columns of the API Gateway audit log are listed below.
| Column | Detail |
| --- | --- |
| id | Unique identifier of the event that produced the audit record. |
| eventType | Type of event (audit log) that produced the record. |
| creationDate | Date and time the event entry was written to the log. |
| objectType | Type of object (for example, User, API, Application, and so on) on which the event occurred. |
| action | Type of action (for example, Create, Update, Delete, and so on) that was performed on the object. |
| object | Unique identifier of the API Gateway object on which the action was performed. |
| message | Message that describes the event that occurred. |
| user | Name of a user on the API Gateway instance that triggered the event. |
| sourceMachine | The host name of the machine on which the API Gateway instance is running. |
| clientIPAddress | IP address of the machine on which the API Gateway instance is running. |
| payload | The request payload defined for the event. |
| status | Current status of the event (Success or Failure). |
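
The following is an added example, not part of the API Gateway documentation. It reads a downloaded auditlogs_N.zip and reviews it using the columns listed above, reporting users with repeated Failure records and every Delete action. It assumes each line in the text files is a JSON object keyed by those column names (the page does not specify the record layout); the inner file names and all sample values are constructed.

```python
import io
import json
import zipfile
from collections import Counter

def read_audit_records(zip_bytes):
    """Yield one dict per record from every text file in an auditlogs_N.zip.

    ASSUMPTION: each line is a JSON object keyed by the documented columns;
    the page only says the archive holds "simple text files".
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            for raw in zf.read(name).decode("utf-8").splitlines():
                if raw.strip():
                    yield json.loads(raw)

def review(records, failure_threshold=3):
    """Return ({user: failure count >= threshold}, [Delete actions])."""
    failures, deletions = Counter(), []
    for rec in records:
        if rec.get("status") == "Failure":
            failures[rec.get("user")] += 1
        if rec.get("action") == "Delete":
            deletions.append((rec.get("creationDate"), rec.get("user"),
                              rec.get("objectType"), rec.get("object")))
    flagged = {u: n for u, n in failures.items() if n >= failure_threshold}
    return flagged, deletions

def build_sample_zip():
    """Constructed sample archive; every value and inner file name is made up."""
    spec = [("alice", "API", "Create", "Success"), ("bob", "User", "Update", "Failure"),
            ("bob", "User", "Update", "Failure"), ("bob", "Application", "Delete", "Failure"),
            ("alice", "API", "Delete", "Success")]
    rows = [json.dumps({"id": str(i), "eventType": "sample", "creationDate": f"2024-01-0{i}T10:00:00Z",
                        "objectType": t, "action": a, "object": f"obj-{i}", "message": "constructed",
                        "user": u, "sourceMachine": "gw-host", "clientIPAddress": "192.0.2.10",
                        "payload": "", "status": s})
            for i, (u, t, a, s) in enumerate(spec, start=1)]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("auditlogs_1.txt", "\n".join(rows[:3]))
        zf.writestr("auditlogs_2.txt", "\n".join(rows[3:]))
    return buf.getvalue()

if __name__ == "__main__":
    flagged, deletions = review(read_audit_records(build_sample_zip()))
    print("users with repeated failures:", flagged)
    for when, user, obj_type, obj in deletions:
        print(f"{when} {user} deleted {obj_type} {obj}")
```

To run it against a real download, pass the archive's bytes to read_audit_records and adjust the line parser to the layout your API Gateway version actually writes.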