Log specification
Cyral data activity logs, also known as Cyral query logs, follow the structure shown below. The particular set of logged fields you'll see in your logs depends on what you have specified in your repository's log settings.
For help setting up logging, see log integrations.
The example below shows an SSO user, bob@hhiu.us, who logged in using the repo account dbuser001 and ran a SELECT query on the invoices-staging PostgreSQL repository:
{
  "activityId": "127.0.0.1:1111:1611444135249313581:1",
  "activityTime": "2021-01-23 23:22:15.3371171 +0000 UTC",
  "activityTimeNanos": 1611444135337117200,
  "activityTypes": [
    "query"
  ],
  "identity": {
    "endUser": "bob@hhiu.us",
    "repoUser": "dbuser001",
    "group": "Contractors"
  },
  "repo": {
    "id": "1nTuOA06DagHjXWkYMvtIKsee2O",
    "name": "invoices-staging",
    "type": "postgresql",
    "host": "172.18.0.4",
    "port": 5432
  },
  "client": {
    "connectionId": "127.0.0.1:1111:1611444135249313581",
    "connectionTime": "2021-01-23 23:22:15.249313581 +0000 UTC",
    "connectionTimeNanos": 1611444135249313500,
    "host": "127.0.0.1",
    "port": 23665,
    "applicationName": "psql"
  },
  "sidecar": {
    "id": "1m483glYfG0E041aAGZMcAgFC9q",
    "name": "sidecar-east-2",
    "autoScalingGroupInstance": "i-1234567890abcdef0"
  },
  "request": {
    "statement": "SELECT * FROM playground.transactions",
    "statementType": "SELECT",
    "isSensitive": true,
    "searchPath": [
      "postgres",
      "public"
    ],
    "userConfigParameters": {
      "request.jwt.claim.role": "retailapp",
      "request.jwt.claim.id": "a32109hL"
    },
    "datasetsAccessed": [
      {
        "dataset": "playground.transactions",
        "accessType": "read"
      }
    ],
    "fieldsAccessed": [
      {
        "field": "playground.transactions.card_number",
        "label": "CCN",
        "accessType": "read"
      }
    ]
  },
  "response": {
    "message": "OK",
    "isError": false,
    "records": 60,
    "bytes": 14660,
    "executionTime": "1.941074599s",
    "executionTimeNanos": 1941074599
  },
  "policyViolated": false
}
Each log entry begins with a header section that includes:
- activityId: Unique identifier for this log entry
- activityTime: When this event began
- activityTimeNanos: Duration of the event
- activityTypes: What sort of event this entry describes. This may be query for a database query, newConnection when a user connects to a repository, and closedConnection when they disconnect.
The identity block shows who performed the action:
- endUser: The user who authenticated; usually an SSO user
- repoUser: The native repo account used for the database session
- group: SSO user group of this user
The repo block shows:
- id: Data repository id in Cyral
- name: Data repository name in Cyral
- type: Type of repository, such as PostgreSQL or MongoDB
- host: Network host of the repository
- port: Network port of the repository
The client block shows:
- connectionId: A unique id for the client connection
- connectionTime: Timestamp when client connection was initiated
- connectionTimeNanos: Duration of connection
- host: Client's network host
- port: Client's network port
- applicationName: Client application that sent the command
The sidecar block shows which Cyral sidecar brokered the request:
- id: Sidecar id
- name: Sidecar name
- autoScalingGroupInstance: Id of the sidecar cluster node that brokered the request
The request block shows details about the command or query that was run/attempted:
- statement: The command or query itself. If you have turned on log redaction, then sensitive data will be omitted from the logged statement and replaced with a value of ${cyral-redact}.
- statementType: Type of command
- isSensitive: Did this action affect a table or field considered to be sensitive in your Cyral configuration?
- The userConfigParameters block captures custom configuration parameters that the database user has provided using SET or SELECT set_config statements in their queries. This facility captures parameters that are written as dot-separated strings. For example, userConfigParameters will show the contents of the JWT token if the API client set it before running the query.
- The datasetsAccessed block lists the tables, collections, columns, and fields affected by this action. Inside this block, each accessed data location is listed as a dataset with an accessType showing whether the action was a read, update, delete, or other action. Within each dataset, the log lists all fieldsAccessed. Each is a field, and if the field has a label in your data map, that is shown here.
The response block describes the database response to the command, including any message returned and whether this command resulted in an error (isError). This block indicates how many records and bytes were returned and how long the command took to run.
The policyViolated field shows whether this command violated any of your Cyral policy rules.
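As an added example (not part of Cyral's documentation or tooling), the following Python reads newline-delimited entries in the structure described above and flags queries that either violated a policy or touched a field carrying a watched data-map label such as CCN. The sample log is constructed: the page's SELECT entry trimmed to the relevant fields, plus a newConnection event and a harmless query that are assumptions for illustration.

```python
import json

# Constructed sample, one entry per line, modelled on the structure above: the
# page's SELECT entry (trimmed), a constructed newConnection event and a
# constructed query that touched no labelled field.
SAMPLE_LOG = r'''
{"activityId":"127.0.0.1:1111:1611444135249313581:1","activityTypes":["query"],"identity":{"endUser":"bob@hhiu.us","repoUser":"dbuser001","group":"Contractors"},"repo":{"name":"invoices-staging","type":"postgresql"},"client":{"applicationName":"psql"},"request":{"statement":"SELECT * FROM playground.transactions","statementType":"SELECT","isSensitive":true,"fieldsAccessed":[{"field":"playground.transactions.card_number","label":"CCN","accessType":"read"}]},"response":{"isError":false,"records":60},"policyViolated":false}
{"activityId":"127.0.0.1:1111:1611444135249313581:0","activityTypes":["newConnection"],"identity":{"endUser":"bob@hhiu.us","repoUser":"dbuser001"},"repo":{"name":"invoices-staging"},"client":{"applicationName":"psql"},"policyViolated":false}
{"activityId":"127.0.0.1:1112:1611444200000000000:1","activityTypes":["query"],"identity":{"endUser":"alice@hhiu.us","repoUser":"dbuser002"},"repo":{"name":"invoices-staging"},"client":{"applicationName":"psql"},"request":{"statement":"SELECT 1","statementType":"SELECT","isSensitive":false,"fieldsAccessed":[]},"response":{"isError":false,"records":1},"policyViolated":false}
'''

def labelled_accesses(entry: dict) -> dict:
    """Map each data-map label in request.fieldsAccessed (e.g. "CCN") to the
    access types seen for it. Connection events carry no request block."""
    out = {}
    for f in entry.get("request", {}).get("fieldsAccessed", []):
        if f.get("label"):
            out.setdefault(f["label"], set()).add(f.get("accessType", "unknown"))
    return out

def should_alert(entry: dict, watched: set) -> bool:
    """Alert on a query that Cyral marked as a policy violation, or that touched
    a field carrying one of the watched data-map labels."""
    if "query" not in entry.get("activityTypes", []):
        return False  # newConnection / closedConnection events carry no query
    if entry.get("policyViolated"):
        return True
    return bool(watched.intersection(labelled_accesses(entry)))

def scan(log_text: str, watched: set) -> list:
    """Parse newline-delimited entries; return one triage summary per alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if not should_alert(entry, watched):
            continue
        ident = entry.get("identity", {})
        alerts.append({
            "activityId": entry["activityId"],
            "endUser": ident.get("endUser"),
            "repoUser": ident.get("repoUser"),
            "repo": entry.get("repo", {}).get("name"),
            "application": entry.get("client", {}).get("applicationName"),
            "labels": sorted(labelled_accesses(entry)),
            "records": entry.get("response", {}).get("records", 0),
        })
    return alerts
```

Running scan(SAMPLE_LOG, {"CCN"}) on the constructed log returns a single alert for bob@hhiu.us via dbuser001, while the connection event and the harmless query are skipped.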