Treasure Data premium audit logs provide a detailed audit trail of all the activity that occurs in an account. Every event has an associated resource_id, resource name, and timestamp. By identifying specific areas of security concern, you can use the audit log to view potential breaches and unusual behavior and interrupt an unauthorized action.
Treasure Data can provide a log to track all access events in Treasure Data. You use the log to monitor Treasure Data user access to features and functions such as:
TD processing engines
Your account must include the Premium Audit Log feature and you must be an owner or administrator to access the Premium Audit Log initially. Administrators can also assign non-admin users permissions to access the audit log. Users who buy the premium license can view, filter, and query the audit log. The premium audit log captures and holds an unlimited number of events and is stored in a database table structure.
Audit log is an add-on feature and, therefore, must be requested. Contact your Customer Success representative to learn more about the availability of this feature.
Accessing the Audit Log
When you purchase this premium feature, an access table is added to your account Database view. The name for the log is td_audit_log. Even if you have multiple databases, you have only one audit log.
Open TD Console.
Navigate to Data Workbench > Databases.
Open the details of the access tables. For example:
Interpreting the Columns of the Audit Log
All events log the event_name, resource_id, and resource_name. In the audit log table, you can see other columns logged depending on the event. These columns help you determine what action has happened to what TD resource. The full list of column types is in the Premium Audit Log Reference.
By identifying objects with significant security requirements, you can review your premium audit log for those specific objects and track them using audit log events.
Which event in the audit log list has occurred to the resource
A unique number is assigned to the action. You can reference the resource_id to distinguish v4 and v5 events.
Which TD resource was affected
For example, if the event_name is job_modify and it was requested on a specific database cdp_audience_2943.22971502, the audit log will reflect that information in this way:
In the access table, search until you locate the
Search for the job_modify event for more details.
You can also review the resource_name column to look for any patterns that emerge of the same TD resource being affected by different events.
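The two reviews described above (finding every job_modify event, then looking for one resource affected by several different events) can be written as queries. This is an added example, not Treasure Data's own code: it runs against a constructed in-memory SQLite stand-in for the access table, uses only the three columns named on this page, and the example_event_* and example_db_* values are placeholders.

```python
import sqlite3

# Constructed sample rows, not real audit data. Only the three columns named
# on the page are modelled; example_event_* / example_db_* are placeholders.
SAMPLE_ROWS = [
    ("job_modify", 1001, "cdp_audience_2943.22971502"),
    ("example_event_a", 1002, "cdp_audience_2943.22971502"),
    ("example_event_b", 1003, "cdp_audience_2943.22971502"),
    ("job_modify", 1004, "example_db_1"),
    ("job_modify", 1005, "example_db_1"),
    ("example_event_a", 1006, "example_db_2"),
    ("example_event_b", 1007, "example_db_2"),
]

# Review 1: every row recorded for one event_name.
EVENTS_NAMED = """
SELECT resource_id, resource_name
FROM access
WHERE event_name = ?
ORDER BY resource_id
"""

# Review 2: resources affected by several *different* events. Repeats of the
# same event on one resource do not count toward the threshold.
MULTI_EVENT_RESOURCES = """
SELECT resource_name, COUNT(*) AS events,
       COUNT(DISTINCT event_name) AS distinct_events
FROM access
GROUP BY resource_name
HAVING COUNT(DISTINCT event_name) >= ?
ORDER BY distinct_events DESC, events DESC, resource_name
"""

def load_sample():
    """Build an in-memory stand-in for the access table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access "
                 "(event_name TEXT, resource_id INTEGER, resource_name TEXT)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def events_named(conn, event_name):
    return conn.execute(EVENTS_NAMED, (event_name,)).fetchall()

def resources_hit_by_many_events(conn, min_distinct=2):
    return conn.execute(MULTI_EVENT_RESOURCES, (min_distinct,)).fetchall()

if __name__ == "__main__":
    conn = load_sample()
    print(events_named(conn, "job_modify"))
    print(resources_hit_by_many_events(conn))
```

example_db_1 is left out of the second result even though it has two rows, because both are the same event; the pattern of interest is one resource appearing under different event names.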