Apigee Edge Auditing

Google Cloud Apigee Knowledge Hub
1

Auditing

Introduction:

This article discusses the auditing capabilities and APIs that are available out of the box in Apigee Edge. Auditing is extremely important like any other component for a software or a platform. As an admin, you would want to know what are the different actions and events performed on the platform. In case of any issues, it is this feature that comes to the rescue or at least helps you track and narrow down the potential cause.

Using auditing, you can check not only the calls made but also check the entitlements for each calling user. It is very important that the admins understand this and use it correctly.

Below are the different aspects of Apigee Edge’s out-of-the-box auditing capabilities:

  • Logs a record for every call made to the management API and stores it in the Apigee Edge data store
  • These records can be viewed using:
    • Management UI
    • Management API
  • Audit logs are stored in Apigee Edge central data store and be viewed using:
  • These records can be useful for CI/CD pipeline to understand the different deployments across various teams happening in each environment.
  • Useful to audit RBAC entitlements for different users of Apigee Edge (API Developers, non-human users used for deployments and automation, etc.)

What is being logged as part of an audit?

The following information is logged as part of an audit:

  • Operation: create, update, delete
  • Request URI
  • Request
  • Response code
  • User
  • Timestamp

Can I get audit records just for a developer or any other entities?

Apigee Edge Auditing gives you different levels of auditing as well. Depending on the audit requirements, you can pull the audits appropriately. The different levels of auditing are:

  • Developers (all, single)
  • Apigee Edge Users
  • Organization
  • API Products
  • API Proxies
  • Apps
  • Trace sessions

Other Questions:

  • Can I get the audit for deployments?
    • Yes, there is an API. Refer to this community post for additional information.
  • How do I get to know if there are new Organization users added in my Edge organization?
    • You can use the Audit API or UI to view the same. Please refer to the Reference section below
  • Is there any way we can log all the changes made in the KVM and configuration in API through the Management Console or via a script?
    • Yes, there is an audit API for this. If you query the audit trail, you will see changes in KVM, changes in API Proxies, proxy deployments and un-deployments, API Products, developers, developer apps, and so on. Refer to this community post for additional information.

Reference:

Management API: http://docs.apigee.com/api/audits-0

Apigee Audit Documentation: http://docs.apigee.com/api-services/content/view-api-history

Audit on the Edge UI looks like

pFjB_7_Rmimkb-lF7q8Dup7PAFZwECYWF1VPDnNuq_E3fLsvQIThbmGYMogicA1gQWNASxAIjSCkPbRD_1MCUAiCkUuiR_-NXgI1QhTnj2R-U12Emak5a963-ABYEjSpkBcvxkyW
pFjB_7_Rmimkb-lF7q8Dup7PAFZwECYWF1VPDnNuq_E3fLsvQIThbmGYMogicA1gQWNASxAIjSCkPbRD_1MCUAiCkUuiR_-NXgI1QhTnj2R-U12Emak5a963-ABYEjSpkBcvxkyW819×371 76 KB

5J4P8lY9Yj1LQnZiEhs7rEcz3MSE6ixDbTToRYT0PeI7sIbVuCVIY7Ax9cEez6H5eYp3QLSn5-xiJgIOH2eROFFj1nwD4NtL8xgLz6zn1FOvIpfje0D2FSTLQZB4f3_rhEZH3yVr
5J4P8lY9Yj1LQnZiEhs7rEcz3MSE6ixDbTToRYT0PeI7sIbVuCVIY7Ax9cEez6H5eYp3QLSn5-xiJgIOH2eROFFj1nwD4NtL8xgLz6zn1FOvIpfje0D2FSTLQZB4f3_rhEZH3yVr1227×357 77.1 KB

3 Likes
2

Great article, is there a retention period on audit logs?

3

@Sai Saran Vaidyanathan

Where this org history is stored ? Is it cassandra? and is there a retention period ?

4

Was this written before the official documentation came out? Because to me it looks like everything in this article can be found in the official documentation.

I am interested in finding out the retention period for audit entries, if it can be configured and if what is audited can be configured too.

But this information is missing from the official documentation too.

5

Audit logs are stored in a dedicated Cassandra DB keyspace “audit” and table called “audits”. The audit entries are persisted forever and there is no job periodical activity to purge them by their age.

If needed for compliance, this can be added as a daily purge, using the timestamp field.

Audits schema is below:

audit.audits ( key text PRIMARY KEY, clientip text, id text, operation text, request text, requesturi text, response text, responsecode text, serverhostname text, serverip text, timestamp bigint, type text, user text, “x-forwarded-for” text )

Additionally, audits_ref reference table is below:

audit.audits_ref ( key text, column1 ‘org.apache.cassandra.db.marshal.DynamicCompositeType(org.apache.cassandra.db.marshal.UTF8Type, org.apache.cassandra.db.marshal.LongType)’, value blob, PRIMARY KEY (key, column1) )

1 Like
6

@Nicola

how do i integrate this log with a syslog? Any community post? Surely others must have done it.

7

Hi, Is there a way we can see these History in logs ? I am looking for a way to see these updates getting stored at system level for monitoring ? Appreciate your assistance. Thanks