# Audit Logging
You can use any audit log service (e.g. the [SAP CP Audit Logging service](https://help.sap.com/viewer/eb42e48f5e9c4c9ab58a7ad73ff3bc66/2.1.0.0/en-US/16787b24e67a4611b899b8f8d36f97f7.html)) to record access to sensitive data.
## SAP CP Audit Logging service
There are four main categories of audit logs:
* Log read access to sensitive personal data
* Log changes to personal data
* Security event log
* Configuration change log
## Writing Logs
### Writing API Requirements
* Tenant ID
* Username
* Password
* Writing URL
```json
{
  "vendor": "SAP",
  "url": "<Write_API_URL>:8081",
  "user": "XYZ",
  "password": "XYZ"
}
```
> **Add an Istio ServiceEntry**: Because of an Istio restriction, you need to add an Istio ServiceEntry object to the lambda namespace to be able to make `https` requests to a custom port!
```bash
cat << EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: audit-logging
  namespace: <LAMBDA_NAMESPACE>
spec:
  hosts:
  - '<Write_API_URL>'
  location: MESH_EXTERNAL
  ports:
  - name: auditlog
    number: 8081
    protocol: HTTPS
EOF
```
### Example of writing logs of the read access to sensitive personal data in the Lambda function
We will use the v2 version of the Audit Log API, as recommended [here](https://wiki.wdf.sap.corp/wiki/display/JPaaS/Documentation%3A+Audit+Log+Retrieval+API+for+Cloud+Foundry).
```javascript
const axios = require("axios");

const url = "<Write_API_URL>:8081/audit-log/v2/data-accesses";
const uuid = "<UUID>";
const user = "<UUID>";
const tenant = "<UUID>";
const username = "<USER>";
const password = "<PASSWORD>";

const config = {
  headers: {
    "Content-Type": "application/json"
  },
  // HTTP basic auth with the Write API credentials
  auth: { username, password }
};

module.exports = {
  main: function (event, context) {
    // Take the timestamp per call: a module-level Date is evaluated once at
    // cold start and every record written afterwards would carry that time.
    const date = new Date();
    var data = {
      uuid: uuid,
      user: user,
      tenant: tenant,
      time: date.toISOString(),
      object: {
        type: "Event ID",
        id: {
          value: event.extensions.request.headers['ce-id'],
        }
      },
      data_subject: {
        type: "Event ID",
        role: "Operator",
        id: {
          value: "0987654321",
        }
      },
      attributes: [
        {
          name: "Event ID",
          successful: true
        }
      ]
    };
    // Return the promise so the runtime waits for the write to complete
    // instead of finishing the invocation while the request is in flight.
    return axios
      .post(url, data, config)
      .then(({ data }) => {
        console.log(data);
        return data;
      })
      .catch(e => {
        console.log(e);
      });
  }
};
```
Lambda function dependencies:
```json
{
  "dependencies": {
    "axios": "^0.19.2"
  }
}
```
The response looks as follows:
```json
{
  "id": "69e1d293-fee0-4d1b-8324-59a846dda4fb"
}
```
## Reading Logs
### Reading API Requirements
* Tenant UUID
* Client_ID
* Client_Secret
* OAuth2 URL to get the token
* Auditlog Read API URL
#### Get Access Token for reading
Execute the following request using cURL:
```bash
export CLIENT_ID='<Client_ID>'
export CLIENT_SECRET='<Client_Secret>'
# Strip newlines: GNU base64 wraps output longer than 76 characters, which
# would corrupt the Authorization header for long client secrets.
export AUTH=$(echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64 | tr -d '\n')
export OAUTH_URL='<OAUTH_URL>'
curl --request POST \
  --url "${OAUTH_URL}/oauth/token?grant_type=client_credentials&token_format=jwt" \
  --header "authorization: Basic $AUTH" \
  --header 'content-type: application/x-www-form-urlencoded'
```
The response contains:
* JWT token
* Scopes
* Other data described [here](https://docs.cloudfoundry.org/api/uaa/version/4.30.0/index.html#with-authorization)
We have now got a JWT token carrying the `uaa.resource` and `auditlog-management!b3034.ReadAuditLogs` scopes.
### Read Audit logs flow
The API spec can be found [here](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/30ece35bac024ca69de8b16bff79c413.html).
Execute the following request, using the JWT token obtained in the previous step:
```bash
export AUDIT_LOG_READ_URL='<AUDIT_LOG_READ_URL>'
export BEARER_TOKEN='<JWT_TOKEN>'
curl --request GET \
  --url "${AUDIT_LOG_READ_URL}/auditlog/v2/auditlogrecords" \
  --header "authorization: Bearer ${BEARER_TOKEN}"
```
The response contains the log records, for example:
```json
{
  "message_uuid": "<UUID>",
  "time": "2020-03-23T00:00:00.000Z",
  "tenant": "<UUID>",
  "org_id": "<UUID>",
  "space_id": "<UUID>",
  "app_or_service_id": "<UUID>",
  "als_service_id": "<UUID>",
  "user": "<UUID>",
  "category": "audit.data-access",
  "format_version": "",
  "message": "{\"uuid\":\"<UUID>\",\"user\":\"<UUID>\",\"time\":\"2020-03-24T16:29:49.115Z\",\"object\":{\"type\":\"Event ID\",\"id\":{\"value\":\"1234567890\"}},\"data_subject\":{\"type\":\"Event ID\",\"role\":\"Operator\",\"id\":{\"value\":\"0987654321\"}},\"data_subjects\":[],\"attributes\":[{\"name\":\"Event ID\",\"successful\":true}],\"attachments\":[],\"id\":\"58f98397-d54d-497b-a993-831b7f172f4a\",\"category\":\"audit.data-access\",\"tenant\":\"bf27e689-fea8-414b-9090-e049a528bd37\",\"customDetails\":{}}"
}
```
This is the record we wrote in the Writing Logs section; note that the original data-access record is returned as a JSON-encoded string inside the `message` field. As an alternative, there is an option to [view logs in the UI](https://github.wdf.sap.corp/xs-audit-log/sap-cp-audit-log-service-docs/wiki/Viewing-and-Retrieving-of-Audit-Logs).
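To verify that a write actually landed in the audit trail, the `id` returned by the Write API can be matched against the records returned by the Read API. The following is an added example, not code from the original page or from the SAP service; all record ids in it are constructed, and it assumes the Read API response has already been fetched into an array of records:

```javascript
// Added example: correlate a Write API response with Read API records.
// The Read API wraps the original record as a JSON-encoded string in the
// "message" field, so that field has to be parsed a second time.
// All ids below are constructed sample values.

// Shape of the Write API response, with a constructed id.
const WRITE_RESPONSE = { id: "aaaaaaaa-1111-4222-8333-444444444444" };

// Two well-formed Read API records plus one whose message field is corrupted.
const READ_RESPONSE = [
  {
    message_uuid: "bbbbbbbb-1111-4222-8333-444444444444",
    time: "2020-03-24T16:29:49.115Z",
    category: "audit.data-access",
    message: JSON.stringify({
      id: WRITE_RESPONSE.id,
      category: "audit.data-access",
      object: { type: "Event ID", id: { value: "1234567890" } },
      data_subject: { type: "Event ID", role: "Operator", id: { value: "0987654321" } },
      attributes: [{ name: "Event ID", successful: true }]
    })
  },
  {
    message_uuid: "cccccccc-1111-4222-8333-444444444444",
    time: "2020-03-24T16:30:00.000Z",
    category: "audit.data-access",
    message: JSON.stringify({ id: "dddddddd-1111-4222-8333-444444444444", category: "audit.data-access", attributes: [] })
  },
  { message_uuid: "eeeeeeee-1111-4222-8333-444444444444", category: "audit.data-access", message: "{not json" }
];

// Decode the nested message of every record. Unparsable messages are reported
// rather than silently dropped: a gap in the audit trail is itself a finding.
function decodeAuditRecords(records) {
  const decoded = [];
  const unparsable = [];
  for (const r of records) {
    try {
      decoded.push({ message_uuid: r.message_uuid, time: r.time, category: r.category, record: JSON.parse(r.message) });
    } catch (e) {
      unparsable.push(r.message_uuid);
    }
  }
  return { decoded, unparsable };
}

// Return the data-access record whose inner id equals the id the Write API returned, or null.
function findWrittenRecord(records, writeId) {
  const { decoded } = decodeAuditRecords(records);
  return decoded.find(d => d.category === "audit.data-access" && d.record.id === writeId) || null;
}
```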