Audit Trail

Track changes to resources within BindPlane OP.

important

📘 Audit Trail is a BindPlane OP Enterprise Edition feature.

What is Audit Trail?

Audit Trail is a feature for BindPlane OP Enterprise Edition that creates a log of events that can be used for auditing resources that are created and modified within BindPlane OP. With the audit trail, you can keep track of changes to configurations, rollouts, and users in your project.

Configuration

The audit trail feature is automatically enabled in BindPlane OP Enterprise Edition.

Retention may be configured in your server config, by setting the auditTrail.retentionDays configuration option. In this example, events are configured to be retained for 60 days:

```yaml
auditTrail:
  retentionDays: 60
```

By default, the audit trail will retain audit events for 30 days.

Viewing Audit Events

Audit events can be viewed through either the UI or the CLI.

UI

The audit logs can be accessed by admins of the project by clicking the gear icon in the top right of the BindPlane UI, then on the Audit Logs option.


On the Audit Logs page, you will see the following:

  1. You can filter by the affected configuration. This input accepts both the configuration name, as well as the configuration name + version (e.g. myconfig:3 would filter out all logs except for ones affecting version 3 of myconfig).
  2. You can filter by the user whose action created the log.
  3. You can set the minimum date of logs to view.
  4. You can set the maximum date of logs to view.
  5. You can export and download the current view with all active filters to a CSV file.

Below, you will see a table of all audit events that match the current filters.

CLI

To retrieve audit events, the bindplane get audit-events command can be used.
In addition to the standard options for bindplane get, there are some extra parameters that may optionally be specified in order to filter the retrieved audit events:

| Flag | Description |
| --- | --- |
| --configuration | The name of the configuration to filter by |
| --max-date | The maximum date for the events filter, in the format of YYYYMMDDHHMMSS |
| --min-date | The minimum date for the events filter, in the format of YYYYMMDDHHMMSS |
| --user | The display name of the user who made the change to filter by |

For a full list of configuration flags, run the bindplane get audit-events --help command.

CLI Examples

Output Audit Events as CSV

```sh
bindplane get audit-events -o csv
```

Get All Audit Events Generated by a Specific User

```sh
bindplane get audit-events --user "admin-user"
```

Get All Audit Events for a Specific Configuration

```sh
bindplane get audit-events --configuration "my-configuration"
```

Get All Audit Events for a Specific Configuration (with version)

```sh
bindplane get audit-events --configuration "my-configuration:13"
```

Get All Audit Events for the Past Day

```sh
bindplane get audit-events --min-date "$(date -u --date='1 days ago' '+%Y%m%d%H%M%S')"
```

Types of Events

Currently, there are three categories of events that are logged to the audit trail.

Configuration Events

When a configuration is created or modified, an event is logged specifying which resource of the config was modified, along with the user that modified it. The following events may be emitted:

| Action | Resource Kind | Description |
| --- | --- | --- |
| Created | Source | A new source of the type specified by the resource name has been added to the configuration. |
| Created | Processor | A new processor of the type specified by the resource name has been added to the configuration. |
| Created | Destination | A new destination of the type specified by the resource name has been added to the configuration. |
| Modified | Source | A source of the type specified by the resource name has been modified for the configuration. |
| Modified | Processor | A processor of the type specified by the resource name has been modified for the configuration. |
| Modified | Destination | A destination of the type specified by the resource name has been modified for the configuration. |
| Deleted | Source | A source of the type specified by the resource name has been removed from the configuration. |
| Deleted | Processor | A processor of the type specified by the resource name has been removed from the configuration. |
| Deleted | Destination | A destination of the type specified by the resource name has been removed from the configuration. |

Rollout Events

When a new rollout is created, started, paused, or resumed, an event is logged for the configuration. The following events may be emitted:

| Action | Resource Kind | Description |
| --- | --- | --- |
| Pending | Rollout | A new rollout has been created in a Pending state for the configuration. |
| Started | Rollout | A rollout has been started for the configuration. |
| Paused | Rollout | An in-progress rollout has been paused for the configuration. |
| Resumed | Rollout | A previously paused rollout has been resumed for the configuration. |

User Events

When users are added to, removed from, or modified in a project, an audit event is logged for that user. The following events may be emitted:

| Action | Resource Kind | Description |
| --- | --- | --- |
| Created | User | The user specified by the resource name has been added to the project. |
| Modified | User | The user specified by the resource name has had their role changed to the role specified in the resource name. |
| Deleted | User | The user specified by the resource name has been removed from the project. |
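
The following is an added example, not part of the BindPlane documentation: a small triage pass over a CSV export of audit events that surfaces the Action / Resource Kind pairs from the tables above that usually deserve a second look, and builds the `--min-date` value without depending on GNU `date`. The CSV column names, the sample rows, the approved-user list, and the use of UTC for the date value are assumptions; check the header of a real export before relying on it.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed CSV header names; confirm against a real `-o csv` export.
COL_USER, COL_ACTION, COL_KIND = "User", "Action", "Resource Kind"

# (Action, Resource Kind) pairs from the event tables that merit review.
REVIEW = {
    ("Created", "User"): "new project member",
    ("Modified", "User"): "role change",
    ("Deleted", "User"): "member removed",
    ("Deleted", "Destination"): "destination removed",
    ("Deleted", "Source"): "source removed",
    ("Paused", "Rollout"): "rollout paused",
}

# Constructed sample export (not real BindPlane output).
SAMPLE = """Timestamp,User,Action,Resource Kind,Resource Name
2025-01-10T09:00:00Z,admin-user,Modified,Processor,filter
2025-01-10T09:05:00Z,admin-user,Started,Rollout,my-configuration:13
2025-01-10T22:41:00Z,temp-contractor,Deleted,Destination,googlecloud
2025-01-10T22:43:00Z,temp-contractor,Modified,User,admin
2025-01-10T22:50:00Z,temp-contractor,Modified,Source,filelog
"""

def cli_date(dt):
    """Format an aware datetime as YYYYMMDDHHMMSS (UTC assumed)."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")

def export_command(now, days=1):
    """argv that exports the last `days` days of audit events as CSV."""
    return ["bindplane", "get", "audit-events", "-o", "csv",
            "--min-date", cli_date(now - timedelta(days=days))]

def triage(csv_text, approved_users):
    """Return (reason, row) for reviewable events and unapproved actors."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row[COL_ACTION].strip(), row[COL_KIND].strip())
        if key in REVIEW:
            findings.append((REVIEW[key], row))
        elif row[COL_USER].strip() not in approved_users:
            findings.append(("change by user outside approved list", row))
    return findings

if __name__ == "__main__":
    print(" ".join(export_command(datetime.now(timezone.utc))))
    for reason, row in triage(SAMPLE, {"admin-user"}):
        print(reason, "|", row[COL_USER], "|", row["Resource Name"])
```

Running the triage on a schedule shorter than `auditTrail.retentionDays` keeps a reviewed copy of events before they age out of the server.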