Log Specification
Cyral query logs follow the structure shown below so that policy evaluation tools and reporting dashboards can consume log data consistently, and so that administrators can read the raw logs.
The example below shows an SSO user, bob@hhiu.us, who logged in using the repo account dbuser001 and ran a SELECT query on the invoices-staging PostgreSQL repository:
{
  "activityId": "127.0.0.1:1111:1611444135249313581:1",
  "activityTime": "2021-01-23 23:22:15.3371171 +0000 UTC",
  "activityTimeNanos": 1611444135337117200,
  "activityTypes": ["query"],
  "identity": {"endUser": "bob@hhiu.us", "repoUser": "dbuser001", "group": "Contractors"},
  "repo": {"id": "1nTuOA06DagHjXWkYMvtIKsee2O", "name": "invoices-staging", "type": "postgresql", "host": "172.18.0.4", "port": 5432},
  "client": {"connectionId": "127.0.0.1:1111:1611444135249313581", "connectionTime": "2021-01-23 23:22:15.249313581 +0000 UTC", "connectionTimeNanos": 1611444135249313500, "host": "127.0.0.1", "port": 23665, "applicationName": "psql"},
  "sidecar": {"id": "1m483glYfG0E041aAGZMcAgFC9q", "name": "sidecar-east-2", "autoScalingGroupInstance": "i-1234567890abcdef0"},
  "request": {"statement": "SELECT * FROM playground.transactions", "statementType": "SELECT", "isSensitive": true, "datasetsAccessed": [{"dataset": "playground.transactions", "accessType": "read"}], "fieldsAccessed": [{"field": "playground.transactions.card_number", "label": "CCN", "accessType": "read"}]},
  "response": {"message": "OK", "isError": false, "records": 60, "bytes": 14660, "executionTime": "1.941074599s", "executionTimeNanos": 1941074599},
  "policyViolated": false
}
The identity block shows who performed the action:
- endUser: The user who authenticated; usually an SSO user
- repoUser: The native repo account used for the database session
- group: SSO user group of this user
The repo block shows:
- id: Data repository id in Cyral
- name: Data repository name in Cyral
- type: Type of repository, such as PostgreSQL or MongoDB
- host: Network host of the repository
- port: Network port of the repository
The client block shows:
- connectionId: A unique id for the client connection
- connectionTime: Timestamp when client connection was initiated
- connectionTimeNanos: Duration of connection
- host: Client's network host
- port: Client's network port
- applicationName: Client application that sent the command
The sidecar block shows which Cyral sidecar brokered the request:
- id: Sidecar id
- name: Sidecar name
- autoScalingGroupInstance: Id of the sidecar cluster node that brokered the request
The request block shows details about the command or query that was run/attempted:
- statement: The command or query itself
- statementType: Type of command
- isSensitive: Did this action affect a table or field considered to be sensitive in your Cyral configuration?
The datasetsAccessed block lists the tables, collections, columns, and fields affected by this action. Inside this block, each accessed data location is listed as a dataset with an accessType showing whether the action was a read, update, delete, or other action. Within each dataset, the log lists all fieldsAccessed. Each is a field, and if the field has a label in your data map, that is shown here.
The response block describes the database response to the command, including any message returned and whether this command resulted in an error (isError). This block indicates how many records and bytes were returned and how long the command took to run.
The policyViolated field shows whether this command violated any of your Cyral policy rules.
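As an added example (not Cyral's code), the Python below triages log lines in this format: it flags records where policyViolated is true or where a sensitive, non-error request returned at least a threshold number of records, and it counts lines that fail to parse instead of dropping them. The threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import json

RECORD_THRESHOLD = 1000  # assumed alerting threshold for this example, not a Cyral default

def triage(lines, threshold=RECORD_THRESHOLD):
    """Return (findings, unparsed_count) for an iterable of query-log lines."""
    findings, unparsed = [], 0
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            ident, req, resp = rec["identity"], rec["request"], rec["response"]
        except (json.JSONDecodeError, KeyError, TypeError):
            unparsed += 1  # count it: an unreadable record is a gap in the audit trail
            continue
        reasons = []
        if rec.get("policyViolated"):
            reasons.append("policy violated")
        if (req.get("isSensitive") and not resp.get("isError")
                and resp.get("records", 0) >= threshold):
            reasons.append(f"bulk sensitive read ({resp['records']} records)")
        if reasons:
            labels = {f["label"] for f in req.get("fieldsAccessed", []) if f.get("label")}
            findings.append({
                "line": n,
                "activityId": rec.get("activityId"),
                "who": f"{ident.get('endUser')} via {ident.get('repoUser')}",
                "labels": sorted(labels),
                "reasons": reasons,
            })
    return findings, unparsed

def sample_line(activity_id, end_user, records, sensitive, violated, labels=()):
    """Build one constructed log line carrying only the fields triage() reads."""
    return json.dumps({
        "activityId": activity_id,
        "identity": {"endUser": end_user, "repoUser": "dbuser001", "group": "Contractors"},
        "request": {"statementType": "SELECT", "isSensitive": sensitive,
                    "fieldsAccessed": [{"field": "playground.transactions.card_number",
                                        "label": lb, "accessType": "read"} for lb in labels]},
        "response": {"isError": False, "records": records},
        "policyViolated": violated,
    })

SAMPLE_LINES = [  # constructed data, not real Cyral output
    sample_line("conn-a:1", "bob@hhiu.us", 60, True, False, ["CCN"]),
    sample_line("conn-a:2", "bob@hhiu.us", 25000, True, False, ["CCN"]),
    sample_line("conn-b:1", "alice@example.com", 3, False, True),
    '{"identity": {"endUser": "bob@hhiu.us", "repoUser": "dbuser001""group": "Contractors"}}',
]
```

Calling `triage(SAMPLE_LINES)` returns the two flagged records plus a count of one unparsed line; the last sample line is deliberately malformed (a missing comma) to exercise that path.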
© Copyright 2021 Cyral Inc. All rights reserved.