
Log specification

Cyral data activity logs, also known as Cyral query logs, follow the structure shown below. The particular set of logged fields you'll see in your logs depends on what you have specified in your repository's log settings.

For help setting up logging, see SIEM integrations.

The example below shows an SSO user,, who logged in using the repo account dbuser001 and ran a SELECT query on the invoices-staging PostgreSQL repository:

{
  "activityId": "",
  "activityTime": "2021-01-23 23:22:15.3371171 +0000 UTC",
  "activityTimeNanos": 1611444135337117200,
  "activityTypes": [
    "query"
  ],
  "identity": {
    "endUser": "",
    "repoUser": "dbuser001",
    "group": "Contractors"
  },
  "repo": {
    "id": "1nTuOA06DagHjXWkYMvtIKsee2O",
    "name": "invoices-staging",
    "type": "postgresql",
    "host": "",
    "port": 5432
  },
  "client": {
    "connectionId": "",
    "connectionTime": "2021-01-23 23:22:15.249313581 +0000 UTC",
    "connectionTimeNanos": 1611444135249313500,
    "host": "",
    "port": 23665,
    "applicationName": "psql"
  },
  "sidecar": {
    "id": "1m483glYfG0E041aAGZMcAgFC9q",
    "name": "sidecar-east-2",
    "autoScalingGroupInstance": "i-1234567890abcdef0"
  },
  "request": {
    "statement": "SELECT * FROM playground.transactions",
    "statementType": "SELECT",
    "isSensitive": true,
    "searchPath": [
      "postgres",
      "public"
    ],
    "userConfigParameters": {
      "request.jwt.claim.role": "retailapp",
      "": "a32109hL"
    },
    "datasetsAccessed": [
      {
        "dataset": "playground.transactions",
        "accessType": "read"
      }
    ],
    "fieldsAccessed": [
      {
        "field": "playground.transactions.card_number",
        "label": "CCN",
        "accessType": "read"
      }
    ]
  },
  "response": {
    "message": "OK",
    "isError": false,
    "records": 60,
    "bytes": 14660,
    "executionTime": "1.941074599s",
    "executionTimeNanos": 1941074599
  },
  "policyViolated": false
}

  • Each log entry begins with a header section that includes:

    • activityId: Unique identifier for this log entry
    • activityTime: When this event began
    • activityTimeNanos: Duration of the event
    • activityTypes: What sort of event this entry describes. This may be query for a database query, newConnection when a user connects to a repository, and closedConnection when they disconnect.
  • The identity block shows who performed the action:

    • endUser: The user who authenticated; usually an SSO user
    • repoUser: The native repo account used for the database session
    • group: SSO user group of this user
  • The repo block shows:

    • id: Data repository id in Cyral
    • name: Data repository name in Cyral
    • type: Type of repository, such as PostgreSQL or MongoDB
    • host: Network host of the repository
    • port: Network port of the repository
  • The client block shows:

    • connectionId: A unique id for the client connection
    • connectionTime: Timestamp when client connection was initiated
    • connectionTimeNanos: Duration of connection
    • host: Client's network host
    • port: Client's network port
    • applicationName: Client application that sent the command
  • The sidecar block shows which Cyral sidecar brokered the request:

    • id: Sidecar id
    • name: Sidecar name
    • autoScalingGroupInstance: Id of the sidecar cluster node that brokered the request
  • The request block shows details about the command or query that was run/attempted:

    • statement: The command or query itself. If you have turned on log redaction, then sensitive data will be omitted from the logged statement and replaced with a value of ${cyral-redact}.
    • statementType: Type of command
    • isSensitive: Did this action affect a table or field considered to be sensitive in your Cyral configuration?
    • The userConfigParameters block captures custom configuration parameters that the database user has provided using SET or SELECT set_config statements in their queries. This facility captures parameters that are written as dot-separated strings. For example, userConfigParameters will show the contents of the JWT token if the API client set it before running the query.
    • The datasetsAccessed block lists the tables, collections, columns, and fields affected by this action. Inside this block, each accessed data location is listed as a dataset with an accessType showing whether the action was a read, update, delete, or other action. Within each dataset, the log lists all fieldsAccessed. Each is a field, and if the field has a label in your data map, that is shown here.
  • The response block describes the database response to the command, including any message returned and whether this command resulted in an error (isError). This block indicates how many records and bytes were returned and how long the command took to run.

  • The policyViolated field shows whether this command violated any of your Cyral policy rules.
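
The fields above can drive a first-pass triage of exported logs. The following is an added example, not Cyral code: it flags policy violations, bulk reads of sensitive data, and failed attempts on sensitive data, while tolerating entries that lack a request block or arrive truncated. The one-object-per-line export format, the MAX_RECORDS threshold, the reason strings, and all sample values are assumptions made for illustration.

```python
import json

MAX_RECORDS = 1000  # hypothetical threshold for a "bulk" read; tune per repository

def _query(user, records, violated=False, error=False):
    # Constructed sample entry: field names from the spec, values made up.
    return json.dumps({
        "activityTypes": ["query"],
        "identity": {"endUser": user, "repoUser": "dbuser001"},
        "request": {"statementType": "SELECT", "isSensitive": True,
                    "fieldsAccessed": [{"field": "playground.transactions.card_number",
                                        "label": "CCN", "accessType": "read"}]},
        "response": {"isError": error, "records": records},
        "policyViolated": violated})

SAMPLE_LINES = [  # assumed export format: one JSON object per line
    json.dumps({"activityTypes": ["newConnection"],
                "identity": {"endUser": "alice@example.com"}}),  # no request block
    _query("alice@example.com", 60),
    _query("bob@example.com", 250000, violated=True),
    _query("carol@example.com", 0, error=True),
    '{"activityTypes": ["query"], "identi',  # truncated in transit
]

def triage(entry):
    """Return the reasons a log entry deserves analyst attention."""
    if "query" not in entry.get("activityTypes", []):
        return []
    req, resp = entry.get("request", {}), entry.get("response", {})
    reasons = ["policy-violated"] if entry.get("policyViolated") else []
    if req.get("isSensitive"):
        labels = sorted({f["label"] for f in req.get("fieldsAccessed", []) if f.get("label")})
        if resp.get("records", 0) > MAX_RECORDS:
            reasons.append("bulk-sensitive-read:" + ",".join(labels))
        if resp.get("isError"):
            reasons.append("failed-sensitive-access")
    return reasons

def scan(lines):
    """Return (line number, endUser, reasons) for each flagged or unparseable line."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, None, ["unparseable"]))
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((n, entry.get("identity", {}).get("endUser"), reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Unparseable lines are reported rather than skipped so that gaps in the audit trail are visible to the analyst.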

Learn more