Version: v4.10

Sidecar Logging

Cyral sidecars output two types of logs: data activity logs, which can be used to monitor database activity, and diagnostic logs, which can be used to monitor the health and activity of the sidecar itself.

The sidecar emits data activity logs to its stdout stream and diagnostic logs to its stderr stream. For multi-container sidecars, logs are aggregated by the cyral_log_shipper container and output to that container's standard streams.

Data Activity Logs

Data activity logs describe queries and other operations performed on your data, and detail who is accessing which data and how they are doing so. Data activity logs can be used to monitor and visualize activity on your data repositories.

Data activity logs are structured JSON documents that include information about database activity, such as executed SQL statements, user identity information, and whether any policies were violated. Please see the data activity logs reference for a complete breakdown of the structure and content of the data activity logs.

Cyral admins can customize which fields are logged and which types of database events generate data activity logs on a per-repository basis. Additionally, Cyral can be customized to redact sensitive values from data activity logs.

Diagnostic Logs

Diagnostic logs are sidecar application-level logs, also sometimes referred to as "debug logs". These logs may be useful for diagnosing sidecar issues, analyzing sidecar performance, and general troubleshooting.

While diagnostic logs are still structured JSON documents, their structure is simpler than data activity logs. In general, a sidecar diagnostic log message may look like:

{
  "time": "2006-01-02T15:04:05.000000Z",
  "instanceId": "some-sidecar-instance-id",
  "level": "info",
  "msg": "Some log message",
  "stream": "stderr",
  "svc": "pg-wire"
}

  • time is the timestamp the log message was generated.
  • instanceId is the identifier of the sidecar instance which generated the log (useful in multi-instance sidecar clusters).
  • level is the log level. Valid log levels are trace, debug, info, warning, error, fatal, and panic.
  • msg is the log message.
  • stream is the standard stream on which the log was generated. This should always be stderr.
  • svc is the name of the sidecar microservice which generated the log message.
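
As an added example (not Cyral's own code), the following Python sketch picks diagnostic records out of a combined log stream using the fields described above and counts records at error level or above per sidecar instance and service. The instance ids, the "example-svc" name, the messages and the placeholder data activity line are constructed for illustration.

```python
import json
from collections import Counter

# Levels listed on the page, ordered from least to most severe.
LEVELS = ["trace", "debug", "info", "warning", "error", "fatal", "panic"]
FIELDS = ("time", "instanceId", "level", "msg", "stream", "svc")

def parse_diagnostic(line):
    """Return the record if it has the documented fields, stream and level, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or any(not isinstance(rec.get(k), str) for k in FIELDS):
        return None
    if rec["stream"] != "stderr" or rec["level"] not in LEVELS:
        return None
    return rec

def summarize(lines, min_level="error"):
    """Count records at or above min_level per (instanceId, svc), plus other lines."""
    threshold = LEVELS.index(min_level)
    hits, other = Counter(), 0
    for line in lines:
        rec = parse_diagnostic(line)
        if rec is None:
            other += 1  # data activity log, plain text, or malformed record
        elif LEVELS.index(rec["level"]) >= threshold:
            hits[(rec["instanceId"], rec["svc"])] += 1
    return hits, other

def sample_line(instance, level, svc, msg):  # builds one constructed sample line
    return json.dumps({"time": "2006-01-02T15:04:05.000000Z", "instanceId": instance,
                       "level": level, "msg": msg, "stream": "stderr", "svc": svc})

# Constructed sample input; only "pg-wire" and the field names come from the page.
SAMPLE = [
    sample_line("sidecar-a", "info", "pg-wire", "listener started"),
    sample_line("sidecar-a", "error", "pg-wire", "connection reset"),
    sample_line("sidecar-b", "fatal", "example-svc", "startup failed"),
    sample_line("sidecar-a", "error", "pg-wire", "connection reset"),
    sample_line("sidecar-a", "notice", "pg-wire", "level outside the documented set"),
    '{"placeholder": "data activity log; its structure is not shown on this page"}',
    "plain text line that is not JSON",
]

if __name__ == "__main__":
    hits, other = summarize(SAMPLE)
    print(dict(hits), "other lines:", other)
```

A rising count of "other" lines from a stream that should carry only diagnostic logs is itself worth alerting on, since it means records are arriving in a shape the parser does not recognize.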

Log Management

Cyral gives you the ability to send sidecar logs to various destinations such as Splunk, AWS CloudWatch, and many others. Please refer to the "Integrations -> Logs" section for complete details.

When using Cyral's logging integration features, the log management destinations for the sidecar's data activity logs and diagnostic logs can be configured independently in the sidecar's Logging settings: on the Control Plane, navigate to Sidecars -> {sidecar name} -> Settings (tab) -> Logging.

Additionally, sidecar logs can be aggregated and managed with any log management tooling deployed to your infrastructure, such as FluentD or Fluent Bit, by consuming the standard output and error streams of the sidecars.
