Auditing
Administrators' guide to BastionZero's auditing capabilities
BastionZero generates many types of events. Similar events are grouped together to create log views. BastionZero currently maintains five different types of event logs available to administrators through the web app and the API. All event types that comprise logs can be retrieved from the BastionZero API as a group or filtered based on criteria, like an SSO user, target user, or target name.
All logs are updated in real time as they come into BastionZero and are stored with a UTC timestamp. Your web browser will convert the UTC timestamp to the browser local time, and thus all events from anywhere in the world are seen in order when viewing from any time zone.
Command logs are events associated with shells. They are the command line event typed at the shell by the user. BastionZero records which SSO user ran what command on which target as what target user (i.e., Alice ran
echo 'hello world' on the remote host foo as the target user admin).Kubernetes logs are events associated with executing k8s API either using
kubectl or the zli clients. Regardless of whether an end user uses kubectl or the zli, BastionZero records the timestamp, SSO user, target cluster, target user or group, and API associated with the command. When the zli is used, BastionZero also records the command text associated with the command. Further, when the zli is used to exec into a container, BastionZero will record that shell command text as well.Connections are events associated with clients' connections to targets. Connections can be opened, closed, or inactive. All connections include start and end time, the SSO user, a unique connection ID, the status of the connection, the space from which it originated, the target user, and the target name.
Connection logs are events associated with clients interacting with targets. Client connection event types can be open, closed, connected, or disconnected. All connection events include the timestamp, the SSO user, a unique connection ID, the connection event type, the space from which it originated, the target user, and the target name.
Closed connection events can originate from the end user, the administrator, or BastionZero. The logs will reflect who closed connections by username or by action. For example, if a target is deleted by an administrator, all current connections are closed. The connection log will reflect that the connection was closed as a result of
[email protected] deleted target. Closed connection events are also the result of closing or terminating SSH tunnels or native TCP connections.Disconnected connections result when the web app is closed by the user logging out or when exiting a
zli-based shell connection. In these cases, the shell is still running on the BastionZero SaaS, but the client is no longer active. By re-authenticating to the web app or by attaching in the zli, the connection is restored and a connected event is generated.User events are a form of audit log within BastionZero. Every action in BastionZero is an API. Every API event, whether it be from an administrator updating or listing a policy, an end user making a connection, or an application using an API key, is recorded in the form of a user event.
- Log into the web app at https://cloud.bastionzero.com/.
- Choose "Logs" in the menu bar at the top.
- Select from the dropdown list whichever log type you'd like to view.
- Log into the web app at https://cloud.bastionzero.com/.
- Choose "Session Recordings" in the menu bar at the top.
- Navigate to the person whose session(s) you are interested in viewing and select from the dropdown menu of sessions. These can be viewed in the web app directly or downloaded using the download icon to the right of the session.
Session recordings can be downloaded or deleted using the icons directly on the right of the session.
Session recordings can also be downloaded directly from the web app. Navigate to the session recordings tab in the top navigation bar, find the recording you'd like to export, and download using the icon on the right of the recording.