
Copyright © 2024

Auditing

Administrators' guide to BastionZero's auditing capabilities


Last updated 6 months ago

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s Access for Infrastructure service.

Logs

BastionZero generates many types of events. Similar events are grouped together to create log views. BastionZero currently maintains five different types of event logs, available to administrators through the web app and the API. All event types that comprise logs can be retrieved from the BastionZero API as a group or filtered based on criteria such as SSO user, target user, or target name.

All logs are updated in real time as they come into BastionZero and are stored with a UTC timestamp. Your web browser will convert the UTC timestamp to the browser local time, and thus all events from anywhere in the world are seen in order when viewing from any time zone.

Log Overview

Commands

Command logs are events associated with shells: each event is a command line typed at the shell by the user. BastionZero records which SSO user ran what command on which target as what target user (e.g., Alice ran echo 'hello world' on the remote host foo as the target user admin).

Kubernetes Commands

Kubernetes logs are events associated with calls to the Kubernetes (k8s) API made using either kubectl or the zli client. Regardless of whether an end user uses kubectl or the zli, BastionZero records the timestamp, SSO user, target cluster, target user or group, and API associated with the command. When the zli is used, BastionZero also records the command text associated with the command. Further, when the zli is used to exec into a container, BastionZero will record that shell command text as well.

Connections

Connections are events associated with clients' connections to targets. Connections can be opened, closed, or inactive. All connections include start and end time, the SSO user, a unique connection ID, the status of the connection, the space from which it originated, the target user, and the target name.

Connection Events

Connection logs are events associated with clients interacting with targets. Client connection event types can be open, closed, connected, or disconnected. All connection events include the timestamp, the SSO user, a unique connection ID, the connection event type, the space from which it originated, the target user, and the target name.

Closed connection events can originate from the end user, the administrator, or BastionZero. The logs will reflect who closed connections by username or by action. For example, if a target is deleted by an administrator, all current connections are closed. The connection log will reflect that the connection was closed as a result of admin@org.com deleted target. Closed connection events are also the result of closing or terminating SSH tunnels or native TCP connections.

Disconnected connections result when the web app is closed by the user logging out or when exiting a zli-based shell connection. In these cases, the shell is still running on the BastionZero SaaS, but the client is no longer active. By re-authenticating to the web app or by attaching in the zli, the connection is restored and a connected event is generated.
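
As an added example (not BastionZero code), the disconnected-versus-closed distinction above can be checked over an exported connection-event log to find shells left running after the client went away. The JSON field names, the sample events and the 8-hour threshold are assumptions made for illustration, not BastionZero's export schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample events. Field names are assumptions for illustration,
# not BastionZero's export schema. Rows are deliberately out of order.
FIELDS = ("timestamp", "connectionId", "eventType", "ssoUser", "targetUser", "targetName")
ROWS = [
    ("2024-03-01T11:45:00Z", "c-1", "closed", "alice@example.com", "admin", "foo"),
    ("2024-03-01T10:00:00Z", "c-1", "open", "alice@example.com", "admin", "foo"),
    ("2024-03-01T10:30:00Z", "c-1", "disconnected", "alice@example.com", "admin", "foo"),
    ("2024-03-01T11:00:00Z", "c-1", "connected", "alice@example.com", "admin", "foo"),
    ("2024-03-01T09:20:00Z", "c-2", "disconnected", "bob@example.com", "root", "db-1"),
    ("2024-03-01T09:00:00Z", "c-2", "open", "bob@example.com", "root", "db-1"),
    ("2024-03-02T11:00:00Z", "c-3", "open", "carol@example.com", "admin", "foo"),
    ("2024-03-02T11:30:00Z", "c-3", "disconnected", "carol@example.com", "admin", "foo"),
]
SAMPLE_EXPORT = json.dumps([dict(zip(FIELDS, row)) for row in ROWS])


def parse_utc(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-03-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lingering_connections(export_json, now, max_idle_hours=8):
    """Connections whose most recent event is 'disconnected' (never closed or
    re-attached) and that have sat in that state for max_idle_hours or more."""
    latest = {}
    for event in json.loads(export_json):
        ts = parse_utc(event["timestamp"])
        seen = latest.get(event["connectionId"])
        if seen is None or ts >= seen[0]:
            latest[event["connectionId"]] = (ts, event)
    findings = []
    for cid, (ts, event) in sorted(latest.items()):
        idle_hours = (now - ts).total_seconds() / 3600
        if event["eventType"] == "disconnected" and idle_hours >= max_idle_hours:
            findings.append({"connectionId": cid, "ssoUser": event["ssoUser"],
                             "targetUser": event["targetUser"],
                             "targetName": event["targetName"],
                             "idle_hours": round(idle_hours, 1)})
    return findings


if __name__ == "__main__":
    for finding in lingering_connections(
            SAMPLE_EXPORT, datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)):
        print(finding)
```

Because the logs are stored in UTC, comparing timestamps directly gives the correct event order regardless of where each client connected from.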

User Events

User events are a form of audit log within BastionZero. Every action in BastionZero is an API call. Every API event, whether it comes from an administrator updating or listing a policy, an end user making a connection, or an application using an API key, is recorded in the form of a user event.

How To View Your Logs

  • Log into the web app at https://cloud.bastionzero.com/.

  • Choose "Logs" in the menu bar at the top.

  • Select from the dropdown list whichever log type you'd like to view.

How To See Your Session Recordings

  • Log into the web app at https://cloud.bastionzero.com/.

  • Choose "Session Recordings" in the menu bar at the top.

  • Navigate to the person whose session(s) you are interested in viewing and select from the dropdown menu of sessions. These can be viewed in the web app directly or downloaded using the download icon to the right of the session.

Session recordings can be downloaded or deleted using the icons directly on the right of the session.

How To Export Your Logs and Session Recordings

Session recordings can also be downloaded directly from the web app. Navigate to the session recordings tab in the top navigation bar, find the recording you'd like to export, and download using the icon on the right of the recording.

Logs can be exported as JSON, and session recordings as asciinema. Exporting either logs or session recordings can be done through BastionZero's API. Details on how those requests are structured are documented separately for logs and for session recordings.
