# Auditing

{% hint style="danger" %}

### <mark style="color:red;">**The BastionZero product is maintained for existing BastionZero customers only.**</mark>

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/applications/non-http/infrastructure-apps/) service.
{% endhint %}

## Logs

BastionZero generates many types of events. Similar events are grouped together to create log views. BastionZero currently maintains five different types of event logs, available to administrators through the [web app](https://cloud.bastionzero.com) and the [API](https://cloud.bastionzero.com/api). The events that make up each log can be retrieved from the BastionZero API as a group or filtered by criteria such as SSO user, target user, or target name.

All logs are updated in real time as they come into BastionZero and are stored with a UTC timestamp. Your web browser will convert the UTC timestamp to the browser local time, and thus all events from anywhere in the world are seen in order when viewing from any time zone.

{% hint style="info" %}
[Logs on the web app](https://cloud.bastionzero.com/admin/events/commands)
{% endhint %}

## Log Overview

### Commands

Command logs are events associated with shells. Each event is a command line typed at the shell by the user. BastionZero records which SSO user ran what command on which target as what target user (e.g., Alice ran `echo 'hello world'` on the remote host `foo` as the target user `admin`).

{% hint style="info" %}
[Command logs on the web app](https://cloud.bastionzero.com/admin/events/commands)
{% endhint %}

### Kubernetes Commands

Kubernetes logs are events associated with calls to the Kubernetes (k8s) API made using either `kubectl` or the `zli` client. Regardless of whether an end user uses `kubectl` or the `zli`, BastionZero records the timestamp, SSO user, target cluster, target user or group, and API associated with the command. When the `zli` is used, BastionZero also records the command text associated with the command. Further, when the `zli` is used to exec into a container, BastionZero will record that shell command text as well.

{% hint style="info" %}
[Kubernetes logs on the web app](https://cloud.bastionzero.com/admin/events/kubernetes-commands)
{% endhint %}

### Connections

Connections are events associated with clients' connections to targets. Connections can be opened, closed, or inactive. All connections include start and end time, the SSO user, a unique connection ID, the status of the connection, the space from which it originated, the target user, and the target name.

{% hint style="info" %}
[Connections on the web app](https://cloud.bastionzero.com/admin/events/connections)
{% endhint %}

### Connection Events

Connection logs are events associated with clients interacting with targets. Client connection event types can be open, closed, connected, or disconnected. All connection events include the timestamp, the SSO user, a unique connection ID, the connection event type, the space from which it originated, the target user, and the target name.

Closed connection events can originate from the end user, the administrator, or BastionZero. The logs will reflect who closed connections by username or by action. For example, if a target is deleted by an administrator, all current connections are closed. The connection log will reflect that the connection was closed as a result of `admin@org.com deleted target`. Closed connection events are also the result of closing or terminating SSH tunnels or native TCP connections.

Disconnected connections result when the web app is closed by the user logging out or when exiting a `zli`-based shell connection. In these cases, the shell is still running on the BastionZero SaaS, but the client is no longer active. By re-authenticating to the web app or by attaching in the `zli`, the connection is restored and a connected event is generated.

{% hint style="info" %}
[Connection logs on the web app](https://cloud.bastionzero.com/admin/events/connection-events)
{% endhint %}
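
The connection event lifecycle described above can be checked offline against a JSON export. The following is an added example, not BastionZero code: it rebuilds the final state of each connection, lists connections left disconnected (shell still running, no client attached), and records who or what closed a connection. The field names (`timestamp`, `connectionId`, `eventType`, `ssoUser`, `targetUser`, `targetName`, `reason`) and the sample events are assumptions made for illustration; map them to the schema in the API documentation.

```python
import json
from collections import defaultdict
from datetime import datetime

def _ev(ts, conn, kind, user, target, reason=None):
    # Field names are assumed for illustration, not the documented export schema.
    return {"timestamp": ts, "connectionId": conn, "eventType": kind,
            "ssoUser": user, "targetUser": "admin", "targetName": target,
            "reason": reason}

# Constructed sample export, deliberately out of chronological order.
SAMPLE_EXPORT = json.dumps([
    _ev("2024-03-01T11:05:00Z", "c-1", "closed", "alice@org.com", "foo",
        "alice@org.com closed connection"),
    _ev("2024-03-01T10:00:00Z", "c-1", "open", "alice@org.com", "foo"),
    _ev("2024-03-01T10:00:01Z", "c-1", "connected", "alice@org.com", "foo"),
    _ev("2024-03-01T10:30:00Z", "c-1", "disconnected", "alice@org.com", "foo"),
    _ev("2024-03-01T11:00:00Z", "c-1", "connected", "alice@org.com", "foo"),
    _ev("2024-03-01T12:00:00Z", "c-2", "open", "bob@org.com", "bar"),
    _ev("2024-03-01T12:00:02Z", "c-2", "connected", "bob@org.com", "bar"),
    _ev("2024-03-01T12:40:00Z", "c-2", "disconnected", "bob@org.com", "bar"),
    _ev("2024-03-01T13:00:00Z", "c-3", "open", "carol@org.com", "baz"),
    _ev("2024-03-01T13:20:00Z", "c-3", "closed", "carol@org.com", "baz",
        "admin@org.com deleted target"),
])

def parse_ts(value):
    # Events carry UTC timestamps; parse them as timezone-aware for ordering.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize(export_json):
    """Return {connectionId: summary} built from the last event per connection."""
    by_conn = defaultdict(list)
    for ev in json.loads(export_json):
        by_conn[ev["connectionId"]].append(ev)
    report = {}
    for conn_id, events in by_conn.items():
        events.sort(key=lambda e: parse_ts(e["timestamp"]))
        last = events[-1]
        report[conn_id] = {
            "ssoUser": last["ssoUser"],
            "target": f'{last["targetUser"]}@{last["targetName"]}',
            "state": last["eventType"],
            "disconnects": sum(e["eventType"] == "disconnected" for e in events),
            "closed_by": last["reason"] if last["eventType"] == "closed" else None,
        }
    return report

def detached_sessions(report):
    # Last event is "disconnected": the shell is still running without a client.
    return sorted(c for c, r in report.items() if r["state"] == "disconnected")
```
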

### User Events

User events are a form of audit log within BastionZero. Every action in BastionZero is an API. Every API event, whether it be from an administrator updating or listing a policy, an end user making a connection, or an application using an API key, is recorded in the form of a user event.

{% hint style="info" %}
[User events on the web app](https://cloud.bastionzero.com/admin/events/user-events)
{% endhint %}

### How To View Your Logs

* Log into the web app at <https://cloud.bastionzero.com/>.
* Choose "Logs" in the menu bar at the top.
* Select from the dropdown list whichever log type you'd like to view.

### How To See Your Session Recordings

* Log into the web app at <https://cloud.bastionzero.com/>.
* Choose "Session Recordings" in the menu bar at the top.
* Navigate to the person whose session(s) you are interested in viewing and select from the dropdown menu of sessions. These can be viewed in the web app directly or downloaded using the download icon to the right of the session.

{% hint style="info" %}
Session recordings can be downloaded or deleted using the icons directly on the right of the session.
{% endhint %}

### How To Export Your Logs and Session Recordings

Logs can be exported as JSON, and session recordings as `asciinema`. Exporting either logs or session recordings can be done through BastionZero's API. Details on how those requests are structured are [here](https://cloud.bastionzero.com/api/#tag--Events) for logs and [here](https://cloud.bastionzero.com/api/#tag--Session-Recordings) for session recordings.

Session recordings can also be downloaded directly from the web app. Navigate to the session recordings tab in the top navigation bar, find the recording you'd like to export, and download using the icon on the right of the recording.
