ConductorOne system logs
What’s included in ConductorOne system logs?
System logs include a record of actions taken by the ConductorOne API. The ConductorOne API is used for all app-level actions and captures both end-user and administrative activities.
ConductorOne system logs are stored in OCSF (Open Cybersecurity Schema Framework), a leading open-source data format developed by AWS, IBM, and Splunk. Learn more about OCSF by viewing the OCSF schema documentation.
How do I get access to the system logs?
System logs are stored internally in ConductorOne and can be accessed via API or exported to an external data source such as an S3 bucket.
Where can I see a list of all the API events included in the system logs?
You can download our authoritative list of API events, which is presented in Sigma Detection Format.
YAML format: Go to <YOUR CONDUCTORONE TENANT URL>/api/v1/ocsf-events.yaml
JSON format: Go to <YOUR CONDUCTORONE TENANT URL>/api/v1/ocsf-events.json
Sync ConductorOne system logs into your SIEM
Importing ConductorOne logs into your security information and event management (SIEM) platform is a breeze. We’ll walk you through it here.
This task requires the Super Administrator role in ConductorOne.
Step 1: Create an external data source
If you haven’t already done so, create an external data source to sync the system logs to.
Re-using an existing external data source in ConductorOne? If you’re re-using an existing data source that you’ve already created, ensure that it was created with the ability to accept writes. For example, for S3 buckets, the policy will require the "s3:PutObject" permission.
Step 2: Create a system log exporter
Navigate to Admin > Settings > System log and click Add exporter.
Set up the new exporter:
- Give the exporter a name, such as “System log to S3”
- Select the Datasource you created in Step 1
- Optional. Input a file prefix
- Select your output format and compression algorithm
- Click Save.
That’s it! Your system log exporter will now run every four to five minutes. You’ll see a Waiting status indicator between runs, and an Error status indicator if anything’s amiss.
A new log file is generated for each run, each containing up to 2.5 MB of uncompressed data. In a full day of activity, you should expect roughly 280 files to be exported to your external data source.
Step 3: Connect your SIEM
This step will vary depending on the SIEM that you are using. In general terms, however, you will want to:
- Add the datasource to your SIEM
A partial list of SIEM directions is:
Reading system log files
ConductorOne system logs use the Open Cybersecurity Schema Framework (OCSF) to format log events. Check out the OCSF documentation for full details of OCSF API activity formatting, but here are a few key details to help you quickly make sense of ConductorOne system log output.
“activity_id”: The “activity_id” entry in a log line tells you what type of API call activity triggered the event. By filtering logs by these activity IDs, you can zero in on key types of activity in the ConductorOne system.
- “activity_id”:1 - “Create” activity
- “activity_id”:2 - “Read” activity
- “activity_id”:3 - “Update” activity
- “activity_id”:4 - “Delete” activity
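The following is an added example (not ConductorOne's own code or a documented ConductorOne client) showing how an exported log file can be read and summarised by the activity_id values listed above. It assumes the exporter writes one OCSF event per line (newline-delimited JSON), optionally gzip-compressed; the sample events and their api/actor fields are constructed for illustration.

```python
"""Summarise ConductorOne OCSF system-log exports by activity_id."""
import gzip
import json
import tempfile
from collections import Counter
from pathlib import Path

# OCSF API Activity activity_id values, as listed in the documentation above.
ACTIVITY_NAMES = {1: "Create", 2: "Read", 3: "Update", 4: "Delete"}


def iter_events(path):
    """Yield one event dict per line from a plain or gzip-compressed file.
    Assumption: each exported file holds one OCSF event per line (JSON lines)."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield json.loads(line)


def summarise(events):
    """Count events per activity type; ids outside 1-4 are reported as Other(<id>)."""
    counts = Counter()
    for ev in events:
        aid = ev.get("activity_id")
        counts[ACTIVITY_NAMES.get(aid, f"Other({aid})")] += 1
    return dict(counts)


def filter_by_activity(events, activity_id):
    """Return only the events whose activity_id matches (e.g. 4 for Delete)."""
    return [ev for ev in events if ev.get("activity_id") == activity_id]


# Constructed sample events, not real ConductorOne output; the api/actor fields
# follow the OCSF API Activity class shape and are assumptions here.
SAMPLE_LINES = [
    '{"activity_id": 1, "api": {"operation": "CreateApp"}, "actor": {"user": {"name": "alice"}}}',
    '{"activity_id": 2, "api": {"operation": "GetApp"}, "actor": {"user": {"name": "bob"}}}',
    '{"activity_id": 4, "api": {"operation": "DeleteApp"}, "actor": {"user": {"name": "alice"}}}',
    '{"activity_id": 2, "api": {"operation": "ListApps"}, "actor": {"user": {"name": "bob"}}}',
    '{"activity_id": 99, "api": {"operation": "Unknown"}}',
]


def demo():
    """Write the samples as a gzip-compressed export file, then read and summarise them."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "system-log-sample.json.gz"
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.write("\n".join(SAMPLE_LINES) + "\n")
        events = list(iter_events(path))
        deletes = [ev["api"]["operation"] for ev in filter_by_activity(events, 4)]
        return summarise(events), deletes


if __name__ == "__main__":
    print(demo())
```

Pointing `iter_events` at a directory of exported files and feeding the events to `summarise` gives a quick daily breakdown; the Delete filter is the kind of slice worth forwarding to a SIEM alert rule.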