# Pulsar Audit log

Audit logs track and store authorization activities in Pulsar clusters, tenants, namespaces, and topics. After a Pulsar cluster is up and running within a large team, it's critical to keep an eye on who is touching data and what they're doing with it. Structured audit logs provide an easy way to track user/application access, so you can identify potential anomalies and bad actors.

Structured audit logs enable you to capture audit logs in a set of dedicated Pulsar topics, either on a local or a remote cluster, including:

* low-volume, management-related activities, such as creating or deleting tenants, namespaces or topics
* high-volume activities, such as produce, consume, and acknowledge events

<Note title="Note">
  Because the audit logs are stored in a Pulsar topic, you should configure the cleanup and backlog policy for the namespace to avoid having the Pulsar retention policies inadvertently clean up the audit logs. For more information, see [Configure policies for a namespace](/cloud/manage-data-streams/namespace#configure-policies-for-a-namespace).
</Note>

## Configure audit log

The audit logger writes the audit log into a Pulsar topic using the following default settings:

* The topic name of the audit log is `persistent://sn/system/audit_log_all`.
* The audit log captures only events in the `Management` category.

To enable the audit log, add the following configuration under `broker.configData` in the Helm values:

```yaml theme={null}
broker:
  configData:
    PULSAR_PREFIX_disableBrokerInterceptors: 'false'
    PULSAR_PREFIX_brokerInterceptors: 'audit-log'
    PULSAR_PREFIX_brokerInterceptorsDirectory: './interceptors'
    PULSAR_PREFIX_snAuditLogConfig: >
      {"captured":{".*":{".*":{"category":"Management","eventType":".*"}}},"defaultTopics":{"allowed":"persistent://sn/system/audit_log_all","denied":"persistent://sn/system/audit_log_all"}}
```

To capture [more audit log events](#event-type), add the `captured` setting in the `PULSAR_PREFIX_snAuditLogConfig` section.

To write events of different categories to separate topics, add the `routes` setting in the `PULSAR_PREFIX_snAuditLogConfig` section.

The following example captures audit log events in the `Management` and `Produce` categories for the principal `principal://User:bob`. Events in the `Produce` category are written to `persistent://sn/system/audit_log_produce_allowed` when authorization is granted, and to `persistent://sn/system/audit_log_produce_denied` when authorization is denied.

```yaml theme={null}
broker:
  configData:
    PULSAR_PREFIX_disableBrokerInterceptors: 'false'
    PULSAR_PREFIX_brokerInterceptors: 'audit-log'
    PULSAR_PREFIX_brokerInterceptorsDirectory: './interceptors'
    PULSAR_PREFIX_snAuditLogConfig: >
      {"captured":{"principal://User:bob":{"srn://cluster=.*/tenant=.*/namespace=.*/topic=.*":{"category":"Management|Produce","eventType":".*"}}},"routes":{"srn://cluster=.*/tenant=.*/namespace=.*/topic=.*":{"Produce":{"allowed":"persistent://sn/system/audit_log_produce_allowed","denied":"persistent://sn/system/audit_log_produce_denied"}}},"defaultTopics":{"allowed":"persistent://sn/system/audit_log_allowed","denied":"persistent://sn/system/audit_log_denied"}}
```
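Because `PULSAR_PREFIX_snAuditLogConfig` is a JSON document embedded in a YAML string, a stray typographic quote or a misspelled category is easy to miss until the values are deployed. The following pre-deployment check is an added example, not StreamNative code. It assumes the nesting shown in the configurations above, treats the `category` value as a regular expression, and takes the known categories from the event type table on this page.

```python
import json
import re

# Categories from this page's event type table.
CATEGORIES = ("Management", "Describe", "Produce", "Consume")
# The page's default config, plus a constructed copy with typographic quotes.
GOOD = ('{"captured":{".*":{".*":{"category":"Management","eventType":".*"}}},'
        '"defaultTopics":{"allowed":"persistent://sn/system/audit_log_all",'
        '"denied":"persistent://sn/system/audit_log_all"}}')
BAD = GOOD.replace('"defaultTopics"', "\u201ddefaultTopics\u201d")

def check_topics(where, pair, problems):
    """Both the allowed and the denied destination must be persistent topics."""
    for key in ("allowed", "denied"):
        topic = pair.get(key) if isinstance(pair, dict) else None
        if not isinstance(topic, str) or not topic.startswith("persistent://"):
            problems.append(f"{where}.{key}: missing or not a persistent:// topic")

def compiles(where, pattern, problems):
    """Record a problem and return False if pattern is not a valid regex."""
    try:
        re.compile(pattern)
        return True
    except (re.error, TypeError) as exc:
        problems.append(f"{where}: bad pattern {pattern!r} ({exc})")
        return False

def validate_audit_config(raw):
    """Return a list of problems in an snAuditLogConfig string (empty = OK)."""
    try:
        cfg = json.loads(raw)
        cfg.keys()  # a top-level list or scalar is rejected as well
    except (json.JSONDecodeError, AttributeError) as exc:
        return [f"not a valid JSON object: {exc}"]
    problems = []
    check_topics("defaultTopics", cfg.get("defaultTopics"), problems)
    for principal, resources in cfg.get("captured", {}).items():
        compiles("captured principal", principal, problems)
        for resource, rule in resources.items():
            compiles("captured resource", resource, problems)
            cat = rule.get("category", "")
            if compiles("category", cat, problems) and not any(
                    re.fullmatch(cat, c) for c in CATEGORIES):
                problems.append(f"category {cat!r} matches no known category")
    for resource, by_category in cfg.get("routes", {}).items():
        compiles("routes resource", resource, problems)
        for category, pair in by_category.items():
            if category not in CATEGORIES:
                problems.append(f"routes: unknown category {category!r}")
            check_topics(f"routes[{category}]", pair, problems)
    return problems
```

Run `validate_audit_config` on the string extracted from the Helm values before applying them; an empty list means the structure, patterns and topic names passed these checks.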

## Work with audit log

You can use Pulsar clients, the Pulsar CLI, the REST API, and sink connectors to process and analyze the audit events stored in the Pulsar topics.

### Consume the audit log topic with Pulsar clients

You can get data from the audit log topic with Pulsar clients. Refer to the [Connect](/private-cloud/v1/build/platform-index-clients) section to learn how to configure Pulsar clients for a StreamNative Platform cluster and consume data from the audit log topic.

### Consume the audit log topic with Pulsar CLI

The `pulsar-client` CLI tool can also read data from the audit log topic. Configure `pulsar-client` for your StreamNative Platform cluster, then consume data from the audit log topic.

### Consume the audit log topic with REST API

StreamNative Cloud supports a REST API, which provides a RESTful interface to a Pulsar cluster. To learn how to use it to consume data from the audit log topic, see [REST API](/private-cloud/v1/operating-streamnative-platform/protocols/restapi).

### Sink audit log topic with connectors

If you want to integrate audit log data with other data systems, such as Google BigQuery, AWS SQS, and AWS Kinesis, use a sink connector. To learn how to use sink connectors to integrate and synchronize audit log data, see [sink connectors](/private-cloud/v1/connectors/how-to-use/work-with-sink-connectors).

### Audit log example

```json theme={null}
{
  "id": "11c5296d-bf17-431a-80be-79ba66ba8a35",
  "specVersion": "0.1",
  "category": "Management",
  "time": "2021-06-15T04:58:41.710Z",
  "eventType": "CreateNamespace",
  "resourceInfo": {
    "resourceType": "Namespace",
    "cluster": "<release_name>-sn-platform",
    "tenant": "public",
    "namespace": "audit_log"
  },
  "authenticationInfo": { "role": "admin" },
  "authorizationInfo": { "granted": true, "superUserAuthorization": true },
  "requestInfo": {
    "metadata": {
      "clientAddress": "10.225.14.43",
      "uri": "/admin/v2/namespaces/public/audit_log",
      "method": "PUT"
    }
  },
  "responseInfo": { "responseType": "SUCCESS", "responseCode": 204 }
}
```
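A triage pass over events read from the audit topic, as an added example that is not StreamNative code. It uses only the field names shown in the event above. The sample events, the rule names and the threshold of three denials are assumptions made for illustration.

```python
import json
from collections import Counter

DENIED_THRESHOLD = 3  # assumed alerting threshold, tune per environment

def make_event(event_type, role, granted, superuser, addr):
    """Build a constructed event using the field names from the page's example."""
    return json.dumps({
        "category": "Management",
        "eventType": event_type,
        "authenticationInfo": {"role": role},
        "authorizationInfo": {"granted": granted,
                              "superUserAuthorization": superuser},
        "requestInfo": {"metadata": {"clientAddress": addr}},
    })

# Constructed sample input: roles and addresses are made up.
SAMPLE = [
    make_event("CreateNamespace", "admin", True, True, "10.225.14.43"),
    make_event("DeleteTenant", "admin", True, True, "10.225.14.43"),
    make_event("DeleteNamespace", "svc-etl", False, False, "10.0.0.7"),
    make_event("DeleteTenant", "svc-etl", False, False, "10.0.0.7"),
    make_event("CreateTenant", "svc-etl", False, False, "10.0.0.7"),
    "{truncated",
]

def triage(lines):
    """Return (rule, role, client_address, detail) tuples worth reviewing."""
    findings, denied = [], Counter()
    for line in lines:
        try:
            ev = json.loads(line)
            authz = ev.get("authorizationInfo", {})
        except (json.JSONDecodeError, AttributeError):
            # Keep malformed records visible instead of silently dropping them.
            findings.append(("unparseable", None, None, line[:40]))
            continue
        role = ev.get("authenticationInfo", {}).get("role", "<unknown>")
        addr = ev.get("requestInfo", {}).get("metadata", {}).get(
            "clientAddress", "<unknown>")
        event_type = ev.get("eventType", "")
        if not authz.get("granted", False):
            denied[(role, addr)] += 1  # count denials per role and source
        elif event_type.startswith("Delete") and authz.get("superUserAuthorization"):
            findings.append(("superuser-delete", role, addr, event_type))
    findings += [("repeated-denied", role, addr, n)
                 for (role, addr), n in denied.items() if n >= DENIED_THRESHOLD]
    return findings
```

Feed `triage` the message payloads returned by whichever consumer you use; records with a missing `authorizationInfo.granted` field are counted as denied so that gaps in the data are reviewed.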

## Event type

Each audit log includes information about the event, event time, and permission status. The supported audit event types include:

| Category   | Type         | Event type               | Description                                         | Captured by default |
| ---------- | ------------ | ------------------------ | --------------------------------------------------- | ------------------- |
| Management | Cluster      | `CreateCluster`          | Create a Pulsar cluster.                            | true          |
|            | Cluster      | `UpdateCluster`          | Update Pulsar cluster information.                  | true          |
|            | Cluster      | `DeleteCluster`          | Delete Pulsar cluster information.                  | true          |
|            | Tenant       | `CreateTenant`           | Create a Pulsar tenant.                             | true          |
|            | Tenant       | `UpdateTenant`           | Update tenant information.                          | true          |
|            | Tenant       | `DeleteTenant`           | Delete a Pulsar tenant.                             | true          |
|            | Namespace    | `CreateNamespace`        | Create a namespace.                                 | true          |
|            | Namespace    | `DeleteNamespace`        | Delete a namespace.                                 | true          |
|            | Topic        | `CreatePartitionedTopic` | Create a partitioned topic.                         | true          |
|            | Topic        | `UpdatePartitions`       | Update partitions for a partitioned topic.          | true          |
|            | Topic        | `DeletePartitionedTopic` | Delete a partitioned topic.                         | true          |
|            | Subscription | `CreateSubscription`     | Create a subscription.                              | true          |
|            | Subscription | `DeleteSubscription`     | Delete a subscription.                              | true          |
| Describe   | Cluster      | `ListClusters`           | List Pulsar clusters.                               | false         |
|            | Cluster      | `GetCluster`             | Get cluster information.                            | false         |
|            | Tenant       | `ListTenants`            | List Pulsar tenants.                                | false         |
|            | Tenant       | `GetTenant`              | Get tenant information.                             | false         |
|            | Namespace    | `ListNamespaces`         | List Pulsar namespaces.                             | false         |
|            | Namespace    | `GetNamespace`           | Get namespace information.                          | false         |
|            | Topic        | `ListTopics`             | List Pulsar topics.                                 | false         |
|            | Topic        | `ListPartitionedTopics`  | List partitioned Pulsar topics.                     | false         |
|            | Topic        | `GetPartitions`          | Get partitions of a partitioned topic.              | false         |
|            | Subscription | `ListSubscriptions`      | List subscriptions of a topic.                      | false         |
| Produce    | Producer     | `NewProducer`            | Create a producer to produce messages to the topic. | false         |
|            | Producer     | `CloseProducer`          | Close a producer.                                   | false         |
| Consume    | Consumer     | `NewConsumer`            | Create a consumer to subscribe to the topic.        | false         |
|            | Consumer     | `CloseConsumer`          | Close a consumer.                                   | false         |
