Audit logs

Audit logs document changes in a system. In the case of ReachFive, audit logs capture when certain events occur in your ReachFive account.

Currently, you can produce audit logs for the following Action(s) below.

All security-related (settings-update) updates are detected automatically.

Action Description

clients:create

Creating a Client.

clients:update

Updating a Client.

clients:delete

Deleting a Client.

console:login

Login on the console.

ip:unban

Unbanning a specific IP address with the /ips/{IpAddress}/unban endpoint.

jobs:create

Creating an export job.

jobs:copy

Copying an export job.

jobs:update

Updating an export job.

jobs:delete

Deleting an export job.

jobs:execution

Executing an export job.

on-demand-scaling:create

Creating an on-demand scaling event.

on-demand-scaling:update

Updating an on-demand scaling event.

on-demand-scaling:delete

Deleting an on-demand scaling event.

users:update

Updating a User.

users:delete

Deleting a User.

settings:update

Updating security settings such as rate limits, SSO, password policy, user lockouts and/or activating (or deactivating) account features.

These security-related updates are detected automatically.

Why is this useful?

Having audit logs available allows you to track changes in your system more easily. This acts as an important security mechanism, informing you of changes in the system each time they occur automatically. If, for example, someone unexpectedly exports user profiles, you will automatically be informed via the audit logs and could potentially prevent a data breach.

Create Pub/Sub hook from console

The Pub/Sub hook that you create in the ReachFive Console is triggered after an event is generated similar to that of a typical Post-event webhook.

In order for an audit log to be produced for a specified event, you must first create a Pub/Sub hook in the ReachFive Console.

Prerequisites

You must have access to the ReachFive Console.
You must have a Developer, Manager, or Administrator role.
You must have the Pub/Sub Hooks feature enabled.

Instructions

Log in to your ReachFive Console.
Go to Settings Pub/Sub Hooks Audit Logs.
Select New Pub/Sub hook or edit an existing Pub/Sub Hook.
Enable your Pub/Sub hook.

From the drop-down menu, choose the Action(s) that will trigger the Pub/Sub hook.

Action(s)

Action Description

clients:create

Creating a Client.

clients:update

Updating a Client.

clients:delete

Deleting a Client.

console:login

Login on the console.

ip:unban

Unbanning a specific IP address with the /ips/{IpAddress}/unban endpoint.

jobs:create

Creating an export job.

jobs:copy

Copying an export job.

jobs:update

Updating an export job.

jobs:delete

Deleting an export job.

jobs:execution

Executing an export job.

on-demand-scaling:create

Creating an on-demand scaling event.

on-demand-scaling:update

Updating an on-demand scaling event.

on-demand-scaling:delete

Deleting an on-demand scaling event.

users:update

Updating a User.

users:delete

Deleting a User.

settings:update

Updating security settings such as rate limits, SSO, password policy, user lockouts and/or activating (or deactivating) account features.

These security-related updates are detected automatically.

Enter your Project ID for your Google Cloud account.
Enter the Topic where you want requests sent.
Enter the Credentials (in JSON format) needed to connect to Google Cloud.

Where do I get the credentials? 🤔
External instructions

These instructions are current as of July 5th, 2024. Refer to Google Cloud’s official documentation for the most up-to-date information.

To get your credentials in JSON format from Google Cloud:
1. Go to your Google Cloud console (GCP).
2. Select your desired GCP project.
3. Go to the API & Services section.
  
  Inside of API & Services, go to Credentials.
  
  Inside of API & Services, go to your Service accounts.
  
  Choose your desired Service Account (or create a new one if necessary).
  
  Go to Keys inside your chosen Service account. This is typically a tab at the top of the page.
  
  Add a new key.
  
  Select the key type, choose JSON.
  
  Click Create.
  
  This downloads the `.json `file which contains your service account credentials. You can only get your JSON file when first creating the key. If you forget it or have misplaced it, you’ll need to create a new key.
4. Save this JSON file securely. You will need it for authentication in your application.
Don’t forget to Save your input.

pubsub audit log

View Pub/Sub results

To view the Audit Logs, you should go to your Pub/Sub page in your Google Cloud Platform (GCP) account.

Go to Topics.
Choose the desired Topic ID.
Click View Messages.
Select the desired Cloud Pub/Sub subscription.
Follow the on-screen instructions.

Audit log example

{
  "user_email": "user@gmail.com", (1)
  "entity_name": "jobs", (2)
  "user_name": "My user name", (3)
  "action_name": "create", (4)
  "account_name": "my-account", (5)
  "created_at" : "2021-09-09T09:21:22.107809Z", (6)
  "id": "a040230b-60...998", (7)
  "ip_address": "x.x.x.x", (8)
  "action_data": { (9)
    "jobId": "AXvK4s..UnUYyz",
    "jobType": "export"
  },
  "client_id": "Console ReachFive", (10)
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" (11)
}

1	The email of the ReachFive Console user that produced the audit log.
2	The name of the entity that produced the audit log.
3	The user name of the ReachFive Console user that produced the audit log.
4	The Action name that triggered the Pub/Sub hook that produced the audit log.
5	`account_name` specifies the name of the ReachFive account.
6	The creation date timestamp for the audit log.
7	The ID of the audit log.
8	The IP address of the ReachFive Console user that produced the audit log.
9	The Action data (more information about the trigger). In this case, an export event with the Id `AXvK4s..UnUYyz`.
10	The client that produced the audit log.
11	The `user_agent` that produced the audit log.