Export Audit Logs and Message Events

Background

Sublime Enterprise users on Cloud and AWS CloudFormation deployments can configure all audit logs and message events to export to an S3 bucket that you own every 10 minutes.

Note: Enterprise users on Docker deployments can request assistance with exports to S3 in your Sublime support Slack channel.

1. Setup

Before starting, you'll need to:

  1. Determine the ID of the AWS account the uploads will come from (this is the value for the AWS_ACCOUNT_ID placeholder used below):
    • If you've deployed into a self-managed AWS environment, the Account ID is that of your own AWS account.
    • If you are a Sublime Cloud user located in the EU, the value is 128225141972.
    • For all other Sublime Cloud users, the value is 415365657389.
  2. Create an S3 bucket in the AWS account where you want the events exported to. We recommend creating a new S3 bucket specifically for these exports instead of re-using an existing one.

2. Configure bucket permissions

These instructions assume you have a bucket with default settings and bucket policies.

  1. Navigate to your desired bucket in the AWS S3 dashboard, and go to the Permissions tab.
  2. Click Edit on the Block public access (bucket settings) section, which opens the block public access settings for the bucket.
  3. Make sure the final checkbox (Block public and cross-account access to buckets and objects through any public bucket or access point policies) is deselected. The other three should remain checked, unless you have a particular reason not to. Save these changes.
  4. Now, scroll down to the Bucket policy section (still on the Permissions tab). This is where we'll set up the policy to allow cross-account uploads from the account Sublime is running in. Click Edit on the Bucket policy section.
  5. Use the following template as the Policy. Update the placeholders AWS_ACCOUNT_ID (use the ID from Setup step 1 -- the AWS account where exports are coming from) and BUCKET_NAME_HERE with the corresponding values. Save changes once complete.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowSublimeWrites",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::AWS_ACCOUNT_ID:root"
			},
			"Action": [
				"s3:PutObject*"
			],
			"Resource": [
				"arn:aws:s3:::BUCKET_NAME_HERE/*"
			]
		}
	]
}
  6. The bucket is now configured for cross-account uploads from the Sublime platform.
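As an added check that is not part of this page or of Sublime's own tooling, the following Python script fills in the template above and verifies the result before you paste it into the console: the only principal is the single expected account root (not "*", which would matter once the fourth block-public-access setting is off), the only actions are s3:PutObject or the template's s3:PutObject* wildcard (which also covers s3:PutObjectAcl and s3:PutObjectTagging, but nothing that reads or deletes), and the only resource is your bucket's object path. The bucket name example-bucket and the function names are assumptions; 415365657389 is the non-EU Sublime Cloud account ID from Setup step 1.

```python
import json
import re

# The bucket policy template from this page, with its two placeholders left in place.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSublimeWrites",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::AWS_ACCOUNT_ID:root"},
      "Action": ["s3:PutObject*"],
      "Resource": ["arn:aws:s3:::BUCKET_NAME_HERE/*"]
    }
  ]
}"""

PLACEHOLDERS = ("AWS_ACCOUNT_ID", "BUCKET_NAME_HERE")

# Accepted actions: plain s3:PutObject or the template's s3:PutObject* wildcard. The
# wildcard also matches s3:PutObjectAcl and s3:PutObjectTagging, but no read or delete.
_ALLOWED_ACTION = re.compile(r"s3:PutObject\*?")


def render_policy(account_id: str, bucket: str) -> dict:
    """Fill both placeholders in the template and parse the result into a dict."""
    text = POLICY_TEMPLATE.replace("AWS_ACCOUNT_ID", account_id)
    text = text.replace("BUCKET_NAME_HERE", bucket)
    return json.loads(text)


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy: dict, account_id: str, bucket: str) -> list:
    """Return a list of findings; an empty list means the policy has the intended shape."""
    findings = []
    raw = json.dumps(policy)
    for placeholder in PLACEHOLDERS:
        if placeholder in raw:
            findings.append(f"placeholder {placeholder} was not replaced")
    expected_principal = f"arn:aws:iam::{account_id}:root"
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access; nothing to flag
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            # Gather AWS, Service, Federated, ... entries alike; all must be the expected root.
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = _as_list(principal)
        for p in principals:
            if p == "*":
                findings.append(f"{sid}: principal '*' grants every AWS principal write access")
            elif p != expected_principal:
                findings.append(f"{sid}: principal {p} is not {expected_principal}")
        for action in _as_list(stmt.get("Action")):
            if not _ALLOWED_ACTION.fullmatch(action):
                findings.append(f"{sid}: action {action} goes beyond object uploads")
        for resource in _as_list(stmt.get("Resource")):
            if resource != expected_resource:
                findings.append(f"{sid}: resource {resource} is not {expected_resource}")
    return findings


if __name__ == "__main__":
    # example-bucket is an assumed name; 415365657389 is the non-EU Sublime Cloud account.
    policy = render_policy("415365657389", "example-bucket")
    print(json.dumps(policy, indent=2))
    print("findings:", check_policy(policy, "415365657389", "example-bucket") or "none")
```

Run the check against the exact JSON you intend to save; an unreplaced placeholder, a wrong account (for example the EU ID on a non-EU tenant) or any broadened action or resource shows up as a finding.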

3. Configure settings in Sublime

To complete configuration, head over to Account > Admin in your Sublime dashboard and scroll down to the Audit Log and Message Events Export setting. Configure the following fields:

  • S3 bucket name: the bucket you created in Setup step 2. Bucket names must be globally unique and can be anything, but here's a sample format: sublime-audit-log-and-message-events-export-<your-organization-name>
  • S3 prefix (optional): Configuring a prefix stores your exports in a folder of that name within the bucket. A prefix is unnecessary if the bucket is dedicated to these exports, which is the recommended setup.
    Example prefix: exports
  • S3 region: the region you created the S3 bucket in

After hitting Apply, it may take up to 20 minutes before you start seeing events in S3. After the first export, exports take place every 10 minutes.

S3 Export Details

File Names

Object keys (including any configured prefix) take the following form:

ConfiguredKeyPrefix/AuditType/YYYY/MM/DD/HHMMSSZ-ID.json

Where:

ConfiguredKeyPrefix: The key prefix that was configured in your Sublime Platform settings. If you did not set a prefix, this segment is omitted.

AuditType: The type of audit content, either sublime_platform_audit_log or sublime_platform_message_events

YYYY: Year

MM: Month, zero-padded

DD: Day, zero-padded

HHMMSSZ: Hour, minute and second, zero-padded, followed by Z for the UTC timezone

ID: Six random characters
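As an added example, not part of this page or of Sublime's tooling, here is a Python parser for that key format, plus a small cadence check built on it: since exports arrive every 10 minutes, listing the keys in the bucket and looking for consecutive files further apart than that is the simplest way to notice that exports have stalled. The parser tolerates a missing prefix and a prefix containing slashes. The 5-minute slack, the function names and the file 001500Z-AAAAAA.json in the sample listing are assumptions; the other four keys are the ones shown on this page.

```python
import re
from datetime import datetime, timedelta, timezone

AUDIT_TYPES = {"sublime_platform_audit_log", "sublime_platform_message_events"}

# HHMMSSZ-ID.json: zero-padded UTC time of the window, then the six-character random id.
_FILE_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})Z-([A-Za-z0-9]{6})\.json$")


def parse_export_key(key: str) -> dict:
    """Split an export key into prefix (None if absent), audit type, window timestamp
    (UTC datetime) and random id; raise ValueError for anything else in the bucket."""
    parts = key.split("/")
    idx = next((i for i, p in enumerate(parts) if p in AUDIT_TYPES), None)
    if idx is None or len(parts) - idx != 5:
        raise ValueError(f"not an export key: {key}")
    audit_type, yyyy, mm, dd, filename = parts[idx:]
    m = _FILE_RE.match(filename)
    if m is None:
        raise ValueError(f"unexpected file name: {filename}")
    hh, mi, ss, rand_id = m.groups()
    return {
        "prefix": "/".join(parts[:idx]) or None,
        "audit_type": audit_type,
        "timestamp": datetime(int(yyyy), int(mm), int(dd), int(hh), int(mi), int(ss),
                              tzinfo=timezone.utc),
        "id": rand_id,
    }


def find_gaps(keys, interval=timedelta(minutes=10), slack=timedelta(minutes=5)):
    """Group keys by audit type, sort by window time and report consecutive files that
    are further apart than interval + slack (assumed: 10-minute cadence, 5 minutes slack).
    Returns a list of (audit_type, previous, next) tuples."""
    by_type = {}
    for key in keys:
        info = parse_export_key(key)
        by_type.setdefault(info["audit_type"], []).append(info["timestamp"])
    gaps = []
    for audit_type, stamps in by_type.items():
        stamps.sort()
        for prev, nxt in zip(stamps, stamps[1:]):
            if nxt - prev > interval + slack:
                gaps.append((audit_type, prev, nxt))
    return gaps


# Constructed listing: the four keys shown on this page plus one made-up file (AAAAAA).
SAMPLE_KEYS = [
    "sublime_platform_audit_log/2023/05/04/000500Z-LPPJKV.json",
    "sublime_platform_audit_log/2023/05/04/001500Z-AAAAAA.json",
    "sublime_platform_audit_log/2023/05/04/010500Z-MQABBD.json",
    "sublime_platform_message_events/2023/05/04/000500Z-ONJOFG.json",
    "sublime_platform_message_events/2023/05/04/011500Z-NBFUQY.json",
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(parse_export_key(key))
    for audit_type, prev, nxt in find_gaps(SAMPLE_KEYS):
        print(f"gap in {audit_type}: {prev.isoformat()} -> {nxt.isoformat()}")
```

Feeding find_gaps the key names from a bucket listing (for example the Key field of each object returned by an S3 list call) gives one line per missing stretch of exports per audit type.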

Example Audit Logs

This includes all audit log events, stored under the sublime_platform_audit_log type.

Example 1 (empty):

{
  "events": null,
  "count": 0,
  "start": "2023-05-03T23:55:01.06552Z",
  "end": "2023-05-04T00:05:00.309749667Z",
  "key": "sublime_platform_audit_log/2023/05/04/000500Z-LPPJKV.json"
}

Example 2:

{
  "events": [
    {
      "id": "beace168-2c8f-43ca-9e4b-6d7f76af1ddc",
      "type": "message.view_contents",
      "created_at": "2023-05-04T00:59:29.58391Z",
      "data": {
        "request": {
          "id": "c61dafcb-dfdd-41bb-acdc-e66fee4148c4",
          "path": "/v1/messages/groups/0c8e2ef2a2eb02fbbdafb74c8dc5e27ab1096527cc1d07483cf4519a5478dd5f",
          "method": "GET",
          "query": {},
          "body": "",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    },
    {
      "id": "a7e29e07-6ce6-429a-88a7-b29b6fb55d38",
      "type": "message_group.trash",
      "created_at": "2023-05-04T00:59:25.252995Z",
      "data": {
        "message_group": {
          "id": "0c8e2ef2a2eb02fbbdafb74c8dc5e27ab1096527cc1d07483cf4519a5478dd5f"
        },
        "request": {
          "id": "316a16b1-2658-4b9b-bc74-3302c2662665",
          "path": "/v1/messages/groups/0c8e2ef2a2eb02fbbdafb74c8dc5e27ab1096527cc1d07483cf4519a5478dd5f/delete",
          "method": "POST",
          "query": {},
          "body": "{\"review_comment\":\"\",\"share_with_sublime\":false}",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    },
    {
      "id": "6930efb2-bc40-4e90-a206-7fb2211cf3aa",
      "type": "message.view_contents",
      "created_at": "2023-05-04T00:58:29.179602Z",
      "data": {
        "request": {
          "id": "9ed8b3ee-bab2-493c-a675-44344df32a91",
          "path": "/v1/messages/groups/0c8e2ef2a2eb02fbbdafb74c8dc5e27ab1096527cc1d07483cf4519a5478dd5f",
          "method": "GET",
          "query": {},
          "body": "",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    },
    {
      "id": "5545d2da-04d2-482d-a32e-a9e494b782d9",
      "type": "message.view_contents",
      "created_at": "2023-05-04T00:58:29.159373Z",
      "data": {
        "request": {
          "id": "16967ed4-7b70-44f1-9a5b-0be4c46f0f02",
          "path": "/v0/messages/6e079728-0cec-4388-87c2-d35595fed536/image_link",
          "method": "GET",
          "query": {},
          "body": "",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    },
    {
      "id": "06e1fe91-6963-4bc6-96a6-1f141dedd974",
      "type": "message.access_justification",
      "created_at": "2023-05-04T00:58:28.911435Z",
      "data": {
        "message": {
          "id": "6e079728-0cec-4388-87c2-d35595fed536"
        },
        "request": {
          "id": "934a3a0c-1794-4204-bc4a-e37c9e405f9d",
          "path": "/v1/messages/6e079728-0cec-4388-87c2-d35595fed536/justification",
          "method": "POST",
          "query": {},
          "body": "{}",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    },
    {
      "id": "dd529556-4578-4e54-833a-23d69053a6c5",
      "type": "message.view_contents",
      "created_at": "2023-05-04T00:58:20.681083Z",
      "data": {
        "request": {
          "id": "d1643ae7-94e6-4f3d-82ca-645456dc96f1",
          "path": "/v1/messages/groups/0c8e2ef2a2eb02fbbdafb74c8dc5e27ab1096527cc1d07483cf4519a5478dd5f",
          "method": "GET",
          "query": {},
          "body": "",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    },
    {
      "id": "0e7017b5-60fe-49b4-ac8a-3f45765e7cf7",
      "type": "message_group.quarantine",
      "created_at": "2023-05-04T00:58:08.206579Z",
      "data": {
        "request": {
          "id": "059b0f11-0caa-4444-8f2c-6256a8bcd5a1",
          "path": "/v1/messages/groups/0c8e2ef2a2eb02fbbdafb74c8dc5e27ab1096527cc1d07483cf4519a5478dd5f/quarantine",
          "method": "POST",
          "query": {},
          "body": "{\"review_comment\":\"\",\"share_with_sublime\":false}",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    },
    {
      "id": "377369a8-e07f-4052-b61b-6ed88c921f15",
      "type": "message.view_contents",
      "created_at": "2023-05-04T00:58:04.017724Z",
      "data": {
        "request": {
          "id": "c5494c7e-fcdc-4513-90dc-d0990b63eb7c",
          "path": "/v0/messages/6e079728-0cec-4388-87c2-d35595fed536/image_link",
          "method": "GET",
          "query": {},
          "body": "",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    },
    {
      "id": "5d60ce00-57a1-4add-8a2a-a1c84070c320",
      "type": "message.view_contents",
      "created_at": "2023-05-04T00:58:03.719453Z",
      "data": {
        "request": {
          "id": "82f4e05b-8649-4ddc-96b5-89c3fe9133bc",
          "path": "/v1/messages/groups/0c8e2ef2a2eb02fbbdafb74c8dc5e27ab1096527cc1d07483cf4519a5478dd5f",
          "method": "GET",
          "query": {},
          "body": "",
          "authentication_method": "user_session",
          "ip": "71.81.206.41/32",
          "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
        }
      },
      "created_by": {
        "id": "8ccab895-d27f-4250-9d51-ae50793d3a68",
        "first_name": "Sublime",
        "last_name": "Test",
        "email_address": "[email protected]",
        "phone_number": null,
        "created_at": "2021-06-21T18:09:27.66874Z",
        "updated_at": "2022-06-14T09:11:38.629119Z",
        "role": "admin",
        "is_enrolled": true,
        "google_oauth_user_id": "",
        "microsoft_oauth_user_id": ""
      }
    }
  ],
  "count": 9,
  "start": "2023-05-04T00:55:00.91963Z",
  "end": "2023-05-04T01:05:00.246998523Z",
  "key": "sublime_platform_audit_log/2023/05/04/010500Z-MQABBD.json"
}

Example Message Events

This includes all flagged message data, under the sublime_platform_message_events type.

Example 1 (empty):

{
  "events": null,
  "count": 0,
  "start": "2023-05-03T23:55:01.06552Z",
  "end": "2023-05-04T00:05:00.309749667Z",
  "key": "sublime_platform_message_events/2023/05/04/000500Z-ONJOFG.json"
}

Example 2:

{
  "events": [
    {
      "created_at": "2023-05-04T01:06:50.73801Z",
      "data": {
        "flagged_rules": [
          {
            "id": "958ad820-767f-4c83-ac44-94032151574f",
            "name": "Test rule1",
            "severity": null,
            "tags": [
              "Testing"
            ]
          },
          {
            "id": "2483da42-6905-4eca-bc8e-a5475ab906a4",
            "name": "Test rule2",
            "severity": null,
            "tags": [
              "Testing"
            ]
          },
          {
            "id": "9f95f7bb-b1f1-465a-a7a4-23266792c000",
            "name": "Test rule3",
            "severity": null,
            "tags": [
              "Testing"
            ]
          },
          {
            "id": "862b4f5b-c0f7-4e36-89b2-3091f9ac492b",
            "name": "Test rule4",
            "severity": null,
            "tags": [
              "Testing"
            ]
          }
        ],
        "message": {
          "canonical_id": "8fdb3acd8441b18478b7e80927c732f44e9086dcf7cfa6c1186ed21637427ef8",
          "external_id": "187e44c2288f2e8d",
          "id": "089b2e97-2107-4d1e-83e1-1920314dbb80",
          "mailbox": {
            "external_id": "100712120249161713725",
            "id": "3142d2f8-ac0d-4e37-bb1f-d5e4ff5f7f96"
          },
          "message_source_id": "d76ce576-4687-4182-b8e3-a220d6878b21"
        },
        "triggered_actions": null
      },
      "type": "message.flagged"
    }
  ],
  "count": 1,
  "start": "2023-05-04T01:05:00.246998Z",
  "end": "2023-05-04T01:15:00.164976076Z",
  "key": "sublime_platform_message_events/2023/05/04/011500Z-NBFUQY.json"
}
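The two example sections above share one envelope (events, count, start, end, key), and the empty case exports "events": null rather than an empty array, which trips up any consumer that iterates the field directly. As an added example, not part of this page or of Sublime's tooling, the following Python code reads one export file of either type, normalises the null case, checks that count agrees with the events array, and builds the summary a reviewer usually wants first: event types, acting users and source IPs for audit logs, and flagged rule names for message events. The sample documents are constructed from the shapes shown above, trimmed to the fields used, with a made-up actor email (analyst@example.com) and a made-up exports/ prefix on the audit log key.

```python
from collections import Counter


def events_of(doc: dict) -> list:
    """An empty window is exported with "events": null rather than [], so normalise it."""
    return doc.get("events") or []


def audit_type_of(key: str) -> str:
    """The audit type is always the fifth segment from the end of the key, prefix or not."""
    return key.split("/")[-5]


def summarize_export(doc: dict) -> dict:
    """Summarise one export file: event types, acting users and source IPs (audit log),
    flagged rule names (message events), and whether "count" matches the events array."""
    events = events_of(doc)
    summary = {
        "audit_type": audit_type_of(doc["key"]),
        "window": (doc["start"], doc["end"]),
        "count_matches": doc.get("count") == len(events),
        "by_type": Counter(e["type"] for e in events),
        "actors": Counter(),
        "source_ips": set(),
        "flagged_rules": Counter(),
    }
    for e in events:
        data = e.get("data") or {}
        actor = e.get("created_by") or {}          # present on audit log events only
        if actor.get("email_address"):
            summary["actors"][actor["email_address"]] += 1
        request = data.get("request") or {}        # audit log events carry the HTTP request
        if request.get("ip"):
            summary["source_ips"].add(request["ip"])
        for rule in data.get("flagged_rules") or []:  # message events carry the rules
            summary["flagged_rules"][rule["name"]] += 1
    return summary


# Constructed samples in the shape of the page's examples (trimmed; email and prefix made up).
EMPTY_EXPORT = {
    "events": None,
    "count": 0,
    "start": "2023-05-03T23:55:01.06552Z",
    "end": "2023-05-04T00:05:00.309749667Z",
    "key": "sublime_platform_message_events/2023/05/04/000500Z-ONJOFG.json",
}

GROUP = "0c8e2ef2a2eb02fbbdafb74c8dc5e27ab1096527cc1d07483cf4519a5478dd5f"
AUDIT_EXPORT = {
    "events": [
        {"id": "beace168-2c8f-43ca-9e4b-6d7f76af1ddc", "type": "message.view_contents",
         "created_at": "2023-05-04T00:59:29.58391Z",
         "data": {"request": {"method": "GET", "path": f"/v1/messages/groups/{GROUP}",
                              "authentication_method": "user_session", "ip": "71.81.206.41/32"}},
         "created_by": {"email_address": "analyst@example.com", "role": "admin"}},
        {"id": "a7e29e07-6ce6-429a-88a7-b29b6fb55d38", "type": "message_group.trash",
         "created_at": "2023-05-04T00:59:25.252995Z",
         "data": {"message_group": {"id": GROUP},
                  "request": {"method": "POST", "path": f"/v1/messages/groups/{GROUP}/delete",
                              "authentication_method": "user_session", "ip": "71.81.206.41/32"}},
         "created_by": {"email_address": "analyst@example.com", "role": "admin"}},
    ],
    "count": 2,
    "start": "2023-05-04T00:55:00.91963Z",
    "end": "2023-05-04T01:05:00.246998523Z",
    "key": "exports/sublime_platform_audit_log/2023/05/04/010500Z-MQABBD.json",
}

MESSAGE_EXPORT = {
    "events": [
        {"type": "message.flagged", "created_at": "2023-05-04T01:06:50.73801Z",
         "data": {"flagged_rules": [
                      {"id": "958ad820-767f-4c83-ac44-94032151574f", "name": "Test rule1",
                       "severity": None, "tags": ["Testing"]},
                      {"id": "2483da42-6905-4eca-bc8e-a5475ab906a4", "name": "Test rule2",
                       "severity": None, "tags": ["Testing"]}],
                  "message": {"id": "089b2e97-2107-4d1e-83e1-1920314dbb80"},
                  "triggered_actions": None}},
    ],
    "count": 1,
    "start": "2023-05-04T01:05:00.246998Z",
    "end": "2023-05-04T01:15:00.164976076Z",
    "key": "sublime_platform_message_events/2023/05/04/011500Z-NBFUQY.json",
}

if __name__ == "__main__":
    for doc in (EMPTY_EXPORT, AUDIT_EXPORT, MESSAGE_EXPORT):
        s = summarize_export(doc)
        print(s["audit_type"], s["window"], "count ok" if s["count_matches"] else "COUNT MISMATCH",
              dict(s["by_type"]), sorted(s["source_ips"]), dict(s["flagged_rules"]))
```

To use it on real exports, load each JSON object from the bucket with json.load and pass the resulting dict to summarize_export; a false count_matches or a source IP outside your expected ranges on an audit log file is worth a closer look at the individual events.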