Keeper supports event streaming into an Amazon S3 bucket. Setup instructions are below.
Copy {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::name_of_bucket/*"
]
}
]
}
For the Bucket Name, provide a full ARN that includes the region. For example:
arn:aws:s3:us-west-2::my-keeper-events
Files will be posted only when events occur during the interval. In the example below, the json files are posted every hour when there is activity in the system.
If you set the time frame to a "day", all events will accumulate until the day has ended (using UTC clock) and then a new file containing all day events will be added to your S3 bucket.
Copy <165>1 2023-10-30T02:18:43.776Z keepersecurity.jp keeper - - - {"audit_event":"device_user_approval_requested","device_name":"iPhone","remote_address":"12.34.56.78","category":"security","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50,"client_version_new":true}^M
<165>1 2023-10-30T02:19:19.587Z keepersecurity.jp keeper - - - {"audit_event":"device_approved","device_name":"iPhone","remote_address":"12.34.56.78","category":"security","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50}^M
<165>1 2023-10-30T02:19:51.774Z keepersecurity.jp keeper - - - {"audit_event":"login","channel":"PASS","remote_address":"12.34.56.78","category":"login","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50}^M
Copy [{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:17.545Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:27.200Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:22.740Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"record_uid":"ac3QeHmeGz6Jyb7wnuHnfQ","audit_event":"open_record","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:56.634Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"record_uid":"ac3QeHmeGz6Jyb7wnuHnfQ","audit_event":"fast_fill","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:56.634Z","username":"craig@keeperdemo.io","enterprise_id":67241}]
Copy audit_event,name,remote_address,category,client_version,timestamp,username,enterprise_id
audit_sync_setup,s3,12.34.56.78,policy,EMConsole.16.15.3,1698759022585,craig@keeperdemo.io,50
role_created,,12.34.56.78,policy,EMConsole.16.15.3,1698759049640,craig@keeperdemo.io,50
role_enforcement_changed,,12.34.56.78,policy,EMConsole.16.15.3,1698759049876,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759136968,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759136979,craig@keeperdemo.io,50
lock_user,,12.34.56.78,security,EMConsole.16.15.3,1698759169004,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759134936,craig@keeperdemo.io,50