Accessing decision logs storage objects through the CLI
Immutable storage objects are created roughly once an hour for each policy for which decision logging is enabled and for which decision activity exists during that time period. The storage consists of CSV files containing decision log events; each one corresponding to a decision performed by some authorizer. Objects for one, more (or all) policies can be discovered and then downloaded individually using the Aserto CLI. The CLI also supports bulk downloads.
aserto decision-logs list [--policies=<policy-id1>,<policy-id2>...<policy-idN>]
Fetch a Download URL
For each decision log object name, a download URL can be obtained. The download URL can be used to perform a standard HTTP download.
aserto decision-logs get --info <object name>
The Aserto CLI can also perform bulk downloads, which can be useful when automating ingestion of decision log objects into analytics tools.
aserto decision-logs get [--path <destination path>] \
When used this way, the CLI will only download decision log objects which don't already exist in the destination path. This is safe because, once they exist, decision log objects are final and immutable.
Other Storage Objects
Aserto's decision logging system maintains versioned copies of users involved in decisions. These can be accessed using the Aserto CLI.
Listing User Objects
aserto decision-logs list-users
Fetch a Download URL
For each user object name, a download URL can be obtained. The download URL can be used to perform a standard HTTP download.
aserto decision-logs get-user --info <object name>
The Aserto CLI can also perform bulk downloads, which can be useful when automating ingestion of data referenced by decision log objects.
aserto decision-logs get-users [--path <destination path>]
When used this way, the CLI will only download objects that have changed since last downloaded, according to the metadata on the local versions and remote versions of the objects.
The decision stream is a near real-time stream of decison events. The
decisions command can be used to plug into
the stream and output it to
aserto decisions stream <policy-id> [--since <time in RFC3339 format>]
The CLI will remain open, outputting events to
stdout. Events are typically delivered in under one minute.
The server buffers recent events and the command, by default, starts by replaying all of the buffered events. To begin from
a more recent time, use the optional
since specifies the event time to start streaming from in
RFC3339 format, for example:
Using the decision logs API key
The Aserto CLI decision-logs group of commands can be run without a user logged in, i.e. without first running
aserto login, and instead using the decision logs API key.
To authenticate using the API key use the
--tenant CLI option and the
--api-key option of the decision-logs
commands. For example:
aserto --tenant 0116e83a-7e21-11ec-ab5b-00c9e2c2068b decision-logs get \
--api-key 877572d643b2a8b6d94e12b461cd4527b2eb1e1a5fa2e9d2be67866642a9d123 \
This command would download all the decision logs for the tenant
0116e83a-7e21-11ec-ab5b-00c9e2c2068b onto the
specified path authenticating using the specified API key.