Skip to main content

Decision Logs

Accessing decision logs storage objects through the CLI

Immutable storage objects are created roughly once an hour for each policy for which decision logging is enabled and for which decision activity exists during that time period. The storage consists of CSV files containing decision log events; each one corresponding to a decision performed by some authorizer. Objects for one, more (or all) policies can be discovered and then downloaded individually using the Aserto CLI. The CLI also supports bulk downloads.

Listing Objects

aserto decision-logs list [--policies=<policy-name1>,<policy-name2>...<policy-nameN>]

Fetch a Download URL

For each decision log object name, a download URL can be obtained. The download URL can be used to perform a standard HTTP download.

aserto decision-logs get --info <object name>

Bulk Downloads

The Aserto CLI can also perform bulk downloads, which can be useful when automating ingestion of decision log objects into analytics tools.

aserto decision-logs get [--path <destination path>] \
[--policies <policy-name1>,<policy-name2>...<policyi-nameN>]

When used this way, the CLI will only download decision log objects which don't already exist in the destination path. This is safe because, once they exist, decision log objects are final and immutable.

Decision stream

The decision stream is a near real-time stream of decison events. The decisions command can be used to plug into the stream and output it to stdout.

aserto decisions stream <policy-name> <instance-label> [--since <time in RFC3339 format>]

The CLI will remain open, outputting events to stdout. Events are typically delivered in under one minute. The server buffers recent events and the command, by default, starts by replaying all of the buffered events. To begin from a more recent time, use the optional since argument. since specifies the event time to start streaming from in RFC3339 format, for example: 2022-03-21T06:30:00Z.

Using the decision logs API key

The Aserto CLI decision-logs group of commands can be run without a user logged in, i.e. without first running aserto login, and instead using the decision logs API key.

To authenticate using the API key use the --tenant CLI option and the --api-key option of the decision-logs commands. For example:

aserto --tenant 0116e83a-7e21-11ec-ab5b-00c9e2c2068b decision-logs get \
--api-key 877572d643b2a8b6d94e12b461cd4527b2eb1e1a5fa2e9d2be67866642a9d123 \
--path ~/files/decision-logs

This command would download all the decision logs for the tenant 0116e83a-7e21-11ec-ab5b-00c9e2c2068b onto the specified path authenticating using the specified API key.