Decision Logs
Accessing decision logs storage objects through the CLI
Immutable storage objects are created roughly once an hour for each policy for which decision logging is enabled and for which decision activity exists during that time period. The storage consists of CSV files containing decision log events; each one corresponding to a decision performed by some authorizer. Objects for one, more (or all) policies can be discovered and then downloaded individually using the Aserto CLI. The CLI also supports bulk downloads.
Listing Objects
aserto decision-logs list [--policies=<policy-name1>,<policy-name2>...<policy-nameN>]
Fetch a Download URL
For each decision log object name, a download URL can be obtained. The download URL can be used to perform a standard HTTP download.
aserto decision-logs get --info <object name>
Bulk Downloads
The Aserto CLI can also perform bulk downloads, which can be useful when automating ingestion of decision log objects into analytics tools.
aserto decision-logs get [--path <destination path>] \
[--policies <policy-name1>,<policy-name2>...<policyi-nameN>]
When used this way, the CLI will only download decision log objects which don't already exist in the destination path. This is safe because, once they exist, decision log objects are final and immutable.
Decision stream
The decision stream is a near real-time stream of decison events. The decisions
command can be used to plug into
the stream and output it to stdout
.
aserto decisions stream <policy-name> <instance-label> [--since <time in RFC3339 format>]
The CLI will remain open, outputting events to stdout
. Events are typically delivered in under one minute.
The server buffers recent events and the command, by default, starts by replaying all of the buffered events. To begin from
a more recent time, use the optional since
argument. since
specifies the event time to start streaming from in
RFC3339 format, for example: 2022-03-21T06:30:00Z
.
Using the decision logs API key
The Aserto CLI decision-logs group of commands can be run without a user logged in, i.e. without first running
aserto login
, and instead using the decision logs API key.
To authenticate using the API key use the --tenant
CLI option and the --api-key
option of the decision-logs
commands. For example:
aserto --tenant 0116e83a-7e21-11ec-ab5b-00c9e2c2068b decision-logs get \
--api-key 877572d643b2a8b6d94e12b461cd4527b2eb1e1a5fa2e9d2be67866642a9d123 \
--path ~/files/decision-logs
This command would download all the decision logs for the tenant 0116e83a-7e21-11ec-ab5b-00c9e2c2068b
onto the
specified path authenticating using the specified API key.