Export Audit Logs to ADLS

Requirements:

Create an ADLS shared access signature token for the export

Before Immuta can export audit events to your Azure Data Lake Storage (ADLS) Gen2 storage account, you need to create a shared access signature (SAS) token that allows the Immuta audit service to add audit logs to your specified ADLS storage account and file system.

Follow the Azure documentation to create the following in Azure:

  1. An ADLS Gen2 storage account with the following settings required for audit export:

    • Enable hierarchical namespace
    • Standard performance is adequate, but premium may be used
  2. A dedicated container.

  3. A shared access signature (SAS) for your dedicated container with at least the following permissions at the storage account or container level:

    • Create
    • Write

Save the SAS token to use in the next steps. Do not navigate away from the SAS page unless you have saved the token.

Configure the audit export to ADLS

Configure the audit export to ADLS using the Immuta CLI or GraphQL API with the following fields:

  • interval: The interval at which audit logs will be exported to your ADLS storage. They can be sent at 2-, 4-, 6-, 12-, or 24-hour intervals.
  • storage account: The name of the storage account you created that your audit logs will be sent to.
  • file system: The name of the file system (or container) you created that your audit logs will be written to.
  • path: The name of the path in the file system. This will be a new folder or directory in the container where Immuta will send your audit logs for storage.
  • SAS token: The previously-generated SAS token.

Run the following command with the above fields in a JSON file:

immuta audit exportConfig create:adls:sasToken ./your-exportConfig.json

Example ./your-exportConfig.json file

{
  "interval": "EVERY_12_HOURS",
  "storageAccount": "your-adls-storage-account",
  "fileSystem": "audit-output",
  "path": "immuta-audit",
  "sasToken": "your-sas-token"
}

For additional CLI commands, see the audit CLI reference guide.
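
Before the SAS token goes into the export configuration, its query parameters can be checked against the Create and Write permissions listed above. The following is an added example, not Immuta's code: the function names are hypothetical, the sample tokens are constructed, and flagging any permission beyond Create and Write, a missing or past expiry, or a missing HTTPS-only restriction is this example's own policy.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs

REQUIRED = set("cw")  # c = Create, w = Write: the permissions the page lists

# Constructed sample tokens (not real credentials) and a fixed clock for the demo.
GOOD = "sv=2022-11-02&sr=c&sp=cw&se=2030-01-01T00:00:00Z&spr=https&sig=CONSTRUCTED"
BROAD = "sv=2022-11-02&sr=c&sp=racwdl&se=2020-01-01T00:00:00Z&sig=CONSTRUCTED"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

def review_sas(token, now=None):
    """Return findings for a SAS token query string; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    perms, findings = set(q.get("sp", "")), []
    if REQUIRED - perms:
        findings.append("missing permissions: " + "".join(sorted(REQUIRED - perms)))
    if perms - REQUIRED:  # assumption of this example: anything beyond c and w is flagged
        findings.append("extra permissions: " + "".join(sorted(perms - REQUIRED)))
    if "se" not in q:
        findings.append("no expiry (se)")
    else:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only expiry: treat as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("expired: " + q["se"])
    if q.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    return findings

def export_config(storage_account, file_system, path, sas_token,
                  interval="EVERY_12_HOURS", now=None):
    """Build the export config dict, refusing a token that has findings."""
    problems = review_sas(sas_token, now)
    if problems:
        raise ValueError("SAS token rejected: " + "; ".join(problems))
    return {"interval": interval, "storageAccount": storage_account,
            "fileSystem": file_system, "path": path, "sasToken": sas_token}

if __name__ == "__main__":
    print(review_sas(BROAD, NOW))
    cfg = export_config("your-adls-storage-account", "audit-output",
                        "immuta-audit", GOOD, now=NOW)
    print(json.dumps(cfg, indent=2))
```

The expiry check matters operationally as well: once the token passes its `se` time, writes to the container are rejected until a new token is configured.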

Send the following mutation to https://your-immuta.com/api/audit/graphql, with the above fields passed directly:

mutation {
  createAdlsSasTokenEndpointConfiguration(
    data: {
      interval: "EVERY_12_HOURS",
      storageAccount: "your-adls-storage-account",
      fileSystem: "audit-output",
      path: "immuta-audit",
      sasToken: "your-sas-token"
    }
  ) {
    id
    interval
    enabled
    connectionStatus
    endpointConfiguration {
      ... on AdlsSasTokenEndpointConfiguration {
        storageAccount
        fileSystem
        path
      }
    }
  }
}

Example response

{
    "data": {
        "createAdlsSasTokenEndpointConfiguration": {
            "id": "259fc41c-b502-418a-a8ff-d875335dbe9b",
            "interval": "EVERY_12_HOURS",
            "enabled": true,
            "connectionStatus": "SUCCESS",
            "endpointConfiguration": {
                "storageAccount": "your-adls-storage-account",
                "fileSystem": "audit-output",
                "path": "immuta-audit"
            }
        }
    }
}

For additional GraphQL API commands, see the GraphQL API reference guide.