Example: How to use S3 audit events for tracking and security
Learn how to interpret and use an S3 audit event generated by the WEKA S3 system.
The S3 audit events are essential for tracking access and modifications to data, ensuring compliance with organizational and regulatory requirements, detecting unauthorized activity, and troubleshooting suspicious or failed S3 operations. By understanding the structure and content of these logs, users can conduct forensic analysis and validate that operations were executed according to policy.
The following example illustrates a PutObject operation and describes the key elements in the event log.
{
  "api": {
    "bucket": "phg-sandman",
    "name": "PutObject",
    "object": "cat-and-dog.jpg",
    "status": "OK",
    "statusCode": 200,
    "timeToResponse": "10531825ns"
  },
  "auditVersion": "1.weka",
  "deploymentid": "079f7a1f-be3b-44c8-b36f-4484fe1ae4b2",
  "remotehost": "216.58.114.14",
  "requestHeader": {
    "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE...",
    "User-Agent": "aws-sdk-go/1.44.235 (go1.18.10; linux; amd64) S3Manager",
    "Content-Type": "image/jpeg"
  },
  "requestID": "1773CE9A70A978BB",
  "responseHeader": {
    "Content-Length": "0",
    "ETag": "5d64dcd326aa93f6542e27f757ec8146",
    "Server": "S3"
  },
  "time": "2025-03-21T06:37:27.915055685Z",
  "userAgent": "aws-sdk-go/1.44.235 (go1.18.10; linux; amd64) S3Manager",
  "wekaInfo": {
    "clusterGUID": "b28b4f9b-5d62-4c0b-97ef-6a72037930e7",
    "clusterName": "DAD08-B",
    "release": "4.4.6.11",
    "serverIP": "10.26.211.72",
    "serverName": "obj-115-07.dad08.tcp.target.net",
    "version": "4.4.6"
  }
}

Key elements and descriptions
- bucket: Identifies the S3 bucket involved in the event. 
- name: Specifies the S3 operation type (for example, PutObject, GetObject).
- object: Name of the object on which the operation was performed. 
- status / statusCode: Indicates the result of the operation (for example, OK, HTTP status 200).
- remotehost: The IP address from which the request originated. 
- Authorization: Credentials used for API authorization. 
- userAgent: The user agent string from the requesting client, useful for identifying the client software. 
- clusterName / serverIP / serverName: Provides information about the WEKA cluster and access point. 
- version: The software version of the WEKA system handling the request. 
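The fields above are enough to triage events for failed operations and for writes from unexpected sources. The following is an added example, not WEKA code. It assumes events are collected as one JSON object per line, that `10.26.0.0/16` is the expected client network (a hypothetical allowlist), and that the `WRITE_OPS` set matches local policy; the two read events in the sample are invented.

```python
import ipaddress
import json
import re

# Assumption: networks expected to reach the S3 endpoint (hypothetical allowlist).
ALLOWED_NETS = [ipaddress.ip_network("10.26.0.0/16")]
WRITE_OPS = {"PutObject", "DeleteObject", "CopyObject"}  # standard S3 API names
CRED_RE = re.compile(r"Credential=([^/,\s.]+)")  # access key ID in a SigV4 header

def access_key(event):
    """Return the access key ID from the Authorization header, or None."""
    m = CRED_RE.search(event.get("requestHeader", {}).get("Authorization", ""))
    return m.group(1) if m else None

def triage(event):
    """Return the reasons this event deserves review (empty list if none)."""
    api, reasons = event.get("api", {}), []
    code = api.get("statusCode", 0)
    if code >= 400:
        reasons.append("access denied" if code in (401, 403) else "failed operation")
    try:
        src = ipaddress.ip_address(event.get("remotehost", ""))
        expected = any(src in net for net in ALLOWED_NETS)
    except ValueError:
        expected = False  # missing or malformed source address
    if not expected and api.get("name") in WRITE_OPS:
        reasons.append("write from unexpected network")
    return reasons

def review(lines):
    """Parse one JSON event per line; return a summary of each flagged event."""
    findings = []
    for event in map(json.loads, lines):
        api, reasons = event.get("api", {}), triage(event)
        if reasons:
            findings.append({"time": event.get("time"), "op": api.get("name"),
                             "target": f'{api.get("bucket")}/{api.get("object")}',
                             "remotehost": event.get("remotehost"),
                             "accessKey": access_key(event), "reasons": reasons})
    return findings

# Constructed input: the page's PutObject event (trimmed), then two invented reads.
AUTH = {"Authorization": "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE..."}
def _line(op, code, host, ts):
    return json.dumps({"api": {"bucket": "phg-sandman", "name": op, "object": "cat-and-dog.jpg",
        "statusCode": code}, "remotehost": host, "requestHeader": AUTH, "time": ts})
SAMPLE = [_line("PutObject", 200, "216.58.114.14", "2025-03-21T06:37:27.915055685Z"),
          _line("GetObject", 403, "10.26.5.20", "2025-03-21T06:40:02Z"),
          _line("GetObject", 200, "10.26.5.20", "2025-03-21T06:41:10Z")]
print(json.dumps(review(SAMPLE), indent=2))
```

Under the assumed allowlist, the page's own PutObject event is flagged because its remotehost lies outside the expected network even though the operation succeeded.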
