search

Example: How to use S3 audit events for tracking and security

Learn how to interpret and use an S3 audit event generated by the WEKA S3 system.

The S3 audit events are essential for tracking access and modifications to data, ensuring compliance with organizational and regulatory requirements, detecting unauthorized activity, and troubleshooting suspicious or failed S3 operations. By understanding the structure and content of these logs, users can conduct forensic analysis and validate that operations were executed according to policy.

The following example illustrates a PutObject operation and describes the key elements in the event log.

{
  "api": {
    "bucket": "phg-sandman",
    "name": "PutObject",
    "object": "cat-and-dog.jpg",
    "status": "OK",
    "statusCode": 200,
    "timeToResponse": "10531825ns"
  },
  "auditVersion": "1.weka",
  "deploymentid": "079f7a1f-be3b-44c8-b36f-4484fe1ae4b2",
  "remotehost": "216.58.114.14",
  "requestHeader": {
    "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE...",
    "User-Agent": "aws-sdk-go/1.44.235 (go1.18.10; linux; amd64) S3Manager",
    "Content-Type": "image/jpeg"
  },
  "requestID": "1773CE9A70A978BB",
  "responseHeader": {
    "Content-Length": "0",
    "ETag": "5d64dcd326aa93f6542e27f757ec8146",
    "Server": "S3"
  },
  "time": "2025-03-21T06:37:27.915055685Z",
  "userAgent": "aws-sdk-go/1.44.235 (go1.18.10; linux; amd64) S3Manager",
  "wekaInfo": {
    "clusterGUID": "b28b4f9b-5d62-4c0b-97ef-6a72037930e7",
    "clusterName": "DAD08-B",
    "release": "4.4.6.11",
    "serverIP": "10.26.211.72",
    "serverName": "obj-115-07.dad08.tcp.target.net",
    "version": "4.4.6"
  }
}

hashtag
Key elements and descriptions

  • bucket: Identifies the S3 bucket involved in the event.

  • name: Specifies the S3 operation type (for example, PutObject, GetObject).

  • object: Name of the object on which the operation was performed.

  • status / statusCode: Indicates the result of the operation (for example, OK, HTTP status 200).

  • remotehost: The IP address from which the request originated.

  • Authorization: Credentials used for API authorization.

  • userAgent: The user agent string from the requesting client, useful for identifying the client software.

  • clusterName / serverIP / serverName: Provides information about the WEKA cluster and access point.

  • version: The software version of the WEKA system handling the request.

PreviousExample: How to use Splunk to audit S3NextS3 supported APIs and limitations

Last updated