# Example: How to use S3 audit events for tracking and security The S3 audit events are essential for tracking access and modifications to data, ensuring compliance with organizational and regulatory requirements, detecting unauthorized activity, and troubleshooting suspicious or failed S3 operations. By understanding the structure and content of these logs, users can conduct forensic analysis and validate that operations were executed according to policy. The following example illustrates a `PutObject` operation and describes the key elements in the event log. ```json { "api": { "bucket": "phg-sandman", "name": "PutObject", "object": "cat-and-dog.jpg", "status": "OK", "statusCode": 200, "timeToResponse": "10531825ns" }, "auditVersion": "1.weka", "deploymentid": "079f7a1f-be3b-44c8-b36f-4484fe1ae4b2", "remotehost": "216.58.114.14", "requestHeader": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE...", "User-Agent": "aws-sdk-go/1.44.235 (go1.18.10; linux; amd64) S3Manager", "Content-Type": "image/jpeg" }, "requestID": "1773CE9A70A978BB", "responseHeader": { "Content-Length": "0", "ETag": "5d64dcd326aa93f6542e27f757ec8146", "Server": "S3" }, "time": "2025-03-21T06:37:27.915055685Z", "userAgent": "aws-sdk-go/1.44.235 (go1.18.10; linux; amd64) S3Manager", "wekaInfo": { "clusterGUID": "b28b4f9b-5d62-4c0b-97ef-6a72037930e7", "clusterName": "DAD08-B", "release": "4.4.6.11", "serverIP": "10.26.211.72", "serverName": "obj-115-07.dad08.tcp.target.net", "version": "4.4.6" } } ``` #### Key elements and descriptions * **bucket:** Identifies the S3 bucket involved in the event. * **name:** Specifies the S3 operation type (for example, `PutObject`, `GetObject`). * **object:** Name of the object on which the operation was performed. * **status / statusCode:** Indicates the result of the operation (for example, `OK`, HTTP status `200`). * **remotehost:** The IP address from which the request originated. * **Authorization:** Credentials used for API authorization. * **userAgent:** The user agent string from the requesting client, useful for identifying the client software. * **clusterName / serverIP / serverName:** Provides information about the WEKA cluster and access point. * **version:** The software version of the WEKA system handling the request. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.weka.io/additional-protocols/s3/audit-s3-apis/example-how-to-use-s3-audit-events-for-tracking-and-security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.