Soracom Napter
Audit Logs
Audit Log Updates
CREATED,DELETED, andEXPIREDevents added.
The Napter Audit Log allows you to check the connections made to your devices through the Napter on-demand remote access service.
By default, Napter Audit Logs are disabled; however, events will still be recorded and retained for 24 hours
When enabled, logs are kept for 1 year (366 days) and can be downloaded using the Soracom API or Soracom CLI to assist in auditing the connections made to your devices.
Napter Audit Logs record connections made to your devices through the Napter on-demand remote access service. It is separate from the Soracom Audit Logs feature, which records calls to the Soracom API made from your account.
Enabling Audit Logs
To enable Audit Logs:
-
Login to the User Console. From the Menu, open the Napter Audit Logs screen.
-
Click the Subscribe button, then click the OK button to confirm.
Audit Logs can be disabled in a similar fashion.
Note that when Audit Logs is disabled, all prior logs will be automatically discarded. Even if you re-enable Audit Logs, previous log entries will no longer be available.
Viewing Logs
You can view Napter connection logs directly from the User Console.
-
Login to the User Console. From the Menu, open the Audit Logs screen.
Log Entries
Each Napter Audit Log entry will contain the following fields:
- Source IP and Port - The IP address and port of the remote device (such as a PC) initiating the remote connection
- Destination IP and Port - The IP address and port of the Soracom Air for Cellular device
- Timestamp - The date and time of the connection
- Audit Type - One of the following values describing the log entry:
CREATED- An on-demand remote access connection is createdACCESS- An on-demand remote access connection is initiated and received by NapterCONNECTED- Napter determined that the connection is allowed, and has established the connection to the deviceDENIED- Napter determined that the connection is not allowed, and has forcefully rejected the connectionREFUSED- Napter detected a large number of connection requests within a short period, and has rejected the connectionCLOSED- The on-demand remote access connection is closedDELETED- The on-demand remote access connection is deletedEXPIRED- The on-demand remote access connection has expired
Each on-demand remote access connection will contain the following log entries:
- A
CREATEDentry, when the connection is created (for example, via the User Console) - An
EXPIREDentry, once the connection has expired, or aDELETEDentry, if the connection is deleted manually
In addition, each connection request will contain the following log entries:
- An
ACCESSentry - One of
CONNECTED,DENIED, orREFUSED, depending on the connection status - A
CLOSEDentry
The timing of the CLOSED entry may vary depending on the protocol used. For example, when accessing a device using SSH, the CLOSED entry will appear when the SSH connection is closed. When accessing a device using HTTP, the CLOSED entry will appear when the browser session has ended.
Exporting Logs
When reviewing a large number of connection logs, Napter Audit Logs can also be exported using either the Soracom API or Soracom CLI.
Soracom API
curl -X GET \
> -H 'X-Soracom-API-Key: <my-api-key>' \
> -H 'X-Soracom-Token: <my-token>' \
> -H 'Accept: application/json' \
> https://g.api.soracom.io/v1/audit_logs/napterThe API will return a JSON object containing Napter Audit Log entries, ordered from newest to oldest:
[
{
"operatorId": "OP0012345678",
"imsi": "295000012345678",
"connectionId": "abcdef00-0000-0000-0000-000012345678",
"type": "ACCESS",
"direction": {
"destinationIPAddress": "10.1.2.3",
"destinationPort": 22,
"sourceIPAddress": "123.45.67.89",
"sourcePort": 12345
},
"createdAt": 1570583864913,
"tls": false
}
]You can also specify query parameters to limit the results of the export:
- resource_id - The IMSI of the Air for Cellular subscriber
- from and to - Unix timestamps (milliseconds) to define the log range
- limit - Limit the number of records to be returned
For more information, refer to the getNapterAuditLogs API documentation.
Soracom CLI
Run the following command:
The CLI will return a response similar to the above API example.
Similarly, the following flags are available for limiting the results:
--resource-id- The IMSI of the Air for Cellular subscriber--fromand--to- Unix timestamps (milliseconds) to define the log range--limit- Limit the number of records to be returned
Log Access Quota
Each Soracom account is allowed a monthly quota of 3GB for accessing Audit Logs data. This includes viewing log entries from the Audit Logs screen on the User Console, as well as exporting logs via the Soracom API and Soracom CLI.
If you exceed the 3GB allowance within one month, each subsequent 1GB will be charged an additional fee. Please refer to the Pricing & Fee Schedule for further information.
Soracom provides an Soracom API endpoint as well as a Soracom CLI command that allows you to check your current Audit Logs access usage:
curl -X GET \
> -H 'X-Soracom-API-Key: <my-api-key>' \
> -H 'X-Soracom-Token: <my-token>' \
> -H 'Accept: application/json' \
> https://g.api.soracom.io/v1/stats/napter/audit_logsIn either case, the API or CLI will return the total number of bytes used so far.