Audit Logs

The Napter Audit Log allows you to check the connections made to your devices through the Napter on-demand remote access service.

When enabled, logs are kept for 1 year (366 days) and can be downloaded using the Soracom API or Soracom CLI to assist in auditing the connections made to your devices.

If disabled, audit logs are still available for 24 hours, allowing you to easily troubleshoot recent connection problems.


Enabling Audit Logs

To enable Audit Logs:

  1. Login to the User Console. From the Menu, open the Audit Logs screen.

    https://console.soracom.io

    Enable Napter Audit Logs

  2. Click the Subscribe button, then click the OK button to confirm.

    Enable Napter Audit Logs

Audit Logs can be disabled in a similar fashion.

Note that when Audit Logs is disabled, all prior logs will be automatically discarded. Even if you re-enable Audit Logs, previous log entries will no longer be available.


Viewing Logs

You can view Napter connection logs directly from the User Console.

  1. Login to the User Console. From the Menu, open the Audit Logs screen.

    https://console.soracom.io

    Napter Audit Logs

Log Entries

Each Napter Audit Log entry will contain the following fields:

Each on-demand remote access connection request will contain the following log entries:

The timing of the CLOSED entry may vary depending on the protocol used. For example, when accessing a device using SSH, the CLOSED entry will appear when the SSH connection is closed. When accessing a device using HTTP, the CLOSED entry will appear when the browser session has ended.


Exporting Logs

When reviewing a large number of connection logs, Napter Audit Logs can also be exported using either the Soracom API or Soracom CLI.

Soracom API

curl -X GET \
>  -H 'X-Soracom-API-Key: <my-api-key>' \
>  -H 'X-Soracom-Token: <my-token>' \
>  -H 'Accept: application/json' \
>  https://g.api.soracom.io/v1/audit_logs/napter

The API will return a JSON object containing Napter Audit Log entries, ordered from newest to oldest:

[
  {
    "operatorId": "OP0012345678",
    "imsi": "295000012345678",
    "connectionId": "abcdef00-0000-0000-0000-000012345678",
    "type": "ACCESS",
    "direction": {
      "destinationIPAddress": "10.1.2.3",
      "destinationPort": 22,
      "sourceIPAddress": "123.45.67.89",
      "sourcePort": 12345
    },
    "createdAt": 1570583864913,
    "tls": false
  }
]

You can also specify query parameters to limit the results of the export:

  • resource_id - The IMSI of the Air for Cellular subscriber
  • from and to - Unix timestamps (milliseconds) to define the log range
  • limit - Limit the number of records to be returned

For more information, refer to the getNapterAuditLogs API documentation.

Soracom CLI

Run the following command:

soracom audit-logs napter get --coverage-type g

The CLI will return a response similar to the above API example.

Similarly, the following flags are available for limiting the results:

  • --resource-id - The IMSI of the Air for Cellular subscriber
  • --from and --to - Unix timestamps (milliseconds) to define the log range
  • --limit - Limit the number of records to be returned

Log Access Quota

Each Soracom account is allowed a monthly quota of 3GB for accessing Audit Logs data. This includes viewing log entries from the Audit Logs screen on the User Console, as well as exporting logs via the Soracom API and Soracom CLI.

If you exceed the 3GB allowance within one month, each subsequent 1GB will be charged an additional fee. Please refer to the Fee Schedule for further information.

Soracom provides an Soracom API endpoint as well as a Soracom CLI command that allows you to check your current Audit Logs access usage:

curl -X GET \
>  -H 'X-Soracom-API-Key: <my-api-key>' \
>  -H 'X-Soracom-Token: <my-token>' \
>  -H 'Accept: application/json' \
>  https://g.api.soracom.io/v1/stats/napter/audit_logs
soracom stats napter audit_logs --coverage-type g

In either case, the API or CLI will return the total number of bytes used so far.