Smallstep Activity Audit Log

The Smallstep platform has auditing capabilities for most activities, and this is continually expanded as new features and functionality are added. Smallstep provides an ingestion mechanism for these types of events using Google Cloud Pub/Sub, allowing customers to implement push or pull subscriptions as desired. This page documents the overall structure of these events and details specific event types and their payloads. Event payloads are subject to change without prior notice.

Message Format

Events on the Pub/Sub topic are wrapped in a envelope containing details around the message itself. The envelope format on the audit events topic is shown below:

{
  "message": {
    "data": "base64-encoded-event",
    "messageId": "1234567890",
    "publishTime": "2023-01-01T00:00:00Z"
  },
  "subscription": "projects/PROJECT_ID/subscriptions/SUBSCRIPTION_NAME"
}

Upon decoding the event data, you’ll see the message content:

{
  "insertId": "...",
  "jsonPayload": {
    // event payload
  },
  "resource": {
    "type": "k8s_container",
    "labels": {
      "container_name": "gateway",
      "namespace_name": "production",
      ...
    }
  },
  "timestamp": "2023-01-01T00:00:00.000Z",
  "severity": "INFO"
}

The different kinds of event payloads are documented in sections below.

gateway Events

gateway events are actions that originate from interactions in the Smallstep dashboard. They minimally contain the following details:

actor-email - The email address of the logged in user that initiated the action
actor-team-id - The internal team identifier of the logged in user that initiated the action
actor-uid - The internal user identifier of the logged in user that initiated the action
LEVEL - The log level, which will always be INFO
msg - A human-readable, internal name identifying the action taken

In addition to those fields, the event payload may also contain a request key that details data provided when the action was initiated. This data will be a mix of user-provided data and implicit data from the context in which the action was taken.

Example:

{
  actor-email: "[email protected]"
  actor-team-id: "b021dcf8-42ef-43c8-9d30-3db6edb53706"
  actor-uid: "75e771a6-66a2-4c43-8836-dcac31cf3b4b"
  level: "INFO"
  logger: "audit"
  msg: "CreateDevice"
  request: {
    device_collection_slug: "default"
    id: "bef9b412-bfbe-4847-9a46-882d8216c6ad"
    json: "{"name":"Device E2e 757b6096 Computer","smallstep:identity":"[email protected]","smallstep:host:id":"a47af355-9df2-473b-9e7b-c81d0b0b311f","runtime":{"client_ip":"10.0.0.1","agent_version":"1.0.0","os":"linux","arch":"amd64","system_info":{"hostname":"localhost","ips":["1.2.3.5","1.2.3.6"],"mac_addresses":["mac-address-1"],"secure_boot":true},"os_info":{"name":"Fedora","major":38}}}"
    source: 1
    source_id: "urn:smallstep:user:b2d22dd1-d454-4a02-ba27-0f593b9d9f36/[email protected]"
    team_id: "b021dcf8-42ef-43c8-9d30-3db6edb53706"
}

moody Events

moody events are actions that happen in critical business logic of the Smallstep platform. They communicate things like authentication attempts, device enrollment, and inventory automation. These events minimally contain: