Starburst (Trino) Query Audit Logs
With the Event Listener enabled, users can view audit records for queries made in Starburst against Immuta data sources on the Audit page. Immuta audits the activity of Immuta users on Immuta data sources.
Requirements
- Starburst (Trino) integration with native query audit enabled
- Starburst (Trino) tables registered as Immuta data sources
- Starburst (Trino) users registered as Immuta users: Note that the users' Starburst (Trino) usernames must be mapped to Immuta. Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Best Practices: Store Audit Records
By default, Immuta audit records expire after 60 days, so store audit records outside of Immuta to retain them long term.
Audit Message
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
These audit records are stored with the recordType: prestoQuery.
Property | Description | Example |
---|---|---|
ID | string | b0000000-1234-abcd-11111111111111 |
DateTime | integer or string. The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp. | 2504188066580 or 2017-08-31T14:01:15.607Z |
Month | integer | 1455 |
ProfileID | integer. The profile ID of the user who made the query. | 1 |
UserID | string. The user ID of the user who made the query. | jane.doe@immuta.com |
DataSourceID | integer. The ID of the data source that was queried. | 12 |
DataSourceName | string. The name of the data source that was queried. | Public Customer Data |
ProjectID | integer. The ID of the project the data source is in. | 18 |
ProjectName | string. The name of the project the data source is in. | Project 1 |
RecordType | string. The type of record captured. | Trino query audit records will always be prestoQuery. |
Success | boolean. If true, the query was successful. | true or false |
Component | string. The Immuta component that generated the record. | nativeSql |
AccessType | string. Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs. | query |
Query | string. The query that was run in the integration. | select * from immuta.public. \"case\" limit 50 |
Extra | array. Information on the query, including viewSql, direct, and maskedColumns. | See example audit record below. |
DataSourceSchemaName | string. The name of the schema that the data source that was queried came from. | |
DataSourceTableName | string. The name of the table of the data source that was queried. | case |
sqlUser | string. The Starburst (Trino) username of the user who made the query. | kris |
Example Audit Record
```json
{
  "id": "b0d49f2a-4a34-4d50-b36e-fd9b619eed32",
  "dateTime": "1617997828777",
  "month": 1455,
  "profileId": 1,
  "userId": "kris@immuta.com",
  "dataSourceId": 41,
  "dataSourceName": "Crime Data Delta",
  "projectId": 17,
  "count": 1,
  "recordType": "prestoQuery",
  "success": true,
  "component": "nativeSql",
  "accessType": "query",
  "query": "select * from immuta.public. \"case\" limit 50",
  "extra": {
    "direct": true,
    "maskedColumns": {
      "ssn": "Hashing",
      "dob": "Generalization",
      "country": "Constant"
    }
  },
  "dataSourceSchemaName": "public",
  "dataSourceTableName": "default_crime_data_delta",
  "sqlUser": "kris",
  "createdAt": "2021-04-09T19:50:28.787Z",
  "updatedAt": "2021-04-09T19:50:28.787Z"
}
```
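To retain records beyond the default expiry, the one-line JSON messages can be normalized before they are shipped to external storage. The following is an added example, not Immuta code: it keeps only prestoQuery records, converts both dateTime forms to UTC, and counts lines that cannot be parsed. The function names, the constructed sample lines, and the treatment of epoch values as milliseconds (as in the example record) are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Constructed sample input: one JSON object per line, modeled on the example record.
SAMPLE_LINES = [
    '{"dateTime": "1617997828777", "userId": "kris@immuta.com", "sqlUser": "kris", '
    '"dataSourceName": "Crime Data Delta", "recordType": "prestoQuery", "success": true, '
    '"query": "select 1", "extra": {"maskedColumns": {"ssn": "Hashing", "dob": "Generalization"}}}',
    '{"dateTime": "2017-08-31T14:01:15.607Z", "userId": "jane.doe@immuta.com", "sqlUser": "jane", '
    '"dataSourceName": "Public Customer Data", "recordType": "prestoQuery", "success": false}',
    '{"dateTime": 1617997828777, "recordType": "placeholderOtherType"}',
    '{"dateTime": "16179978',  # truncated line, e.g. after an interrupted write
]

def parse_timestamp(value):
    """Return an aware UTC datetime from an epoch or ISO-8601 dateTime value."""
    if isinstance(value, int) or (isinstance(value, str) and value.isdigit()):
        # Assumption: epoch values are milliseconds, as in the example record.
        return EPOCH + timedelta(milliseconds=int(value))
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def normalize_record(line):
    """Flatten one audit line; return None for record types other than prestoQuery."""
    rec = json.loads(line)
    if rec.get("recordType") != "prestoQuery":
        return None
    extra = rec.get("extra")  # tolerate a missing or non-object "extra"
    masked = extra.get("maskedColumns", {}) if isinstance(extra, dict) else {}
    return {"timestamp": parse_timestamp(rec["dateTime"]).isoformat(timespec="milliseconds"),
            "user": rec.get("userId"), "sql_user": rec.get("sqlUser"),
            "data_source": rec.get("dataSourceName"), "success": rec.get("success"),
            "masked_columns": sorted(masked), "query": rec.get("query")}

def export_for_retention(lines):
    """Return (normalized records, count of lines that could not be parsed)."""
    kept, rejected = [], 0
    for line in lines:
        try:
            row = normalize_record(line)
        except (json.JSONDecodeError, KeyError, ValueError):
            rejected += 1  # surface this count so dropped audit lines are noticed
            continue
        if row is not None:
            kept.append(row)
    return kept, rejected
```

A non-zero rejected count indicates audit lines that were not retained and should be investigated.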