AuditEventLog

The AuditEventLog contains information about audit events from different Deephaven processes. A variety of Deephaven processes can write to the AuditEventLog. For example, the RemoteQueryProcessor will write to the AuditEventLog with details about events including (but not limited to):

A user attempting to access a table.
A client sending a synchronous or asynchronous query request.
A script loaded from a remote source.

The following processes write audit logs.

Process	Main Class Name
ACL Write Server	`DbAclWriteServer`
Authentication Server	`AuthenticationServer`
Data Import Server	`DataImportServer`
Local Table Data Server	`LocalTableDataServer`
Log Aggregator Service	`LogAggregatorService`
Persistent Query Controller	`PersistentQueryController`
Workers	`Main`
Legacy Workers	`RemoteQueryProcessor`
Remote Query Dispatcher (includes query and merge servers)	`RemoteQueryDispatcher`
Remote User Table Server	`RemoteUserTableServer`
Table Data Cache Proxy	`TableDataCacheProxy`
Tailer	`LogtailerMain`

Columns

Not all columns apply to all events; only those applicable for a given event will be filled in, and the rest will contain null values. For example, client hostnames and ports are only populated by events that apply to client requests.

Column Name	Column Type	Description
`Date`	String	The date on which the audit event was generated. This is the partitioning column.
`Timestamp`	DateTime	The timestamp for the event.
`ClientHost`	String	The client's host name.
`ClientPort`	int	The client's port ID.
`ServerHost`	String	The server's host name.
`ServerPort`	int	The server's port ID.
`Process`	String	The process name generating the event. This will be either the value retrieved from the `process.name` property or the main class name.
`AuthenticatedUser`	String	If available, the authenticated user for the logged event.
`EffectiveUser`	String	If available, the effective user for the logged event.
`Namespace`	String	If applicable, the namespace for the logged event.
`Table`	String	If applicable, the table name for the logged event.
`Id`	int	If applicable, the ID for the logged event.
`Event`	String	The name of the event. See Auditable events by process for information on each event type.
`Details`	String	Further details on the logged event.

Auditable events by process

Each process logs specific events by name; this section defines the names in the Event column and what each name means.

All processes writing audit events will write the following events. Some processes will write further events as described below.

INITIALIZING - the process is initializing.
RUNNING - the process is running and starting to process normally.
SHUTTING_DOWN - the process is shutting down.

ACL Write Server

Add ACL - add an ACL.
Add group strategy - add a group to a strategy.
Add input table editor - add an input table editor group.
Add member - add a member to one or more groups.
Add strategy account - add an account to a strategy.
Add user - add a new user.
Change password - change a user's password.
Delete ACL - delete an ACL.
Delete group - delete a group.
Delete group strategy - remove a group from a strategy.
Delete strategy account - delete an account from a strategy.
Delete input table editor - delete an input table editor group.
Delete user - delete a user.
Remove member - remove a member from one or more groups.
Starting server - a server starts to listen for ACL requests.
Update ACL - update an ACL.
Update input table editor - update an input table editor group.

Authentication Server

Client registration - a client registered with the authentication server.
Client termination - a client terminated.
Starting server - a server is starting to listen for authentication requests.

Persistent Query Controller

Client registration - a client registered with the Persistent Query Controller.
Client termination - a client terminated.
Send script - a Persistent Query script is being sent to a client.

Remote Query Dispatcher

Classpath additions - the classpath additions used for a worker start.
Extra JVM arguments - any extra JVM arguments being used to start a worker
Pushed classes - the classes being pushed to a starting worker.
Starting worker - a worker is being started.

Workers (Main)

Event	Description
Historical Table Access	Requesting a historical table
Live Table Access	Requesting a live table
Historical Partitioned Table Access	Requesting a historical partitioned table
Live Partitioned Table Access	Requesting a live partitioned table
Unpartitioned User Table Write	Writing an unpartitioned user table
Unpartitioned User Table Deletion	Deleting an unpartitioned user table
Partitioned User Table Schema Addition	Adding a partitioned user table schema
Partitioned User Table Schema Update	Updating a partitioned user table's schema
Partitioned User Table Partition Write	Writing a direct partition to a partitioned user table
Partitioned User Table Partition Deletion	Deleting a direct partition from a partitioned user table
Live User Table Append	Appending rows to a live partition from a partitioned user table
Live User Table Incremental Updates	Appending rows incrementally to a live partition from a partitioned user table
Live User Table Partition Deletion	Deleting a live partition from a partitioned user table
Partitioned User Table Deletion	Deleting a partitioned user table, including its schema, direct partitions, and live partitions

The "Details" column provides additional information, such as whether an operation was allowed, rejected, or completed, or the column partition value associated with an operation.

Workspaces

From WorkspaceData table updates (successful writes are not audited, as they have been written to the WorkspaceData table).

WorkspaceData Authorization Failure - an unauthorized user tried to publish a change to the WorkspaceData table.
WorkspaceData Write Failure - an unexpected error occurred writing a record to the WorkspaceData table.