Note: This repository has been archived and made read-only because the examples within use Airtable's Audit Logs V1. Airtable Audit Logs V2 are available here. Specific SIEM examples may be available from the support article in the future.

This repository has a collection of sample scripts which can be used to request, retrieve, and ingest Airtable Enterprise audit logs (V1) into various third-party systems.
Note: Audit Logs are only available on the Airtable Enterprise plan.
The software made available from this repository is not supported by Formagrid Inc (Airtable) or part of the Airtable Service. It is made available on an "as is" basis and provided without express or implied warranties of any kind.
- Examples in this repository are set up to read environment variables from `.env` using the dotenv npm package
- If you're looking for functions to use to integrate with other systems, take a look at the functions in `helpers/airtable.js`, which leverage axios to call the Airtable Audit Log APIs
- All examples implement the same basic workflow:
  - Load dependencies/configurations
  - Implement an `enrichAuditLogEntries` function which reformats the audit log entries based on the specific requirements of the third-party system
  - Create a new request for audit logs for the previous day (this code is commented out by default)
  - Get a list of all audit log requests and filter out requests that are not yet available
  - Take the most recent audit log request, retrieve its files, decompress them, and log each audit log entry into the third-party system
- Uses Splunk's HTTP Event Collector (HEC) via Splunk's first-party JS SDK
  - Tested with Splunk Cloud, though HEC is available on Splunk Enterprise on-prem as well
- Uses Sumo's HTTP Collection functionality via Sumo's first-party JS SDK
  - Note that in order for Sumo to ingest logs from more than 24 hours ago with their original activity date, the collector's source needs to have timestamp parsing turned on and a timestamp format defined. When using this repository's example code, specify:
    - Timezone: `GMT-00:00`
    - Format: `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'`
    - Timestamp locator: `"_at_action_timestamp":"(.*?)",`
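The locator and format above are applied by Sumo to the raw JSON line, so a cheap pre-ingest check is to run the same regex locally and confirm the captured value has the exact `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'` shape; otherwise entries older than 24 hours silently get the ingest time instead of their activity time. The script below is an added example, not code from this repository: `serializeForSumo`, `checkSumoTimestamp`, the entry field names and the sample entry are all constructed for illustration.

```javascript
// Added example (not part of the repository): verify that a serialized audit
// log entry matches the Sumo Logic timestamp locator and format from the README.

// The locator regex exactly as given in the README's Sumo notes.
const SUMO_TIMESTAMP_LOCATOR = /"_at_action_timestamp":"(.*?)",/;

// The Sumo format string yyyy-MM-dd'T'HH:mm:ss.SSS'Z' expressed as a regex.
const SUMO_TIMESTAMP_FORMAT = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;

// Normalise any parseable date string to millisecond precision with a literal
// 'Z' (Date#toISOString always emits that shape). Returns null if unparseable.
function toSumoTimestamp(value) {
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) return null;
  return new Date(ms).toISOString();
}

// Serialize one entry for Sumo. `_at_action_timestamp` is emitted first so a
// trailing `",` always follows it (the locator needs that suffix), regardless
// of how the remaining keys are ordered. `timestampField` is hypothetical.
function serializeForSumo(entry, timestampField) {
  const ts = toSumoTimestamp(entry[timestampField]);
  if (ts === null) throw new Error(`entry has no parseable ${timestampField}`);
  return JSON.stringify({ _at_action_timestamp: ts, ...entry });
}

// Apply the locator the way Sumo does and validate the captured value.
// Returns { ok, timestamp, epochMs } or { ok: false, reason }.
function checkSumoTimestamp(line) {
  const m = SUMO_TIMESTAMP_LOCATOR.exec(line);
  if (!m) return { ok: false, reason: 'locator did not match' };
  const ts = m[1];
  if (!SUMO_TIMESTAMP_FORMAT.test(ts)) return { ok: false, reason: `format mismatch: ${ts}` };
  return { ok: true, timestamp: ts, epochMs: Date.parse(ts) };
}

// Constructed sample entry; field names are hypothetical, not Airtable's schema.
const SAMPLE_ENTRY = {
  id: 'constructed-entry-1',
  timestamp: '2023-03-01T12:34:56.789Z',
  action: 'user.login',
  actorEmail: 'someone@example.com',
};

const SAMPLE_LINE = serializeForSumo(SAMPLE_ENTRY, 'timestamp');
console.log(SAMPLE_LINE);
console.log(checkSumoTimestamp(SAMPLE_LINE));
// A timestamp without 'T', millis and 'Z' is located but rejected by the format:
console.log(checkSumoTimestamp('{"_at_action_timestamp":"2023-03-01 12:34:56","id":"x"}'));
```

Run `checkSumoTimestamp` over a handful of serialized entries before enabling the collector; a `format mismatch` result means the source's format string and the enrichment step disagree and older entries would be mis-dated on ingest.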
- Uses Azure's Data Collector API via community-provided helper functions (see credits/links inline)
- Uses `console.log` to echo the audit log entries to standard out
- Uses fs-extra to save audit log entries to a file as a JSON array of entries.
  - Note that this format (a JSON array of entries) is different from the format of the raw files returned by the Airtable API, which are JSON but newline-delimited (and spread across multiple files per audit log request)