Access Logs
Access logs track who accessed configuration items and when. This enables compliance auditing, security monitoring, and access reviews for your infrastructure.
Overview
When scraping configurations from external systems, you can also capture access logs that record:
- Who accessed a resource (external user)
- What was accessed (config item)
- When the access occurred
- How they authenticated (MFA status, properties)
Access logs are stored separately from configuration data and can be queried independently for audit purposes. They feed into Application access control views and Identity & Access reports.
Access Log Schema
| Field | Description | Scheme |
|---|---|---|
config_id* | ID of the config item that was accessed | uuid |
external_user_id* | ID of the external user who accessed the resource | uuid |
scraper_id* | ID of the scraper that captured this access log | uuid |
count | Number of aggregated access events (default: 1) |
|
created_at | Timestamp when the access occurred | timestamp |
mfa | Whether multi-factor authentication was used |
|
properties | Additional access metadata (IP address, session info, etc.) |
|
See Config Access Reference for the full field reference of all access entities.
Enabling Access Log Scraping
To scrape access logs, set full: true on your scraper configuration:
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
name: database-config
spec:
full: true
# ... scraper configuration
When full mode is enabled, the scraper expects each configuration item to potentially include an access_logs field containing access records.
Scrapers with Access Log Support
| Scraper | Use Case |
|---|---|
| SQL | Database access logs from audit tables |
| PostgreSQL | PostgreSQL connection and query logs |
| SQL Server | SQL Server audit events |
| Clickhouse | Clickhouse query logs and S3 access |
| HTTP | API access logs from external systems |
| File | Access logs from log files |
| Exec | Custom scripts that output access data |
Entra ID Audit Logs
Entra ID generates sign-in logs and directory audit logs that Mission Control scrapes as access logs. There are three approaches depending on your infrastructure and latency requirements:
| HTTP + MS Graph | Logs Scraper | Event Hub | |
|---|---|---|---|
| Latency | Minutes (polling) | Minutes | Seconds |
| Setup | Low | Medium | High |
| Permissions | AuditLog.Read.All | Azure Diagnostic Settings | Azure Diagnostic Settings + Event Hub |
| Best For | Direct API access, simplest setup | Logs already forwarded to a backend | Real-time, high volume |
All approaches require an Entra ID P1 or P2 license. Free-tier tenants do not generate sign-in logs. Logs typically have a 5–30 minute delay from the event occurring.
For longer retention (beyond 30 days), export logs via Azure Monitor Diagnostic Settings to a log backend and use the Logs scraper approach.
Example: Custom Scraper with Access Logs
The config_id and user_id fields reference UUIDs in the database, but scrapers resolve them by matching on external identifiers (names, aliases, or scraper-assigned IDs). The example below uses human-readable strings to show the scraper input format — Mission Control resolves these to UUIDs internally.
config-with-access-logs.json{
"id": "db-prod-001",
"config": {
"name": "production-database",
"engine": "postgres",
"version": "15.2"
},
"access_logs": [
{
"config_id": "db-prod-001",
"user": "user-123",
"created_at": "2025-01-08T10:30:00Z",
"mfa": true,
"properties": {
"ip_address": "192.168.1.100",
"client": "psql"
}
},
{
"config_id": "db-prod-001",
"user": "user-456",
"created_at": "2025-01-08T11:45:00Z",
"mfa": false
}
]
}
Compliance Use Cases
Access logs provide the audit trail required for compliance frameworks:
- SOC 2: Demonstrate access controls and monitoring
- HIPAA: Track access to systems containing PHI
- PCI-DSS: Monitor access to cardholder data environments
- ISO 27001: Evidence for access management controls