Audit Logging
Monitor all data access, pipeline runs, and admin actions with NATIS audit logs.
NATIS captures a comprehensive audit log of all user activities and system events. Audit logs are written to a dedicated Delta Lake table in your governance catalog and are available for querying, dashboarding, and export to SIEM systems.
Audit Log Schema
- event_time — UTC timestamp of the event
- user_email — Identity of the user who performed the action
- service_name — NATIS service: SQL, Clusters, Pipelines, ModelServing, Admin
- action_name — Specific action: runQuery, createTable, grantPrivilege, loginSuccess, etc.
- request_params — JSON map of action parameters (e.g., query text, table name, cluster size)
- response_status — SUCCESS, FAILURE, or PERMISSION_DENIED
- source_ip_address — Client IP address
- workspace_id — NATIS workspace identifier
Querying Audit Logs
Export audit logs to your SIEM (e.g., Splunk, Microsoft Sentinel) using the NATIS Log Export connector under Admin → Integrations → Audit Export. Supports real-time streaming via Kafka or hourly batch export to S3/Blob Storage.
-- Find all SQL queries by a specific user in the last 7 days
SELECT
  event_time,
  user_email,
  request_params:commandText::STRING AS query_text,
  response_status
FROM governance.audit.system_logs
WHERE
  service_name = 'SQL'
  AND action_name = 'runCommand'
  AND user_email = 'analyst@company.com'
  AND event_time >= CURRENT_TIMESTAMP - INTERVAL 7 DAYS
ORDER BY event_time DESC;

-- Find all failed permission checks
SELECT
  event_time,
  user_email,
  service_name,
  action_name,
  request_params
FROM governance.audit.system_logs
WHERE response_status = 'PERMISSION_DENIED'
  AND event_time >= CURRENT_DATE - 1
ORDER BY event_time DESC;
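The query below is an added example, not part of the NATIS documentation. It turns the failed-permission listing into a triage view: hourly bursts of PERMISSION_DENIED per user and client IP, with a count of later successful grantPrivilege actions by the same user. It uses only the table and columns shown above; the threshold of 10, the 1-day window, and the assumption that the dialect supports DATE_TRUNC and common table expressions are illustrative.

```sql
-- Added example: PERMISSION_DENIED bursts per user and source IP (last day),
-- correlated with successful grantPrivilege actions that follow the burst.
-- Assumed values: threshold of 10 denials per hour, 1-day lookback.
WITH denied AS (
  SELECT
    user_email,
    source_ip_address,
    DATE_TRUNC('HOUR', event_time) AS hour_bucket,
    COUNT(*)                       AS denied_events,
    COUNT(DISTINCT service_name)   AS services_touched,
    COUNT(DISTINCT action_name)    AS distinct_actions,
    MIN(event_time)                AS first_denied,
    MAX(event_time)                AS last_denied
  FROM governance.audit.system_logs
  WHERE response_status = 'PERMISSION_DENIED'
    AND event_time >= CURRENT_TIMESTAMP - INTERVAL 1 DAY
  GROUP BY user_email, source_ip_address, DATE_TRUNC('HOUR', event_time)
  HAVING COUNT(*) >= 10            -- tune to your workspace's baseline
),
grants AS (
  SELECT user_email, event_time AS grant_time
  FROM governance.audit.system_logs
  WHERE action_name = 'grantPrivilege'
    AND response_status = 'SUCCESS'
    AND event_time >= CURRENT_TIMESTAMP - INTERVAL 1 DAY
)
SELECT
  d.user_email,
  d.source_ip_address,
  d.hour_bucket,
  d.denied_events,
  d.services_touched,
  d.distinct_actions,
  d.first_denied,
  d.last_denied,
  COUNT(g.grant_time) AS grants_after_burst  -- 0 when no grant followed
FROM denied d
LEFT JOIN grants g
  ON g.user_email = d.user_email
 AND g.grant_time > d.last_denied
GROUP BY
  d.user_email, d.source_ip_address, d.hour_bucket, d.denied_events,
  d.services_touched, d.distinct_actions, d.first_denied, d.last_denied
ORDER BY grants_after_burst DESC, d.denied_events DESC;
```

Rows with a high services_touched count or a non-zero grants_after_burst are the ones to review first; pull the matching request_params for those users with the failed-permission query above.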