Custom Audit Logs let customers supplement ALTR's out-of-the-box audit logging with events that ALTR's Snowflake Integration does not capture natively. Customers with bespoke requirements can use this feature to log actions such as user logins, grant statements, and warehouse creation. Custom Audit Logs share the same standardized format as ALTR's other logs and are delivered to customer-owned Amazon S3 buckets for analysis or ingestion into tools such as a SIEM.
Custom audit logs are triggered by sending event information from a User-Defined Function (UDF) to ALTR’s Snowflake External Function. These functions are created automatically for newly-connected Snowflake accounts. If your Snowflake account was connected to ALTR prior to January 2024, please contact firstname.lastname@example.org for instructions to configure custom audit logs.
Events can be submitted to ALTR manually through SnowSQL or automatically through processes such as Snowflake tasks. Submitting events involves calling the user-defined function with a batch of records. ALTR requires certain information for each event, including:
Optionally, customers can send an event time, expressed as milliseconds since the Unix epoch. If no event time is specified, ALTR uses the time the event was submitted.
Each custom audit submission is limited to 256 KB. If you have more than 256 KB of data to send, split it across multiple smaller submissions.
Custom Audit Logs are accessible via ALTR’s Amazon S3 Log Export. To enable exporting of custom audit logs to an S3 bucket, contact ALTR Support.
ALTR indexes events in S3 by event time. This is the customer-supplied time when one is provided and it is no more than 3 days in the past; if no customer-supplied time is provided, or it is more than 3 days in the past, events are indexed by the time they were submitted to ALTR. Backfilled events older than 3 days will therefore appear under their submission time, not their original event time.
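The following Python is an added example, not ALTR's code, showing how the submission rules above fit together on the client side: converting event times to milliseconds since the Unix epoch, splitting a set of events into submissions that stay under the 256 KB limit, and predicting which timestamp ALTR will index on given the 3-day rule. The record keys, the `submit` callback, and the sample login-history rows are assumptions for illustration; the UDF name, its signature, and the fields ALTR actually requires come from your ALTR-connected Snowflake account and are not shown here.

```python
"""Prepare custom-audit events for ALTR: epoch-millisecond event times,
batching under the 256 KB per-submission limit, and the 3-day indexing rule.
Added example; record keys and the submit() callback are assumptions,
not ALTR's documented schema or UDF signature."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Iterator, Optional

MAX_SUBMISSION_BYTES = 256 * 1024            # per-submission limit stated on the page
STALE_WINDOW_MS = 3 * 24 * 60 * 60 * 1000    # customer times older than this are not used for indexing


def to_epoch_ms(ts: datetime) -> int:
    """ALTR's optional event time is milliseconds since the Unix epoch."""
    if ts.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; naive ones are ambiguous")
    return int(ts.timestamp() * 1000)


def index_time_ms(event_time_ms: Optional[int], submitted_at: datetime) -> int:
    """Predict the timestamp ALTR will index on in S3: the customer-supplied
    time if present and at most 3 days old, otherwise the submission time."""
    submitted_ms = to_epoch_ms(submitted_at)
    if event_time_ms is None or submitted_ms - event_time_ms > STALE_WINDOW_MS:
        return submitted_ms
    return event_time_ms


def login_rows_to_events(rows: Iterable[dict]) -> list[dict]:
    """Map rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY to audit records.
    Output keys are illustrative (assumption); use the fields ALTR requires."""
    events = []
    for r in rows:
        events.append({
            "event_type": "LOGIN",
            "user": r["USER_NAME"],
            "client_ip": r["CLIENT_IP"],
            "outcome": "SUCCESS" if r["IS_SUCCESS"] == "YES" else "FAILURE",
            "detail": r.get("ERROR_MESSAGE") or "",
            "event_time": to_epoch_ms(r["EVENT_TIMESTAMP"]),
        })
    return events


def encoded_size(batch: list[dict]) -> int:
    """Byte length of a batch as a compact JSON array, the size the limit is applied to here."""
    return len(json.dumps(batch, separators=(",", ":")).encode("utf-8"))


def batch_events(events: Iterable[dict], limit: int = MAX_SUBMISSION_BYTES) -> Iterator[list[dict]]:
    """Yield lists of events whose compact JSON array encoding stays within limit."""
    batch: list[dict] = []
    size = 2                                   # the enclosing "[" and "]"
    for ev in events:
        enc = len(json.dumps(ev, separators=(",", ":")).encode("utf-8"))
        if enc + 2 > limit:
            raise ValueError(f"single event of {enc} bytes cannot fit in a {limit}-byte submission")
        extra = enc + (1 if batch else 0)      # comma between array elements
        if size + extra > limit:
            yield batch                        # flush the full batch and start a new one
            batch, size, extra = [], 2, enc
        batch.append(ev)
        size += extra
    if batch:
        yield batch


def submit_in_batches(events: Iterable[dict], submit: Callable[[str], None],
                      limit: int = MAX_SUBMISSION_BYTES) -> int:
    """Serialise each batch and hand it to submit(); returns the number of submissions.
    In practice submit() would invoke the ALTR-created UDF (for example through the
    Snowflake connector); here it is a caller-supplied callback (assumption)."""
    count = 0
    for batch in batch_events(events, limit):
        submit(json.dumps(batch, separators=(",", ":")))
        count += 1
    return count


# Constructed sample rows in LOGIN_HISTORY shape; not real login history.
SAMPLE_ROWS = [
    {"EVENT_TIMESTAMP": datetime(2024, 6, 1, 11, 5, tzinfo=timezone.utc),
     "USER_NAME": "ANALYST1", "CLIENT_IP": "203.0.113.10",
     "IS_SUCCESS": "YES", "ERROR_MESSAGE": None},
    {"EVENT_TIMESTAMP": datetime(2024, 6, 1, 11, 7, tzinfo=timezone.utc),
     "USER_NAME": "ANALYST1", "CLIENT_IP": "198.51.100.7",
     "IS_SUCCESS": "NO", "ERROR_MESSAGE": "INCORRECT_USERNAME_PASSWORD"},
]

if __name__ == "__main__":
    sent: list[str] = []
    n = submit_in_batches(login_rows_to_events(SAMPLE_ROWS), sent.append)
    print(f"{n} submission(s); first payload starts: {sent[0][:80]}")
```

The batching measures the compact JSON encoding of the whole array rather than counting records, because the limit is on submission size and records such as failed-login error messages vary in length. `index_time_ms` is useful when backfilling: anything older than 3 days will be indexed under its submission time, so an S3 search by original event time will not find it.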
Below is example SnowSQL for a Snowflake Task that records events from Snowflake’s Login History every hour. See Snowflake’s documentation for more information on using tasks.
The Schema and Function name should be replaced with the schema and function automatically created by ALTR in your Snowflake account. They can be found using the queries below.