{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-products/wallet/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Audit Logging via Firehose","description":"User guides, API reference, and support resources.","siteUrl":"https://docs.ripple.com/products/custody","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"audit-logging-via-firehose","__idx":0},"children":["Audit Logging via Firehose"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Audit logs and access logs are critical tools for enterprises, providing visibility into system activities, enhancing security, ensuring compliance, and supporting operational efficiency. They are useful for:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Security and Threat Detection"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Compliance and Legal Protection"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Operational Efficiency and Troubleshooting"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Accountability and Fraud Prevention"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Forensic Analysis and Incident Response"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Wallet-as-a-Service (Palisade) keeps track of audit logs, allowing you to configure an endpoint where to receive a copy."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"how-it-works","__idx":1},"children":["How it works"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Customer configures an IAM role and a firehose endpoint in Organization settings. During the upload, the following environment specific IAM roles assume the customer configured IAM roles in order to perform PutRecordBatch on the configured firehose endpoint."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/audit_log_firehouse1.afb45b355e5cc57fdf6d4db2067a4520ef714f560b88f37e50a9a6e758c4008a.3d0a9b10.png","alt":"Audit logging via firehouse"},"children":[]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once configured, Wallet-as-a-Service (Palisade) will buffer and upload logs in batch every 15 seconds."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"iam-role","__idx":2},"children":["IAM Role"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The IAM role that grants access to Wallet-as-a-Service (Palisade) to upload logs to AWS Firehose must have following policies:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AllowFirehosePutRecordBatch\",\n            \"Effect\": \"Allow\",\n            \"Action\": \"firehose:PutRecordBatch\",\n            \"Resource\": \"arn:aws:firehose:REGION:ACCOUNT_ID:deliverystream/STREAM_NAME\"\n        },\n        {\n            \"Sid\": \"AllowStsGetCallerIdentity\",\n            \"Effect\": \"Allow\",\n            \"Action\": \"sts:GetCallerIdentity\",\n            \"Resource\": \"*\"\n        }\n    ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Additionally, in order to allow Wallet-as-a-Service (Palisade) to assume this role, it must have the following IAM trust relationship:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AllowPalisadeAssumeRole\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"AWS\": \"arn:aws:iam::PALISADE_ACCOUNT_ID:PALISADE_IAM_RESOURCE_NAME\"\n            },\n            \"Action\": \"sts:AssumeRole\"\n        }\n    ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Please contact Wallet-as-a-Service (Palisade) support to get your respective ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PALISADE_ACCOUNT_ID"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PALISADE_IAM_RESOURCE_NAME"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"log-structure","__idx":3},"children":["Log structure"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Example log object received by AWS Firehose:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"id\": 21119,\n  \"orgId\": \"dac59f97-5984-4298-bebd-92c94b6184b4\",\n  \"type\": 1,\n  \"userId\": \"c1e08d96-07a3-4561-846f-dd5a5c274e29\",\n  \"deviceId\": null,\n  \"requestId\": \"2aa53531-2124-4501-b9bb-2ed8208ff0e8\",\n  \"jsonData\": \"eyJ1cmwiOiAiL3YyL2JhbGFuY2VzIiwgIm1ldGhvZCI6ICJHRVQiLCAiaGVhZGVycyI6IHsiQWNjZXB0IjogImFwcGxpY2F0aW9uL2pzb24sIHRleHQvcGxhaW4sICovKiIsICJPcmlnaW4iOiAiaHR0cHM6Ly9hcHAuZGV2ZWxvcG1lbnQucGFsaXNhZGUuY28iLCAiUmVmZXJlciI6ICJodHRwczovL2FwcC5kZXZlbG9wbWVudC5wYWxpc2FkZS5jby8iLCAiUHJpb3JpdHkiOiAidT0xLCBpIiwgIlNlYy1DaC1VYSI6ICJcIkNocm9taXVtXCI7dj1cIjEzNlwiLCBcIkdvb2dsZSBDaHJvbWVcIjt2PVwiMTM2XCIsIFwiTm90LkEvQnJhbmRcIjt2PVwiOTlcIiIsICJVc2VyLUFnZW50IjogIk1vemlsbGEvNS4wIChNYWNpbnRvc2g7IEludGVsIE1hYyBPUyBYIDEwXzE1XzcpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzYuMC4wLjAgU2FmYXJpLzUzNy4zNiIsICJYLVJlcXVlc3QtSWQiOiAiMmFhNTM1MzEtMjEyNC00NTAxLWI5YmItMmVkODIwOGZmMGU4IiwgIlNlYy1GZXRjaC1EZXN0IjogImVtcHR5IiwgIlNlYy1GZXRjaC1Nb2RlIjogImNvcnMiLCAiU2VjLUZldGNoLVNpdGUiOiAic2FtZS1zaXRlIiwgIkFjY2VwdC1FbmNvZGluZyI6ICJnemlwLCBkZWZsYXRlLCBiciwgenN0ZCIsICJBY2NlcHQtTGFuZ3VhZ2UiOiAiZW4tR0IsZW4tVVM7cT0wLjksZW47cT0wLjgiLCAiWC1BbXpuLVRyYWNlLUlkIjogIlJvb3Q9MS02ODMwOWI0Yy0zYTcyZWZjNDI0NGQ2ZDEzNjQ5OThmY2IiLCAiWC1Gb3J3YXJkZWQtRm9yIjogIjgwLjEuMjUzLjI0NSwxMC4wLjYuNDMiLCAiU2VjLUNoLVVhLU1vYmlsZSI6ICI/MCIsICJYLUZvcndhcmRlZC1Qb3J0IjogIjQ0MyIsICJYLUZvcndhcmRlZC1Qcm90byI6ICJodHRwcyIsICJBdXRob3JpemF0aW9uLUhhc2giOiAiNTE5ZGY0ZjdhYmUxODlkOWY3ODkxYzIyZDEyMGQ2NTQiLCAiU2VjLUNoLVVhLVBsYXRmb3JtIjogIlwibWFjT1NcIiIsICJYLUVudm95LUF0dGVtcHQtQ291bnQiOiAiMSIsICJYLUZvcndhcmRlZC1DbGllbnQtQ2VydCI6ICJCeT1zcGlmZmU6Ly9jbHVzdGVyLmxvY2FsL25zL2dhdGV3YXkvc2EvYXBpLWdhdGV3YXk7SGFzaD05NDUwNjdiYjMzNWMwZjEwOTYyZjNmYmFkZWJhOGQ4ZTE3ZGM1YWQ4MmI2ZWExYWZjZTAzNDdiZGU5N2ZmOTYwO1N1YmplY3Q9XCJcIjtVUkk9c3BpZmZlOi8vY2x1c3Rlci5sb2NhbC9ucy9pc3Rpby1zeXN0ZW0vc2EvaXN0aW8taW5ncmVzc2dhdGV3YXkiLCAiWC1FbnZveS1FeHRlcm5hbC1BZGRyZXNzIjogIjEwLjAuNi40MyJ9LCAicmVxdWVzdCI6IHsiYm9keSI6ICIifSwgInJlc3BvbnNlIjogeyJib2R5TGVuZ3RoIjogNjIsICJzdGF0dXNDb2RlIjogMjAwfSwgImR1cmF0aW9uTXMiOiAzLCAicmVtb3RlQWRkciI6ICI4MC4xLjI1My4yNDUifQ==\",\n  \"source\": \"api-gateway\",\n  \"receivedAt\": \"2025-05-23T15:59:08.764753Z\",\n  \"createdAt\": \"2025-05-23T15:59:08.757472Z\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The orgId attribute is guaranteed to be non-nil and correspond to the customer's organization ID. The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["userId"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["deviceId"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["requestId"]}," may provide further information regarding the initiator of the request but they are not guaranteed to be present."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The property ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["jsonData"]}," has the following internal JSON structure when base64 decoded:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"url\": \"/v2/users/info\",\n  \"method\": \"GET\",\n  \"headers\": {\n    \"Accept\": \"application/json, text/plain, */*\",\n    \"Origin\": \"https://app.palisade.co\",\n    \"Referer\": \"https://app.palisade.co/\",\n    \"Priority\": \"u=1, i\",\n    \"Sec-Ch-Ua\": \"\\\"Chromium\\\";v=\\\"136\\\", \\\"Google Chrome\\\";v=\\\"136\\\", \\\"Not.A/Brand\\\";v=\\\"99\\\"\",\n    \"User-Agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\",\n    \"X-Request-Id\": \"e630143f-1df1-4116-966d-b1819d62683f\",\n    \"Sec-Fetch-Dest\": \"empty\",\n    \"Sec-Fetch-Mode\": \"cors\",\n    \"Sec-Fetch-Site\": \"same-site\",\n    \"Accept-Encoding\": \"gzip, deflate, br, zstd\",\n    \"Accept-Language\": \"en-GB,en-US;q=0.9,en;q=0.8\",\n    \"X-Amzn-Trace-Id\": \"Root=1-6835a5e2-5291d44c2c702d3165875983\",\n    \"X-Forwarded-For\": \"80.1.253.245,10.0.6.43\",\n    \"Sec-Ch-Ua-Mobile\": \"?0\",\n    \"X-Forwarded-Port\": \"443\",\n    \"X-Forwarded-Proto\": \"https\",\n    \"Authorization-Hash\": \"37f53fd9408cf4920708dbc5731acace\",\n    \"Sec-Ch-Ua-Platform\": \"\\\"macOS\\\"\",\n    \"X-Envoy-Attempt-Count\": \"1\",\n    \"X-Forwarded-Client-Cert\": \"By=spiffe://cluster.local/ns/gateway/sa/api-gateway;Hash=4a74148afabd7bc011d206439ef2a2acdb2f4db3fce0a17097b4d65b1982b70a;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway\",\n    \"X-Envoy-External-Address\": \"10.0.6.43\"\n  },\n  \"request\": {\n    \"body\": \"\"\n  },\n  \"response\": {\n    \"bodyLength\": 199,\n    \"statusCode\": 200\n  },\n  \"durationMs\": 5,\n  \"remoteAddr\": \"80.1.253.245\"\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"limitations","__idx":4},"children":["Limitations"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Support for AWS Firehose only"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Logs are buffered for 15 seconds before sending to firehose"]}]}]},"headings":[{"value":"Audit Logging via Firehose","id":"audit-logging-via-firehose","depth":1},{"value":"How it works","id":"how-it-works","depth":2},{"value":"IAM Role","id":"iam-role","depth":2},{"value":"Log structure","id":"log-structure","depth":2},{"value":"Limitations","id":"limitations","depth":2}],"frontmatter":{"title":"Audit Logging via Firehose","seo":{"title":"Audit Logging via Firehose"}},"lastModified":"2026-01-29T14:21:25.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/wallet/changelogs/audit-logging-via-firehose","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}