What archiving looks like

An audit event is eligible to be archived once it is complete, including all result data for the associated activity. The audit service will allow up to one hour for missing result data to become available for an event before archiving it. After that timeout period, however, the incomplete event will become eligible for archiving.

Audit events are not saved in individual files. Instead, groups of audit events from a continuous time span are saved into a single file, with one JSON object / audit event per line. The file is compressed using gzip for efficiency. The Control Plane does not encrypt the files. If you would like the files encrypted, you will need to configure your cloud storage service to perform it.

Files are organized in cloud storage based on the dates of their timestamps, as follows:

/cdp/cp
  ∟ yyyy (four-digit year)
    ∟ MM (two-digit month)
      ∟ dd (two-digit day of month)

Audit events are not saved to cloud storage immediately after they are generated, to enable efficiency of storage and to alleviate performance concerns for the audit service. On an hourly basis, the audit service batches up audit events that are eligible for archiving and writes them to cloud storage.

An audit event is eligible to be archived once it is complete, including all result data for the associated activity. The audit service will allow up to one hour for missing result data to become available for an event before archiving it. After that timeout period, however, the incomplete event will become eligible for archiving.

The Control Plane (audit service) periodically saves audit events to your cloud storage facility, for example, an S3 bucket. Cloud storage is intended to be the primary location for storage, retrieval, and analysis of audit events in the long term.