Step 4: Call the log delivery API

This article describes how to call the log delivery API. This is the last step in the audit log delivery configuration.

To configure log delivery, you must call the log delivery API.

Required values

In your API call, specify the following values that you copied in the previous steps:

  • credentials_id: Your Databricks credential configuration ID, which represents your cross-account role credentials.

  • storage_configuration_id: Your Databricks storage configuration ID, which represents your root S3 bucket.

Also set the following fields:

  • log_type: Set to AUDIT_LOGS.

  • output_format: Set to JSON.

  • delivery_path_prefix: (Optional) Set to the path prefix. This must match the path prefix that you used in your role policy. The delivery path is <bucket-name>/<delivery-path-prefix>/workspaceId=<workspaceId>/date=<yyyy-mm-dd>/auditlogs_<internal-id>.json. If you configure audit log delivery for the entire account, account-level audit events that are not associated with any single workspace are delivered to the workspaceId=0 partition.

  • workspace_ids_filter: (Optional) To ensure delivery of account-level events, including Unity Catalog and Delta Sharing events, leave workspace_ids_filter empty. If you only want logs for select workspaces, set to an array of workspace IDs (each one is an int64). If you add specific workspace IDs in this field, you won’t receive account-level logs and or logs for workspaces created in the future.

API call example

Here is an example call to the log delivery API:

curl -X POST
  'https://accounts.cloud.databricks.com/api/2.0/accounts/<databricks-account-id>/log-delivery' \
  --header 'Authorization: Bearer $OAUTH_TOKEN'  \
  -d '{
  "log_delivery_configuration": {
    "log_type": "AUDIT_LOGS",
    "config_name": "audit log config",
    "output_format": "JSON",
    "credentials_id": "<databricks-credentials-id>",
    "storage_configuration_id": "<databricks-storage-config-id>",
    "delivery_path_prefix": "auditlogs-data",
    "workspace_ids_filter": [
        6383650456894062,
        4102272838062927
    ]
    }
}'

Example response:

{
  "log_delivery_configuration": {
      "config_id": "<config-id>",
      "config_name": "audit log config",
      "log_type": "AUDIT_LOGS",
      "output_format": "JSON",
      "account_id": "<account-id>",
      "credentials_id": "<databricks-credentials-id>",
      "storage_configuration_id": "<databricks-storage-config-id>",
      "workspace_ids_filter": [
          6383650456894062,
          4102272838062927
      ],
      "delivery_path_prefix": "auditlogs-data",
      "status": "ENABLED",
      "creation_time": 1591638409000,
      "update_time": 1593108904000,
      "log_delivery_status": {
        "status": "CREATED",
        "message": "Log Delivery Configuration is successfully created. Status will be updated after the first delivery attempt."
      }
  }
}

Note

After initial setup or other log delivery configuration changes, expect a delay of up to one hour until changes take effect. After logging delivery begins, auditable events are typically logged within 15 minutes.

Next steps

Once you’ve configured your audit log delivery, learn more about the log schema and available logs by referencing the Audit log reference.