> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-lee-google-cloud-project-mcp-setup.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# C1 system logs

> Access C1 system log via API or export log data for storage or usage in SIEM.

## What's included in C1 system logs?

System logs include a record of actions taken by the C1 API. The C1 API is used for all app-level actions and captures both end-user and administrative activities.

C1 system logs are stored in OCSF (Open Cybersecurity Schema Framework), a leading open-source data format developed by AWS, IBM, and Splunk. Learn more about OCSF by viewing the [OCSF schema documentation](https://schema.ocsf.io).

## How do I get access to the system logs?

System logs are stored internally in C1 and can be [accessed via API](/conductorone-api/api) or exported to an [external data source](/product/admin/external-datasources) such as an S3 bucket or Azure Blob container.

## Where can I see a list of all the API events included in the system logs?

You can download our authoritative list of API events, which is presented in Sigma Detection Format.

* **YAML format**: Go to `<YOUR C1 TENANT URL>/api/v1/ocsf-events.yaml`

* **JSON format**: Go to `<YOUR C1 TENANT URL>/api/v1/ocsf-events.json`

## Sync C1 system logs into your SIEM

Follow this process to import C1 logs into your security information and event management (SIEM) platform.

<Warning>
  This task requires the **Super Administrator** role in C1.
</Warning>

### Step 1: Create an external data source

If you haven't already done so, [create an external data source](/product/admin/external-datasources) to sync the system logs to.

<Tip>
  **Reusing an existing external data source?**

  If you're reusing an existing data source that you've already created and integrated with C1, ensure that it was created with the ability to accept writes. For example, for S3 buckets, the policy will require the `"s3:PutObject"` permission.
</Tip>

### Step 2: Create a system log exporter

<Steps>
  <Step>
    Navigate to **Settings** > **System log** and click **Add exporter**.
  </Step>

  <Step>
    Set up the new exporter:

    * Give the exporter a name, such as "System log to S3".
    * Select the **Datasource** you created in Step 1.
    * **Optional.** Input an file prefix.
    * Select your output format and compression algorithm.
  </Step>

  <Step>
    Click **Save**.
  </Step>
</Steps>

Your system log exporter will now run every four to five minutes. You'll see a **Waiting** status indicator between runs, and an **Error** status indicator if anything's amiss.

A new log file is generated for each run, each containing up to 2.5mb of uncompressed data. In a full day of activity, you should expect roughly 280 files to be exported to your external data source.

### Step 3: Connect your SIEM

This step will vary depending on the SIEM that you are using. In general terms, however, you will want to add the datasource to your SIEM.

A partial list of SIEM directions:

* [Import S3 buckets into Panther](https://docs.panther.com/data-onboarding/data-transports/aws/s3)
* [Import S3 buckets into Splunk](https://splunkbase.splunk.com/app/1876)
* [Import S3 buckets into CrowdStrike Falcon Next-Gen SIEM](https://marketplace.crowdstrike.com/listings/amazon-s3-data-connector)

#### Using C1 logs with CrowdStrike Falcon Next-Gen SIEM

<Note>
  Ingesting an S3 bucket via the Amazon S3 Data Connector requires a **Falcon Next-Gen SIEM** subscription. Without it, the connector appears in the CrowdStrike Store but can't be configured.
</Note>

Because C1 system logs are OCSF, they map cleanly to CrowdStrike's data model. When you set up the [Amazon S3 Data Connector](https://marketplace.crowdstrike.com/listings/amazon-s3-data-connector) to ingest your external data source, select an **OCSF parser** so events normalize to the CrowdStrike Parsing Standard (CPS) rather than authoring your own. CrowdStrike's [Amazon Security Lake Data Connector](https://marketplace.crowdstrike.com/listings/amazon-security-lake-data-connector/) includes an OCSF-to-CPS parser you can reference, and Next-Gen SIEM can also generate a parser for you.

The connector listing covers the AWS resources you'll create (an SQS queue for object-created notifications and an IAM role CrowdStrike assumes) and the current console steps. Once ingested, C1 access events are searchable and alertable alongside the rest of your Falcon telemetry.

## Reading system log files

C1 system logs use the Open Cybersecurity Schema Framework (OCSF) to format log events. Check out the OCSF documentation for full details of [OCSF API activity formatting](https://schema.ocsf.io/1.3.0/classes/api_activity?extensions=), but here are a few key details to help you quickly make sense of C1 system log output.

* **"activity\_id"**: The "activity\_id" entry in a log line tells you what type of API call activity triggered the event. By filtering logs by these activity IDs, you can zero in on key types of activity in the C1 system.

  * "activity\_id":1 - "Create" activity
  * "activity\_id":2 - "Read" activity
  * "activity\_id":3 - "Update" activity
  * "activity\_id":4 - "Delete" activity
