Audit Logs API

Access audit logs programmatically using the Audit Logs API.
Available Plans
  • enterprise

The Audit Logs API lets you programmatically access audit logs for running your security audits. You can use the API to:

  • Access all existing audit logs.
  • Access the audit logs generated after the last access.
  • Filter audit logs based on workspaces, date, etc.
success
You can also view audit logs in the RudderStack dashboard.

Prerequisites

info
For production use cases, RudderStack recommends using a service access token instead of personal access token.

Authentication

The Audit Logs API uses Bearer authentication in the following format:

Authorization: Bearer <SERVICE_ACCESS_TOKEN>

Base URL

Use the base URL for your API requests depending on your region:

Access audit logs

You can access audit logs using the below endpoint:

GET
/v2/audit-logs

Query parameters:

per_page
optional, default is 100
integer
Indicates the number of items per page. You can set its value anywhere between the range of 1 to 100.
workspace_id
optional
string
Fetches the audit logs corresponding to the workspace ID. If not provided, all the audit logs corresponding to the organization are fetched.
created_after
optional
string
Date and time in the ISO date-time format after which you want to fetch the audit logs.


  • Example request:
  • Example response:
{
  "data": [{
      "id": "2CHj1PJ61lv1NPyQtCiFi2KVX2y",
      "actorId": "1vtoxffVBhY2c2iIS6o3GeM0O5B",
      "actorType": "user",
      "targetId": "2CHj1QBfmNWmpHOMAAkfDZ66fCr",
      "targetType": "destination",
      "action": "created",
      "ip": "::ffff:10.1.3.23",
      "createdAt": "2022-07-22T05:03:08.928Z",
      "workspaceId": "1vtp6E0bfo3FoGChWFW2f81fogc",
      "organizationId": "1vtp6F2GdSqeAHciTsEpNaW9mKy"
    },
    {
      "id": "2CHj6cFHxk11t2QekhPzKhuu7BK",
      "actorId": "1vtoxffVBhY2c2iIS6o3GeM0O5B",
      "actorType": "user",
      "targetId": "2CHj1QBfmNWmpHOMAAkfDZ66fCr",
      "targetType": "destination",
      "action": "updated",
      "ip": "::ffff:10.1.3.23",
      "createdAt": "2022-07-22T05:03:49.495Z",
      "workspaceId": "1vtp6E0bfo3FoGChWFW2f81fogc",
      "organizationId": "1vtp6F2GdSqeAHciTsEpNaW9mKy"
    }
  ],
  "paging": {
    "next": "/v2/audit-logs?after_cursor=2CHj6cFHxk11t2QekhPzKhuu7BK&per_page=2&workspace_id=1vtp6E0bfo3FoGChWFW2f81fogc",
    "total": 200
  }
}
info
RudderStack supports specific values for the targetType and action parameters. See Supported target types and actions for more information.

Response object parameters:

data
optional
object
Contains the audit logs array.
id
optional
string
Unique identifier for the audit log entry.
actorId
optional
string
Unique identifier for the user who performed the action.
actorType
optional
string
Describes who performed the action. RudderStack currently supports only user actor type.
targetId
optional
string
Unique identifier for the target of the action.
targetType
optional
string
Describes the target on which the action is performed.
action
optional
string
Action performed by the user.
ip
optional
string
IP address of the user who performed the action.
createdAt
optional
string
Timestamp when the audit log was created
workspaceId
optional
string
Unique identifier for the workspace where the action was performed.
organizationId
optional
string
Unique identifier for the organization where the action was performed.
paging
optional
object
Contains the pagination information.
next
optional
string
Endpoint to fetch the next page.
total
required
integer
Total number of audit logs resulting from the query.

Supported target types and actions

RudderStack currently supports following values for the targetType and action parameters pair:

targetType parameteraction parameter
destinationconnected_source
destinationconnected_transformation
destinationcreated
destinationdeleted
destinationdisconnected_source
destinationdisconnected_transformation
destinationupdated
destinationupdated_transformation
notificationupdated
permissiondeleted_user_permissions
permissionresource_access_updated
permissionresource_locked
profilescreated
profilesdeleted
profilesupdated
sourceconnected_sql_model
sourceconnected_tracking_plan
sourcecreated
sourcedeleted
sourcedisconnected_sql_model
sourcedisconnected_tracking_plan
sourceupdated
sourceupdated_tracking_plan_config
sql_modelcreated
sql_modeldeleted
sql_modelupdated
transformationcreated
transformationdeleted
transformationupdated
transformation_librarycreated
transformation_librarydeleted
transformation_libraryupdated
useradded_to_organization
userchanged_permission
userdisabled_mfa
userenabled_mfa
userremoved_from_organization
userupdated_phone_number
user_invitationcreated
user_invitationdeleted
user_invitationupdated
workspacedeleted
workspaceupdated_data_retention

Questions? Contact us by email or on Slack