Retrieve audit log events
Last updated on
Changes on organizations, folders and projects and respective cloud resources are logged and collected in the audit log.
Prerequisites
Section titled “Prerequisites”To access the audit log with a user account, you must have the audit-log.entry.get permission. This permission is currently granted to users with the project owner, editor, reader or audit-log.reader role.
Service accounts require the audit-log.reader role to access audit logs. To assign this role to a user or service account, follow these steps:
- Navigate to IAM and management > Access.
- Click Grant access.
- Paste the email address into the Subject field and click +Add.
- In the role dropdown select By products or services > Audit log > Audit log reader.
- Click Save.
Organization events
Section titled “Organization events”You can view organization events under the Audit log section in the main navigation. A list of all events from the last 90 days is displayed. It shows information about the event name, the initiator, and the time the action was carried out.
Each event in the log has the following information:
- stackit.action: The action that triggered the event.
- stackit.log.id: A unique identifier for tracing the event.
- timeUnixNano: The creation time of the event.
- stackit.initiator: The global user ID of the user who performed the action. In the STACKIT Portal, this ID is converted to an email address.
- client.address: The IP address of the user who performed the action.
- stackit.resource.id: The ID of the organization the event belongs to.
Audit Logs can be routed to any Opentelemetry or S3 compatible destination by setting up a Telemetry Router. Refer to the Telemetry Router Documentation to get started.
For a full log example you can refer to the (Data Formats)[https://docs.stackit.cloud/products/logging-and-monitoring/telemetry-router/basics/dataformats/] of the Telemetry Router.
Folder events
Section titled “Folder events”You can view folder events under the Audit log section in the main navigation. A list of all events from the last 90 days is displayed. It shows information about the event name, the initiator, and the time the action was carried out.
Each event in the log has the following information:
- stackit.action: The action that triggered the event.
- stackit.log.id: A unique identifier for tracing the event.
- timeUnixNano: The creation time of the event.
- stackit.initiator: The global user ID of the user who performed the action. In the STACKIT Portal, this ID is converted to an email address.
- client.address: The IP address of the user who performed the action.
- stackit.resource.id: The ID of the folder the event belongs to.
Audit Logs can be routed to any Opentelemetry or S3 compatible destination by setting up a Telemetry Router. Refer to the Telemetry Router Documentation to get started.
For a full log example you can refer to the (Data Formats)[https://docs.stackit.cloud/products/logging-and-monitoring/telemetry-router/basics/dataformats/] of the Telemetry Router.
Project events
Section titled “Project events”You find the project audit log under Information > Audit log in the side navigation menu.
The project audit log shows all log events for a specific project. It can’t be changed or accessed by another project. When a user takes an action in a project, the action is sent as an event to that project’s audit log.
Each event in the log has the following information:
- stackit.action: The action that triggered the event.
- stackit.log.id: A unique identifier for tracing the event.
- timeUnixNano: The creation time of the event.
- stackit.initiator: The global user ID of the user who performed the action. In the STACKIT Portal, this ID is converted to an email address.
- client.address: The IP address of the user who performed the action.
- stackit.resource.id: The ID of the project the event belongs to.
Audit Logs can be routed to any Opentelemetry or S3 compatible destination by setting up a Telemetry Router. Refer to the Telemetry Router Documentation to get started.