Retrieve audit log events

Changes on organizations, folders and projects and respective cloud resources are logged and collected in the audit log.

Prerequisites

To access the audit log with a user account, you must have the audit-log.entry.get permission. This permission is currently granted to users with the project owner, editor, reader or audit-log.reader role.

Service accounts require the audit-log.reader role to access audit logs. To assign this role to a user or service account, follow these steps:

3. Navigate to IAM and management > Access.
4. Click Grant access.
5. Paste the email address into the Subject field and click +Add.
6. In the role dropdown select By products or services > Audit log > Audit log reader.
7. Click Save.

Organization events

STACKIT Portal

You can view organization events under the Audit log section in the main navigation. A list of all events from the last 90 days is displayed. It shows information about the event name, the initiator, and the time the action was carried out.

STACKIT API

Refer to the Audit log API in the API Explorer.

The maximum duration that can be queried at once is 24 hours. Audit log messages are available to download for the last 90 days.

Audit log messages on organization level can be queried as follows:

curl --location --request GET 'https://auditlog.api.stackit.cloud/v2/organizations/<organizationId>?start-time-range=<startTimeRange>&end-time-range=<endTimeRange>&limit=<limit>&cursor=<cursor>' \
--header 'Authorization: Bearer <accessToken>'

Meaning:

• <organizationId> UUID of the organization from the STACKIT Portal
• <startTimeRange> An ISO 8601 formatted timestamp like 2025-04-01T14:50:57Z or 2022-03-18T14:50:57.12345Z
• <endTimeRange> An ISO 8601 formatted timestamp like 2025-04-01T14:50:57Z or 2022-03-18T14:50:57.12345Z
• <limit> Optional parameter to specify the page size (default 50, maximum 100)
• <cursor> Optional parameter returned by previous calls of the API containing information about the pagination offset

Audit log messages are not aggregated, i.e. audit log messages for changes related to nested folders or projects are not returned when querying this API. The API only returns messages directly related to changes on the requested organization.

Folder events

STACKIT Portal

You can view folder events under the Audit log section in the main navigation. A list of all events from the last 90 days is displayed. It shows information about the event name, the initiator, and the time the action was carried out.

STACKIT API

Refer to the Audit log API in the API Explorer.

Audit log messages on folder level can be queried as follows:

curl --location --request GET 'https://auditlog.api.stackit.cloud/v2/folders/<folderId>?start-time-range=<startTimeRange>&end-time-range=<endTimeRange>&limit=<limit>&cursor=<cursor>' \
--header 'Authorization: Bearer <accessToken>'

Meaning:

• <folderId> UUID of the folder from the STACKIT Portal
• <startTimeRange> An ISO 8601 formatted timestamp like 2025-04-01T14:50:57Z or 2022-03-18T14:50:57.12345Z
• <endTimeRange> An ISO 8601 formatted timestamp like 2025-04-01T14:50:57Z or 2022-03-18T14:50:57.12345Z
• <limit> Optional parameter to specify the page size (default 50, maximum 100)
• <cursor> Optional parameter returned by previous calls of the API containing information about the pagination offset

Audit log messages are not aggregated, i.e. audit log messages for changes related to nested projects are not returned when querying this API. The API only returns messages directly related to changes on the requested folder.

Project events

STACKIT Portal

You find the project audit log under Information > Audit log in the side navigation menu.

The project audit log shows all log events for a specific project. It can’t be changed or accessed by another project. When a user takes an action in a project, the action is sent as an event to that project’s audit log.

Each event in the log has the following details:

• Event Name: The action that triggered the event.
• Event ID: A unique identifier for tracing the event.
• Time Stamp: The creation time of the event.
• Initiator: The global user ID of the user who performed the action. In the portal, this ID is converted to an email address.
• Initiator IP: The IP address of the user who performed the action.
• Project ID: The ID of the project the event belongs to.
• Additional Event Data: Extra event data displayed in JSON format. This can include, for example, the metadata of a newly created security rule.

STACKIT API

Refer to the Audit log API in the API Explorer.

Audit log messages on project level can be queried as follows:

curl --location --request GET 'https://auditlog.api.stackit.cloud/v2/projects/<projectId>?start-time-range=<startTimeRange>&end-time-range=<endTimeRange>&limit=<limit>&cursor=<cursor>' \
--header 'Authorization: Bearer <accessToken>'

Meaning:

• <projectId> UUID of the project from the STACKIT Portal
• <startTimeRange> An ISO 8601 formatted timestamp like 2025-04-01T14:50:57Z or 2022-03-18T14:50:57.12345Z
• <endTimeRange> An ISO 8601 formatted timestamp like 2025-04-01T14:50:57Z or 2022-03-18T14:50:57.12345Z
• <limit> Optional parameter to specify the page size (default 50, maximum 100)
• <cursor> Optional parameter returned by previous calls of the API containing information about the pagination offset