Audit Logs

Enterprise
Premium

Audit Logs allows Auditors to monitor user operations in their deployment.

Tracked Events

We track the following resources:

Resource
APIKey
login, logout, register, create, delete
FieldTracked
created_attrue
expires_attrue
hashed_secretfalse
idfalse
ip_addressfalse
last_usedtrue
lifetime_secondsfalse
login_typefalse
scopefalse
token_namefalse
updated_atfalse
user_idtrue
AuditOAuthConvertState
FieldTracked
created_attrue
expires_attrue
from_login_typetrue
to_login_typetrue
user_idtrue
Group
create, write, delete
FieldTracked
avatar_urltrue
display_nametrue
idtrue
memberstrue
nametrue
organization_idfalse
quota_allowancetrue
sourcefalse
AuditableOrganizationMember
FieldTracked
created_attrue
organization_idfalse
rolestrue
updated_attrue
user_idtrue
usernametrue
CustomRole
FieldTracked
created_atfalse
display_nametrue
idfalse
nametrue
org_permissionstrue
organization_idfalse
site_permissionstrue
updated_atfalse
user_permissionstrue
GitSSHKey
create
FieldTracked
created_atfalse
private_keytrue
public_keytrue
updated_atfalse
user_idtrue
HealthSettings
FieldTracked
dismissed_healthcheckstrue
idfalse
License
create, delete
FieldTracked
exptrue
idfalse
jwtfalse
uploaded_attrue
uuidtrue
NotificationTemplate
FieldTracked
actionstrue
body_templatetrue
grouptrue
idfalse
kindtrue
methodtrue
nametrue
title_templatetrue
NotificationsSettings
FieldTracked
idfalse
notifier_pausedtrue
OAuth2ProviderApp
FieldTracked
callback_urltrue
created_atfalse
icontrue
idfalse
nametrue
updated_atfalse
OAuth2ProviderAppSecret
FieldTracked
app_idfalse
created_atfalse
display_secretfalse
hashed_secretfalse
idfalse
last_used_atfalse
secret_prefixfalse
Organization
FieldTracked
created_atfalse
descriptiontrue
display_nametrue
icontrue
idfalse
is_defaulttrue
nametrue
updated_attrue
Template
write, delete
FieldTracked
active_version_idtrue
activity_bumptrue
allow_user_autostarttrue
allow_user_autostoptrue
allow_user_cancel_workspace_jobstrue
autostart_block_days_of_weektrue
autostop_requirement_days_of_weektrue
autostop_requirement_weekstrue
created_atfalse
created_bytrue
created_by_avatar_urlfalse
created_by_usernamefalse
default_ttltrue
deletedfalse
deprecatedtrue
descriptiontrue
display_nametrue
failure_ttltrue
group_acltrue
icontrue
idtrue
max_port_sharing_leveltrue
nametrue
organization_display_namefalse
organization_iconfalse
organization_idfalse
organization_namefalse
provisionertrue
require_active_versiontrue
time_til_dormanttrue
time_til_dormant_autodeletetrue
updated_atfalse
user_acltrue
TemplateVersion
create, write
FieldTracked
archivedtrue
created_atfalse
created_bytrue
created_by_avatar_urlfalse
created_by_usernamefalse
external_auth_providersfalse
idtrue
job_idfalse
messagefalse
nametrue
organization_idfalse
readmetrue
source_example_idfalse
template_idtrue
updated_atfalse
User
create, write, delete
FieldTracked
avatar_urlfalse
created_atfalse
deletedtrue
emailtrue
github_com_user_idfalse
hashed_one_time_passcodefalse
hashed_passwordtrue
idtrue
last_seen_atfalse
login_typetrue
nametrue
one_time_passcode_expires_attrue
quiet_hours_scheduletrue
rbac_rolestrue
statustrue
theme_preferencefalse
updated_atfalse
usernametrue
WorkspaceBuild
start, stop
FieldTracked
build_numberfalse
created_atfalse
daily_costfalse
deadlinefalse
idfalse
initiator_by_avatar_urlfalse
initiator_by_usernamefalse
initiator_idfalse
job_idfalse
max_deadlinefalse
provisioner_statefalse
reasonfalse
template_version_idtrue
transitionfalse
updated_atfalse
workspace_idfalse
WorkspaceProxy
FieldTracked
created_attrue
deletedfalse
derp_enabledtrue
derp_onlytrue
display_nametrue
icontrue
idtrue
nametrue
region_idtrue
token_hashed_secrettrue
updated_atfalse
urltrue
versiontrue
wildcard_hostnametrue
WorkspaceTable
FieldTracked
automatic_updatestrue
autostart_scheduletrue
created_atfalse
deletedfalse
deleting_attrue
dormant_attrue
favoritetrue
idtrue
last_used_atfalse
nametrue
organization_idfalse
owner_idtrue
template_idtrue
ttltrue
updated_atfalse

Filtering logs

In the Coder UI you can filter your audit logs using the pre-defined filter or by using the Coder's filter query like the examples below:

  • resource_type:workspace action:delete to find deleted workspaces
  • resource_type:template action:create to find created templates

The supported filters are:

  • resource_type - The type of the resource. It can be a workspace, template, user, etc. You can find here all the resource types that are supported.
  • resource_id - The ID of the resource.
  • resource_target - The name of the resource. Can be used instead of resource_id.
  • action- The action applied to a resource. You can find here all the actions that are supported.
  • username - The username of the user who triggered the action. You can also use me as a convenient alias for the logged-in user.
  • email - The email of the user who triggered the action.
  • date_from - The inclusive start date with format YYYY-MM-DD.
  • date_to - The inclusive end date with format YYYY-MM-DD.
  • build_reason - To be used with resource_type:workspace_build, the initiator behind the build start or stop.

Capturing/Exporting Audit Logs

In addition to the user interface, there are multiple ways to consume or query audit trails.

REST API

Audit logs can be accessed through our REST API. You can find detailed information about this in our endpoint documentation.

Service Logs

Audit trails are also dispatched as service logs and can be captured and categorized using any log management tool such as Splunk.

Example of a JSON formatted audit log entry:

{
	"ts": "2023-06-13T03:45:37.294730279Z",
	"level": "INFO",
	"msg": "audit_log",
	"caller": "/home/runner/work/coder/coder/enterprise/audit/backends/slog.go:36",
	"func": "github.com/coder/coder/enterprise/audit/backends.slogBackend.Export",
	"logger_names": ["coderd"],
	"fields": {
		"ID": "033a9ffa-b54d-4c10-8ec3-2aaf9e6d741a",
		"Time": "2023-06-13T03:45:37.288506Z",
		"UserID": "6c405053-27e3-484a-9ad7-bcb64e7bfde6",
		"OrganizationID": "00000000-0000-0000-0000-000000000000",
		"Ip": "{IPNet:{IP:\u003cnil\u003e Mask:\u003cnil\u003e} Valid:false}",
		"UserAgent": "{String: Valid:false}",
		"ResourceType": "workspace_build",
		"ResourceID": "ca5647e0-ef50-4202-a246-717e04447380",
		"ResourceTarget": "",
		"Action": "start",
		"Diff": {},
		"StatusCode": 200,
		"AdditionalFields": {
			"workspace_name": "linux-container",
			"build_number": "9",
			"build_reason": "initiator",
			"workspace_owner": ""
		},
		"RequestID": "bb791ac3-f6ee-4da8-8ec2-f54e87013e93",
		"ResourceIcon": ""
	}
}

Example of a human readable audit log entry:

2023-06-13 03:43:29.233 [info]  coderd: audit_log  ID=95f7c392-da3e-480c-a579-8909f145fbe2  Time="2023-06-13T03:43:29.230422Z"  UserID=6c405053-27e3-484a-9ad7-bcb64e7bfde6  OrganizationID=00000000-0000-0000-0000-000000000000  Ip=<nil>  UserAgent=<nil>  ResourceType=workspace_build  ResourceID=988ae133-5b73-41e3-a55e-e1e9d3ef0b66  ResourceTarget=""  Action=start  Diff="{}"  StatusCode=200  AdditionalFields="{\"workspace_name\":\"linux-container\",\"build_number\":\"7\",\"build_reason\":\"initiator\",\"workspace_owner\":\"\"}"  RequestID=9682b1b5-7b9f-4bf2-9a39-9463f8e41cd6  ResourceIcon=""

Enabling this feature

This feature is only available with an premium license. Learn more

See an opportunity to improve our docs? Make an edit.