Coder maintains records of all user actions on system resources for auditing purposes.
Any user who is a Site Manager or an Auditor can log into Coder, go to Manage > Audit, and view the Audit Logs.
By default, this page displays a chronological list of all actions taken on the system.
You can filter the logs displayed using the search filters available at the top:
The audit logs capture information about the following actions (those who
export Coder logs will see this information under
When reviewing Coder's audit logs, specifically, you will see the following actions included:
auto_off: Coder automatically turned off a workspace due to inactivity
auto_start: Coder automatically turned on a workspace at the time preset by its owner
connect: a user connected to an existing workspace
cordon: a workspace provider became unavailable for new workspace creation requests.
create: the user created a Coder entity (e.g., dev URL, image/image tag, workspace, etc.)
delete: a user deleted a Coder entity (e.g., workspace or image)
enqueue: a user added a new job to the queue (e.g., workspace build, user deletion, workspace deletion)
login: a user logs in via basic authentication or OIDC, with Coder exchanging a token as a result
open: a user opened a workspace using an IDE through the browser
ssh: a user opened a web terminal or used SSH to access Coder
stop: a user manually stopped a workspace
uncordon: a workspace provider became available for new workspace creation requests.
view: the Coder CLI used a secret
write: the user made a change to a Coder entity (e.g., workspace, user, resource pool, etc.)