Tracked Events

We track the following resources:

Resource

APIKey
login, logout, register, create, delete

Field	Tracked
created_at	true
expires_at	true
hashed_secret	false
id	false
ip_address	false
last_used	true
lifetime_seconds	false
login_type	false
scope	false
token_name	false
updated_at	false
user_id	true

AuditOAuthConvertState

Field	Tracked
created_at	true
expires_at	true
from_login_type	true
to_login_type	true
user_id	true

Group
create, write, delete

Field	Tracked
avatar_url	true
display_name	true
id	true
members	true
name	true
organization_id	false
quota_allowance	true
source	false

GitSSHKey
create

Field	Tracked
created_at	false
private_key	true
public_key	true
updated_at	false
user_id	true

License
create, delete

Field	Tracked
exp	true
id	false
jwt	false
uploaded_at	true
uuid	true

Template
write, delete

Field	Tracked
active_version_id	true
allow_user_autostart	true
allow_user_autostop	true
allow_user_cancel_workspace_jobs	true
autostop_requirement_days_of_week	true
autostop_requirement_weeks	true
created_at	false
created_by	true
created_by_avatar_url	false
created_by_username	false
default_ttl	true
deleted	false
description	true
display_name	true
failure_ttl	true
group_acl	true
icon	true
id	true
max_ttl	true
name	true
organization_id	false
provisioner	true
time_til_dormant	true
time_til_dormant_autodelete	true
updated_at	false
user_acl	true

TemplateVersion
create, write

Field	Tracked
created_at	false
created_by	true
created_by_avatar_url	false
created_by_username	false
git_auth_providers	false
id	true
job_id	false
message	false
name	true
organization_id	false
readme	true
template_id	true
updated_at	false

User
create, write, delete

Field	Tracked
avatar_url	false
created_at	false
deleted	true
email	true
hashed_password	true
id	true
last_seen_at	false
login_type	true
quiet_hours_schedule	true
rbac_roles	true
status	true
updated_at	false
username	true

Workspace
create, write, delete

Field	Tracked
autostart_schedule	true
created_at	false
deleted	false
deleting_at	true
dormant_at	true
id	true
last_used_at	false
name	true
organization_id	false
owner_id	true
template_id	true
ttl	true
updated_at	false

WorkspaceBuild
start, stop

Field	Tracked
build_number	false
created_at	false
daily_cost	false
deadline	false
id	false
initiator_by_avatar_url	false
initiator_by_username	false
initiator_id	false
job_id	false
max_deadline	false
provisioner_state	false
reason	false
template_version_id	true
transition	false
updated_at	false
workspace_id	false

WorkspaceProxy

Field	Tracked
created_at	true
deleted	false
derp_enabled	true
derp_only	true
display_name	true
icon	true
id	true
name	true
region_id	true
token_hashed_secret	true
updated_at	false
url	true
wildcard_hostname	true

Filtering logs

In the Coder UI you can filter your audit logs using the pre-defined filter or by using the Coder's filter query like the examples below:

resource_type:workspace action:delete to find deleted workspaces
resource_type:template action:create to find created templates

The supported filters are:

resource_type - The type of the resource. It can be a workspace, template, user, etc. You can find here all the resource types that are supported.
resource_id - The ID of the resource.
resource_target - The name of the resource. Can be used instead of resource_id.
action- The action applied to a resource. You can find here all the actions that are supported.
username - The username of the user who triggered the action. You can also use me as a convenient alias for the logged-in user.
email - The email of the user who triggered the action.
date_from - The inclusive start date with format YYYY-MM-DD.
date_to - The inclusive end date with format YYYY-MM-DD.
build_reason - To be used with resource_type:workspace_build, the initiator behind the build start or stop.

Capturing/Exporting Audit Logs

In addition to the user interface, there are multiple ways to consume or query audit trails.

REST API

Audit logs can be accessed through our REST API. You can find detailed information about this in our endpoint documentation.

Service Logs

Audit trails are also dispatched as service logs and can be captured and categorized using any log management tool such as Splunk.

Example of a JSON formatted audit log entry:

{
  "ts": "2023-06-13T03:45:37.294730279Z",
  "level": "INFO",
  "msg": "audit_log",
  "caller": "/home/runner/work/coder/coder/enterprise/audit/backends/slog.go:36",
  "func": "github.com/coder/coder/enterprise/audit/backends.slogBackend.Export",
  "logger_names": ["coderd"],
  "fields": {
    "ID": "033a9ffa-b54d-4c10-8ec3-2aaf9e6d741a",
    "Time": "2023-06-13T03:45:37.288506Z",
    "UserID": "6c405053-27e3-484a-9ad7-bcb64e7bfde6",
    "OrganizationID": "00000000-0000-0000-0000-000000000000",
    "Ip": "{IPNet:{IP:\u003cnil\u003e Mask:\u003cnil\u003e} Valid:false}",
    "UserAgent": "{String: Valid:false}",
    "ResourceType": "workspace_build",
    "ResourceID": "ca5647e0-ef50-4202-a246-717e04447380",
    "ResourceTarget": "",
    "Action": "start",
    "Diff": {},
    "StatusCode": 200,
    "AdditionalFields": {
      "workspace_name": "linux-container",
      "build_number": "9",
      "build_reason": "initiator",
      "workspace_owner": ""
    },
    "RequestID": "bb791ac3-f6ee-4da8-8ec2-f54e87013e93",
    "ResourceIcon": ""
  }
}

Example of a human readable audit log entry:

2023-06-13 03:43:29.233 [info]  coderd: audit_log  ID=95f7c392-da3e-480c-a579-8909f145fbe2  Time="2023-06-13T03:43:29.230422Z"  UserID=6c405053-27e3-484a-9ad7-bcb64e7bfde6  OrganizationID=00000000-0000-0000-0000-000000000000  Ip=<nil>  UserAgent=<nil>  ResourceType=workspace_build  ResourceID=988ae133-5b73-41e3-a55e-e1e9d3ef0b66  ResourceTarget=""  Action=start  Diff="{}"  StatusCode=200  AdditionalFields="{\"workspace_name\":\"linux-container\",\"build_number\":\"7\",\"build_reason\":\"initiator\",\"workspace_owner\":\"\"}"  RequestID=9682b1b5-7b9f-4bf2-9a39-9463f8e41cd6  ResourceIcon=""

Enabling this feature

This feature is only available with an enterprise license. Learn more

See an opportunity to improve our docs? Make an edit.

On this page