Audit Logs

Overview

Audit logs enable you to track the activity of users within an organization. They attempt to answer what a user did, when they did it and where. They help answer these questions by recording user actions.

Pulumi’s audit logs allow you to account for the activity your users are taking within your organization. These logs are available to organizations with an Enterprise level subscription. The logs are immutable and record all user actions. Auditing makes the activity of members in an organization attributable. The logs capture the UNIX timestamp of the event, the user who invoked the action, the event that took place, and the source IP of the call the user made.

Viewing Audit Logs in the Console

Audit logs are available to organizations with an Enterprise level subscription only. If you are an organization administrator, you can view your organization’s audit logs by selecting your organization from the organization drop-down and then clicking the Settings tab. In the left nav bar you should see a tab called Audit Logs; clicking it shows the most recent audit logs for your organization.

This shows the most recent events in descending order. You can also filter the logs to a particular user by clicking on that user’s avatar; the view then shows only the events performed by the user you selected.

Audit logs can also be exported as a downloadable CSV file. The logs can be exported through the UI Console by clicking the DOWNLOAD button in the upper-left corner of the audit logs view.

Exporting Audit Logs through the API

The audit logs can be exported through the API using the following endpoint. The startTime query parameter is required; it selects audit records before the specified startTime (a UNIX timestamp).

GET https://api.pulumi.com/api/orgs/${org}/auditlogs/export?startTime=${time}

Optionally, a userFilter query parameter can be added to return only the audit logs pertaining to a specific user.

GET https://api.pulumi.com/api/orgs/${org}/auditlogs/export?startTime=${time}&userFilter=${user}

Example using curl:

# The URL is double-quoted so that the shell expands ${org} and ${startTime};
# with single quotes they would be sent to the API literally.
curl \
    -H 'Accept: application/vnd.pulumi+4' \
    -H 'Authorization: token abcdefghijklmnopqrstuvwxyz' \
    -H 'Content-Type: application/csv' \
    --compressed \
    "https://api.pulumi.com/api/orgs/${org}/auditlogs/export?startTime=${startTime}"

Note: Substitute ${org}, ${user}, and ${time} (written ${startTime} in the curl example) with your actual values, e.g. org, username, and 1583460637, and replace the placeholder token in the Authorization header with your own access token.

Supported Audit Log Formats

Pulumi supports multiple formats for exporting audit logs. The format is selected by appending the format query parameter, for example format=csv or format=cef.

CSV Format

CSV (comma separated values) is the default format returned when exporting logs through the API. If the format query param is not specified, the logs will be returned in CSV format.

GET https://api.pulumi.com/api/orgs/${org}/auditlogs/export?startTime=${time}&format=csv

The CSV is composed of the following fields, in this order:

Timestamp, Name, Login, Event, Description, SourceIP, RequireOrgAdmin, RequireStackAdmin, AuthenticationFailure

Field                  Description
Timestamp              the RFC3339 timestamp of when the event was recorded
Name                   name of the user invoking the event
Login                  username of the user invoking the event
Event                  the name of the event
Description            detailed description of the event that occurred
SourceIP               IP address of the client originating the request that invoked this event
RequireOrgAdmin        indicates whether the event required organization admin level permissions; the value is either "true" or "false"
RequireStackAdmin      indicates whether the event required stack admin level permissions; the value is either "true" or "false"
AuthenticationFailure  indicates whether the event occurred due to an authentication failure; the value is either "true" or "false"
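The export request and the CSV layout described above, as an added example (this is not Pulumi's own client code). The endpoint, headers and column names are taken from this page; the sample CSV body, the organization name and the token value are constructed so the parser can be exercised offline. The request is built but never sent, and the parser refuses a header that does not match the documented columns rather than silently mis-mapping fields:

```python
"""Request builder and CSV parser for the audit-log export (added example)."""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlencode
from urllib.request import Request

# Column order documented for the CSV export.
EXPECTED_FIELDS = [
    "Timestamp", "Name", "Login", "Event", "Description", "SourceIP",
    "RequireOrgAdmin", "RequireStackAdmin", "AuthenticationFailure",
]
BOOL_FIELDS = ("RequireOrgAdmin", "RequireStackAdmin", "AuthenticationFailure")


def build_export_request(org: str, start_time: int, token: str,
                         user_filter: Optional[str] = None,
                         fmt: str = "csv") -> Request:
    """Return an un-sent urllib Request for the export endpoint.

    Query parameters are URL-encoded rather than pasted into the string, and
    the access token is passed in by the caller so it never appears in source.
    """
    params = {"startTime": str(start_time), "format": fmt}
    if user_filter:
        params["userFilter"] = user_filter
    url = f"https://api.pulumi.com/api/orgs/{org}/auditlogs/export?{urlencode(params)}"
    headers = {"Accept": "application/vnd.pulumi+4",
               "Authorization": f"token {token}"}
    return Request(url, headers=headers, method="GET")


def parse_bool(value: str) -> bool:
    """The export writes the literal strings "true" and "false"."""
    v = value.strip().lower()
    if v not in ("true", "false"):
        raise ValueError(f"unexpected boolean value: {value!r}")
    return v == "true"


def parse_audit_csv(body: str) -> List[Dict[str, object]]:
    """Parse a CSV export into typed records.

    The header is checked against the documented columns: if the export
    format ever changes, failing here beats silently mapping SourceIP or
    AuthenticationFailure onto the wrong column.
    """
    reader = csv.DictReader(io.StringIO(body))
    header = [h.strip() for h in (reader.fieldnames or [])]
    if header != EXPECTED_FIELDS:
        raise ValueError(f"unexpected CSV header: {header}")
    records: List[Dict[str, object]] = []
    for row in reader:
        rec: Dict[str, object] = {k.strip(): v for k, v in row.items()}
        # The RFC3339 "Z" suffix is not accepted by fromisoformat before 3.11.
        rec["Timestamp"] = datetime.fromisoformat(
            str(rec["Timestamp"]).replace("Z", "+00:00")).astimezone(timezone.utc)
        for f in BOOL_FIELDS:
            rec[f] = parse_bool(str(rec[f]))
        records.append(rec)
    return records


# Constructed sample export (not real Pulumi output).
SAMPLE_EXPORT = """\
Timestamp,Name,Login,Event,Description,SourceIP,RequireOrgAdmin,RequireStackAdmin,AuthenticationFailure
2020-03-06T02:10:37Z,Alice Example,alice,User Login,alice logged in,203.0.113.10,false,false,false
2020-03-06T02:12:01Z,Alice Example,alice,Member Role Changed,"changed role of bob to admin",203.0.113.10,true,false,false
2020-03-06T02:15:44Z,Bob Example,bob,Auth Failure Stack Permission,"bob attempted to update stack acme/prod",198.51.100.7,false,true,true
"""

if __name__ == "__main__":
    # "acme" and the token are placeholders, not a real organization or credential.
    req = build_export_request("acme", 1583460637, "<your-access-token>", user_filter="alice")
    print(req.full_url)
    for rec in parse_audit_csv(SAMPLE_EXPORT):
        print(rec["Timestamp"].isoformat(), rec["Login"], rec["Event"], rec["AuthenticationFailure"])
```

To run it against a real export, send the Request with urllib.request.urlopen and pass the decoded body to parse_audit_csv; the header check is what tells you when a new column appears in the export.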

CEF Format

CEF (common event format) is an audit and logging event format supported by a wide range of SIEM (security information and event management) systems. Specify the query param format=cef to retrieve audit logs in CEF format:

GET https://api.pulumi.com/api/orgs/${org}/auditlogs/export?startTime=${time}&format=cef

The format is as follows:

MMM dd hh:mm:ss host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

The following fields are part of the standard header defined by CEF:

Device Vendor, Device Product, Device Version: these are strings that uniquely identify the sending device

Device Event Class ID: string or integer identifying the type of event reported

Name: a human readable description of the event

Severity: severity level reflecting the importance of the event

Extensions: the extension field is a collection of key-value pairs. Some keys come from the pre-defined set in the CEF standard and others are defined by Pulumi. The following are the keys set in the extension field.

Keys pre-defined by the CEF standard:

Key      Description
dvchost  identifies the device host name
rt       identifies the time at which the event related to the activity was received
src      identifies the source that an event refers to in an IP network
suser    identifies the source user by user name

Custom defined keys:

Key                    Description
orgID                  the ID of the organization this event belongs to
userID                 the ID of the user who invoked this event
requireOrgAdmin        indicates whether the event required organization admin level permissions; the value is either "true" or "false"
requireStackAdmin      indicates whether the event required stack admin level permissions; the value is either "true" or "false"
authenticationFailure  indicates whether the event occurred due to an authentication failure; the value is either "true" or "false"
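A parser for the CEF layout described in this section, as an added example (not Pulumi's code). The header layout and the extension keys are the ones documented above; the sample line is constructed, and its vendor, product, version, event-class, severity and ID values are made up for the example. It handles the backslash escaping CEF uses for "|" in header fields and "=" in extension values, and reports extension keys outside the documented set so a format change is noticed rather than ignored:

```python
"""Parser for CEF audit-log lines (added example)."""
import re
from typing import Dict, List

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity"]
# Extension keys documented above: the CEF-standard ones plus the custom ones.
KNOWN_EXT_KEYS = {"dvchost", "rt", "src", "suser",
                  "orgID", "userID", "requireOrgAdmin", "requireStackAdmin",
                  "authenticationFailure"}
# An extension key starts the string or follows whitespace and ends at '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(body: str) -> List[str]:
    """Split the text after 'CEF:' on unescaped '|'.

    CEF escapes '|' and '\\' inside header fields with a backslash; once the
    seven header fields are consumed the remainder is the extension and is
    returned untouched as an eighth element.
    """
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) == 7:
        parts.append(body[i:])
    return parts


def _unescape_ext(value: str) -> str:
    """Extension values escape '=', '\\' and line breaks with a backslash."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value' where values may themselves contain spaces."""
    matches = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end]).strip()
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line, with or without the syslog 'MMM dd hh:mm:ss host' prefix."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    parts = _split_header(line[idx + 4:])
    if len(parts) < 7:
        raise ValueError(f"expected 7 header fields, found {len(parts)}")
    rec: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    rec["cef_version"] = int(parts[0])
    rec["syslog_prefix"] = line[:idx].rstrip()
    rec["extension"] = _parse_extension(parts[7] if len(parts) > 7 else "")
    return rec


def unknown_extension_keys(rec: Dict[str, object]) -> List[str]:
    """Keys outside the documented set: usually a format change worth noticing."""
    return sorted(k for k in rec["extension"] if k not in KNOWN_EXT_KEYS)


# Constructed sample line (not real Pulumi output; vendor/product/version,
# event class, severity and the org/user IDs are made up).
SAMPLE_CEF = (
    "Mar 06 02:15:44 api.pulumi.com CEF:0|Pulumi|Pulumi Service|1.0|"
    "Auth Failure Stack Permission|bob attempted to update stack acme/prod|5|"
    "dvchost=api.pulumi.com rt=1583460944000 src=198.51.100.7 suser=bob "
    "orgID=org-12345 userID=user-67890 requireOrgAdmin=false "
    "requireStackAdmin=true authenticationFailure=true"
)

if __name__ == "__main__":
    rec = parse_cef(SAMPLE_CEF)
    print(rec["name"], rec["extension"]["suser"], rec["extension"]["src"])
    print("unknown keys:", unknown_extension_keys(rec))
```

Most SIEMs ship their own CEF decoder; this one is useful when you want to validate an export before ingestion, or to check that the custom keys (orgID, userID and the three boolean flags) arrive with the values you expect.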

List of Audit Log Events

This is a list of the audit log events currently being recorded.

Event                                     Description
Auth Failure Organization Role            indicates that a user tried to perform an operation but did not have the necessary organization role to do so
Auth Failure SCIM Access Token            indicates that a request to use an organization’s SCIM support was made, but the provided auth token was invalid
Auth Failure Stack Permission             indicates that a user tried to perform an operation but did not have the necessary stack permissions to do so
Member Added                              indicates the adding of a member to an organization
Member Removed                            indicates the removal of a member from an organization
Member Role Changed                       indicates the changing of a member’s role in an organization
Organization Settings Changed             indicates a change in organization settings
Policy Group Created                      indicates the creation of a policy group
Policy Group Deleted                      indicates the deletion of a policy group
Policy Group Updated                      indicates the updating of a policy group
Policy Pack Created                       indicates the creation of a policy pack
Policy Pack Deleted                       indicates the deletion of a policy pack
Policy Pack Disabled                      indicates the disabling of a policy pack
Policy Pack Enabled                       indicates the enabling of a policy pack
Stack Collaborator Added                  indicates the adding of a collaborator to a stack
Stack Collaborator Permissions Changed    indicates a change in permissions for a stack collaborator
Stack Collaborator Removed                indicates the removal of a collaborator from a stack
Stack Created From Template               indicates the creation of a stack from a template
Stack Created                             indicates the creation of a stack
Stack Deleted                             indicates the deletion of a stack
Stack Exported                            indicates the exporting of a stack
Stack Imported                            indicates the importing of a stack
Stack Renamed                             indicates the renaming of a stack
Stack Transferred to Organization         indicates the transfer of a stack from one organization to another
Stack Update Canceled                     indicates the canceling of a stack update
Stack Update Completed                    indicates the completion of a stack update
Stack Update Started                      indicates the starting of a stack update
Team Created                              indicates the creation of a team in an organization
Team Deleted                              indicates the deletion of a team from an organization
Team Updated                              indicates the updating of a team in an organization
User Added New Identity to Their Account  indicates a user has associated a new identity with their Pulumi account
User Login                                indicates a user has successfully logged into the Pulumi Console
User Login Failed                         indicates a user tried and failed to log into the Pulumi Console
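One way to triage a batch of these events, as an added example (not Pulumi tooling). The event names are the ones listed above; the grouping into families, the alert threshold and the sample records (keyed by the CSV column names) are assumptions made for the example. It surfaces repeated "User Login Failed" events for one login inside a short window, lists the org-admin-level changes to membership, policy and settings, and flags any event name it does not recognise instead of dropping it:

```python
"""Triage of a batch of audit-log events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Documented event names grouped into families a reviewer looks at together
# (the grouping is this example's choice, not part of the export).
EVENT_FAMILIES: Dict[str, Set[str]] = {
    "access-denied": {"Auth Failure Organization Role", "Auth Failure SCIM Access Token",
                      "Auth Failure Stack Permission"},
    "membership": {"Member Added", "Member Removed", "Member Role Changed",
                   "Stack Collaborator Added", "Stack Collaborator Permissions Changed",
                   "Stack Collaborator Removed", "Team Created", "Team Deleted", "Team Updated"},
    "policy": {"Policy Group Created", "Policy Group Deleted", "Policy Group Updated",
               "Policy Pack Created", "Policy Pack Deleted", "Policy Pack Disabled",
               "Policy Pack Enabled"},
    "stack": {"Stack Created", "Stack Created From Template", "Stack Deleted", "Stack Exported",
              "Stack Imported", "Stack Renamed", "Stack Transferred to Organization",
              "Stack Update Canceled", "Stack Update Completed", "Stack Update Started"},
    "org": {"Organization Settings Changed"},
    "account": {"User Added New Identity to Their Account", "User Login", "User Login Failed"},
}


def family_of(event: str) -> str:
    """Map an event name to its family; unknown names are surfaced, not dropped."""
    for family, names in EVENT_FAMILIES.items():
        if event in names:
            return family
    return "unknown"


def login_failure_bursts(events: List[dict], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Logins with at least `threshold` 'User Login Failed' events inside one window.

    Returns {login: largest count seen in any window}. A sliding window over
    the sorted timestamps keeps this linear in the number of failures.
    """
    by_login: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["Event"] == "User Login Failed":
            by_login[e["Login"]].append(e["Timestamp"])
    hits: Dict[str, int] = {}
    for login, times in by_login.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[login] = best
    return hits


def privileged_changes(events: List[dict]) -> List[dict]:
    """Events that needed org-admin rights and change who can do what, not routine stack ops."""
    return [e for e in events
            if e["RequireOrgAdmin"] and family_of(e["Event"]) in ("membership", "policy", "org")]


def summarize(events: List[dict]) -> Dict[str, int]:
    """Count events per family so a surge in one family stands out."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        counts[family_of(e["Event"])] += 1
    return dict(counts)


def _rec(ts: str, login: str, event: str, org_admin: bool = False,
         stack_admin: bool = False, auth_failure: bool = False) -> dict:
    """Build a constructed record using the CSV column names."""
    return {"Timestamp": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "Login": login, "Event": event, "RequireOrgAdmin": org_admin,
            "RequireStackAdmin": stack_admin, "AuthenticationFailure": auth_failure}


# Constructed sample batch (not real Pulumi output).
SAMPLE_EVENTS = [
    _rec("2020-03-06T02:10:37", "alice", "User Login"),
    _rec("2020-03-06T02:12:01", "alice", "Member Role Changed", org_admin=True),
    _rec("2020-03-06T02:13:00", "bob", "User Login Failed"),
    _rec("2020-03-06T02:13:20", "bob", "User Login Failed"),
    _rec("2020-03-06T02:13:45", "bob", "User Login Failed"),
    _rec("2020-03-06T02:14:10", "bob", "User Login Failed"),
    _rec("2020-03-06T02:15:44", "bob", "Auth Failure Stack Permission",
         stack_admin=True, auth_failure=True),
    _rec("2020-03-06T02:20:00", "alice", "Stack Update Completed"),
    _rec("2020-03-06T02:21:00", "carol", "User Login Failed"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(login_failure_bursts(SAMPLE_EVENTS))
    for e in privileged_changes(SAMPLE_EVENTS):
        print(e["Timestamp"].isoformat(), e["Login"], e["Event"])
```

The records have the shape a parsed CSV export produces (Timestamp as a datetime, the three flags as booleans), so the same functions can be pointed at a real export once it has been parsed; the threshold and window are starting points to tune against your organization's normal login pattern.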