Overview
Audit logs give you a 90-day history of who did what in your cloud, when, where, and with what result. They span resource actions such as create/start/stop/delete, administrative actions such as role changes or successful/failed logins, and billing actions such as managing reservations.
Details
Audit logs are currently available to users with the admin role.
The audit log exposes actions taken through our control plane; for example, via our Console, API, Crusoe CLI, Terraform, etc. It does not report on actions taken within a resource, such as ssh events. Note that the audit log does not have entries for data access events (i.e. GET/view/list-like actions from users in your organization).
We do not charge for audit log generation up to 90 days.
Accessing Audit Logs in the UI
The UI shows audit logs of the past 1 day by default. If you are a user with an admin role in your organization:
- Select "Usage" in the sidebar of the Console
- Select "Audit logs" tab on top
Example: Audit log entry via API
This is an example entry for starting a VM (see below for how to query this). This gives you readable visibility into who did the action (actor) on what resource (target) in what environment (organization, project, location). There are other helpful details such as the actor's control plane surface, error message if there was one, and their IP.
{
"action": "Start",
"action_detail": "",
"actor_id": "ab4a6b00-aa5f-408e-a9fb-ac6de5eb45ab",
"actor_email": "[email protected]",
"actor_type": "User",
"client_ip": "10.192.200.155:12345",
"end_time": "2024-07-21T23:10:29.157Z",
"error_message": "",
"locations": "[us-northcentral1-a]",
"organization_id": "804bf3a2-81f2-4d78-9a9e-dc6a55ed33d8",
"organization_name": "My Company",
"project_id": "ca39e669-47ee-456b-968d-303234fbf99f",
"project_name": "renewable-ocean-807",
"target_ids": "[123e4567-e89b-12d3-a456-426614174000]",
"target_names": "[my-vm]",
"target_type": "VM",
"result": "OK",
"start_time": "2024-07-21T23:10:11.982Z",
"surface": "Console"
}
Example: Querying audit logs via API
Below is an example of calling the audit log API endpoint via Python. You can learn more about authenticated API requests here, and find the audit log API spec here.
import hmac
import hashlib
import base64
import datetime
import requests
import json
# AT MINIMUM, FILL OUT THESE 3 VARIABLES AND RUN THE SCRIPT
# BY DEFAULT YOU WILL GET 1-DAY HISTORY OF AUDIT LOGS
api_access_key = ""
api_secret_key = ""
org_id = ""
# OPTIONAL: TO FILTER OUTPUT WITH QUERY PARAMS
# 1. add them to query_params_dict
# 2. sort them alphabetically, seperate by &, and add to query_params_string
#
# Example:
# query_params_dict = {
# "target_types" : "VM",
# "project_ids" : "fc9hyy16-305c-k8fg-8d70-b474fec1f009"
# }
# query_params_string = "project_ids=fc9hyy16-305c-k8fg-8d70-b474fec1f009&target_types=VM"
#
# See all supported query parameters at https://docs.crusoecloud.com/api/index.html
query_params_dict = {}
query_params_string = ""
########################################
# ----- DON'T EDIT BELOW THIS ------- #
########################################
request_path = "/organizations/" + org_id + "/audit-logs"
request_verb = "GET"
signature_version = "1.0"
api_version = "/v1alpha5"
dt = str(datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0))
dt = dt.replace(" ", "T")
payload = api_version + request_path + "\n" + query_params_string + "\n" + request_verb + "\n{0}\n".format(dt)
decoded = base64.urlsafe_b64decode(api_secret_key + '=' * (-len(api_secret_key) % 4))
signature = base64.urlsafe_b64encode(hmac.new(decoded, msg = bytes(payload, 'ascii'), digestmod=hashlib.sha256).digest()).decode('ascii').rstrip("=")
response = requests.get(
'https://api.crusoecloud.com' + api_version + request_path,
headers={
'X-Crusoe-Timestamp': dt,
'Authorization': 'Bearer {0}:{1}:{2}'.format(signature_version, api_access_key, signature)
},
params=query_params_dict
)
data = response.text
mydata = json.loads(data)
print(json.dumps(mydata, indent=4))