Skip to main content

Export Astro audit logs

This feature is available only if you are on the Team tier or above.
warning

This feature is in Public Preview.

Astro audit logs record administrative activities and events in your Organization. You can use the audit logs to determine who did what, where, and when. You can also use audit logs to ensure your Organization is meeting its security and regulatory requirements. For example, you can use audit logs to determine when users were added to your Organization or to individual Workspaces.

See Reference: Astro audit log fields for a complete list of available fields in audit logs.

Export audit logs

Audit logs are retained for 90 days. Organization Owner permissions are required to export audit logs.

  1. Click Organization Settings in the Astro UI.

  2. In the Audit Logs menu, select the number days of audit data to export and then click Export.

    The extracted audit log data is saved as a newline delimited JSON (ndjson) file with the default filename <astro-organization-name>-logs-<number-of-days>-days-<date>.ndjson.

cli

You can also export logs using the Astro CLI. Run the following command to export audit logs as a GZIP file to your current directory:

astro organization audit-logs export --organization-name="<your-organization-name>"

Audit logs reference

This section is a reference for all available fields in Astro audit logs.

The following categories of event data are available in an audit log:

  • API events: The data generated by user actions in the Astro UI, Astro CLI, or from internal processing actions in the Astro control plane.
  • Airflow UI access: The data generated when users access the Airflow UI.
  • Astronomer container registry access: The data generated when users access the Astronomer container registry with the Astro CLI.
  • Astro Cloud IDE access: The data generated when users access the Astro Cloud IDE.

The audit log file is provided as a newline delimited JSON (NDJSON) file. Every entry in the audit log file corresponds to an event, and event attributes provide additional information about each event.

Common fields

The following table lists the common fields shared by all categories of event data.

Table: Common fields in audit logs

FieldDescription
subjectIdA unique identifier that identifies the initiator of the request. The value can be user ID.
subjectTypeA unique identifier that identifies the subject of the request. The value can be USER or SERVICEKEY.
organizationIdA unique identifier that identifies your organization. This is the value displayed in the Astro UI Settings page.
timestampThe date and time the event occurred.
sourceIpThe IP address of the originating request.
userAgentThe application used to make the request.
info

To link the user ID back to a user, Organization Owners can use the Astro Access Management UI by clicking Access Management in their Organization Settings.

API event fields

Audit log events can be generated from the v1 API or the v2 API. Each API generates different fields for the same actions, and your audit log might include events from both APIs. Audit log event frequency for the v1 API are expected to decline as Astronomer transitions to the v2 API.

Table: v1 API event fields

FieldDescription
correlationIdA unique identifier for the request.
graphqlClientNameThe type of client making the request. The values are cloud-ui or cli.
operationNameThe name of the API event. For example, createUserInvite or workspaceCreate.
requestBodyRaw graphQL for the event.
requestInputThe input for the API request.

The following table maps some common operationName attributes to their corresponding requestInput attributes.

Table: operationName attribute mappings

EventoperationName attributerequestInput attributes
A new Deployment is created.createDeploymentlabel, workspaceId
A Deployment is updated.updateDeploymentdeploymentSpec
A Deployment variable is updated.updateDeploymentVariablesisSecret, key
The code for a Deployment is updated.ImageCreatedeploymentId

Table: v2 API event fields

FieldDescription
methodThe HTTP request type sent to REST API.
pathThe path to the invoked REST API.
requestBodyThe parameters passed as input to the API call.
requestIdA unique identifier for the request.
response statusThe HTTP response status code.

The following table maps some common path attributes to their corresponding requestBody attributes.

Table: path attribute mappings

Eventpath attributerequestBody attributes
An Organization is created./v1alpha1/organizationsmetadata, name
An Organization is updated./v1alpha1/organizations/{orgShortNameId}billingEmail, isScimEnabled, metadata, name
A managed domain for an Organization is created./v1alpha1/organizations/{orgShortNameId}/domainsenforcedLogins name
A managed domain for an Organization is updated./v1alpha1/organizations/{orgShortNameId}/domains/{domainId}enforcedLogins
A managed domain for an Organization is deleted./v1alpha1/organizations/{orgShortNameId}/domains/{domainId}
A managed domain for an Organization is verified./v1alpha1/organizations/{orgShortNameId}/domains/{domainId}/verify
An SSO Bypass Key for an Organization is created./v1alpha1/organizations/{orgShortNameId}/sso-bypass-key
An SSO Bypass Key for an Organization is deleted./v1alpha1/organizations/{orgShortNameId}/sso-bypass-key
An SSO Connection for an Organization is created./v1alpha1/organizations/{orgShortNameId}/sso-connections
An SSO Connection for an Organization is updated./v1alpha1/organizations/{orgShortNameId}/sso-connections/{connectionId}
An SSO Connection for an Organization is deleted./v1alpha1/organizations/{orgShortNameId}/sso-connections/{connectionId}
A new user is invited to an Organization./v1alpha1/organizations/{orgShortNameId}/invitesinviteEmail, role
A invite to the Organization is updated./v1alpha1/users/self/invites/{inviteId}inviteStatus
A invite to the Organization is deleted./v1alpha1/organizations/{orgShortNameId}/invites/{inviteId}
A user is deleted from an organization./v1alpha1/organizations/{orgShortNameId}/users/{userId}
A user is assigned a new organization role./v1alpha1/organizations/{orgShortNameId}/users/{userId}/rolerole
A user is assigned a new workspace role./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/users/{userId}/rolerole
A user is removed from a workspace./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/users/{userId}
A Workspace is created./v1alpha1/organizations/{orgShortNameId}/workspacesapiKeyOnlyDeploymentsDefault, description, name
A Workspace is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}apiKeyOnlyDeploymentsDefault, description, name
A Workspace is deleted./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}
A deployment is transferred to another workspace./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/deployments/{deploymentId}workspaceIdTarget
An AWS cluster is created./v1alpha1/organizations/{orgShortNameId}/clusters/awsdbInstanceType, k8sTags, name, nodePools, templateVersion
An AWS cluster is updated./v1alpha1/organizations/{orgShortNameId}/clusters/aws/{clusterId}dbInstanceType, k8sTags, name, nodePools, templateVersion
An Azure cluster is created./v1alpha1/organizations/{orgShortNameId}/clusters/azuredbInstanceType, k8sTags, name, nodePools, providerAccount, region, templateVersion, tenantId, type, vpcSubnetRange
An Azure cluster is updated./v1alpha1/organizations/{orgShortNameId}/clusters/azure/{clusterId}dbInstanceType, k8sTags, name, nodePools, templateVersion,
A GCP cluster is created./v1alpha1/organizations/{orgShortNameId}/clusters/gcpdbInstanceType, k8sTags, name, nodePools, podSubnetRange providerAccount, region, servicePeeringRange, serviceSubnetRange, templateVersion, type, vpcSubnetRange
A GCP cluster is updated./v1alpha1/organizations/{orgShortNameId}/clusters/gcp/{clusterId}dbInstanceType, k8sTags, name, nodePools, templateVersion
A cluster is deleted./v1alpha1/organizations/{orgShortNameId}/clusters/{clusterId}
An Organization API token is created./v1alpha1/organizations/{orgShortNameId}/api-tokensdescription, name, role, tokenExpiryPeriodInDays
An Organization API token is updated./v1alpha1/organizations/{orgShortNameId}/api-tokens/{apiTokenId}description, name, roles
An Organization API token is deleted./v1alpha1/organizations/{orgShortNameId}/api-tokens/{apiTokenId}
An Organization API token is rotated./v1alpha1/organizations/{orgShortNameId}/api-tokens/{apiTokenId}/rotate
A Workspace API token is created./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/api-tokensdescription, name, role, tokenExpiryPeriodInDays
A Workspace API token is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/api-tokens/{apiTokenId}description, name, role
A Workspace API token is deleted./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/api-tokens/{apiTokenId}
A Workspace API token is rotated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/api-tokens/{apiTokenId}/rotate
A Team is created./v1alpha1/organizations/{orgShortNameId}/teamsdescription, name, memberIds
A Team is updated./v1alpha1/organizations/{orgShortNameId}/teams/{teamId}description, name
A Team is deleted./v1alpha1/organizations/{orgShortNameId}/teams/{teamId}
A Team is created via SCIM./scim/v2/{orgShortNameId}/GroupsdisplayName, members, value, display
A Team is updated via SCIM./scim/v2/{orgShortNameId}/Groups/{teamId}displayName, members, value, display
A Team is deleted via SCIM./scim/v2/{orgShortNameId}/Groups/{teamId}
A User is created via SCIM./scim/v2/{orgShortNameId}/UsersuserName, name, emails, displayName
A User is updated via SCIM./scim/v2/{orgShortNameId}/Users/{userId}userName, name, emails, displayName
A User is deleted via SCIM./scim/v2/{orgShortNameId}/Users/{userId}
A user is added to a Team./v1alpha1/organizations/{orgShortNameId}/teams/{teamId}/membersmemberIds
A user is removed from a Team/v1alpha1/organizations/{orgShortNameId}/teams/{teamId}/members
A Team is removed from a Workspace./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/teams/{teamId}
A Team's role in a Workspace is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/teams/{teamId}/rolerole
A DAG is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}isPaused
A DAG run is created./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/runslogicalDate
A DAG run has its state updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/runs/{pipelineRunId}state
A DAG run is cleared./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/runs/{pipelineRunId}/clearisDryRun
A task instance for a DAG run is cleared./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/clear-task-instancesendDate, includeDownstream, includeFuture, includeParentPipelines, includePast, includeSubPipelines, includeUpstream, onlyFailed, onlyRunning, pipelineRunId, resetPipelineRuns, startDate, taskIds
A task instance's state is set./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/runs/{pipelineRunId}/tasks/{taskId}state
A task instance's state is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/update-task-instances-stateexecutionDate, includeDownstream, includeFuture, includePast, includeUpstream, isDryRun, pipelineRunId, state, taskId

Use your analytics or audit tool to view additional attribute mapping information.

Table: Astro Cloud IDE path mappings

Eventpath attributerequestBody attributes
An pipeline is created./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelinesdescription, name, scheduleInterval, startDate, timezone
A pipeline is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelines/{pipelineId}cellPositions, description, imports name, scheduleInterval, startDate, timezone
A pipeline is deleted./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelines/{pipelineId}
A project is created./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projectsdescription, name
A project is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}connections, git, includes, requirements, variables, description, name
A project is deleted./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}
A branch for a project is created./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/git/branchesfrom, name
A commit for a project branch is created./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/git/commitsbranch, message, paths
A connection is tested in a project./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/test-connectionextra, host, id, login, password, port, schema, type
A custom operator cell type is created./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/cell-typesbehavior, configs, datatype, display, name
A custom operator cell type is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/cell-types/{cellTypeName}behavior, configs, datatype, display, name
A custom operator cell type is deleted./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/cell-types/{cellTypeName}
A custom operator cell type is tested./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/validate-cell-typebehavior, configs, datatype, display, name
A cell instance is created./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelines/{pipelineId}/cellsdependenciesExplicit, name, type, typeConfigForms, typeConfigs
A cell instance is updated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelines/{pipelineId}/cells/{cellId}dependenciesExplicit, name, type, typeConfigForms, typeConfigs
A cell instance is deleted./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelines/{pipelineId}/cells/{cellId}
A cell instance is duplicated./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelines/{pipelineId}/cells/{cellId}/duplicatename
A cell run is triggered./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelines/{pipelineId}/cells/{cellId}/runspipelineSessionId
A pipeline run is triggered./v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/projects/{projectId}/pipelines/{pipelineId}pipelineSessionId

Airflow UI access event fields

The following table lists the fields that are unique to Airflow UI access events.

Table: Airflow UI access event fields

FieldDescription
methodThe HTTP method for the request.
pathThe relative path of the page being accessed. For example, /dzl9chy4/configuration.
targetUrlThe URL for the canonical name record in the Airflow webserver that runs in the Astro data plane. For example, https://cl8gwrnw601f10tyxhgrhaayw.astronomer.run.

The following table lists the fields that are unique to Astronomer container registry access events.

Table: Astronomer container registry access event fields

FieldDescription
deploymentIdA unique identifier that identifies the Deployment on which the event occurred.
methodThe HTTP method for the request.
pathThe path to the image in the registry.

Astro CLI access event fields

The following table lists the fields that are unique to Astro CLI access events.

Table: Astro CLI access event fields

FieldDescription
astroClientA unique identifier for the API client. cli means the request came from the Astro CLI.
astroClientVersionA unique identifier for the API client version.
userAgentA unique identifier for the API client type and version. astro-cli/1.15.1 means the request came from version 1.15.1 of the Astro CLI.

The Astro Cloud IDE uses the same unique events as the v2 API. The following table maps some common path attributes to their corresponding requestBody attributes.

Was this page helpful?