Export Astro audit logs | Astronomer Documentation

This feature is in Public Preview.

Astro audit logs record administrative activities and events in your Organization. You can use the audit logs to determine who did what, where, and when. You can also use audit logs to ensure your Organization is meeting its security and regulatory requirements. For example, you can use audit logs to determine when users were added to your Organization or to individual Workspaces.

See Reference: Astro audit log fields for a complete list of available fields in audit logs.

Export audit logs

Audit logs are retained for 90 days. Organization Owner permissions are required to export audit logs.

Click Organization Settings in the Astro UI.
In the Audit Logs menu, select the number days of audit data to export and then click Export.

The extracted audit log data is saved as a newline delimited JSON (ndjson) file with the default filename <astro-organization-name>-logs-<number-of-days>-days-<date>.ndjson.

CLI

You can also export logs using the Astro CLI. Run the following command to export audit logs as a GZIP file to your current directory:

1 astro organization audit-logs export --organization-name="<your-organization-name>"

Audit logs reference

This section is a reference for all available fields in Astro audit logs.

The following categories of event data are available in an audit log:

API events: The data generated by user actions in the Astro UI, Astro CLI, or from internal processing actions in the Astro control plane.
Airflow UI access: The data generated when users access the Airflow UI.
Astronomer container registry access: The data generated when users access the Astronomer container registry with the Astro CLI.

The audit log file is provided as a newline delimited JSON (NDJSON) file. Every entry in the audit log file corresponds to an event, and event attributes provide additional information about each event.

Common fields

The following table lists the common fields shared by all categories of event data.

Table: Common fields in audit logs

Field	Description
`subjectId`	A unique identifier that identifies the initiator of the request. The value can be user ID.
`subjectType`	A unique identifier that identifies the subject of the request. The value can be `USER` or `SERVICEKEY`.
`organizationId`	A unique identifier that identifies your organization. This is the value displayed in the Astro UI Settings page.
`timestamp`	The date and time the event occurred.
`sourceIp`	The IP address of the originating request.
`userAgent`	The application used to make the request.

To link the user ID back to a user, Organization Owners can use the Astro Access Management UI by clicking Access Management in their Organization Settings.

API event fields

Audit log events can be generated from the v1 API or the v2 API. Each API generates different fields for the same actions, and your audit log might include events from both APIs. Audit log event frequency for the v1 API are expected to decline as Astronomer transitions to the v2 API.

Table: v1 API event fields

Field	Description
`correlationId`	A unique identifier for the request.
`graphqlClientName`	The type of client making the request. The values are `cloud-ui` or `cli`.
`operationName`	The name of the API event. For example, `createUserInvite` or `workspaceCreate`.
`requestBody`	Raw graphQL for the event.
`requestInput`	The input for the API request.

The following table maps some common operationName attributes to their corresponding requestInput attributes.

Table: `operationName` attribute mappings

Event	`operationName` attribute	`requestInput` attributes
A new Deployment is created.	`createDeployment`	`label`, `workspaceId`
A Deployment is updated.	`updateDeployment`	`deploymentSpec`
A Deployment variable is updated.	`updateDeploymentVariables`	`isSecret`, `key`
The code for a Deployment is updated.	`ImageCreate`	`deploymentId`

Table: v2 API event fields

Field	Description
`method`	The HTTP request type sent to REST API.
`path`	The path to the invoked REST API.
`requestBody`	The parameters passed as input to the API call.
`requestId`	A unique identifier for the request.
`response status`	The HTTP response status code.

The following table maps some common path attributes to their corresponding requestBody attributes.

Table: `path` attribute mappings

Event	`path` attribute	`requestBody` attributes
An Organization is created.	`/v1alpha1/organizations`	`metadata`, `name`
An Organization is updated.	`/v1alpha1/organizations/{orgShortNameId}`	`billingEmail`, `isScimEnabled`, `metadata`, `name`
A managed domain for an Organization is created.	`/v1alpha1/organizations/{orgShortNameId}/domains`	`enforcedLogins` `name`
A managed domain for an Organization is updated.	`/v1alpha1/organizations/{orgShortNameId}/domains/{domainId}`	`enforcedLogins`
A managed domain for an Organization is deleted.	`/v1alpha1/organizations/{orgShortNameId}/domains/{domainId}`
A managed domain for an Organization is verified.	`/v1alpha1/organizations/{orgShortNameId}/domains/{domainId}/verify`
An SSO Bypass Key for an Organization is created.	`/v1alpha1/organizations/{orgShortNameId}/sso-bypass-key`
An SSO Bypass Key for an Organization is deleted.	`/v1alpha1/organizations/{orgShortNameId}/sso-bypass-key`
An SSO Connection for an Organization is created.	`/v1alpha1/organizations/{orgShortNameId}/sso-connections`
An SSO Connection for an Organization is updated.	`/v1alpha1/organizations/{orgShortNameId}/sso-connections/{connectionId}`
An SSO Connection for an Organization is deleted.	`/v1alpha1/organizations/{orgShortNameId}/sso-connections/{connectionId}`
A new user is invited to an Organization.	`/v1alpha1/organizations/{orgShortNameId}/invites`	`inviteEmail`, `role`
A invite to the Organization is updated.	`/v1alpha1/users/self/invites/{inviteId}`	`inviteStatus`
A invite to the Organization is deleted.	`/v1alpha1/organizations/{orgShortNameId}/invites/{inviteId}`
A user is deleted from an organization.	`/v1alpha1/organizations/{orgShortNameId}/users/{userId}`
A user is assigned a new organization role.	`/v1alpha1/organizations/{orgShortNameId}/users/{userId}/role`	`role`
A user is assigned a new workspace role.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/users/{userId}/role`	`role`
A user is removed from a workspace.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/users/{userId}`
A Workspace is created.	`/v1alpha1/organizations/{orgShortNameId}/workspaces`	`apiKeyOnlyDeploymentsDefault`, `description`, `name`
A Workspace is updated.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}`	`apiKeyOnlyDeploymentsDefault`, `description`, `name`
A Workspace is deleted.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}`
A deployment is transferred to another workspace.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/deployments/{deploymentId}`	`workspaceIdTarget`
An AWS cluster is created.	`/v1alpha1/organizations/{orgShortNameId}/clusters/aws`	`dbInstanceType`, `k8sTags`, `name`, `nodePools`, `templateVersion`
An AWS cluster is updated.	`/v1alpha1/organizations/{orgShortNameId}/clusters/aws/{clusterId}`	`dbInstanceType`, `k8sTags`, `name`, `nodePools`, `templateVersion`
An Azure cluster is created.	`/v1alpha1/organizations/{orgShortNameId}/clusters/azure`	`dbInstanceType`, `k8sTags`, `name`, `nodePools`, `providerAccount`, `region`, `templateVersion`, `tenantId`, `type`, `vpcSubnetRange`
An Azure cluster is updated.	`/v1alpha1/organizations/{orgShortNameId}/clusters/azure/{clusterId}`	`dbInstanceType`, `k8sTags`, `name`, `nodePools`, `templateVersion`,
A GCP cluster is created.	`/v1alpha1/organizations/{orgShortNameId}/clusters/gcp`	`dbInstanceType`, `k8sTags`, `name`, `nodePools`, `podSubnetRange` `providerAccount`, `region`, `servicePeeringRange`, `serviceSubnetRange`, `templateVersion`, `type`, `vpcSubnetRange`
A GCP cluster is updated.	`/v1alpha1/organizations/{orgShortNameId}/clusters/gcp/{clusterId}`	`dbInstanceType`, `k8sTags`, `name`, `nodePools`, `templateVersion`
A cluster is deleted.	`/v1alpha1/organizations/{orgShortNameId}/clusters/{clusterId}`
An Organization API token is created.	`/v1alpha1/organizations/{orgShortNameId}/api-tokens`	`description`, `name`, `role`, `tokenExpiryPeriodInDays`
An Organization API token is updated.	`/v1alpha1/organizations/{orgShortNameId}/api-tokens/{apiTokenId}`	`description`, `name`, `roles`
An Organization API token is deleted.	`/v1alpha1/organizations/{orgShortNameId}/api-tokens/{apiTokenId}`
An Organization API token is rotated.	`/v1alpha1/organizations/{orgShortNameId}/api-tokens/{apiTokenId}/rotate`
A Workspace API token is created.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/api-tokens`	`description`, `name`, `role`, `tokenExpiryPeriodInDays`
A Workspace API token is updated.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/api-tokens/{apiTokenId}`	`description`, `name`, `role`
A Workspace API token is deleted.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/api-tokens/{apiTokenId}`
A Workspace API token is rotated.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/api-tokens/{apiTokenId}/rotate`
A Team is created.	`/v1alpha1/organizations/{orgShortNameId}/teams`	`description`, `name`, `memberIds`
A Team is updated.	`/v1alpha1/organizations/{orgShortNameId}/teams/{teamId}`	`description`, `name`
A Team is deleted.	`/v1alpha1/organizations/{orgShortNameId}/teams/{teamId}`
A Team is created via SCIM.	`/scim/v2/{orgShortNameId}/Groups`	`displayName`, `members`, `value`, `display`
A Team is updated via SCIM.	`/scim/v2/{orgShortNameId}/Groups/{teamId}`	`displayName`, `members`, `value`, `display`
A Team is deleted via SCIM.	`/scim/v2/{orgShortNameId}/Groups/{teamId}`
A User is created via SCIM.	`/scim/v2/{orgShortNameId}/Users`	`userName`, `name`, `emails`, `displayName`
A User is updated via SCIM.	`/scim/v2/{orgShortNameId}/Users/{userId}`	`userName`, `name`, `emails`, `displayName`
A User is deleted via SCIM.	`/scim/v2/{orgShortNameId}/Users/{userId}`
A user is added to a Team.	`/v1alpha1/organizations/{orgShortNameId}/teams/{teamId}/members`	`memberIds`
A user is removed from a Team	`/v1alpha1/organizations/{orgShortNameId}/teams/{teamId}/members`
A Team is removed from a Workspace.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/teams/{teamId}`
A Team’s role in a Workspace is updated.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/teams/{teamId}/role`	`role`
A dag is updated.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}`	`isPaused`
A dag run is created.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/runs`	`logicalDate`
A dag run has its state updated.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/runs/{pipelineRunId}`	`state`
A dag run is cleared.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/runs/{pipelineRunId}/clear`	`isDryRun`
A task instance for a dag run is cleared.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/clear-task-instances`	`endDate`, `includeDownstream`, `includeFuture`, `includeParentPipelines`, `includePast`, `includeSubPipelines`, `includeUpstream`, `onlyFailed`, `onlyRunning`, `pipelineRunId`, `resetPipelineRuns`, `startDate`, `taskIds`
A task instance’s state is set.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/runs/{pipelineRunId}/tasks/{taskId}`	`state`
A task instance’s state is updated.	`/v1alpha1/organizations/{orgShortNameId}/workspaces/{workspaceId}/runtimes/{runtimeId}/pipelines/{pipelineName}/update-task-instances-state`	`executionDate`, `includeDownstream`, `includeFuture`, `includePast`, `includeUpstream`, `isDryRun`, `pipelineRunId`, `state`, `taskId`

Use your analytics or audit tool to view additional attribute mapping information.

Airflow UI access event fields

The following table lists the fields that are unique to Airflow UI access events.

Table: Airflow UI access event fields

Field	Description
`method`	The HTTP method for the request.
`path`	The relative path of the page being accessed. For example, `/dzl9chy4/configuration`.
`targetUrl`	The URL for the canonical name record in the Airflow webserver that runs in the Astro data plane. For example, `https://cl8gwrnw601f10tyxhgrhaayw.astronomer.run`.

The following table lists the fields that are unique to Astronomer container registry access events.

Table: Astronomer container registry access event fields

Field	Description
`deploymentId`	A unique identifier that identifies the Deployment on which the event occurred.
`method`	The HTTP method for the request.
`path`	The path to the image in the registry.

Astro CLI access event fields

The following table lists the fields that are unique to Astro CLI access events.

Table: Astro CLI access event fields

Field	Description
`astroClient`	A unique identifier for the API client. `cli` means the request came from the Astro CLI.
`astroClientVersion`	A unique identifier for the API client version.
`userAgent`	A unique identifier for the API client type and version. `astro-cli/1.15.1` means the request came from version 1.15.1 of the Astro CLI.