Audit log schema

Each audit log entry is a single-line JSON object. This page describes the format.

Audit log entries are modeled after Elastic Common Schema (ECS). For more general information, refer to Audit Logs.

Log record

```json
{
  "level": "I",
  "ts": "1766435832.671421000",
  "organization": { "id": "my-tenant" },
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["file"],
    "type": ["access"],
    "action": "action-cache-get"
  },
  "error": { "code": "NOT_FOUND" },
  "user": {
    "email": "alice@example.com",
    "roles": ["admin"]
  },
  "source": { "ip": "203.0.113.4" },
  "user_agent": { "original": "grpc-go/1.57.0" }
}
```

Common fields

| Field | Type | Always present | Description |
|---|---|---|---|
| level | string | Yes | Log level. Value is always "I" (info). |
| ts | string | Yes | Event timestamp as `<seconds>.<nanoseconds>` since Unix epoch. |
| organization | organization | No | Present if the event is scoped to a tenant. |
| event | event | Yes | What happened. See event. |
| error | error | No | Present when event.outcome is "failure". |
| user | user | Yes | The principal that triggered the event. |
| source | source | No | Network source of the request. |
| user_agent | user_agent | No | Client that sent the request. |

Depending on the event action, one or more additional payload fields appear at the top level. See Additional fields.

event

| Field | Type | Description |
|---|---|---|
| kind | string | Value is always "event". |
| outcome | string | "success", "failure", or "unknown". |
| category | string[] | Elastic Common Schema (ECS) event category. One of "authentication", "file", "iam". |
| type | string[] | ECS event type. One of "access", "change", "creation", "deletion". Omitted for authentication events. |
| action | string | The specific action that occurred. See Event types. |

organization

| Field | Type | Description |
|---|---|---|
| id | string | The tenant identifier (instance_name in the Remote Execution API). |

error

| Field | Type | Description |
|---|---|---|
| code | string | The gRPC status code (e.g. "NOT_FOUND") or HTTP status code indicating why the operation failed. |

user

| Field | Type | Description |
|---|---|---|
| email | string | The principal's email address. Set to "scim-client" for operations performed via the SCIM API. |
| roles | string[] | The principal's roles at the time of the event. May be empty. |

source

| Field | Type | Description |
|---|---|---|
| ip | string | Source IP address where the event originated. |

user_agent

| Field | Type | Description |
|---|---|---|
| original | string | Raw user agent string from the client. |

Additional fields

Additional fields appear at the top level of the log record depending on the event action.

| Field | Present for | Type | Description |
|---|---|---|---|
| action-result | action-cache-get | digest | The action result digest that was queried. |
| files | action-cache-upsert, action-cache-delete | digest[] | The action result and associated output files involved in the operation. |
| url | fetch-fetch-blob | url | The remote URL that was fetched. |
| file | fetch-fetch-blob, content-addressable-storage-http-get-blob | digest | The blob that was fetched or accessed. |
| blobs | content-addressable-storage-batch-read-blobs, content-addressable-storage-batch-update-blobs | digest[] | List of blobs that were read or written. |
| root | content-addressable-storage-get-tree | digest | The root directory digest of the tree that was read. |
| scim_user | scim-user-create, scim-user-update, scim-user-delete | scim_user | The SCIM user affected by the operation. |

Digest object

Used as the value of action-result, file, and root, and as the elements of the files and blobs arrays. Based on ECS file fields.

| Field | Type | Description |
|---|---|---|
| name | string | File or directory path. Present for output files and directories in action-cache-upsert and action-cache-delete. |
| type | string | One of "action-result", "blob", "file", "directory". |
| size | number | Size in bytes. |
| hash.sha256 | string | SHA-256 hex digest. |
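
Because a digest can sit in a single-object field (action-result, file, root) or inside an array (files, blobs), a lookup by SHA-256 has to normalize both shapes. The following is an added example, not code from the product: it answers "which principals touched this digest" over a set of entries. The function names, the trimmed sample entries and their hashes are constructed for illustration.

```python
import json

SINGLE = ("action-result", "file", "root")  # top-level fields holding one digest object
ARRAYS = ("files", "blobs")                 # top-level fields holding digest[]

def digests(entry):
    """Return every digest object in an entry, whichever payload field carries it."""
    found = [entry[f] for f in SINGLE if f in entry]
    for f in ARRAYS:
        found.extend(entry.get(f, []))
    return found

def who_touched(lines, sha256):
    """Return (ts, email, action, name) for each entry referencing the SHA-256."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        for d in digests(entry):
            if d.get("hash", {}).get("sha256") == sha256:
                hits.append((entry["ts"], entry["user"]["email"],
                             entry["event"]["action"], d.get("name")))
    return hits

# Constructed sample entries, trimmed to the fields used here; the hashes are made up.
H1, H2 = "aa" * 32, "bb" * 32
SAMPLE = [json.dumps(e) for e in (
    {"ts": "1766435832.000000000", "user": {"email": "alice@example.com"},
     "event": {"action": "action-cache-upsert"},
     "files": [{"type": "action-result", "size": 512, "hash": {"sha256": H2}},
               {"name": "bin/foo.o", "type": "file", "size": 8187, "hash": {"sha256": H1}}]},
    {"ts": "1766435911.000000000", "user": {"email": "bob@example.com"},
     "event": {"action": "content-addressable-storage-batch-read-blobs"},
     "blobs": [{"type": "blob", "size": 8187, "hash": {"sha256": H1}}]},
    {"ts": "1766435999.000000000", "user": {"email": "bob@example.com"},
     "event": {"action": "content-addressable-storage-get-tree"},
     "root": {"type": "directory", "size": 256, "hash": {"sha256": H2}}},
)]

if __name__ == "__main__":
    for hit in who_touched(SAMPLE, H1):
        print(hit)
```

The name element of each hit is only populated for output files and directories in action cache events; for CAS reads it is None, so correlate on the hash rather than the path.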

url

Based on ECS url fields.

| Field | Type | Description |
|---|---|---|
| full | string | The complete URL that was fetched. |

scim_user

| Field | Type | Description |
|---|---|---|
| user_name | string | Username of the affected user. |
| roles | string[] | Roles assigned to the user. Present for scim-user-create and scim-user-update; absent for scim-user-delete. |

Event details

| event.action | event.category | event.type | Description |
|---|---|---|---|
| login | authentication | | A user authenticated and established a web UI session. |
| logout | authentication | | A user signed out of the web UI. |
| action-cache-get | file | access | An action result was read from the action cache. |
| action-cache-upsert | file | change | An action result and its output files were written to the action cache. |
| action-cache-delete | file | deletion | An action result was deleted from the action cache. |
| fetch-fetch-blob | file | change | A URL was fetched and its contents were stored in the CAS. |
| content-addressable-storage-batch-read-blobs | file | access | A batch of blobs was read from the CAS. |
| content-addressable-storage-batch-update-blobs | file | change | A batch of blobs was written to the CAS. |
| content-addressable-storage-get-tree | file | access | A directory tree was read from the CAS. |
| content-addressable-storage-http-get-blob | file | access | A blob was accessed via the HTTP API. |
| scim-user-create | iam | creation | A user was provisioned via the SCIM API. |
| scim-user-update | iam | change | A user's attributes or roles were updated via the SCIM API. |
| scim-user-delete | iam | deletion | A user was deprovisioned via the SCIM API. |
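
An ingestion pipeline can use the tables above to reject malformed or inconsistent entries before they reach a SIEM. The following is an added example, not code from the product: it checks the always-present fields, that event.category and event.type agree with the action, and the shape of ts. The function name, the nine-digit nanosecond assumption (taken from the samples on this page) and the sample lines are constructed for illustration.

```python
import json
import re

# event.action -> (event.category, event.type), copied from the Event details
# table; type is None where the table leaves it empty (authentication events).
EVENT_DETAILS = {
    "login": ("authentication", None),
    "logout": ("authentication", None),
    "action-cache-get": ("file", "access"),
    "action-cache-upsert": ("file", "change"),
    "action-cache-delete": ("file", "deletion"),
    "fetch-fetch-blob": ("file", "change"),
    "content-addressable-storage-batch-read-blobs": ("file", "access"),
    "content-addressable-storage-batch-update-blobs": ("file", "change"),
    "content-addressable-storage-get-tree": ("file", "access"),
    "content-addressable-storage-http-get-blob": ("file", "access"),
    "scim-user-create": ("iam", "creation"),
    "scim-user-update": ("iam", "change"),
    "scim-user-delete": ("iam", "deletion"),
}

# ts is a string; matching it as text avoids float(ts), which rounds the nanoseconds.
TS_RE = re.compile(r"\d+\.\d{9}")  # assumption: always nine fractional digits

def check_entry(line):
    """Return the schema problems found in one single-line JSON audit entry."""
    entry = json.loads(line)
    problems = [f"missing {f}" for f in ("level", "ts", "event", "user") if f not in entry]
    event = entry.get("event", {})
    action = event.get("action")
    if action not in EVENT_DETAILS:
        return problems + [f"unknown action {action!r}"]
    category, etype = EVENT_DETAILS[action]
    if event.get("category") != [category]:
        problems.append(f"{action}: category is {event.get('category')}, expected {[category]}")
    if event.get("type") != ([etype] if etype else None):
        problems.append(f"{action}: type is {event.get('type')}, expected {etype}")
    if "ts" in entry and not TS_RE.fullmatch(str(entry["ts"])):
        problems.append(f"ts {entry['ts']!r} is not <seconds>.<nanoseconds>")
    return problems

# Constructed sample lines (not real log data): one valid, one inconsistent.
GOOD = '{"level":"I","ts":"1766435832.671421000","event":{"kind":"event","outcome":"success","category":["authentication"],"action":"login"},"user":{"email":"alice@example.com","roles":["admin"]}}'
BAD = '{"level":"I","ts":"1766435832.67","event":{"kind":"event","outcome":"success","category":["file"],"type":["access"],"action":"scim-user-delete"}}'

if __name__ == "__main__":
    for line in (GOOD, BAD):
        print(check_entry(line))
```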

Example Audit Logs

Authentication events

login

```json
{
  "level": "I",
  "ts": "1766435832.671421000",
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["authentication"],
    "action": "login"
  },
  "user": {
    "email": "alice@example.com",
    "roles": ["admin"]
  },
  "source": { "ip": "10.0.1.27" },
  "user_agent": { "original": "Mozilla/5.0 ..." }
}
```

logout

```json
{
  "level": "I",
  "ts": "1766435911.000000000",
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["authentication"],
    "action": "logout"
  },
  "user": {
    "email": "alice@example.com",
    "roles": ["admin"]
  },
  "source": { "ip": "10.0.1.27" },
  "user_agent": { "original": "Mozilla/5.0 ..." }
}
```

Action cache events

action-cache-get

```json
{
  "level": "I",
  "ts": "1766435832.671421000",
  "organization": { "id": "my-tenant" },
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["file"],
    "type": ["access"],
    "action": "action-cache-get"
  },
  "action-result": {
    "type": "action-result",
    "size": 512,
    "hash": { "sha256": "409a7f83ac6b31dc8c77e3ec18038f209bd2f545e0f4177c2e2381aa4e067b49" }
  },
  "user": {
    "email": "alice@example.com",
    "roles": ["user"]
  },
  "source": { "ip": "10.0.0.1" },
  "user_agent": { "original": "grpc-go/1.57.0" }
}
```

action-cache-upsert

```json
{
  "level": "I",
  "ts": "1766435832.671421000",
  "organization": { "id": "my-tenant" },
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["file"],
    "type": ["change"],
    "action": "action-cache-upsert"
  },
  "files": [
    {
      "type": "action-result",
      "size": 512,
      "hash": { "sha256": "409a7f83ac6b31dc8c77e3ec18038f209bd2f545e0f4177c2e2381aa4e067b49" }
    },
    {
      "name": "bazel-out/k8-fastbuild/bin/foo.o",
      "type": "file",
      "size": 8187,
      "hash": { "sha256": "171ae5fcf32ecdd00b9c506ba6ed5aaaac2fea7345fd2a8bd4cd90b4d2fb1e7a" }
    }
  ],
  "user": {
    "email": "alice@example.com",
    "roles": ["user"]
  },
  "source": { "ip": "10.0.0.1" },
  "user_agent": { "original": "grpc-go/1.57.0" }
}
```

Content Addressable Storage events

batch-read-blobs

```json
{
  "level": "I",
  "ts": "1766435911.779699000",
  "organization": { "id": "my-tenant" },
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["file"],
    "type": ["access"],
    "action": "content-addressable-storage-batch-read-blobs"
  },
  "blobs": [
    {
      "type": "blob",
      "size": 8187,
      "hash": { "sha256": "171ae5fcf32ecdd00b9c506ba6ed5aaaac2fea7345fd2a8bd4cd90b4d2fb1e7a" }
    }
  ],
  "user": {
    "email": "alice@example.com",
    "roles": ["user"]
  },
  "source": { "ip": "10.0.0.1" },
  "user_agent": { "original": "grpc-go/1.57.0" }
}
```

get-tree

```json
{
  "level": "I",
  "ts": "1766435911.779699000",
  "organization": { "id": "my-tenant" },
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["file"],
    "type": ["access"],
    "action": "content-addressable-storage-get-tree"
  },
  "root": {
    "type": "directory",
    "size": 256,
    "hash": { "sha256": "a3f1c9e2d4b7084f5e6091c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2" }
  },
  "user": {
    "email": "alice@example.com",
    "roles": ["user"]
  },
  "source": { "ip": "10.0.0.1" },
  "user_agent": { "original": "grpc-go/1.57.0" }
}
```

IAM events

scim-user-create

```json
{
  "level": "I",
  "ts": "1766435911.779699000",
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["iam"],
    "type": ["creation"],
    "action": "scim-user-create"
  },
  "scim_user": {
    "user_name": "alice@example.com",
    "roles": ["user", "viewer"]
  },
  "user": {
    "email": "scim-client",
    "roles": []
  },
  "source": { "ip": "192.168.1.1" },
  "user_agent": { "original": "OKTA SCIM Integration" }
}
```

scim-user-update

```json
{
  "level": "I",
  "ts": "1766435911.779699000",
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["iam"],
    "type": ["change"],
    "action": "scim-user-update"
  },
  "scim_user": {
    "user_name": "alice@example.com",
    "roles": ["user", "admin"]
  },
  "user": {
    "email": "scim-client",
    "roles": []
  },
  "source": { "ip": "192.168.1.1" },
  "user_agent": { "original": "OKTA SCIM Integration" }
}
```

scim-user-delete

```json
{
  "level": "I",
  "ts": "1766435911.779699000",
  "event": {
    "kind": "event",
    "outcome": "success",
    "category": ["iam"],
    "type": ["deletion"],
    "action": "scim-user-delete"
  },
  "scim_user": {
    "user_name": "alice@example.com"
  },
  "user": {
    "email": "scim-client",
    "roles": []
  },
  "source": { "ip": "192.168.1.1" },
  "user_agent": { "original": "OKTA SCIM Integration" }
}
```
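
The SCIM events above carry the user's full role list after each operation, so a role grant only becomes visible by comparing consecutive events for the same user. The following is an added example, not code from the product: it replays SCIM events in order and reports privileged roles a user gained. The function name, the PRIVILEGED set and the sample lines are assumptions made for illustration, and the input is assumed to be in chronological order.

```python
import json

PRIVILEGED = {"admin"}  # assumption: role names treated as privileged in this example

def role_grants(lines):
    """Replay SCIM events in order and report privileged roles each user gained."""
    current, findings = {}, []
    for line in lines:
        entry = json.loads(line)
        event = entry.get("event", {})
        action = event.get("action", "")
        # Only successful SCIM operations change a user's roles.
        if not action.startswith("scim-user-") or event.get("outcome") != "success":
            continue
        name = entry["scim_user"]["user_name"]
        if action == "scim-user-delete":  # roles is absent for delete events
            current.pop(name, None)
            continue
        roles = set(entry["scim_user"].get("roles", []))
        gained = (roles - current.get(name, set())) & PRIVILEGED
        if gained:
            findings.append((entry["ts"], name, sorted(gained),
                             entry.get("source", {}).get("ip")))
        current[name] = roles
    return findings

# Constructed sample lines (not real log data), trimmed to the fields used here.
SAMPLE = [
    '{"ts":"1766435911.000000000","event":{"outcome":"success","action":"scim-user-create"},"scim_user":{"user_name":"alice@example.com","roles":["user","viewer"]},"source":{"ip":"192.168.1.1"}}',
    '{"ts":"1766435912.000000000","event":{"outcome":"failure","action":"scim-user-update"},"scim_user":{"user_name":"alice@example.com","roles":["user","admin"]},"source":{"ip":"192.168.1.1"}}',
    '{"ts":"1766435913.000000000","event":{"outcome":"success","action":"scim-user-update"},"scim_user":{"user_name":"alice@example.com","roles":["user","admin"]},"source":{"ip":"192.168.1.1"}}',
    '{"ts":"1766435914.000000000","event":{"outcome":"success","action":"scim-user-update"},"scim_user":{"user_name":"alice@example.com","roles":["admin"]},"source":{"ip":"192.168.1.1"}}',
    '{"ts":"1766435915.000000000","event":{"outcome":"success","action":"scim-user-delete"},"scim_user":{"user_name":"alice@example.com"}}',
    '{"ts":"1766435916.000000000","event":{"outcome":"success","action":"scim-user-create"},"scim_user":{"user_name":"alice@example.com","roles":["admin"]}}',
    '{"ts":"1766435917.000000000","event":{"outcome":"success","action":"login"}}',
]

if __name__ == "__main__":
    for finding in role_grants(SAMPLE):
        print(finding)
```

A user first seen in an update event is treated as having held no roles before, so a privileged role that predates the start of the log window is reported once as gained.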