Audit log streams is a paid feature.

If you’re using Infisical Cloud, then it is available under the Enterprise Tier. If you’re self-hosting Infisical, then you should contact [email protected] to purchase an enterprise license to use it.

Infisical Audit Log Streaming enables you to transmit your organization’s Audit Logs to external logging providers for monitoring and analysis.

The logs are formatted in JSON, requiring your logging provider to support JSON-based log parsing.

Overview

1

Navigate to Organization Settings in your sidebar.

2

Select Audit Log Streams Tab.

3

Click on Create

Provide the following values

Endpoint URL
string
required

The HTTPS endpoint URL of the logging provider that collects the JSON stream.

Headers
string

The HTTP headers for the logging provider for identification and authentication.

Your Audit Logs are now ready to be streamed.

Example Providers

Better Stack

1

Select Connect Source

2

Provide a name and select platform

3

Provide Audit Log Stream inputs

  1. Copy the endpoint from Better Stack to the Endpoint URL field.
  2. Create a new header with key Authorization and set the value as Bearer <source token from betterstack>.

Datadog

1

Navigate to API Keys section

2

Select New Key and provide a key name

3

Find your Datadog region specific logging endpoint.

  1. Navigate to the Datadog Send Logs API documentation.
  2. Pick your Datadog account region.
  3. Obtain your Datadog logging endpoint URL.
4

Provide audit log stream inputs

  1. Copy the logging endpoint from Datadog to the Endpoint URL field.
  2. Copy the API Key from previous step
  3. Create a new header with key DD-API-KEY and set the value as API Key.

Audit Log Stream Data

Each log entry sent to the external logging provider will follow the same structure.

Example Log Entry

{
  "id": "7dc1713b-d787-4147-9e21-770be01cc992",
  "actor": "user",
  "actorMetadata": {
    "email": "[email protected]",
    "userId": "7383b701-d83f-45c0-acb4-04e138b987ab",
    "username": "[email protected]"
  },
  "ipAddress": "127.0.0.1",
  "eventType": "create-secret",
  "eventMetadata": {
    "secretId": "3e5c796e-6599-4181-8dca-51133bb3acd0",
    "secretKey": "TEST-SECRET",
    "secretPath": "/",
    "environment": "dev",
    "secretVersion": 1
  },
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
  "userAgentType": "web",
  "expiresAt": "2025-01-18T01:11:25.552Z",
  "createdAt": "2025-01-15T01:11:25.552Z",
  "updatedAt": "2025-01-15T01:11:25.552Z",
  "orgId": "785649f1-ff4b-4ef9-a40a-9b9878e46e57",
  "projectId": "09bfcc01-0917-4bea-9c7a-2d320584d5b1",
  "projectName": "example-project"
}

Audit Logs Structure

id
string
required

The unique identifier for the log entry.

actor
platform | user | service | identity | scimClient | unknownUser
required

The entity responsible for performing or causing the event; this can be a user or service.

actorMetadata
object
required

The metadata associated with the actor. This varies based on the actor type.

If the actor field is set to platform, scimClient, or unknownUser, the actorMetadata field will be an empty object.

ipAddress
string
required

The IP address of the actor.

eventType
string
required

The type of event that occurred. Below you can see a list of possible event types. More event types will be added in the future as we expand our audit logs further.

get-secrets, delete-secrets, get-secret, create-secret, update-secret, delete-secret, get-workspace-key, authorize-integration, update-integration-auth, unauthorize-integration, create-integration, delete-integration, add-trusted-ip, update-trusted-ip, delete-trusted-ip, create-service-token, delete-service-token, create-identity, update-identity, delete-identity, login-identity-universal-auth, add-identity-universal-auth, update-identity-universal-auth, get-identity-universal-auth, create-identity-universal-auth-client-secret, revoke-identity-universal-auth-client-secret, get-identity-universal-auth-client-secret, create-environment, update-environment, delete-environment, add-workspace-member, remove-workspace-member, create-folder, update-folder, delete-folder, create-webhook, update-webhook-status, delete-webhook, get-secret-imports, create-secret-import, update-secret-import, delete-secret-import, update-user-workspace-role, update-user-workspace-denied-permissions, create-certificate-authority, get-certificate-authority, update-certificate-authority, delete-certificate-authority, get-certificate-authority-csr, get-certificate-authority-cert, sign-intermediate, import-certificate-authority-cert, get-certificate-authority-crl, issue-cert, get-cert, delete-cert, revoke-cert, get-cert-body, create-pki-alert, get-pki-alert, update-pki-alert, delete-pki-alert, create-pki-collection, get-pki-collection, update-pki-collection, delete-pki-collection, get-pki-collection-items, add-pki-collection-item, delete-pki-collection-item, org-admin-accessed-project, create-certificate-template, update-certificate-template, delete-certificate-template, get-certificate-template, create-certificate-template-est-config, update-certificate-template-est-config, get-certificate-template-est-config, update-project-slack-config, get-project-slack-config, integration-synced, create-shared-secret, delete-shared-secret, read-shared-secret.

eventMetadata
object
required

The metadata associated with the event. This varies based on the event type.

userAgent
string

The user agent of the actor, if applicable.

userAgentType
web | cli | k8-operator | terraform | other | InfisicalPythonSDK | InfisicalNodeSDK

The type of user agent.

expiresAt
string
required

The expiration date of the log entry. When this date is reached, the log entry will be deleted from Infisical.

createdAt
string
required

The creation date of the log entry.

updatedAt
string
required

The last update date of the log entry. This is unlikely to be out of sync with the createdAt field, as we do not update log entries after they’ve been created.

orgId
string
required

The unique identifier for the organization where the event occurred.

projectId
string

The unique identifier for the project where the event occurred.

The projectId field will only be present if the event occurred at the project level, not the organization level.

projectName
string

The name of the project where the event occurred.

The projectName field will only be present if the event occurred at the project level, not the organization level.

Was this page helpful?

Suggest editsRaise issue