Audit log streams is a paid feature.If you’re using Infisical Cloud, then it is available under the Enterprise Tier. If you’re self-hosting Infisical, then you should contact [email protected] to purchase an enterprise license to use it.
Infisical Audit Log Streaming enables you to transmit your organization’s audit logs to external logging providers for monitoring and analysis.

Overview

1

Create Stream

  1. Navigate to Organization Settings
  2. Select the Audit Log Streams tab
  3. Click Add Log Stream stream create
2

Select Provider

If your log provider is included in this list, select it. Otherwise click on Custom to input your own Endpoint URL and headers.select provider
3

Input Credentials

Depending on your chosen provider, you’ll be asked to input different credentials.For Custom, you need to input an endpoint URL and headers.custom providerOnce you’re finished, click Create Log Stream.
4

Log Stream Created

Your audit logs are now ready to be streamed.stream list

Example Providers

Example Log Entry

{
  "id": "7dc1713b-d787-4147-9e21-770be01cc992",
  "actor": "user",
  "actorMetadata": {
    "email": "[email protected]",
    "userId": "7383b701-d83f-45c0-acb4-04e138b987ab",
    "username": "[email protected]"
  },
  "ipAddress": "127.0.0.1",
  "eventType": "create-secret",
  "eventMetadata": {
    "secretId": "3e5c796e-6599-4181-8dca-51133bb3acd0",
    "secretKey": "TEST-SECRET",
    "secretPath": "/",
    "environment": "dev",
    "secretVersion": 1
  },
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
  "userAgentType": "web",
  "expiresAt": "2025-01-18T01:11:25.552Z",
  "createdAt": "2025-01-15T01:11:25.552Z",
  "updatedAt": "2025-01-15T01:11:25.552Z",
  "orgId": "785649f1-ff4b-4ef9-a40a-9b9878e46e57",
  "projectId": "09bfcc01-0917-4bea-9c7a-2d320584d5b1",
  "projectName": "example-project"
}

Audit Logs Structure

Streamed audit log structure varies based on provider, but they all share the audit log fields shown below.
id
string
required
The unique identifier for the log entry.
actor
platform | user | service | identity | scimClient | unknownUser
required
The entity responsible for performing or causing the event; this can be a user or service.
actorMetadata
object
required
The metadata associated with the actor. This varies based on the actor type.
If the actor field is set to platform, scimClient, or unknownUser, the actorMetadata field will be an empty object.
ipAddress
string
required
The IP address of the actor.
eventType
string
required
The type of event that occurred. Below you can see a list of possible event types. More event types will be added in the future as we expand our audit logs further.get-secrets, delete-secrets, get-secret, create-secret, update-secret, delete-secret, get-workspace-key, authorize-integration, update-integration-auth, unauthorize-integration, create-integration, delete-integration, add-trusted-ip, update-trusted-ip, delete-trusted-ip, create-service-token, delete-service-token, create-identity, update-identity, delete-identity, login-identity-universal-auth, add-identity-universal-auth, update-identity-universal-auth, get-identity-universal-auth, create-identity-universal-auth-client-secret, revoke-identity-universal-auth-client-secret, get-identity-universal-auth-client-secret, create-environment, update-environment, delete-environment, add-workspace-member, remove-workspace-member, create-folder, update-folder, delete-folder, create-webhook, update-webhook-status, delete-webhook, webhook-triggered, get-secret-imports, create-secret-import, update-secret-import, delete-secret-import, update-user-workspace-role, update-user-workspace-denied-permissions, create-certificate-authority, get-certificate-authority, update-certificate-authority, delete-certificate-authority, get-certificate-authority-csr, get-certificate-authority-cert, sign-intermediate, import-certificate-authority-cert, get-certificate-authority-crl, issue-cert, get-cert, delete-cert, revoke-cert, get-cert-body, create-pki-alert, get-pki-alert, update-pki-alert, delete-pki-alert, create-pki-collection, get-pki-collection, update-pki-collection, delete-pki-collection, get-pki-collection-items, add-pki-collection-item, delete-pki-collection-item, org-admin-accessed-project, create-certificate-template, update-certificate-template, delete-certificate-template, get-certificate-template, create-certificate-template-est-config, update-certificate-template-est-config, get-certificate-template-est-config, update-project-slack-config, get-project-slack-config, integration-synced, create-shared-secret, delete-shared-secret, read-shared-secret.
eventMetadata
object
required
The metadata associated with the event. This varies based on the event type.
userAgent
string
The user agent of the actor, if applicable.
userAgentType
web | cli | k8-operator | terraform | other | InfisicalPythonSDK | InfisicalNodeSDK
The type of user agent.
expiresAt
string
required
The expiration date of the log entry. When this date is reached, the log entry will be deleted from Infisical.
createdAt
string
required
The creation date of the log entry.
updatedAt
string
required
The last update date of the log entry. This is unlikely to be out of sync with the createdAt field, as we do not update log entries after they’ve been created.
orgId
string
required
The unique identifier for the organization where the event occurred.
projectId
string
The unique identifier for the project where the event occurred.The projectId field will only be present if the event occurred at the project level, not the organization level.
projectName
string
The name of the project where the event occurred.The projectName field will only be present if the event occurred at the project level, not the organization level.