Audit log streams is a paid feature.If you’re using Infisical Cloud, then it is available under the Enterprise Tier. If you’re self-hosting Infisical, then you should contact [email protected] to purchase an enterprise license to use it.
Infisical Audit Log Streaming enables you to transmit your organization’s Audit Logs to external logging providers for monitoring and analysis. The logs are formatted in JSON, requiring your logging provider to support JSON-based log parsing.

Overview

1

Navigate to Organization Settings in your sidebar.

2

Select Audit Log Streams Tab.

stream create
3

Click on Create

stream createProvide the following values
Endpoint URL
string
required
The HTTPS endpoint URL of the logging provider that collects the JSON stream.
Headers
string
The HTTP headers for the logging provider for identification and authentication.
stream listt Your Audit Logs are now ready to be streamed.

Example Providers

Better Stack

1

Select Connect Source

better stack connect source
2

Provide a name and select platform

3

Provide Audit Log Stream inputs

better stack connect
  1. Copy the endpoint from Better Stack to the Endpoint URL field.
  2. Create a new header with key Authorization and set the value as Bearer <source token from betterstack>.

Datadog

1

Navigate to API Keys section

api key create
2

Select New Key and provide a key name

api key formapi key form
3

Find your Datadog region specific logging endpoint.

datadog url
  1. Navigate to the Datadog Send Logs API documentation.
  2. Pick your Datadog account region.
  3. Obtain your Datadog logging endpoint URL.
4

Provide audit log stream inputs

datadog api key details
  1. Copy the logging endpoint from Datadog to the Endpoint URL field.
  2. Copy the API Key from previous step
  3. Create a new header with key DD-API-KEY and set the value as API Key.

Audit Log Stream Data

Each log entry sent to the external logging provider will follow the same structure.

Example Log Entry

{
  "id": "7dc1713b-d787-4147-9e21-770be01cc992",
  "actor": "user",
  "actorMetadata": {
    "email": "[email protected]",
    "userId": "7383b701-d83f-45c0-acb4-04e138b987ab",
    "username": "[email protected]"
  },
  "ipAddress": "127.0.0.1",
  "eventType": "create-secret",
  "eventMetadata": {
    "secretId": "3e5c796e-6599-4181-8dca-51133bb3acd0",
    "secretKey": "TEST-SECRET",
    "secretPath": "/",
    "environment": "dev",
    "secretVersion": 1
  },
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
  "userAgentType": "web",
  "expiresAt": "2025-01-18T01:11:25.552Z",
  "createdAt": "2025-01-15T01:11:25.552Z",
  "updatedAt": "2025-01-15T01:11:25.552Z",
  "orgId": "785649f1-ff4b-4ef9-a40a-9b9878e46e57",
  "projectId": "09bfcc01-0917-4bea-9c7a-2d320584d5b1",
  "projectName": "example-project"
}

Audit Logs Structure

id
string
required
The unique identifier for the log entry.
actor
platform | user | service | identity | scimClient | unknownUser
required
The entity responsible for performing or causing the event; this can be a user or service.
actorMetadata
object
required
The metadata associated with the actor. This varies based on the actor type.
If the actor field is set to platform, scimClient, or unknownUser, the actorMetadata field will be an empty object.
ipAddress
string
required
The IP address of the actor.
eventType
string
required
The type of event that occurred. Below you can see a list of possible event types. More event types will be added in the future as we expand our audit logs further.get-secrets, delete-secrets, get-secret, create-secret, update-secret, delete-secret, get-workspace-key, authorize-integration, update-integration-auth, unauthorize-integration, create-integration, delete-integration, add-trusted-ip, update-trusted-ip, delete-trusted-ip, create-service-token, delete-service-token, create-identity, update-identity, delete-identity, login-identity-universal-auth, add-identity-universal-auth, update-identity-universal-auth, get-identity-universal-auth, create-identity-universal-auth-client-secret, revoke-identity-universal-auth-client-secret, get-identity-universal-auth-client-secret, create-environment, update-environment, delete-environment, add-workspace-member, remove-workspace-member, create-folder, update-folder, delete-folder, create-webhook, update-webhook-status, delete-webhook, webhook-triggered, get-secret-imports, create-secret-import, update-secret-import, delete-secret-import, update-user-workspace-role, update-user-workspace-denied-permissions, create-certificate-authority, get-certificate-authority, update-certificate-authority, delete-certificate-authority, get-certificate-authority-csr, get-certificate-authority-cert, sign-intermediate, import-certificate-authority-cert, get-certificate-authority-crl, issue-cert, get-cert, delete-cert, revoke-cert, get-cert-body, create-pki-alert, get-pki-alert, update-pki-alert, delete-pki-alert, create-pki-collection, get-pki-collection, update-pki-collection, delete-pki-collection, get-pki-collection-items, add-pki-collection-item, delete-pki-collection-item, org-admin-accessed-project, create-certificate-template, update-certificate-template, delete-certificate-template, get-certificate-template, create-certificate-template-est-config, update-certificate-template-est-config, get-certificate-template-est-config, update-project-slack-config, get-project-slack-config, integration-synced, create-shared-secret, delete-shared-secret, read-shared-secret.
eventMetadata
object
required
The metadata associated with the event. This varies based on the event type.
userAgent
string
The user agent of the actor, if applicable.
userAgentType
web | cli | k8-operator | terraform | other | InfisicalPythonSDK | InfisicalNodeSDK
The type of user agent.
expiresAt
string
required
The expiration date of the log entry. When this date is reached, the log entry will be deleted from Infisical.
createdAt
string
required
The creation date of the log entry.
updatedAt
string
required
The last update date of the log entry. This is unlikely to be out of sync with the createdAt field, as we do not update log entries after they’ve been created.
orgId
string
required
The unique identifier for the organization where the event occurred.
projectId
string
The unique identifier for the project where the event occurred.The projectId field will only be present if the event occurred at the project level, not the organization level.
projectName
string
The name of the project where the event occurred.The projectName field will only be present if the event occurred at the project level, not the organization level.