Audit log API

Audit log API provides access to system audit logs that track user actions across the platform made to critical parts such as settings, host data, users, roles, Build projects, etc.

Get audit logs

URI: https://hub.cfengine.com/api/audit-log

Method: GET

Parameters:

• actor (string) Filter by user who performed the action.
• object_type (string) Filter by object type (see Allowed object types).
• action (string) Filter by action type (see Allowed actions).
• object_name (integer) Filter by object name.
• created_after (integer) Unix timestamp to filter logs after this time.
• created_before (integer) Unix timestamp to filter logs before this time.
• page (integer) Page number for pagination (default: 1).
• offset (integer) Number of results to skip for the processed query.
• sort_column (string) Column to sort by. Allowed values:
  • time
  • actor
  • action
  • object_id
  • object_name
  • object_type
• sort_direction (string, default: “DESC”) Sort direction. Allowed values:
  • ASC (ascending)
  • DESC (descending)

Example request (curl):

curl --user <username>:<password> -X GET https://hub.cfengine.com/api/audit-log

Successful response example:

HTTP 200 OK
{
    "data": [
        {
            "id": 4,
            "time": "2024-10-24 09:47:08.329041",
            "actor": "admin",
            "action": "created",
            "object_type": "user",
            "object_name": "test",
            "object_id": "test",
            "details": [
                "Created user `test`."
            ]
        },
        {
            "id": 3,
            "time": "2024-10-24 09:46:56.204391",
            "actor": "admin",
            "action": "created",
            "object_name": "test",
            "object_type": "role",
            "object_id": "test",
            "details": [
                "Created role `test`.",
                {
                    "description": "test",
                    "excludeContext": "",
                    "includedContext": "test"
                }
            ]
        },
        {
            "id": 2,
            "time": "2024-10-24 09:46:42.595813",
            "actor": "admin",
            "action": "updated",
            "object_type": "settings",
            "object_name": "Preferences",
            "object_id": null,
            "details": [
                "Settings updated.",
                {
                    "changes": [
                        "minPasswordLength"
                    ]
                }
            ]
        }
    ],
    "meta": {
        "count": 4,
        "page": 1,
        "timestamp": 1729763237,
        "total": 4
    }
}

Responses:

Allowed actions

Allowed object types

Get audit logs actors

Returns list of users who performed actions.

URI: https://hub.cfengine.com/api/audit-log/actors

Method: GET

Example request (curl):

curl --user <username>:<password> -X GET https://hub.cfengine.com/api/audit-log/actors

Successful response example:

HTTP 200 OK
[
    "admin",
    "test"
]

Get audit logs object name by type

Returns list of object names filtered by type.

URI: https://hub.cfengine.com/api/audit-log/:type/names

Method: GET

Parameters:

• object_type (string) Filter by object type (see Allowed object types).

Example request (curl):

curl --user <username>:<password> -X GET https://hub.cfengine.com/api/audit-log/Settings/names

Successful response example:

HTTP 200 OK
[
    "Preferences",
    "Mail",
    "VCS",
    "Authentication",
]

Permissions

All Audit log API endpoints require the audit-log.view RBAC permission. This permission is granted to the admin role by default and can be assigned to other roles via the Web RBAC API.

Retention

Audit log entries are stored in the audit_log table of the cfsettings PostgreSQL database (see the schema reference) and are retained indefinitely. No automatic pruning is performed.

Operators are expected to apply their own retention policy. See Audit log retention for inspection queries and pruning recipes.