Audit Log

The audit log tracks user actions across the system. It can answer questions like when a certain authentication event happened and what actions were taken by whom on instances and disks. The log is accessible to users with the fleet viewer role via the audit_log_list API endpoint.

Overview

Audit log entries correspond one-to-one with API calls. Each entry includes a time_started and time_completed, but the log is ordered by time_completed. Operations only appear in the audit log once they are complete. Currently there is only one system-level log endpoint returning operations from all silos; in a future release we will add silo-scoped logs accessible to silo administrators.

Audit log entries are immutable: once you see an entry, fetching it again will never get you a different result. If you fetch the log for a time range that is fully in the past, the resulting list is guaranteed to be complete, i.e., fetching the same timespan again later will always produce the same set of entries. Entries will never be inserted after the fact.

Events logged

All mutating API requests are captured in the audit log. In practice this means nearly all non-GET endpoints, with a small number of exceptions (such as read-only OxQL endpoints that use POST bodies for queries).

Viewing the log

Use the audit_log_list endpoint or the oxide audit-log list CLI command to fetch the log. Fleet viewer permissions are required. Callers are responsible for filtering, e.g., by operation ID, as there is no filtering built in.

The request requires a start_time (inclusive) and accepts an end_time (exclusive). Results are ordered by time_completed and a unique id, which you can use to deduplicate entries from overlapping time ranges. Results are paginated; use the page_token returned in the response to fetch subsequent pages.

Actor types

The actor field identifies who made the request:

silo_user

A user in a silo, identified by silo_user_id and silo_id

scim

A silo’s SCIM client, identified by silo_id

user_builtin

An internal system user

unauthenticated

No authenticated identity (e.g., login attempts)

user_builtin is an internal actor type included only for completeness; it should never appear in the log because there is no way for built-in users to make an external API request.

Authentication method and credential ID

For authenticated requests, auth_method indicates the type of credential used and credential_id identifies the specific session or token:

session_cookie

Console session

access_token

Device auth / OAuth 2.0 token

scim_token

SCIM client bearer token

Login endpoints (login_local and login_saml) are logged but have no auth_method, credential_id, or identified actor because the login request itself is not authenticated by one of the above methods. In a future release, successful logins will log the actor and resulting session ID.

Success result

{
  "id": "224ea169-1b08-42c5-8349-86517083641d",
  "time_started": "2025-08-12T00:03:45.439Z",
  "time_completed": "2025-08-12T00:03:45.611Z",
  "request_id": "e5cb503e-7af6-4620-b3d4-4b683eac2b7d",
  "request_uri": "https://corp.sys.oxide.acme.com/v1/projects/hello",
  "operation_id": "project_delete",
  "source_ip": "172.20.17.118",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0",
  "actor": {
    "kind": "silo_user",
    "silo_user_id": "dcef2ede-a083-4826-805e-b79d05007aec",
    "silo_id": "7bd7623a-68ed-4636-8ecb-b59e3b068787"
  },
  "auth_method": "session_cookie",
  "credential_id": "dd423500-8578-47de-897c-20a287559369",
  "result": {
    "kind": "success",
    "http_status_code": 204
  }
}

Error result

When the operation fails, the audit log entry looks the same except for the result value.

{
  // ...
  "result": {
    "kind": "error",
    "http_status_code": 400,
    "error_code": "InvalidRequest",
    "error_message": "project to be deleted contains a vpc: default"
  }
}

Unknown result

In rare cases — for example, if an internal error prevents the result from being recorded at completion time — the result kind is unknown:

{
  // ...
  "result": {
    "kind": "unknown"
  }
}

Planned features

  • Retention period (currently indefinite)

  • Silo-scoped log list endpoint for silo administrators

  • Log ID of resource created

  • Log more details about changes made in create and update requests