The audit log tracks user actions across the system. It can answer questions like when a certain authentication event happened and what actions were taken by whom on instances and disks. The log is accessible to users with the fleet viewer role via the audit_log_list API endpoint.
Overview
Audit log entries correspond one-to-one with API calls. Each entry includes a
time_started and time_completed, but the log is ordered by time_completed.
Operations only appear in the audit log once they are complete. Currently there
is only one system-level log endpoint returning operations from all silos; in a
future release we will add silo-scoped logs accessible to silo administrators.
Audit log entries are immutable: once you see an entry, fetching it again will never get you a different result. If you fetch the log for a time range that is fully in the past, the resulting list is guaranteed to be complete, i.e., fetching the same timespan again later will always produce the same set of entries. Entries will never be inserted after the fact.
Events logged
In the initial version of this feature, we are logging only a small set of API operations:
login_saml: last step of SAML login, creates web session
login_local: username/password login, creates web session
device_auth_confirm: last step of API token creation
Viewing the log
Use the audit_log_list endpoint or the oxide audit-log list CLI command to
fetch the log. Fleet viewer permissions are required. Callers are responsible
for filtering, e.g., by operation ID, as there is no filtering built in.
The request requires a start_time (inclusive) and accepts an end_time
(exclusive). Results are ordered by time_completed and a unique id, which
you can use to deduplicate entries from overlapping time ranges. Results are
paginated; use the page_token returned in the response to fetch subsequent
pages.
For authenticated requests, auth_method is set to session_cookie or
access_token. Unauthenticated operations like login attempts have no
auth_method.
Success result
{
  "id": "224ea169-1b08-42c5-8349-86517083641d",
  "time_started": "2025-08-12T00:03:45.439Z",
  "time_completed": "2025-08-12T00:03:45.611Z",
  "request_id": "e5cb503e-7af6-4620-b3d4-4b683eac2b7d",
  "request_uri": "https://corp.sys.oxide.acme.com/v1/projects/hello",
  "operation_id": "project_delete",
  "source_ip": "172.20.17.118",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0",
  "actor": {
    "kind": "silo_user",
    "silo_user_id": "dcef2ede-a083-4826-805e-b79d05007aec",
    "silo_id": "7bd7623a-68ed-4636-8ecb-b59e3b068787"
  },
  "auth_method": "session_cookie",
  "result": {
    "kind": "success",
    "http_status_code": 204
  }
}
Error result
When the operation fails, the audit log entry looks the same except for the
result value.
{
  // ...
  "result": {
    "kind": "error",
    "http_status_code": 400,
    "error_code": "InvalidRequest",
    "error_message": "project to be deleted contains a vpc: default"
  }
}
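Because filtering and deduplication are left to the caller, a consumer of the log usually needs a small post-processing step. The following is an added example, not code from the Oxide documentation or project: it assumes the entries have already been fetched into Python lists, all function names are hypothetical, and the sample entries (IDs, addresses, status codes) are constructed.

```python
from collections import Counter
from datetime import datetime

LOGIN_OPS = {"login_saml", "login_local"}  # operation IDs listed under "Events logged"

def completed(e):
    # time_completed is RFC 3339 with a trailing "Z", as in the sample entry
    return datetime.fromisoformat(e["time_completed"].replace("Z", "+00:00"))

def merge_windows(*windows):
    """Combine fetches of overlapping time ranges: dedupe on id, order by (time_completed, id)."""
    by_id = {}
    for entries in windows:
        for e in entries:
            by_id.setdefault(e["id"], e)  # entries are immutable, so any copy will do
    return sorted(by_id.values(), key=lambda e: (completed(e), e["id"]))

def failed_logins_by_ip(entries):
    """Count failed login operations per source_ip (client-side filter on operation_id)."""
    return Counter(e["source_ip"] for e in entries
                   if e["operation_id"] in LOGIN_OPS and e["result"]["kind"] == "error")

def token_creations(entries):
    """Successful device_auth_confirm calls, i.e. new API tokens, with who and from where."""
    return [(e["time_completed"], e.get("actor", {}).get("silo_user_id"), e["source_ip"])
            for e in entries
            if e["operation_id"] == "device_auth_confirm" and e["result"]["kind"] == "success"]

def auth_methods(entries):
    """Tally auth_method; the key is absent on unauthenticated operations such as logins."""
    return Counter(e.get("auth_method", "unauthenticated") for e in entries)

def _e(id_, ts, op, ip, kind, status, **extra):  # builds a constructed sample entry
    return {"id": id_, "time_completed": ts, "operation_id": op, "source_ip": ip,
            "result": {"kind": kind, "http_status_code": status}, **extra}

# Constructed sample data: two fetches whose time ranges overlap (entry "a3" is in both).
ACTOR = {"kind": "silo_user", "silo_user_id": "user-1 (constructed)"}
WINDOW_1 = [
    _e("a1", "2025-08-12T00:00:01.000Z", "login_local", "203.0.113.7", "error", 401),
    _e("a2", "2025-08-12T00:00:02.000Z", "login_local", "203.0.113.7", "error", 401),
    _e("a3", "2025-08-12T00:00:03.500Z", "login_local", "203.0.113.7", "success", 204),
]
WINDOW_2 = [
    _e("a3", "2025-08-12T00:00:03.500Z", "login_local", "203.0.113.7", "success", 204),
    _e("a4", "2025-08-12T00:00:09.250Z", "device_auth_confirm", "203.0.113.7", "success", 204,
       actor=ACTOR, auth_method="session_cookie"),
]
MERGED = merge_windows(WINDOW_1, WINDOW_2)
```

Since operations only appear once complete and entries are never inserted after the fact, re-fetching with a start_time slightly before the last time_completed seen and merging on id is enough to avoid both gaps and duplicates.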
Planned features
Retention period (currently indefinite)
Silo-scoped log list endpoint for silo administrators
Log ID of resource created
Log ID of token or session used for request
Log a more comprehensive set of operations
Log more details about changes made in create and update requests