Audit Logs Overview
AstroPulse's enterprise-grade audit logging system provides comprehensive visibility into every action taken within your organization. Track who did what, when, and from where—essential for security, compliance, and operational insights.
Audit Logs are available exclusively for Enterprise plan organizations. Upgrade your plan to access audit capabilities.
What You Can Do
- Track All Operations: Monitor cluster, application, organization, and user operations
- User Attribution: Know exactly who performed each action with full user profiles
- Security Forensics: IP address and user agent tracking for incident investigation
- Compliance Ready: SOC2, GDPR, and regulatory compliance support
- Export & Analyze: Export audit data in CSV or JSON format
- Real-time Stats: Get insights into activity patterns across your organization
Audited Operations
Event Types
| Event Type | Description |
|---|---|
| CLUSTER | Kubernetes cluster operations |
| APPLICATION | Application deployment operations |
| APP_PROFILE | Application profile management |
| ORGANIZATION | Organization settings and membership |
| USER | User account operations |
| API_KEY | API key lifecycle management |
| PROVIDER | Cloud provider integrations (GitHub, etc.) |
| NOTIFICATION | Notification configuration changes |
| AUDIT | Audit log access (self-auditing) |
Actions
| Action | Description |
|---|---|
| CREATE | Resource creation |
| UPDATE | Resource modification |
| DELETE | Resource deletion |
| UPGRADE | Kubernetes version upgrade (irreversible) |
| REVOKE | API key revocation |
| RESYNC | Application resync operation |
| READ | Access to sensitive data (audit logs) |
Resource Operations
| Resource | Actions Tracked |
|---|---|
| Clusters | CREATE, DELETE, UPDATE, UPGRADE |
| Applications | CREATE, DELETE, RESYNC |
| App Profiles | CREATE, DELETE |
| Organizations | CREATE, UPDATE |
| Users | CREATE, UPDATE |
| API Keys | CREATE, DELETE, REVOKE |
| Providers | CREATE, DELETE |
| Notifications | CREATE, UPDATE, DELETE |
Captured Metadata
Every audit event includes:
- Timestamp: When the action occurred (ISO 8601 format)
- User Profile: Name and email of the actor (masked for GDPR compliance)
- User Roles: Roles assigned to the user at time of action
- IP Address: Source IP for security tracking
- User Agent: Browser/client information
- Request ID: For correlation with system logs
- Success/Failure: Outcome of the operation
- Resource Details: What was affected and additional context
Quick Start
Using the Console
- Navigate to Settings → Audit Logs in the AstroPulse Console
- Select your organization from the dropdown at the top
- Use the available filters to narrow down events:
  - Action: Filter by operation type (CREATE, DELETE, UPDATE, etc.)
  - Event Type: Filter by resource type (CLUSTER, APPLICATION, etc.)
  - Date Range: Set start and end dates to view specific time periods
- View the Stats cards for a quick summary of total events and breakdown by action
- Browse the events table with pagination controls
- Click Export CSV to download audit data for external analysis
Using the CLI
```bash
# List recent audit events
astroctl audit list

# List audit events with pagination
astroctl audit list --page 2 --page-size 25

# Filter by event type
astroctl audit list --event-type CLUSTER

# Filter by action
astroctl audit list --action CREATE

# Filter by user (Admin/Owner only for other users)
astroctl audit list --user-id 660d8b8d09e3ce662ee63de6

# Filter by date range
astroctl audit list --start-date 2024-01-15 --end-date 2024-01-16

# Get specific audit event details
astroctl audit get audit_20240115143045_660d8b8d_API_KEY

# Export audit events as JSON
astroctl audit export

# Export audit events as CSV
astroctl audit export --format csv

# Export to file
astroctl audit export --format csv --output audit-report.csv

# Get audit statistics for the last 30 days
astroctl audit stats

# Get audit statistics for the last 7 days
astroctl audit stats --period 7d
```
Access Control
Audit logs follow strict role-based access control:
| Role | List Events | View Details | Export | Stats |
|---|---|---|---|---|
| Org Owner | ✅ All events | ✅ | ✅ | ✅ |
| Org Admin | ✅ All events | ✅ | ✅ | ✅ |
| Org Editor | Own events only | Own events only | Own events only | ❌ |
| Org Viewer | Own events only | Own events only | Own events only | ❌ |
Organization owners and admins can access all audit logs. Regular members can only view their own activity. Statistics are restricted to admins and owners only.
Event Structure
Each audit event contains the following information:
```json
{
  "timestamp": "2024-01-15T10:30:45Z",
  "request_id": "abc123def456",
  "event_type": "CLUSTER",
  "user_id": "660d8b8d09e3ce662ee63de6",
  "user_profile": {
    "name": "J*** D***",
    "email": "j***@company.com",
    "roles": ["developer", "admin"]
  },
  "org_id": "org_12345",
  "action": "DELETE",
  "resource": "CLUSTER",
  "resource_id": "prod-cluster-1",
  "source": "api",
  "success": true,
  "status_code": 200,
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0...",
  "details": {}
}
```
PII Protection
User names and emails are automatically masked for GDPR/PII compliance:
- Email: john.doe@example.com → j***@example.com
- Name: John Doe → J*** D***
The user_id field is the authoritative identifier for user lookup when full details are needed.
Storage & Retention
- Immutable: Audit logs cannot be modified or deleted
- Encrypted: All data encrypted at rest and in transit
- Partitioned: Events organized by date for efficient querying
- Regional: Data stored in your organization's designated region for compliance
Compliance Support
SOC2
- ✅ Complete audit trail of all resource operations
- ✅ User identification and attribution
- ✅ Immutable log storage
- ✅ Access control enforcement
GDPR
- ✅ Data minimization (only essential fields captured)
- ✅ PII masking (names and emails automatically masked)
- ✅ Right to access (export your audit data)
- ✅ Encryption at rest and in transit
- ✅ Data residency options
Query Options
Filtering Parameters
| Parameter | Description | Example |
|---|---|---|
| event-type | Filter by resource type | CLUSTER, APPLICATION, API_KEY |
| action | Filter by action | CREATE, DELETE, UPDATE, REVOKE |
| user-id | Filter by user | 660d8b8d09e3ce662ee63de6 |
| start-date | Start of date range | 2024-01-01 |
| end-date | End of date range | 2024-01-31 |
| page | Page number | 1 |
| page-size | Items per page (max 100) | 50 |
Export Formats
- JSON: Full structured data for programmatic processing
- CSV: Spreadsheet-compatible for reporting and analysis
Statistics Periods
- 7d: Last 7 days
- 30d: Last 30 days (default)
- 90d: Last 90 days
Best Practices
- Regular Reviews: Schedule periodic audit log reviews for security compliance
- Export for Backup: Regularly export audit data for long-term retention
- Monitor Sensitive Operations: Pay attention to DELETE, UPGRADE, and API_KEY operations
- Correlate with Incidents: Use request IDs and timestamps to correlate with system logs
- Role-Based Access: Limit audit access to authorized administrators only
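A review pass over exported events can be scripted. The following is an added example, not AstroPulse code: it flags the operations named above (DELETE, UPGRADE, API_KEY) plus failed operations, and keeps each request ID so findings can be correlated with system logs. It assumes the JSON export is an array of objects shaped like the Event Structure example; the sample events, user IDs and the `failure_threshold` parameter are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Watch list taken from the "Monitor Sensitive Operations" best practice.
SENSITIVE_ACTIONS = {"DELETE", "UPGRADE"}
SENSITIVE_EVENT_TYPES = {"API_KEY"}

# Constructed sample export (deliberately out of order). Assumption: the JSON
# export is an array of events with the fields shown under "Event Structure".
SAMPLE_EXPORT = """[
 {"timestamp":"2024-01-15T10:30:45Z","request_id":"req-001","event_type":"CLUSTER","action":"DELETE","user_id":"u-alice","success":true,"ip_address":"192.0.2.10"},
 {"timestamp":"2024-01-15T10:32:10Z","request_id":"req-003","event_type":"API_KEY","action":"CREATE","user_id":"u-bob","success":true,"ip_address":"192.0.2.11"},
 {"timestamp":"2024-01-15T10:31:02Z","request_id":"req-002","event_type":"APPLICATION","action":"CREATE","user_id":"u-bob","success":true,"ip_address":"192.0.2.11"},
 {"timestamp":"2024-01-15T11:05:41Z","request_id":"req-006","event_type":"APPLICATION","action":"DELETE","user_id":"u-carol","success":false,"ip_address":"198.51.100.7"},
 {"timestamp":"2024-01-15T11:05:00Z","request_id":"req-004","event_type":"CLUSTER","action":"UPGRADE","user_id":"u-carol","success":false,"ip_address":"198.51.100.7"},
 {"timestamp":"2024-01-15T11:05:20Z","request_id":"req-005","event_type":"CLUSTER","action":"DELETE","user_id":"u-carol","success":false,"ip_address":"198.51.100.7"}
]"""

def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in audit events."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(events, failure_threshold=3):
    """Return (findings, repeat_failures) for a list of audit events.

    findings: flagged events in time order, each with the reasons it matched.
    repeat_failures: user_id -> request IDs, for users at or above the threshold.
    """
    findings, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        reasons = []
        if ev.get("action") in SENSITIVE_ACTIONS:
            reasons.append("sensitive action " + ev["action"])
        if ev.get("event_type") in SENSITIVE_EVENT_TYPES:
            reasons.append(ev["event_type"] + " operation")
        if ev.get("success") is False:
            reasons.append("failed")
            failures[ev["user_id"]].append(ev["request_id"])
        if reasons:
            findings.append({"request_id": ev["request_id"], "user_id": ev["user_id"],
                             "ip_address": ev.get("ip_address"), "reasons": reasons})
    repeat = {u: ids for u, ids in failures.items() if len(ids) >= failure_threshold}
    return findings, repeat

if __name__ == "__main__":
    flagged, repeat = triage(json.loads(SAMPLE_EXPORT))
    for f in flagged:
        print(f["request_id"], f["user_id"], f["ip_address"], "; ".join(f["reasons"]))
    print("repeated failures:", repeat)
```

To run it against real data, replace `SAMPLE_EXPORT` with the contents of a file written by `astroctl audit export`.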
Self-Auditing
For complete compliance, accessing audit logs generates its own audit events. This means:
- Every query to the audit API is logged with event_type: AUDIT
- Export operations are tracked
- Statistics requests are recorded
This ensures full accountability for audit log access itself.
Need Help?
- CLI Reference: See the astroctl audit commands
- Support: Contact support@astropulse.io