List Audit Log events - Audit log event

The Audit Logs API is for monitoring the audit events happening in an Enterprise project to ensure continued compliance, to safeguard against any inappropriate system access, and to allow you to audit suspicious behavior within your enterprise.

The idea is to give Enterprise organization owners the ability to query user actions in a project. With this API, you could:

Automatically feed DatoCMS access data into an SIEM or other auditing tool
Proactively monitor for potential security issues or malicious access attempts
Write custom apps to gain insight into how your organization uses DatoCMS

The Audit Logs API provides insight into audit events that are actually happening across a DatoCMS organization and is therefore read only. There are no write methods for Audit Log events.

DatoCMS also does not perform any kind of automated intrusion detection. The Audit Logs API will return the data but can not automatically determine or indicate whether an action was appropriate.

Pagination

A single request might not return the full results. To get the remaining results, you can use the meta.next_token of a response as a next_token attribute for the next request, until the response returns null as the next token.

Filtering events

You can use the filter parameter to pass an SQL-like query to filter events. Any attribute of the event payload can be used in a condition.

To filter for date, you can use the event id attribute, which is an ULID (Universally Unique Lexicographically Sortable Identifier) togheter with the min_ulid() function, which takes a Unix timestamp.

The following query returns actions performed in Q1 2021 (January to March):

id >= min_ulid(1609455600) AND id < min_ulid(1617228000)

Other query examples will follow:

# Return actions of type 'items.update'
action_name = 'items.update'
# Return actions performed by a collaborator
actor.type = 'user'
# Return actions performed by a specific collaborator
actor.type = 'user' AND actor.id = '4845293'
# Return publishing actions for the record 239408
request.path = '/items/239408/publish'
# Return all record creations for the model 855832
action_name = 'items.create' AND request.payload.data.relationships.item_type.data.id = '855832'

Parameters

filter string Optional

An SQL-like expression to filter the events

nextToken string Optional

Set this value to get remaining results, if a meta.next_token was returned in the previous query response

detailedLog boolean Optional

Whether a detailed log complete with full request and response payload must be returned or not

Returns

Returns an array of audit_log_event objects.

Examples

Example code:

const SiteClient = require('datocms-client').SiteClient;
const client = new SiteClient('YOUR-API-TOKEN');
client.auditLogEvent.query({
  filter: 'id > min_ulid(1624452728)',
  nextToken: 'E5188+SCXtvvXVUFkqmwtQJd3V3lJIOsZBjHvTYz',
  detailedLog: true
})
.then((auditLogEvents) => {
    auditLogEvents.forEach((auditLogEvent) => {
      console.log(auditLogEvent);
    });
  })
.catch((error) => {
  console.error(error);
});

Returned output:

> node example.js
{
  "id": "01F8WDQJR03M4VC6NTK49R83QW",
  "actionName": "items.publish",
  "actor": {
    "type": "user",
    "id": "3845289",
    "name": "mark@acme.com"
  },
  "role": {
    "id": "455281",
    "name": "Editor"
  },
  "environment": {
    "id": "main",
    "primary": true
  },
  "request": {
    "id": "894f9f6c-a693-4f93-a3fb-452454b41313",
    "method": "PUT",
    "path": "/items/37823421/publish",
    "payload": {}
  },
  "response": {
    "status": 200,
    "payload": {}
  },
  "meta": {
    "occurred_at": "2016-09-20T18:50:24.914Z"
  }
}

Questions?

We're always happy to help with code or other questions you might have. Search our documentation, forum, contact support, or connect with our sales team. You can chat live with other developers in our Slack channel.