What Are Console Audit Logs?
Every action that administrators perform in the Console is recorded as a log entry — who performed the action, what resource was affected, when it happened, and whether it succeeded or failed. Publishing a config bundle, inviting a team member, updating a deployment, uploading a TLS certificate — each of these actions produces a structured audit record. Audit logs matter for three reasons:- Compliance evidence — Audit logs provide the admin-action audit trail required by frameworks like SOC 2, HIPAA, and GDPR. They prove who made configuration changes, when, and whether those changes were authorized.
- Security investigations — When something goes wrong — a misconfigured policy, an unauthorized deployment publish — audit logs let you trace the exact sequence of actions that led to the issue, including the actor, IP address, and timestamp.
- Operational accountability — In multi-admin environments, audit logs establish clear ownership of every change. You can answer “who published that config?” or “who removed that team member?” without guessing.
Console Logs vs. Orchestrator Logs
Console audit logs capture management plane actions: configuration changes, bundle publishing, team membership, organization settings — everything administrators do in the Console UI. The Orchestrator, by contrast, captures data plane actions: user authentication events, authorization decisions, token issuance, and proxy requests — everything that happens at runtime when end users interact with protected applications. Together, Console audit logs and Orchestrator logs provide complete audit coverage across both administrative and runtime operations. For Orchestrator-side logging, see the Compliance and Audit guide and the Telemetry Reference.Accessing Audit Logs
Audit logs are accessible through the Console UI. You can filter by time range, event category, and specific event type to find relevant entries. JSON/CSV export and SIEM streaming are on the roadmap — see Export and Integration below.Schema (v1.0)
Every audit log entry follows the v1.0 schema. The top-level structure contains identifying information, the event classification, and nested objects describing the actor, target, source, context, and request.Top-Level Fields
| Field | Type | Description |
|---|---|---|
id | string | Unique identifier for this audit log entry |
version | string | Schema version (currently "1.0") |
timestamp | string (RFC 3339) | When the event occurred |
eventType | string | Specific event identifier (e.g., deployment.publish) |
category | string | Event category (e.g., deployment_management) |
outcome | object | Result of the action — see Outcome |
actor | object | Who performed the action — see Actor |
target | object | What was acted upon — see Target |
source | object | Where the request came from — see Source |
context | object | Tracing and service information — see Context |
request | object | HTTP request details — see Request |
metadata | object | Additional event-specific data (varies by event type) |
Outcome
The outcome object records whether the action succeeded or failed.| Field | Type | Description |
|---|---|---|
status | string | "success" or "failure" |
statusCode | integer | HTTP status code of the response |
errorMsg | string | Error message (present on failure) |
reason | string | Human-readable reason for the outcome |
"success". All other status codes are recorded as "failure".
Actor
The actor object identifies who performed the action.| Field | Type | Description |
|---|---|---|
type | string | Actor type (e.g., "user") |
id | string | Unique identifier for the actor |
email | string | Actor’s email address |
displayName | string | Actor’s display name |
organizationID | string | ID of the actor’s organization |
organizationName | string | Name of the actor’s organization |
Target
The target object identifies what was acted upon.| Field | Type | Description |
|---|---|---|
id | string | Unique identifier for the target resource |
arn | string | Amazon Resource Name or resource identifier |
type | string | Target resource type (e.g., "deployment", "application") |
name | string | Human-readable name of the target resource |
organizationID | string | ID of the organization that owns the target |
Source
The source object records where the request originated.| Field | Type | Description |
|---|---|---|
ipAddress | string | IP address of the client |
clientType | string | Type of client that made the request |
userAgent | string | User-Agent header from the HTTP request |
Context
The context object provides tracing and service metadata for correlating events across services.| Field | Type | Description |
|---|---|---|
region | string | Region where the request was processed |
service | string | Service that handled the request |
serviceVersion | string | Version of the service |
traceID | string | Distributed trace identifier |
spanID | string | Span identifier within the trace |
Request
The request object captures HTTP-level details about the API call.| Field | Type | Description |
|---|---|---|
method | string | HTTP method (e.g., GET, POST, PUT, DELETE) |
path | string | Request URL path |
queryParams | string | Query string parameters |
referrer | string | HTTP Referer header value |
contentLength | integer | Size of the request body in bytes |
contentType | string | Content-Type header value |
The API uses camelCase JSON serialization for all fields (e.g.,
eventType, statusCode, displayName, ipAddress, clientType, userAgent, traceID, spanID, queryParams, contentLength, contentType).Event Categories and Types
The Console captures over 80 distinct event types organized into 9 categories. Each event type represents a specific API action.deployment_management (35 event types)
deployment_management (35 event types)
All operations related to creating, configuring, publishing, and managing Orchestrator deployments.
| Event Type | Description |
|---|---|
deployment.list | List all deployments |
deployment.create | Create a new deployment |
deployment.update | Update deployment settings |
deployment.view | View deployment details |
deployment.delete | Delete a deployment |
deployment.purge | Permanently remove a deleted deployment |
deployment.publish | Publish a config bundle to the deployment provider |
deployment.restore | Restore a previously deleted deployment |
deployment.download | Download the deployment’s config bundle |
deployment.config.view | View deployment configuration |
deployment.config.update | Update deployment configuration |
deployment.config.download | Download deployment configuration |
deployment.settings.update | Update deployment-level settings |
deployment.storage.update | Update the deployment’s storage provider |
deployment.key.download | Download the deployment’s public key |
deployment.service.create | Create a service extension |
deployment.service.view | View a service extension |
deployment.service.update | Update a service extension |
deployment.service.delete | Delete a service extension |
deployment.service.jwks.create | Create a JWKS entry for a service |
deployment.service.jwks.list | List JWKS entries for a service |
deployment.service.jwks.delete | Delete a JWKS entry for a service |
deployment.application.attach | Attach an application to a deployment |
deployment.application.detach | Detach an application from a deployment |
deployment.cache.create | Create a cache configuration |
deployment.cache.list | List cache configurations |
deployment.cache.delete | Delete a cache configuration |
deployment.cache.update | Update a cache configuration |
deployment.cache.view | View a cache configuration |
deployment.tls.create | Create a TLS certificate |
deployment.tls.list | List TLS certificates |
deployment.tls.update | Update a TLS certificate |
deployment.orchestrator.view | View Orchestrator instance details |
deployment.revision.list | List deployment revisions |
deployment.revision.view | View a specific deployment revision |
organization_management (4 event types)
organization_management (4 event types)
Operations for managing organization settings and configuration.
| Event Type | Description |
|---|---|
organization.list | List organizations |
organization.view | View organization details |
organization.update | Update organization settings |
organization.delete | Delete an organization |
membership_management (13 event types)
membership_management (13 event types)
Operations for invitations, roles, team membership, and organizational units.
| Event Type | Description |
|---|---|
member.list | List organization members |
member.invite | Invite a new member to the organization |
member.remove | Remove a member from the organization |
member.join | A member accepts an invitation |
member.decline | A member declines an invitation |
member.invitation.list | List pending invitations |
member.invitation.cancel | Cancel a pending invitation |
member.role.update | Update a member’s role |
ownership.transfer | Transfer organization ownership |
organization_unit.create | Create an organizational unit |
organization_unit.update | Update an organizational unit |
organization_unit.list | List organizational units |
organization_unit.view | View an organizational unit |
application_management (5 event types)
application_management (5 event types)
CRUD operations for applications managed through the Console.
| Event Type | Description |
|---|---|
application.list | List applications |
application.view | View application details |
application.create | Create a new application |
application.update | Update an application |
application.delete | Delete an application |
identity_fabric_management (7 event types)
identity_fabric_management (7 event types)
Operations for managing identity fabrics and service extensions.
| Event Type | Description |
|---|---|
identity_fabric.list | List identity fabrics |
identity_fabric.create | Create an identity fabric |
identity_fabric.view | View identity fabric details |
identity_fabric.update | Update an identity fabric |
identity_fabric.delete | Delete an identity fabric |
service_extension.list | List service extensions |
service_extension.compile | Compile a service extension |
user_flow_management (9 event types)
user_flow_management (9 event types)
Operations for managing user flows and their policies.
| Event Type | Description |
|---|---|
user_flow.list | List user flows |
user_flow.create | Create a user flow |
user_flow.delete | Delete a user flow |
user_flow.view | View user flow details |
user_flow.update | Update a user flow |
user_flow.policy.create | Create a policy on a user flow |
user_flow.policy.view | View a user flow policy |
user_flow.policy.update | Update a user flow policy |
user_flow.policy.delete | Delete a user flow policy |
security_configuration (5 event types)
security_configuration (5 event types)
TLS certificate management operations.
| Event Type | Description |
|---|---|
tls.list | List TLS certificates |
tls.view | View TLS certificate details |
tls.create | Upload or create a TLS certificate |
tls.update | Update a TLS certificate |
tls.delete | Delete a TLS certificate |
audit_log (2 event types)
audit_log (2 event types)
Operations for viewing audit logs themselves.
| Event Type | Description |
|---|---|
audit_log.list | List audit log entries |
audit_log.view | View a single audit log entry |
user_management (1 event type)
user_management (1 event type)
User account operations.
| Event Type | Description |
|---|---|
user.delete | Delete a user account |
Storage and Retention
Audit log storage is automatic when audit logging is enabled for your organization. There is no additional configuration required. Logs are currently retained indefinitely and are accessible through the Console UI. A formal retention policy, including default retention periods, will be defined in a future release as export and SIEM streaming capabilities become available.Export and Integration
The following export capabilities are on the Strata product roadmap and are not yet available. Contact your Strata account team for the latest availability.
- JSON export — Download audit log data as JSON files for offline analysis and archival
- CSV export — Export audit logs in CSV format for spreadsheet analysis and reporting
- SIEM streaming — Stream audit log events to your cloud-based SIEM solution for centralized security monitoring and alerting