What Are Console Audit Logs?
Every action that administrators perform in the Console is recorded as a log entry — who performed the action, what resource was affected, when it happened, and whether it succeeded or failed. Publishing a config bundle, inviting a team member, updating a deployment, uploading a TLS certificate — each of these actions produces a structured audit record.

Audit logs matter for three reasons:

- Compliance evidence — Audit logs provide the admin-action audit trail required by frameworks like SOC 2, HIPAA, and GDPR. They prove who made configuration changes, when, and whether those changes were authorized.
- Security investigations — When something goes wrong — a misconfigured policy, an unauthorized deployment publish — audit logs let you trace the exact sequence of actions that led to the issue, including the actor, IP address, and timestamp.
- Operational accountability — In multi-admin environments, audit logs establish clear ownership of every change. You can answer “who published that config?” or “who removed that team member?” without guessing.
Console Logs vs. Orchestrator Logs
Console audit logs capture management plane actions: configuration changes, bundle publishing, team membership, organization settings — everything administrators do in the Console UI. The Orchestrator, by contrast, captures data plane actions: user authentication events, authorization decisions, token issuance, and proxy requests — everything that happens at runtime when end users interact with protected applications. Together, Console audit logs and Orchestrator logs provide complete audit coverage across both administrative and runtime operations. For Orchestrator-side logging, see the Compliance and Audit guide and the Telemetry Reference.
Accessing Audit Logs
Audit logs are accessible through the Console UI. You can filter by time range, event category, and specific event type to find relevant entries. JSON/CSV export and SIEM streaming are on the roadmap — see Export and Integration below.
Schema (v1.0)
Every audit log entry follows the v1.0 schema. The top-level structure contains identifying information, the event classification, and nested objects describing the actor, target, source, context, and request.
Top-Level Fields

| Field | Type | Description |
|---|---|---|
| id | string (MRN) | Maverics Resource Notation identifier for the audit event |
| version | string | Schema version (currently "1.0") |
| timestamp | string (RFC 3339) | When the event occurred |
| eventType | string | Specific event identifier (e.g., deployment.publish) |
| category | string | Event category (e.g., deployment_management) |
| outcome | object | Result of the action — see Outcome |
| actor | object | Who performed the action — see Actor |
| target | object | What was acted upon — see Target |
| source | object | Where the request came from — see Source |
| context | object | Tracing and service information — see Context |
| request | object | HTTP request details — see Request |
| metadata | object | Additional event-specific data — see Metadata |

The id field and target.id use Maverics Resource Notation (MRN), a structured identifier with the format:
maverics:us-west-2:550e8400-e29b-41d4-a716-446655440000:audit-log:7c9e6679-7425-40de-944b-e07fc1f90ae7
Outcome
The outcome object records the result of the action.

| Field | Type | Description |
|---|---|---|
| status | string | Outcome status (see values below) |
| statusCode | integer | HTTP status code of the response |
| errorMsg | string | Detailed error message for debugging |
| reason | string | Human-readable explanation of the outcome |

| Value | Description |
|---|---|
| success | Action completed successfully |
| failure | Action failed due to validation or business logic |
| partial | Action partially completed (e.g., bulk operation with some failures) |
| denied | Action blocked by authorization policy |
| error | System error prevented action completion |

Actor
The actor object identifies who performed the action.

| Field | Type | Description |
|---|---|---|
| type | string | Actor type (see values below) |
| id | string | Unique identifier (user ID, API key ID, or service name) |
| email | string | Actor’s email address (for user and admin_user actors) |
| displayName | string | Human-readable name |
| organizationID | string | Organization context for the action |
| organizationName | string | Organization name for readability |

| Value | Description |
|---|---|
| user | Human user authenticated via UI or API |
| admin_user | Platform administrator authenticated via admin console |
| api_key | Programmatic access via API key |
| system | Automated system process (e.g., scheduled jobs) |
| service | Internal service-to-service calls |

Target
The target object identifies what was acted upon.

| Field | Type | Description |
|---|---|---|
| type | string | Resource type (see values below) |
| id | string | MRN (Maverics Resource Notation) identifier for the target resource |
| name | string | Human-readable resource name |
| organizationID | string | Owning organization |

| Value | Description |
|---|---|
| organization | Organization/account |
| organization_unit | Organizational unit |
| user | User account |
| membership | Organization membership |
| invitation | User invitation |
| deployment | Deployment/environment |
| deployment_revision | Deployment revision/version |
| identity_fabric | Identity Fabric configuration |
| user_flow | Authentication user flow |
| user_flow_policy | User flow policy rule |
| application | Application registration |
| service | Provider service (OIDC, SAML, LDAP, MCP) |
| tls_config | TLS configuration |
| cache | Deployment cache |
| api_key | API key |
| service_extension | Custom service extension |
| orchestrator | Orchestrator instance |
| feature_flag | Feature flag (global or account-level) |
| sso_domain | SSO domain configuration |
| admin_user | Platform administrator user |
| database_migration | Database migration job |

Source
The source object records where the request originated.

| Field | Type | Description |
|---|---|---|
| ipAddress | string | Client IP address |
| userAgent | string | Raw User-Agent header |
| clientType | string | Client type (see values below) |

browser, api_client, sdk, service, unknown
Context
The context object provides tracing and service metadata for correlating events across services.

| Field | Type | Description |
|---|---|---|
| region | string | Region where the request was processed |
| service | string | Service that handled the request |
| serviceVersion | string | Version of the service |
| traceID | string | Distributed trace identifier |
| spanID | string | Span identifier within the trace |

Request
The request object captures HTTP-level details about the API call.

| Field | Type | Description |
|---|---|---|
| method | string | HTTP method (e.g., GET, POST, PUT, DELETE, PATCH) |
| path | string | Request URL path |
| queryParams | string | Query string parameters |
| referrer | string | HTTP Referer header value |
| contentLength | integer | Size of the request body in bytes |
| contentType | string | Content-Type header value |

The API uses camelCase JSON serialization for all fields (e.g., eventType, statusCode, displayName, ipAddress, clientType, userAgent, traceID, spanID, queryParams, contentLength, contentType).
Metadata
The metadata object is a flexible key-value store for domain-specific context that doesn’t fit the standard schema fields. The keys present in metadata vary by event type, providing additional detail relevant to the specific action.
Reserved Metadata Keys
The following keys have a defined meaning across all event types:

| Key | Type | Description |
|---|---|---|
| bulk_operation | string ("true") | Present when the audit log entry is part of a bulk action (e.g., deleting multiple applications in a single request). Each item in the bulk action gets its own audit log entry with this key set. Use context.traceID to correlate all entries from the same bulk request. |

Common Metadata Keys by Event Category
Authentication events

| Key | Type | Description |
|---|---|---|
| auth_method | string | Authentication method used (e.g., "sso") |
| auth_provider | string | Identity provider type (e.g., "azure_oidc") |

Deployment events
| Key | Type | Description |
|---|---|---|
| deployment_is_production | boolean | Whether the deployment targets a production environment |
| revision_number | integer | Revision number of the published config bundle |
| bundle_hash | string | SHA-256 hash of the published config bundle |

Membership events
| Key | Type | Description |
|---|---|---|
| invitedUsers | array | List of users being invited, each containing role and email |

Authorization events
Security configuration events
| Key | Type | Description |
|---|---|---|
| identity_fabric_type | string | Type of identity provider (e.g., "azure_oidc") |

Platform administration events
| Key | Type | Description |
|---|---|---|
| feature_name | string | Name of the feature flag (e.g., "orchestrator_telemetry") |
| operation_scope | string | Scope of the operation (e.g., "global", "account") |
| confirmation_required | boolean | Whether the action required explicit confirmation |
| grace_period_hours | integer | Hours before a deletion takes effect (e.g., 24) |
| can_cancel_until | string (RFC 3339) | Deadline to cancel a pending deletion |
| role_granted | string | Role granted to a user (e.g., "DSO") |
| privilege_level | string | Level of privilege associated with the role (e.g., "elevated") |

Metadata keys are not guaranteed to be present on every event. They appear only when relevant to the specific action being recorded.
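The schema and metadata rules above can be checked mechanically once entries are available as JSON objects. The following is an added example, not Strata's code: it assumes entries in the v1.0 shape, uses constructed sample records with placeholder ids, and the function names are hypothetical. It validates the documented enumerations, flags denied or errored actions and production publishes, and groups bulk-operation entries by context.traceID while tolerating absent metadata keys.

```python
import json
from collections import defaultdict

# Allowed values copied from the Outcome and Actor tables of the v1.0 schema.
ENUMS = {("outcome", "status"): {"success", "failure", "partial", "denied", "error"},
         ("actor", "type"): {"user", "admin_user", "api_key", "system", "service"}}

# Constructed sample entries, trimmed to the fields used here (placeholder ids).
SAMPLE = json.loads("""[
 {"id": "evt-1", "version": "1.0", "eventType": "deployment.publish",
  "outcome": {"status": "success"}, "actor": {"type": "user"},
  "context": {"traceID": "trace-a"}, "metadata": {"deployment_is_production": true}},
 {"id": "evt-2", "version": "1.0", "eventType": "application.delete",
  "outcome": {"status": "success"}, "actor": {"type": "api_key"},
  "context": {"traceID": "trace-b"}, "metadata": {"bulk_operation": "true"}},
 {"id": "evt-3", "version": "1.0", "eventType": "application.delete",
  "outcome": {"status": "failure"}, "actor": {"type": "api_key"},
  "context": {"traceID": "trace-b"}, "metadata": {"bulk_operation": "true"}},
 {"id": "evt-4", "version": "1.0", "eventType": "member.role.update",
  "outcome": {"status": "denied"}, "actor": {"type": "user"}}
]""")

def validate(entry):
    """Return schema problems for one entry; an empty list means it conforms."""
    problems = []
    if entry.get("version") != "1.0":
        problems.append("unexpected schema version")
    for (obj, field), allowed in ENUMS.items():
        if (entry.get(obj) or {}).get(field) not in allowed:
            problems.append(f"unknown {obj}.{field}")
    return problems

def review_reasons(entry):
    """Reasons an entry deserves review; metadata keys may be absent."""
    meta = entry.get("metadata") or {}
    status = (entry.get("outcome") or {}).get("status")
    reasons = ["outcome:" + status] if status in ("denied", "error") else []
    is_prod = meta.get("deployment_is_production") is True
    if is_prod and entry.get("eventType") == "deployment.publish":
        reasons.append("production-publish")
    return reasons

def group_bulk(entries):
    """Map context.traceID to the ids of bulk-operation entries sharing it."""
    groups = defaultdict(list)
    for e in entries:
        if (e.get("metadata") or {}).get("bulk_operation") == "true":
            groups[(e.get("context") or {}).get("traceID")].append(e.get("id"))
    return dict(groups)
```

Note that bulk_operation is compared against the string "true", as the reserved-key table specifies, while deployment_is_production is a JSON boolean.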
Event Categories and Types
The Console captures over 75 distinct event types organized into 8 categories. Each event type represents a specific API action.
deployment_management (35 event types)
All operations related to creating, configuring, publishing, and managing Orchestrator deployments.
| Event Type | Description |
|---|---|
| deployment.list | List all deployments |
| deployment.create | Create a new deployment |
| deployment.update | Update deployment settings |
| deployment.view | View deployment details |
| deployment.delete | Delete a deployment |
| deployment.purge | Permanently remove a deleted deployment |
| deployment.publish | Publish a config bundle to the deployment provider |
| deployment.restore | Restore a previously deleted deployment |
| deployment.download | Download the deployment’s config bundle |
| deployment.config.view | View deployment configuration |
| deployment.config.update | Update deployment configuration |
| deployment.config.download | Download deployment configuration |
| deployment.settings.update | Update deployment-level settings |
| deployment.storage.update | Update the deployment’s storage provider |
| deployment.key.download | Download the deployment’s public key |
| deployment.service.create | Create a service extension |
| deployment.service.view | View a service extension |
| deployment.service.update | Update a service extension |
| deployment.service.delete | Delete a service extension |
| deployment.service.jwks.create | Create a JWKS entry for a service |
| deployment.service.jwks.list | List JWKS entries for a service |
| deployment.service.jwks.delete | Delete a JWKS entry for a service |
| deployment.application.attach | Attach an application to a deployment |
| deployment.application.detach | Detach an application from a deployment |
| deployment.cache.create | Create a cache configuration |
| deployment.cache.list | List cache configurations |
| deployment.cache.delete | Delete a cache configuration |
| deployment.cache.update | Update a cache configuration |
| deployment.cache.view | View a cache configuration |
| deployment.tls.create | Create a TLS certificate |
| deployment.tls.list | List TLS certificates |
| deployment.tls.update | Update a TLS certificate |
| deployment.orchestrator.view | View Orchestrator instance details |
| deployment.revision.list | List deployment revisions |
| deployment.revision.view | View a specific deployment revision |

organization_management (3 event types)
Operations for managing organization settings and configuration.
| Event Type | Description |
|---|---|
| organization.view | View organization details |
| organization.update | Update organization settings |
| organization.delete | Delete an organization |

membership_management (12 event types)
Operations for invitations, roles, team membership, and organizational units.
| Event Type | Description |
|---|---|
| member.list | List organization members |
| member.invite | Invite a new member to the organization |
| member.remove | Remove a member from the organization |
| member.join | A member accepts an invitation |
| member.decline | A member declines an invitation |
| member.invitation.cancel | Cancel a pending invitation |
| member.role.update | Update a member’s role |
| ownership.transfer | Transfer organization ownership |
| organization_unit.create | Create an organizational unit |
| organization_unit.update | Update an organizational unit |
| organization_unit.list | List organizational units |
| organization_unit.view | View an organizational unit |

application_management (5 event types)
CRUD operations for applications managed through the Console.
| Event Type | Description |
|---|---|
| application.list | List applications |
| application.view | View application details |
| application.create | Create a new application |
| application.update | Update an application |
| application.delete | Delete an application |

identity_fabric_management (6 event types)
Operations for managing identity fabrics and service extensions.
| Event Type | Description |
|---|---|
| identity_fabric.list | List identity fabrics |
| identity_fabric.create | Create an identity fabric |
| identity_fabric.view | View identity fabric details |
| identity_fabric.update | Update an identity fabric |
| identity_fabric.delete | Delete an identity fabric |
| service_extension.list | List service extensions |

user_flow_management (9 event types)
Operations for managing user flows and their policies.
| Event Type | Description |
|---|---|
| user_flow.list | List user flows |
| user_flow.create | Create a user flow |
| user_flow.delete | Delete a user flow |
| user_flow.view | View user flow details |
| user_flow.update | Update a user flow |
| user_flow.policy.create | Create a policy on a user flow |
| user_flow.policy.view | View a user flow policy |
| user_flow.policy.update | Update a user flow policy |
| user_flow.policy.delete | Delete a user flow policy |

security_configuration (5 event types)
TLS certificate management operations.
| Event Type | Description |
|---|---|
| tls.list | List TLS certificates |
| tls.view | View TLS certificate details |
| tls.create | Upload or create a TLS certificate |
| tls.update | Update a TLS certificate |
| tls.delete | Delete a TLS certificate |

user_management (1 event type)
User account operations.
| Event Type | Description |
|---|---|
| user.delete | Delete a user account |

Storage and Retention
Audit log storage is automatic when audit logging is enabled for your organization. There is no additional configuration required. Logs are currently retained indefinitely and are accessible through the Console UI. A formal retention policy, including default retention periods, will be defined in a future release as export and SIEM streaming capabilities become available.
Export and Integration
The following export capabilities are on the Strata product roadmap and are not yet available. Contact your Strata account team for the latest availability.
- JSON export — Download audit log data as JSON files for offline analysis and archival
- CSV export — Export audit logs in CSV format for spreadsheet analysis and reporting
- SIEM streaming — Stream audit log events to your cloud-based SIEM solution for centralized security monitoring and alerting