> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit Logs

<Warning>
  Audit Logs is a beta feature. This feature is functional and supported, but is still undergoing regular changes. Audit logging requires enablement for your organization -- contact your Strata account team or [Strata support](https://strataidentity.my.site.com/support/s/) to enable it.
</Warning>

Console audit logs give you a complete record of every administrative action taken in your Maverics Console. Whether you need to investigate a misconfigured deployment, demonstrate compliance to an auditor, or simply answer "who changed that?" -- audit logs provide the evidence.

## What Are Console Audit Logs?

Every action that administrators perform in the Console is recorded as a log entry -- who performed the action, what resource was affected, when it happened, and whether it succeeded or failed. Publishing a config bundle, inviting a team member, updating a deployment, uploading a TLS certificate -- each of these actions produces a structured audit record.

Audit logs matter for three reasons:

* **Compliance evidence** -- Audit logs provide the admin-action audit trail required by frameworks like SOC 2, HIPAA, and GDPR. They prove who made configuration changes, when, and whether those changes were authorized.
* **Security investigations** -- When something goes wrong -- a misconfigured policy, an unauthorized deployment publish -- audit logs let you trace the exact sequence of actions that led to the issue, including the actor, IP address, and timestamp.
* **Operational accountability** -- In multi-admin environments, audit logs establish clear ownership of every change. You can answer "who published that config?" or "who removed that team member?" without guessing.

### Console Logs vs. Orchestrator Logs

Console audit logs capture **management plane** actions: configuration changes, bundle publishing, team membership, organization settings -- everything administrators do in the Console UI. The Orchestrator, by contrast, captures **data plane** actions: user authentication events, authorization decisions, token issuance, and proxy requests -- everything that happens at runtime when end users interact with protected applications.

Together, Console audit logs and Orchestrator logs provide complete audit coverage across both administrative and runtime operations. For Orchestrator-side logging, see the [Compliance and Audit guide](/guides/security/compliance) and the [Telemetry Reference](/reference/orchestrator/telemetry).

### Accessing Audit Logs

Audit logs are accessible through the Console UI. You can filter by time range, event category, and specific event type to find relevant entries. JSON/CSV export and SIEM streaming are on the roadmap -- see [Export and Integration](#export-and-integration) below.

## Schema (v1.0)

Every audit log entry follows the v1.0 schema. The top-level structure contains identifying information, the event classification, and nested objects describing the actor, target, source, context, and request.

### Top-Level Fields

| Field       | Type              | Description                                                 |
| ----------- | ----------------- | ----------------------------------------------------------- |
| `id`        | string (MRN)      | Maverics Resource Notation identifier for the audit event   |
| `version`   | string            | Schema version (currently `"1.0"`)                          |
| `timestamp` | string (RFC 3339) | When the event occurred                                     |
| `eventType` | string            | Specific event identifier (e.g., `deployment.publish`)      |
| `category`  | string            | Event category (e.g., `deployment_management`)              |
| `outcome`   | object            | Result of the action -- see [Outcome](#outcome)             |
| `actor`     | object            | Who performed the action -- see [Actor](#actor)             |
| `target`    | object            | What was acted upon -- see [Target](#target)                |
| `source`    | object            | Where the request came from -- see [Source](#source)        |
| `context`   | object            | Tracing and service information -- see [Context](#context)  |
| `request`   | object            | HTTP request details -- see [Request](#request)             |
| `metadata`  | object            | Additional event-specific data -- see [Metadata](#metadata) |

**MRN format:** The `id` field and `target.id` use Maverics Resource Notation (MRN), a structured identifier with the format:

```
maverics:{region}:{organization_id}:{resource_type}:{resource_id}
```

For example: `maverics:us-west-2:550e8400-e29b-41d4-a716-446655440000:audit-log:7c9e6679-7425-40de-944b-e07fc1f90ae7`

### Outcome

The outcome object records the result of the action.

| Field        | Type    | Description                               |
| ------------ | ------- | ----------------------------------------- |
| `status`     | string  | Outcome status (see values below)         |
| `statusCode` | integer | HTTP status code of the response          |
| `errorMsg`   | string  | Detailed error message for debugging      |
| `reason`     | string  | Human-readable explanation of the outcome |

**Status values:**

| Value     | Description                                                          |
| --------- | -------------------------------------------------------------------- |
| `success` | Action completed successfully                                        |
| `failure` | Action failed due to validation or business logic                    |
| `partial` | Action partially completed (e.g., bulk operation with some failures) |
| `denied`  | Action blocked by authorization policy                               |
| `error`   | System error prevented action completion                             |

### Actor

The actor object identifies who performed the action.

| Field              | Type   | Description                                              |
| ------------------ | ------ | -------------------------------------------------------- |
| `type`             | string | Actor type (see values below)                            |
| `id`               | string | Unique identifier (user ID, API key ID, or service name) |
| `email`            | string | Actor's email address (for user and admin\_user actors)  |
| `displayName`      | string | Human-readable name                                      |
| `organizationID`   | string | Organization context for the action                      |
| `organizationName` | string | Organization name for readability                        |

**Actor types:**

| Value        | Description                                            |
| ------------ | ------------------------------------------------------ |
| `user`       | Human user authenticated via UI or API                 |
| `admin_user` | Platform administrator authenticated via admin console |
| `api_key`    | Programmatic access via API key                        |
| `system`     | Automated system process (e.g., scheduled jobs)        |
| `service`    | Internal service-to-service calls                      |

### Target

The target object identifies what was acted upon.

| Field            | Type   | Description                                                         |
| ---------------- | ------ | ------------------------------------------------------------------- |
| `type`           | string | Resource type (see values below)                                    |
| `id`             | string | MRN (Maverics Resource Notation) identifier for the target resource |
| `name`           | string | Human-readable resource name                                        |
| `organizationID` | string | Owning organization                                                 |

**Resource types:**

| Value                 | Description                              |
| --------------------- | ---------------------------------------- |
| `organization`        | Organization/account                     |
| `organization_unit`   | Organizational unit                      |
| `user`                | User account                             |
| `membership`          | Organization membership                  |
| `invitation`          | User invitation                          |
| `deployment`          | Deployment/environment                   |
| `deployment_revision` | Deployment revision/version              |
| `identity_fabric`     | Identity Fabric configuration            |
| `application`         | Application registration                 |
| `service`             | Provider service (OIDC, SAML, LDAP, MCP) |
| `tls_config`          | TLS configuration                        |
| `cache`               | Deployment cache                         |
| `api_key`             | API key                                  |
| `service_extension`   | Custom service extension                 |
| `orchestrator`        | Orchestrator instance                    |
| `feature_flag`        | Feature flag (global or account-level)   |
| `sso_domain`          | SSO domain configuration                 |
| `admin_user`          | Platform administrator user              |
| `database_migration`  | Database migration job                   |

### Source

The source object records where the request originated.

| Field        | Type   | Description                    |
| ------------ | ------ | ------------------------------ |
| `ipAddress`  | string | Client IP address              |
| `userAgent`  | string | Raw User-Agent header          |
| `clientType` | string | Client type (see values below) |

**Client types:** `browser`, `api_client`, `sdk`, `service`, `unknown`

### Context

The context object provides tracing and service metadata for correlating events across services.

| Field            | Type   | Description                            |
| ---------------- | ------ | -------------------------------------- |
| `region`         | string | Region where the request was processed |
| `service`        | string | Service that handled the request       |
| `serviceVersion` | string | Version of the service                 |
| `traceID`        | string | Distributed trace identifier           |
| `spanID`         | string | Span identifier within the trace       |

### Request

The request object captures HTTP-level details about the API call.

| Field           | Type    | Description                                                 |
| --------------- | ------- | ----------------------------------------------------------- |
| `method`        | string  | HTTP method (e.g., `GET`, `POST`, `PUT`, `DELETE`, `PATCH`) |
| `path`          | string  | Request URL path                                            |
| `queryParams`   | string  | Query string parameters                                     |
| `referrer`      | string  | HTTP Referer header value                                   |
| `contentLength` | integer | Size of the request body in bytes                           |
| `contentType`   | string  | Content-Type header value                                   |

<Info>
  The API uses camelCase JSON serialization for all fields (e.g., `eventType`, `statusCode`, `displayName`, `ipAddress`, `clientType`, `userAgent`, `traceID`, `spanID`, `queryParams`, `contentLength`, `contentType`).
</Info>

### Metadata

The metadata object is a flexible key-value store for domain-specific context that doesn't fit the standard schema fields. The keys present in metadata vary by event type, providing additional detail relevant to the specific action.

#### Reserved Metadata Keys

The following keys have a defined meaning across all event types:

| Key              | Type              | Description                                                                                                                                                                                                                                                                   |
| ---------------- | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `bulk_operation` | string (`"true"`) | Present when the audit log entry is part of a bulk action (e.g., deleting multiple applications in a single request). Each item in the bulk action gets its own audit log entry with this key set. Use `context.traceID` to correlate all entries from the same bulk request. |

#### Common Metadata Keys by Event Category

<AccordionGroup>
  <Accordion title="Authentication events">
    | Key             | Type   | Description                                   |
    | --------------- | ------ | --------------------------------------------- |
    | `auth_method`   | string | Authentication method used (e.g., `"sso"`)    |
    | `auth_provider` | string | Identity provider type (e.g., `"azure_oidc"`) |
  </Accordion>

  <Accordion title="Deployment events">
    | Key                        | Type    | Description                                             |
    | -------------------------- | ------- | ------------------------------------------------------- |
    | `deployment_is_production` | boolean | Whether the deployment targets a production environment |
    | `revision_number`          | integer | Revision number of the published config bundle          |
    | `bundle_hash`              | string  | SHA-256 hash of the published config bundle             |
  </Accordion>

  <Accordion title="Membership events">
    | Key            | Type  | Description                                                     |
    | -------------- | ----- | --------------------------------------------------------------- |
    | `invitedUsers` | array | List of users being invited, each containing `role` and `email` |

    Example:

    ```json theme={null}
    {
      "invitedUsers": [
        {
          "role": "member",
          "email": "user@example.com"
        }
      ]
    }
    ```
  </Accordion>

  <Accordion title="Authorization events">
    | Key               | Type   | Description                                                                          |
    | ----------------- | ------ | ------------------------------------------------------------------------------------ |
    | `policy_action`   | string | The policy action being evaluated (e.g., `"deployDeployment"`, `"deleteDeployment"`) |
    | `policy_resource` | string | MRN of the resource the policy applies to                                            |
    | `required_roles`  | array  | Roles required to perform the denied action                                          |
  </Accordion>

  <Accordion title="Security configuration events">
    | Key                    | Type   | Description                                      |
    | ---------------------- | ------ | ------------------------------------------------ |
    | `identity_fabric_type` | string | Type of identity provider (e.g., `"azure_oidc"`) |
  </Accordion>

  <Accordion title="Platform administration events">
    | Key                     | Type              | Description                                                      |
    | ----------------------- | ----------------- | ---------------------------------------------------------------- |
    | `feature_name`          | string            | Name of the feature flag (e.g., `"orchestrator_telemetry"`)      |
    | `operation_scope`       | string            | Scope of the operation (e.g., `"global"`, `"account"`)           |
    | `confirmation_required` | boolean           | Whether the action required explicit confirmation                |
    | `grace_period_hours`    | integer           | Hours before a deletion takes effect (e.g., `24`)                |
    | `can_cancel_until`      | string (RFC 3339) | Deadline to cancel a pending deletion                            |
    | `role_granted`          | string            | Role granted to a user (e.g., `"DSO"`)                           |
    | `privilege_level`       | string            | Level of privilege associated with the role (e.g., `"elevated"`) |
  </Accordion>
</AccordionGroup>

<Note>
  Metadata keys are not guaranteed to be present on every event. They appear only when relevant to the specific action being recorded.
</Note>

## Event Categories and Types

The Console captures over 65 distinct event types organized into 7 categories. Each event type represents a specific API action.

<AccordionGroup>
  <Accordion title="deployment_management (35 event types)">
    All operations related to creating, configuring, publishing, and managing Orchestrator deployments.

    | Event Type                       | Description                                        |
    | -------------------------------- | -------------------------------------------------- |
    | `deployment.list`                | List all deployments                               |
    | `deployment.create`              | Create a new deployment                            |
    | `deployment.update`              | Update deployment settings                         |
    | `deployment.view`                | View deployment details                            |
    | `deployment.delete`              | Delete a deployment                                |
    | `deployment.purge`               | Permanently remove a deleted deployment            |
    | `deployment.publish`             | Publish a config bundle to the deployment provider |
    | `deployment.restore`             | Restore a previously deleted deployment            |
    | `deployment.download`            | Download the deployment's config bundle            |
    | `deployment.config.view`         | View deployment configuration                      |
    | `deployment.config.update`       | Update deployment configuration                    |
    | `deployment.config.download`     | Download deployment configuration                  |
    | `deployment.settings.update`     | Update deployment-level settings                   |
    | `deployment.storage.update`      | Update the deployment's storage provider           |
    | `deployment.key.download`        | Download the deployment's public key               |
    | `deployment.service.create`      | Create a service extension                         |
    | `deployment.service.view`        | View a service extension                           |
    | `deployment.service.update`      | Update a service extension                         |
    | `deployment.service.delete`      | Delete a service extension                         |
    | `deployment.service.jwks.create` | Create a JWKS entry for a service                  |
    | `deployment.service.jwks.list`   | List JWKS entries for a service                    |
    | `deployment.service.jwks.delete` | Delete a JWKS entry for a service                  |
    | `deployment.application.attach`  | Attach an application to a deployment              |
    | `deployment.application.detach`  | Detach an application from a deployment            |
    | `deployment.cache.create`        | Create a cache configuration                       |
    | `deployment.cache.list`          | List cache configurations                          |
    | `deployment.cache.delete`        | Delete a cache configuration                       |
    | `deployment.cache.update`        | Update a cache configuration                       |
    | `deployment.cache.view`          | View a cache configuration                         |
    | `deployment.tls.create`          | Create a TLS certificate                           |
    | `deployment.tls.list`            | List TLS certificates                              |
    | `deployment.tls.update`          | Update a TLS certificate                           |
    | `deployment.orchestrator.view`   | View Orchestrator instance details                 |
    | `deployment.revision.list`       | List deployment revisions                          |
    | `deployment.revision.view`       | View a specific deployment revision                |
  </Accordion>

  <Accordion title="organization_management (3 event types)">
    Operations for managing organization settings and configuration.

    | Event Type            | Description                  |
    | --------------------- | ---------------------------- |
    | `organization.view`   | View organization details    |
    | `organization.update` | Update organization settings |
    | `organization.delete` | Delete an organization       |
  </Accordion>

  <Accordion title="membership_management (12 event types)">
    Operations for invitations, roles, team membership, and organizational units.

    | Event Type                 | Description                             |
    | -------------------------- | --------------------------------------- |
    | `member.list`              | List organization members               |
    | `member.invite`            | Invite a new member to the organization |
    | `member.remove`            | Remove a member from the organization   |
    | `member.join`              | A member accepts an invitation          |
    | `member.decline`           | A member declines an invitation         |
    | `member.invitation.cancel` | Cancel a pending invitation             |
    | `member.role.update`       | Update a member's role                  |
    | `ownership.transfer`       | Transfer organization ownership         |
    | `organization_unit.create` | Create an organizational unit           |
    | `organization_unit.update` | Update an organizational unit           |
    | `organization_unit.list`   | List organizational units               |
    | `organization_unit.view`   | View an organizational unit             |
  </Accordion>

  <Accordion title="application_management (5 event types)">
    CRUD operations for applications managed through the Console.

    | Event Type           | Description              |
    | -------------------- | ------------------------ |
    | `application.list`   | List applications        |
    | `application.view`   | View application details |
    | `application.create` | Create a new application |
    | `application.update` | Update an application    |
    | `application.delete` | Delete an application    |
  </Accordion>

  <Accordion title="identity_fabric_management (6 event types)">
    Operations for managing identity fabrics and service extensions.

    | Event Type               | Description                  |
    | ------------------------ | ---------------------------- |
    | `identity_fabric.list`   | List identity fabrics        |
    | `identity_fabric.create` | Create an identity fabric    |
    | `identity_fabric.view`   | View identity fabric details |
    | `identity_fabric.update` | Update an identity fabric    |
    | `identity_fabric.delete` | Delete an identity fabric    |
    | `service_extension.list` | List service extensions      |
  </Accordion>

  <Accordion title="security_configuration (5 event types)">
    TLS certificate management operations.

    | Event Type   | Description                        |
    | ------------ | ---------------------------------- |
    | `tls.list`   | List TLS certificates              |
    | `tls.view`   | View TLS certificate details       |
    | `tls.create` | Upload or create a TLS certificate |
    | `tls.update` | Update a TLS certificate           |
    | `tls.delete` | Delete a TLS certificate           |
  </Accordion>

  <Accordion title="user_management (1 event type)">
    User account operations.

    | Event Type    | Description           |
    | ------------- | --------------------- |
    | `user.delete` | Delete a user account |
  </Accordion>
</AccordionGroup>

## Storage and Retention

Audit log storage is automatic when audit logging is enabled for your organization. There is no additional configuration required.

Logs are currently retained indefinitely and are accessible through the Console UI. A formal retention policy, including default retention periods, will be defined in a future release as export and SIEM streaming capabilities become available.

## Export and Integration

<Note>
  The following export capabilities are on the Strata product roadmap and are not yet available. Contact your Strata account team for the latest availability.
</Note>

Planned export and integration capabilities for audit logs include:

* **JSON export** -- Download audit log data as JSON files for offline analysis and archival
* **CSV export** -- Export audit logs in CSV format for spreadsheet analysis and reporting
* **SIEM streaming** -- Stream audit log events to your cloud-based SIEM solution for centralized security monitoring and alerting

## Related Pages

<CardGroup cols={2}>
  <Card title="Compliance Guide" icon="shield-check" href="/guides/security/compliance">
    Security and compliance best practices for Maverics deployments
  </Card>

  <Card title="Telemetry" icon="chart-line" href="/reference/orchestrator/telemetry">
    Logger, telemetry, and health check configuration for the Orchestrator
  </Card>

  <Card title="Console Overview" icon="browser" href="/reference/console/overview">
    Console administration overview and capabilities
  </Card>
</CardGroup>
