View the audit log

The audit log is your organization’s administrative history, including changes to user accounts, user roles, and more. Audit logs are available in intervals of 30, 60, and 90 days.

View an audit log

  1. In the Astra Portal navigation menu, click Settings, and then click Security.

  2. In the Audit Logs section, click Download as CSV, and then select the audit log interval to download.

Audit log content

Audit logs include the following fields:

  • typename: The log record type, such as AuditEvent.

  • actionResult: The outcome of the event, such as SUCCESS.

  • userID: The UUID of the user who triggered the event.

  • event: Detailed event data, such as the response from the underlying API call associated with the event.

  • eventTime: The date and time that the event occurred in the format YYYY-MM-DDTHH:MM:SS.SSSZ.

  • eventType: The event category.

Possible eventTypes include the following:

  • ACCEPT_USER_TO_ORGANIZATION: A user accepted an invitation to an organization.

  • ADD_SAML_IDP: Added a single sign-on (SSO) identity provider (IdP) configuration in active (enabled) status.

  • CDC_ENABLED: Enabled Change Data Capture (CDC) for a database.

  • COPY_ROLE: Copied an existing role.

  • CP_ACL_DELETED: A Control Plane IP Access Control List was deleted.

  • CREATE_ACCESS_LIST: A Control Plane IP Access Control List was created.

  • CREATE_ORG: Created an organization.

  • CREATE_ROLE: Created a custom role.

  • CREATE_USER: Created a user object in an organization. This happens when JIT provisioning adds a user to an organization, an organization administrator sends an invite to a user, or you create an organization (which creates the initial organization administrator user).

  • CUSTOM_DNS_ENABLED: Enabled custom domains.

  • CUSTOM_DNS_ADDED: Added a domain to the custom DNS configuration.

  • DB_CREATED: Created a database through the Astra Portal.

  • DB_DELETED: Terminated a database through the Astra Portal.

  • DELETE_IDP: Deleted an SSO IdP configuration.

  • DELETE_ORG: Deleted an organization.

  • DELETE_ROLE: Deleted a custom role.

  • DELETE_TOKEN_FOR_CLIENT: Deleted an application token.

  • DELETE_USER: Deleted a user object from an organization. This happens when a user deletes their personal account or an organization administrator removes the user from the organization.

  • DISABLE_IDP: Deactivated an SSO IdP configuration, but did not delete it.

  • DISABLE_ORG_SSO: Deactivated the SSO functionality for an organization. This means there are no active SSO IdP configurations.

  • DP_ACL_CREATED: A Data Plane IP Access Control List was created.

  • DP_ACL_DELETED: A Data Plane IP Access Control List was deleted.

  • DP_ACL_MODIFIED: A Data Plane IP Access Control List was modified.

  • ENABLE_IDP: Activated (enabled) an SSO IdP configuration that was previously inactive.

  • ENABLE_ORG_SSO: Activated the SSO functionality for an organization. This means there is at least one SSO IdP configuration in active (enabled) status.

  • GENERATE_TOKEN_FOR_CLIENT: Created an application token.

  • INVITE_USER_TO_ORGANIZATION: An administrator invited a user to an organization.

  • KEYSPACE_CREATED: Created a keyspace through the Astra Portal.

  • KEYSPACE_DELETED: Deleted a keyspace through the Astra Portal.

  • LAUNCHED_CQLSH: Launched the embedded CQL shell in the Astra Portal.

  • METRICS_EXPORT_CONFIGURED: Configured a metrics export.

  • METRICS_EXPORT_DELETED: Deleted a metrics export.

  • MR_ADDED: Deployed a database to an additional region.

  • PE_CONFIGURED: Added a private endpoint.

  • PE_DELETED: Deleted a private endpoint.

  • PREP_NEW_IDP: Added an SSO IdP configuration in draft (inactive) status.

  • PROVISION_SSO_USER_INTO_ORGANIZATION: SSO IdP provisioning added a user to an organization.

  • REMOVE_USER_FROM_ORG: An administrator removed a user from an organization.

  • REPLACE_EXISTING_LIST: A Control Plane IP Access Control List was modified.

  • REVOKE_INVITATION: Canceled a pending user invitation.

  • UPDATE_IDP: Edited an SSO IdP configuration.

  • UPDATE_ROLE: Edited a custom role.

Stream audit logs to Apache Pulsar™

You can stream Astra DB Serverless audit logs to your Pulsar instance:

  1. In your Pulsar instance, create a topic.

  2. In the Astra Portal, create an application token with the Organization Administrator role.

  3. Get your organization ID from any Astra Portal URL, such as astra.datastax.com/org/ORGANIZATION_ID/.

  4. To enable audit log streaming to your Pulsar instance, send a POST request to the DevOps API Audit Log Telemetry endpoint:

    curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "pulsar": {
    "endpoint": "BROKER_SERVICE_URL",
    "auth_strategy": "AUTH_TYPE",
    "topic": "PULSAR_TOPIC",
    "auth_name": "PULSAR_AUTH_NAME",
    "token": "PULSAR_TOKEN"
  }
}'

    Replace the following:

    • ORG_ID: Your Astra DB organization ID.

    • APPLICATION_TOKEN: Your Astra DB application token.

    • BROKER_SERVICE_URL: Your Pulsar Broker URL prefixed by pulsar+, such as pulsar+ssl://pulsar.example.com.

    • AUTH_TYPE: The Pulsar authentication strategy, either token or oauth2.

      • For token, include the auth_name and token parameters with your Pulsar credentials.

      • For oauth2, include the oauth2_credentials_url and oauth2_issuer_url parameters with your Pulsar OAuth2 credentials and issuer URLs. Optionally, you can provide oauth_audience and oauth2_scope. For more information, see Authentication using OAuth 2.0 access tokens.

    • PULSAR_TOPIC: The Pulsar topic where you want to publish metrics, such as persistent://test/default/audit-log-topic.

    Response 
    HTTP/1.1 202 Accepted

  5. To retrieve and review the audit log streaming configuration, send a GET request:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
    Response 
    {
  "pulsar": {
    "endpoint": "pulsar+ssl://pulsar.example.com",
    "topic": "persistent://test/default/audit-log",
    "auth_strategy": "token",
    "token": "********",
    "auth_name": "token"
  }
}

  6. Monitor your Pulsar instance to confirm that log streaming occurs according to your topic configuration.

To delete an audit log streaming configuration, you can send a DELETE request.

You can also configure audit log streaming with Astra Streaming.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com