View audit logs

Audit logs are your organization’s administrative history, including changes to user accounts, user roles, and more.

Through the Astra Portal, you can download control plane audit logs only.

For control plane and data plane logs, you must use the streaming option.

View control plane audit logs in the Astra Portal

In the Astra Portal, you can download control plane audit logs in intervals of 30, 60, and 90 days:

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the current organization, and then select the organization where you want to view audit logs.

  3. In the Settings navigation menu, click Security.

  4. In the Audit Logs section, click Download as CSV, and then select the audit log interval to download.

Control plane audit log contents

Audit logs include the following fields:

  • typename: The log record type, such as AuditEvent.

  • actionResult: The outcome of the event, such as SUCCESS.

  • userID: The UUID of the user who triggered the event.

  • event: Detailed event data, such as the response from the underlying API call associated with the event.

  • eventTime: The date and time that the event occurred in the format YYYY-MM-DDTHH:MM:SS.SSSZ.

  • eventType: The event category.

Possible control plane eventTypes include the following:

  • User events:

    • CREATE_USER: Created a user object in an organization. This happens when JIT provisioning adds a user to an organization, an organization administrator sends an invite to a user, or you create an organization (which creates the initial organization administrator user).

    • INVITE_USER_TO_ORGANIZATION: An administrator invited a user to an organization.

    • ACCEPT_USER_TO_ORGANIZATION: A user accepted an invitation to an organization.

    • PROVISION_SSO_USER_INTO_ORGANIZATION: Single sign-on (SSO) identity provider (IdP) provisioning added a user to an organization.

    • REVOKE_INVITATION: Canceled a pending user invitation.

    • REMOVE_USER_FROM_ORG: An administrator removed a user from an organization.

    • DELETE_USER: Deleted a user object from an organization. This happens when a user deletes their personal account or an organization administrator removes the user from the organization.

  • Token events:

    • GENERATE_TOKEN_FOR_CLIENT: Created an application token.

    • DELETE_TOKEN_FOR_CLIENT: Deleted an application token.

  • Role events:

    • CREATE_ROLE: Created a custom role.

    • COPY_ROLE: Copied an existing role.

    • UPDATE_ROLE: Edited a custom role.

    • DELETE_ROLE: Deleted a custom role.

  • Organization events:

    • CREATE_ORG: Created an organization.

    • DELETE_ORG: Deleted an organization.

  • Database events:

    • CREATE_DATABASE: Created a database through the Astra Portal.

    • DELETE_DATABASE: Terminated a database through the Astra Portal.

    • CREATE_KEYSPACE: Created a keyspace through the Astra Portal.

    • DELETE_KEYSPACE: Deleted a keyspace through the Astra Portal.

    • ADD_REGION_TO_DATABASE: Deployed a database to an additional region.

    • REMOVE_REGION_FROM_DATABASE: Removed a region from a multi-region database.

    • CONFIGURED_THIRD_PARTY_METRICS: Configured a metrics export.

    • DELETED_THIRD_PARTY_METRICS: Deleted a metrics export.

    • CDC_ENABLED: Enabled Change Data Capture (CDC) for a database.

    • LAUNCHED_CQLSH: Launched the embedded CQL shell in the Astra Portal.

  • Access list events:

  • Single sign-on (SSO) identity provider (IdP) configuration events:

    • ADD_SAML_IDP: Added an SSO IdP configuration in active (enabled) status.

    • PREP_NEW_IDP: Added an SSO IdP configuration in draft (inactive) status.

    • ENABLE_IDP: Activated (enabled) an SSO IdP configuration that was previously inactive.

    • ENABLE_ORG_SSO: Activated the SSO functionality for an organization. This means there is at least one SSO IdP configuration in active (enabled) status.

    • UPDATE_IDP: Edited an SSO IdP configuration.

    • DELETE_IDP: Deleted an SSO IdP configuration.

    • DISABLE_IDP: Deactivated an SSO IdP configuration, but did not delete it.

    • DISABLE_ORG_SSO: Deactivated the SSO functionality for an organization. This means there are no active SSO IdP configurations.

  • Other security configuration events:

    • CREATE_CLOUD_ACCOUNT: Begin the process of adding a customer-managed encryption key (CMEK) to an Astra DB organization.

    • CREATE_SERVERLESS_KEY: Add a CMEK for Astra DB Serverless databases.

    • CREATE_CLASSIC_KEY: Add a CMEK for Classic databases.

    • DELETE_SERVERLESS_KEY: Delete a CMEK for Astra DB Serverless databases.

    • DELETE_CLASSIC_KEY: Delete a CMEK for Classic databases.

    • CUSTOM_DNS_ENABLED: Enabled custom domains.

    • CUSTOM_DNS_ADDED: Added a domain to the custom DNS configuration.

    • PE_CONFIGURED: Added a private endpoint.

    • PE_DELETED: Deleted a private endpoint.

Stream control plane and data plane audit logs

Streamed audit logs contain both control plane and data plane events.

You can stream Astra DB Serverless audit logs to your Apache Pulsar™ instance with the DevOps API or through Astra Streaming.

For the Astra Streaming option, see Stream Astra DB audit logs.

For the DevOps API option, do the following:

  1. In your Pulsar instance, create a topic.

  2. In the Astra Portal, create an application token with the Organization Administrator role.

  3. Get your organization ID from any Astra Portal URL, such as astra.datastax.com/org/ORGANIZATION_ID/.

  4. To enable audit log streaming to your Pulsar instance, send a POST request to the DevOps API Audit Log Telemetry endpoint:

    curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "pulsar": {
    "endpoint": "BROKER_SERVICE_URL",
    "auth_strategy": "AUTH_TYPE",
    "topic": "PULSAR_TOPIC",
    "auth_name": "PULSAR_AUTH_NAME",
    "token": "PULSAR_TOKEN"
  }
}'

    Replace the following:

    • ORG_ID: Your Astra DB organization ID.

    • APPLICATION_TOKEN: Your Astra DB application token.

    • BROKER_SERVICE_URL: Your Pulsar Broker URL prefixed by pulsar+, such as pulsar+ssl://pulsar.example.com.

    • AUTH_TYPE: The Pulsar authentication strategy, either token or oauth2.

      • For token, include the auth_name and token parameters with your Pulsar credentials.

      • For oauth2, include the oauth2_credentials_url and oauth2_issuer_url parameters with your Pulsar OAuth2 credentials and issuer URLs. Optionally, you can provide oauth_audience and oauth2_scope. For more information, see Authentication using OAuth 2.0 access tokens.

    • PULSAR_TOPIC: The Pulsar topic where you want to publish metrics, such as persistent://test/default/audit-log-topic.

    Response 
    HTTP/1.1 202 Accepted

  5. To retrieve and review the audit log streaming configuration, send a GET request:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/ORG_ID/telemetry/auditLogs" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
    Response 
    {
  "pulsar": {
    "endpoint": "pulsar+ssl://pulsar.example.com",
    "topic": "persistent://test/default/audit-log",
    "auth_strategy": "token",
    "token": "********",
    "auth_name": "token"
  }
}

  6. Monitor your Pulsar instance to confirm that log streaming occurs according to your topic configuration.

To delete an audit log streaming configuration, you can send a DELETE request.

Get user information for streamed audit logs

Streamed audit logs contain user IDs instead of user email addresses.

You can use GET /v2/organizations/users/USER_ID to get the email addresses associated with streamed user IDs:

curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

You can use GET /v2/organizations/users to get information for all users in an Astra DB organization:

curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com