Audit Logging

Retrieving auditing information for core PCD services

Overview

Audit logs in Private Cloud Director provide users with the ability to view the actions that have taken place on their environment. Currently audit logging is enabled for the following services:

Identity
Compute
Networking
Volumes

Audit Log Retrieval for Admin Users

Admin users can now retrieve audit logs directly from the UI. To access the logs, navigate to Settings (gear icon) and select Audit Logs within the Private Cloud Director UI.

Mandatory Filters

When accessing audit logs, the following filters must be specified:

Region
Domain
Tenant
Service

By default, the logs from the past 24 hours are retrieved with additional filters, such as a custom time range, available by enabling the Use Optional Filters toggle.

Downloading Audit Logs

Clicking the Download Logs button will download the logs as a .ndjson file, containing one JSON object per line. An example format is shown below:

{
  "timestamp_utc": "2026-02-11T22:21:02Z",
  "region": "RegionOne",
  "project_id": "4ad1138f-880a-4c09-87b8-b70be45a12d1",
  "user_id": "e608aebe-0391-4619-855d-aad53765f0f7",
  "username": "pf9@platform9.com",
  "action_name": "create",
  "resource_type": "routers",
  "resource_id": "unknown",
  "action_result": "success",
  "source_ip": "10.144.209.1"
}

Fields that cannot be populated will display as unknown, and UUID fields will be represented as 00000000-0000-0000-0000-000000000000.

Audit Capabilities and Known Issues

Currently, auditing is enabled for compute, networking, and identity services, with more detailed capabilities planned for future releases. Note the following known issue:

Resource IDs are not populated during the creation of a resource. Subsequent actions will display the resource ID correctly.

Deployment Options for Audit Logs

Several parameters can be set through deployment options to configure audit logging:

audit_pvc_size: Size of the PVC associated with the audit database (default: 5Gi)
audit_pvc_sc: Storage class associated with the audit PVC (default: pcd-sc)
audit_retention_days: Number of days logs are retained (default: 7)

Example configuration:

{
    "audit_pvc_sc": "custom-sc",
    "audit_pvc_size": "6Gi",
    "audit_retention_days": "30"
}

More information on configuring options for Self Hosted PCD can be found here:

Storage Class Customisation

Audit Log Retrieval API:

Audit logs can also be accessed via API. This is an admin only endpoint.

Export Audit Logs

get

Streams audit logs matching the provided filters. The response is in NDJSON (Newline Delimited JSON) format to support large datasets without memory buffering.

If no start_time is provided, defaults to the last 24 hours.

Authorizations

x-auth-tokenstringRequired

Platform9 authentication token obtained from the identity service.

Query parameters

regionstringOptional

Filter by region name.

project_idstring · uuidOptional

Filter by tenant UUID.

user_idstring · uuidOptional

Filter by User ID.

usernamestringOptional

Filter by username.

actionstringOptional

Filter by action name (e.g., 'authenticate', 'create').

resource_typestringOptional

Filter by resource type (e.g., 'service/compute/server').

servicestringOptional

Filter by component/service name.

start_timestring · date-timeOptional

Start of the time range (RFC3339). Defaults to T-24h.

end_timestring · date-timeOptional

End of the time range.

limitintegerOptional

Maximum number of records to return.

Responses

200

A stream of audit logs.

application/x-ndjson

stringOptional

Stream of JSON objects (AuditLog) separated by newlines.

Example:

{"timestamp_utc":"2023-10-01T12:00:00Z","region":"us-east","action_name":"create","username":"admin"} {"timestamp_utc":"2023-10-01T12:01:00Z","region":"us-east","action_name":"delete","username":"admin"}

405

Method Not Allowed

500

Internal Server Error (Database query failed)

get

/resmgr/audit/export

GET /resmgr/audit/export HTTP/1.1
Host: your.du.url
x-auth-token: YOUR_API_KEY
Accept: */*

{"timestamp_utc":"2023-10-01T12:00:00Z","region":"us-east","action_name":"create","username":"admin"}
{"timestamp_utc":"2023-10-01T12:01:00Z","region":"us-east","action_name":"delete","username":"admin"}

Get Filter Options

get

Retrieves unique values for regions, projects, domains, and actions to populate UI filter dropdowns.

Authorizations

x-auth-tokenstringRequired

Platform9 authentication token obtained from the identity service.

Responses

200

Available filter options.

application/json

outcomesstring[]Optional

regionsstring[]Optional

project_idsstring · uuid[]Optional

domainsstring[]Optional

action_namesstring[]Optional

action_resultsstring[]Optional

405

Method Not Allowed

500

Internal Server Error

get

/resmgr/audit/filters

GET /resmgr/audit/filters HTTP/1.1
Host: your.du.url
x-auth-token: YOUR_API_KEY
Accept: */*

{
  "services": {
    "compute": [
      "instance",
      "flavor"
    ],
    "networking": [
      "network",
      "port"
    ]
  },
  "outcomes": [
    "text"
  ],
  "regions": [
    "text"
  ],
  "project_ids": [
    "123e4567-e89b-12d3-a456-426614174000"
  ],
  "domains": [
    "text"
  ],
  "action_names": [
    "text"
  ],
  "action_results": [
    "text"
  ]
}

PreviousService Health Dashboard NextOverview

Last updated 12 days ago

Was this helpful?