# Audit Logging

### Overview

Audit logs in Private Cloud Director provide users with the ability to view the actions that have taken place on their environment. Currently audit logging is enabled for the following services:

* Identity
* Compute
* Networking

#### Audit Log Retrieval for Admin Users

Admin users can now retrieve audit logs directly from the UI. To access the logs, navigate to **Settings** (gear icon) and select **Audit Logs** within the Private Cloud Director UI.

**Mandatory Filters**

When accessing audit logs, the following filters must be specified:

* Region
* Domain
* Tenant
* Service

By default, the logs from the past 24 hours are retrieved with additional filters, such as a custom time range, available by enabling the **Use Optional Filters** toggle.

**Downloading Audit Logs**

Clicking the **Download Logs** button will download the logs as a `.ndjson` file, containing one JSON object per line. An example format is shown below:

```json
{
  "timestamp_utc": "2026-02-11T22:21:02Z",
  "region": "RegionOne",
  "project_id": "4ad1138f-880a-4c09-87b8-b70be45a12d1",
  "user_id": "e608aebe-0391-4619-855d-aad53765f0f7",
  "username": "pf9@platform9.com",
  "action_name": "create",
  "resource_type": "routers",
  "resource_id": "unknown",
  "action_result": "success",
  "source_ip": "10.144.209.1"
}
```

Fields that cannot be populated will display as `unknown`, and UUID fields will be represented as `00000000-0000-0000-0000-000000000000`.

**Audit Capabilities and Known Issues**

Currently, auditing is enabled for compute, networking, and identity services, with more detailed capabilities planned for future releases. Note the following known issue:

* Resource IDs are not populated during the creation of a resource. Subsequent actions will display the resource ID correctly.

**Deployment Options for Audit Logs**

Several parameters can be set through deployment options to configure audit logging:

* `audit_pvc_size`: Size of the PVC associated with the audit database (default: `5Gi`)
* `audit_pvc_sc`: Storage class associated with the audit PVC (default: `pcd-sc`)
* `audit_retention_days`: Number of days logs are retained (default: `7`)

Example configuration:

```json
{
    "audit_pvc_sc": "custom-sc",
    "audit_pvc_size": "6Gi",
    "audit_retention_days": "30"
}

```

More information on configuring options for Self Hosted PCD can be found here: 

{% content-ref url="../../getting-started/self-hosted/self-hosted-pre-requisites#storage-class-customisation" %}
[#storage-class-customisation](https://docs.platform9.com/private-cloud-director/getting-started/self-hosted/self-hosted-pre-requisites#storage-class-customisation)
{% endcontent-ref %}

### Audit Log Retrieval API:

Audit logs can also be accessed via API. This is an admin only endpoint.

## Export Audit Logs

> Streams audit logs matching the provided filters. \
> The response is in NDJSON (Newline Delimited JSON) format to support large datasets without memory buffering.\
> \
> If no start\_time is provided, defaults to the last 24 hours.<br>

```json
{"openapi":"3.0.0","info":{"title":"Audit Service API","version":"1.0.0"},"servers":[{"url":"your.du.url"}],"security":[{"AuthToken":[]}],"components":{"securitySchemes":{"AuthToken":{"type":"apiKey","in":"header","name":"x-auth-token","description":"Platform9 authentication token obtained from the identity service."}}},"paths":{"/resmgr/audit/export":{"get":{"summary":"Export Audit Logs","description":"Streams audit logs matching the provided filters. \nThe response is in NDJSON (Newline Delimited JSON) format to support large datasets without memory buffering.\n\nIf no start_time is provided, defaults to the last 24 hours.\n","operationId":"exportLogs","parameters":[{"name":"region","in":"query","description":"Filter by region name.","schema":{"type":"string"}},{"name":"project_id","in":"query","description":"Filter by tenant UUID.","schema":{"type":"string","format":"uuid"}},{"name":"user_id","in":"query","description":"Filter by User ID.","schema":{"type":"string","format":"uuid"}},{"name":"username","in":"query","description":"Filter by username.","schema":{"type":"string"}},{"name":"action","in":"query","description":"Filter by action name (e.g., 'authenticate', 'create').","schema":{"type":"string"}},{"name":"resource_type","in":"query","description":"Filter by resource type (e.g., 'service/compute/server').","schema":{"type":"string"}},{"name":"service","in":"query","description":"Filter by component/service name.","schema":{"type":"string"}},{"name":"start_time","in":"query","description":"Start of the time range (RFC3339). Defaults to T-24h.","schema":{"type":"string","format":"date-time"}},{"name":"end_time","in":"query","description":"End of the time range.","schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","description":"Maximum number of records to return.","schema":{"type":"integer"}}],"responses":{"200":{"description":"A stream of audit logs.","content":{"application/x-ndjson":{"schema":{"type":"string","description":"Stream of JSON objects (AuditLog) separated by newlines."}}}},"405":{"description":"Method Not Allowed"},"500":{"description":"Internal Server Error (Database query failed)"}}}}}}
```

## Get Filter Options

> Retrieves unique values for regions, projects, domains, and actions to populate UI filter dropdowns.

```json
{"openapi":"3.0.0","info":{"title":"Audit Service API","version":"1.0.0"},"servers":[{"url":"your.du.url"}],"security":[{"AuthToken":[]}],"components":{"securitySchemes":{"AuthToken":{"type":"apiKey","in":"header","name":"x-auth-token","description":"Platform9 authentication token obtained from the identity service."}},"schemas":{"FilterOptions":{"type":"object","properties":{"services":{"type":"object","description":"Map of Service Names (Component) to a list of their Resource Types.","additionalProperties":{"type":"array","items":{"type":"string"}}},"outcomes":{"type":"array","items":{"type":"string"}},"regions":{"type":"array","items":{"type":"string"}},"project_ids":{"type":"array","items":{"type":"string","format":"uuid"}},"domains":{"type":"array","items":{"type":"string"}},"action_names":{"type":"array","items":{"type":"string"}},"action_results":{"type":"array","items":{"type":"string"}}}}}},"paths":{"/resmgr/audit/filters":{"get":{"summary":"Get Filter Options","description":"Retrieves unique values for regions, projects, domains, and actions to populate UI filter dropdowns.","operationId":"getFilters","responses":{"200":{"description":"Available filter options.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilterOptions"}}}},"405":{"description":"Method Not Allowed"},"500":{"description":"Internal Server Error"}}}}}}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.platform9.com/private-cloud-director/monitoring-and-observability/audit-logging.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.