> For the complete documentation index, see [llms.txt](https://docs.platform9.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.platform9.com/private-cloud-director/monitoring-and-observability/audit-logging.md).

# Audit Logging

### Overview

Audit logs in Private Cloud Director provide users with the ability to view the actions that have taken place on their environment. Currently audit logging is enabled for the following services:

* Identity
* Compute
* Networking

#### Audit Log Retrieval for Admin Users

Admin users can now retrieve audit logs directly from the UI. To access the logs, navigate to **Settings** (gear icon) and select **Audit Logs** within the Private Cloud Director UI.

**Mandatory Filters**

When accessing audit logs, the following filters must be specified:

* Region
* Domain
* Tenant
* Service

By default, the logs from the past 24 hours are retrieved with additional filters, such as a custom time range, available by enabling the **Use Optional Filters** toggle.

**Downloading Audit Logs**

Clicking the **Download Logs** button will download the logs as a `.ndjson` file, containing one JSON object per line. An example format is shown below:

```json
{
  "timestamp_utc": "2026-02-11T22:21:02Z",
  "region": "RegionOne",
  "component": "compute",
  "project_id": "4ad1138f-880a-4c09-87b8-b70be45a12d1",
  "user_id": "e608aebe-0391-4619-855d-aad53765f0f7",
  "request_id": "req-1a2b3c4d-5e6f-7890-abcd-ef1234567890",
  "username": "pf9@platform9.com",
  "action_name": "create",
  "resource_type": "vm",
  "resource_id": "9b1deadb-1234-4cba-9876-abcdef012345",
  "resource_name": "critical_workload",
  "action_result": "success",
  "source_ip": "10.144.209.1",
  "roles_list": ["admin", "member"],
  "metadata": [
    {"image_name": "ubuntu-22.04-server"},
    {"image_id": "f3a8c2e1-9b4d-4f7a-b2c5-1e8d6a0f3c9b"}
  ]
}
```

Fields that cannot be populated will display as `unknown`, and UUID fields will be represented as `00000000-0000-0000-0000-000000000000`. The `roles_list` and `metadata` fields are omitted from the output when empty.

**Service Account Log Filtering**

By default, log entries generated by internal PCD service accounts (such as `nova`, `neutron`, and `cinder`) are excluded from the retrieval API to reduce noise from inter-service traffic. To include these entries in the response, pass the `includeServiceAccounts=true` query parameter on the export endpoint.

**Audit Capabilities**

Currently, auditing is enabled for compute, networking, storage, image, and identity services, with more detailed capabilities planned for future releases.

As of the 2026.4 release, for the compute, storage, and identity service, we have enhanced the information that audit logs capture. The following additional details are captured for these services:

* Resource IDs for resource creation actions
* Relevant request metadata for actions such as migrations and role assignments to capture secondary resources that the action refers to
* Resource names are now captured for improved log readability
* Roles at the time of the action are now captured in the audit logs

Note the following known issue:

* For the image and networking service `Resource ID`s are not populated during the creation of a resource. Subsequent actions will display the resource ID correctly.

**Deployment Options for Audit Logs** Note: The following information is targetted for PCD self-hosted customers. SaaS customers should communicate retention requirements with the support team to configure audit logging on their environment.

More information on configuring options for Self Hosted PCD can be found here:

{% content-ref url="/pages/wlgnj0vcxMsRAJH2jZ0Q#storage-class-customisation" %}
[Pre-requisites](/private-cloud-director/getting-started/self-hosted/self-hosted-pre-requisites.md#storage-class-customisation)
{% endcontent-ref %}

Several parameters can be set through deployment options to configure audit logging:

* `audit_pvc_size`: Size of the PVC associated with the audit database (default: `5Gi`)
* `audit_pvc_sc`: Storage class associated with the audit PVC (default: `""` (default storage class))
* `audit_retention_days`: Number of days logs are retained (default: `7`)

Example configuration:

```json
{
    "audit_pvc_sc": "custom-sc",
    "audit_pvc_size": "6Gi",
    "audit_retention_days": "30"
}
```

### Audit Log Retrieval API:

Audit logs can also be accessed via API. This is an admin only endpoint.

## Export Audit Logs

> Streams audit logs matching the provided filters. \
> The response is in NDJSON (Newline Delimited JSON) format to support large datasets without memory buffering.\
> \
> If no start\_time is provided, defaults to the last 24 hours.<br>

```json
{"openapi":"3.0.0","info":{"title":"Audit Service API","version":"1.0.0"},"servers":[{"url":"your.du.url"}],"security":[{"AuthToken":[]}],"components":{"securitySchemes":{"AuthToken":{"type":"apiKey","in":"header","name":"x-auth-token","description":"Platform9 authentication token obtained from the identity service."}}},"paths":{"/resmgr/audit/export":{"get":{"summary":"Export Audit Logs","description":"Streams audit logs matching the provided filters. \nThe response is in NDJSON (Newline Delimited JSON) format to support large datasets without memory buffering.\n\nIf no start_time is provided, defaults to the last 24 hours.\n","operationId":"exportLogs","parameters":[{"name":"region","in":"query","description":"Filter by region name.","schema":{"type":"string"}},{"name":"project_id","in":"query","description":"Filter by tenant UUID.","schema":{"type":"string","format":"uuid"}},{"name":"user_id","in":"query","description":"Filter by User ID.","schema":{"type":"string","format":"uuid"}},{"name":"username","in":"query","description":"Filter by username.","schema":{"type":"string"}},{"name":"action","in":"query","description":"Filter by action name (e.g., 'authenticate', 'create').","schema":{"type":"string"}},{"name":"resource_type","in":"query","description":"Filter by resource type (e.g., 'service/compute/server').","schema":{"type":"string"}},{"name":"service","in":"query","description":"Filter by component/service name.","schema":{"type":"string"}},{"name":"start_time","in":"query","description":"Start of the time range (RFC3339). Defaults to T-24h.","schema":{"type":"string","format":"date-time"}},{"name":"end_time","in":"query","description":"End of the time range.","schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","description":"Maximum number of records to return.","schema":{"type":"integer"}}],"responses":{"200":{"description":"A stream of audit logs.","content":{"application/x-ndjson":{"schema":{"type":"string","description":"Stream of JSON objects (AuditLog) separated by newlines."}}}},"405":{"description":"Method Not Allowed"},"500":{"description":"Internal Server Error (Database query failed)"}}}}}}
```

## Get Filter Options

> Retrieves unique values for regions, projects, domains, and actions to populate UI filter dropdowns.

```json
{"openapi":"3.0.0","info":{"title":"Audit Service API","version":"1.0.0"},"servers":[{"url":"your.du.url"}],"security":[{"AuthToken":[]}],"components":{"securitySchemes":{"AuthToken":{"type":"apiKey","in":"header","name":"x-auth-token","description":"Platform9 authentication token obtained from the identity service."}},"schemas":{"FilterOptions":{"type":"object","properties":{"services":{"type":"object","description":"Map of Service Names (Component) to a list of their Resource Types.","additionalProperties":{"type":"array","items":{"type":"string"}}},"outcomes":{"type":"array","items":{"type":"string"}},"regions":{"type":"array","items":{"type":"string"}},"project_ids":{"type":"array","items":{"type":"string","format":"uuid"}},"domains":{"type":"array","items":{"type":"string"}},"action_names":{"type":"array","items":{"type":"string"}},"action_results":{"type":"array","items":{"type":"string"}}}}}},"paths":{"/resmgr/audit/filters":{"get":{"summary":"Get Filter Options","description":"Retrieves unique values for regions, projects, domains, and actions to populate UI filter dropdowns.","operationId":"getFilters","responses":{"200":{"description":"Available filter options.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilterOptions"}}}},"405":{"description":"Method Not Allowed"},"500":{"description":"Internal Server Error"}}}}}}
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.platform9.com/private-cloud-director/monitoring-and-observability/audit-logging.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.