CockroachDB Cloud captures audit logs when many types of events occur, such as when a cluster is created or when a user is added to or removed from an organization.
View audit logs
- Navigate to the CockroachDB Cloud Console and log in as an account with the Organization Admin role.
- In the top navigation bar, select Organization, then choose Audit Logs from the dropdown menu. This will bring you to the Audit Logs page, which shows a (possibly empty) list of audit logs.
Filter audit logs
Filter the audit logs by the following fields:
- Time Range (UTC):
- Default: Last 48 hours.
- To set the time range, select Start date or End date. Select your desired time range in the calendar dropdown or type in your desired dates and times.
- User email: Select one or more email addresses from the list of organization members (optional).
- Action name: Select one or more predefined auditable actions (optional).
- Cluster name: Select one or more cluster names (optional).
Audit logs table
If audit logs are found for the filter selections, a table will be displayed with the following columns:
- Time (UTC)
- Users: Displays either a member's email or a service account name. (Note: You cannot filter by service account name.)
- Action name
- Cluster name
- Source: Displays the following:
UIfor actions executed in the Cloud Console.APIfor actions executed via the Cloud API.CRLfor actions executed by Cockroach Labs.
Audit log details
Click on a log row in the audit logs table to open an Action details right sidebar displaying event information, including the full payload in the Details section.
URL Query Parameters
All selected filters are reflected in the URL query parameters, making it easy to share specific views. For example:
startingFromandendingAt: Define the selected time range.logId: Specifies the Action ID of an expanded log entry in the sidebar.
https://cockroachlabs.cloud/audit-logs?startingFrom=2025-03-04T19%3A51%3A36.590Z&endingAt=2025-03-07T19%3A51%3A36.000-05%3A00&logId=78d55b3c-424e-45fa-bbce-03f2ed738897
Examples
For organization administrators, security teams, and compliance officers, audit logs provide critical insights into system activities. These logs are essential for:
- Tracking user role changes
- Example: To identify when and by whom an Admin role was assigned, filter by the action
ADD_USER_TO_ROLE.
- Example: To identify when and by whom an Admin role was assigned, filter by the action
- Investigating cluster costs
- Example: To determine who created a cluster and when, filter by the action
CREATE_CLUSTER.
- Example: To determine who created a cluster and when, filter by the action
- Understanding IP allowlisting changes
- Example: To identify why and by whom an IP address was added, filter by the action
ADD_IP_ALLOWLIST.
- Example: To identify why and by whom an IP address was added, filter by the action
- Verifying cluster deletions
- Example: To ensure cluster deletions were intentional, filter by the action
DELETE_CLUSTER.
- Example: To ensure cluster deletions were intentional, filter by the action
- Diagnosing performance issues
- Example: To track configuration changes affecting performance, filter by the action
UPDATE_CLUSTER
- Example: To track configuration changes affecting performance, filter by the action
- Analyzing security threats
- Example: To investigate failed login attempts and suspicious login activity, filter by the action
USER_LOGIN.
- Example: To investigate failed login attempts and suspicious login activity, filter by the action
- Reviewing maintenance schedule changes
- Example: To track modifications to maintenance windows, filter by the actions
SET_CLUSTER_MAINTENANCE_WINDOWandDELETE_CLUSTER_MAINTENANCE_WINDOW.
- Example: To track modifications to maintenance windows, filter by the actions
See also
Was this helpful?
