> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# List audit logs

> Can be used by the following roles assigned at the organization scope:
- ORG_ADMIN




## OpenAPI

````yaml /openapi/cloud/latest.json get /api/v1/auditlogevents
openapi: 3.0.0
info:
  contact:
    email: support@cockroachlabs.com
    name: Cockroach Labs Support
    url: https://support.cockroachlabs.com
  description: An API for managing CockroachDB Cloud resources
  title: CockroachDB Cloud API
  version: '2024-09-16'
servers:
  - url: https://cockroachlabs.cloud
security:
  - Bearer: []
tags:
  - name: SCIM
  - name: Organizations
  - name: Clusters
  - name: Cluster Disruption
  - name: SQL Users
  - name: SQL Privilege Grants
  - name: Databases
  - name: Customer-managed Encryption Keys
  - name: Client CA Certificates
  - name: Cluster SSO
  - name: Log Export
  - name: Metric Export
  - name: Audit Logs
  - name: IP Allowlists
  - name: Egress Rules
  - name: Billing
  - name: Maintenance Windows
  - name: Blackout Windows
  - name: Role Management
  - name: Service Accounts
  - name: API Keys
  - name: Folders
  - name: Version Deferral
  - name: JWT Issuers
  - name: OpenID Connect Configuration
  - name: Private Endpoint Services
  - name: PCI
  - name: Physical Cluster Replication
  - name: Plan Migrations
  - name: Backup/Restore
  - name: Egress Private Endpoints
  - name: Multifactor Authentication
externalDocs:
  description: Use the CockroachDB Cloud API
  url: https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api.html
paths:
  /api/v1/auditlogevents:
    get:
      tags:
        - Audit Logs
      summary: List audit logs
      description: |
        Can be used by the following roles assigned at the organization scope:
        - ORG_ADMIN
      operationId: CockroachCloud_ListAuditLogs
      parameters:
        - name: starting_from
          in: query
          description: >-
            starting_from is the (exclusive) timestamp from which log entries
            will be

            returned in the response based on their created_at time, respecting
            the

            sort order specified in pagination. If unset, the default will be
            the

            current time if results are returned in descending order and the

            beginning of time if results are in ascending order.
          schema:
            type: string
            format: date-time
        - name: sort_order
          in: query
          description: |-
            sort_order is the direction of pagination, with starting_from as the
            start point. If unset, the default is ascending order.

             - ASC: Sort in ascending order. This is the default unless otherwise specified.
             - DESC: Sort in descending order.
          schema:
            type: string
            enum:
              - ASC
              - DESC
        - name: limit
          in: query
          description: >-
            limit is the number of entries requested in the response. Note that
            the

            response may still contain slightly more results, since the response
            will

            always contain every entry at a particular timestamp.
          schema:
            format: int32
            type: integer
      responses:
        '200':
          description: A successful response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListAuditLogsResponse'
        '400':
          description: Returned when a request field is invalid.
          content:
            application/json:
              schema: {}
        '401':
          description: Returned when the token bearer cannot be authenticated.
          content:
            application/json:
              schema: {}
        '403':
          description: >-
            Returned when the user does not have permission to access the
            resource.
          content:
            application/json:
              schema: {}
        '404':
          description: Returned when the resource does not exist.
          content:
            application/json:
              schema: {}
        '500':
          description: Server error
          content:
            application/json:
              schema: {}
        default:
          description: An unexpected error response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Status'
      x-codeSamples:
        - lang: Shell + Curl
          source: |-
            curl --request GET \
              --url 'https://cockroachlabs.cloud/api/v1/auditlogevents?starting_from=SOME_STRING_VALUE&sort_order=SOME_STRING_VALUE&limit=SOME_INTEGER_VALUE' \
              --header 'Authorization: Bearer REPLACE_BEARER_TOKEN'
components:
  schemas:
    ListAuditLogsResponse:
      type: object
      properties:
        entries:
          description: |-
            entries is the contiguous list of audit log entries matching the
            pagination request, sorted in the order requested.
          type: array
          items:
            $ref: '#/components/schemas/AuditLogEntry'
        next_starting_from:
          description: >-
            next_starting_from is the timestamp the caller should use to
            continue

            paginating in the same direction. If the timestamp is unset, it
            means

            that there are no more entries in the direction of the request, and

            there never will be.
          type: string
          format: date-time
    Status:
      type: object
      properties:
        code:
          format: int32
          type: integer
        details:
          type: array
          items:
            $ref: '#/components/schemas/Any'
        message:
          type: string
    AuditLogEntry:
      description: >-
        AuditLogEntry represents an entry in the cloud event log.

        Note that this message definition should always match exactly with the

        corresponding `AuditLogEntry` message in
        `console/consolepb/console.proto`.
      type: object
      properties:
        action:
          $ref: '#/components/schemas/AuditLogAction'
        cluster_id:
          description: >-
            ClusterId is the ID of the cluster to which this log entry applies,
            if it

            applies to a single cluster.
          type: string
        cluster_name:
          description: >-
            ClusterName is the name of the cluster to which this log entry
            applies, if

            it applies to a single cluster.
          type: string
        created_at:
          description: CreatedAt is the time that this log entry was recorded.
          type: string
          format: date-time
        error:
          description: >-
            Error is the error that applies to this entry if it represents a
            failure.
          type: string
        id:
          description: Id uniquely identifies this entry.
          type: string
        metadata:
          $ref: '#/components/schemas/AuditLogMetadata'
        payload:
          description: >-
            Payload is a representation of the essential details relating to
            this

            log entry.
          type: string
        service_account_name:
          description: >-
            ServiceAccountName is the name of the service account that triggered
            this

            log entry. If it was not a service account, it will be empty.
          type: string
        session_id:
          description: >-
            SessionId is an ID that can be used to correlate this log entry with

            others that are emitted as part of the same user session, typically
            for

            users interacting through the UI. It should be treated as an opaque
            string

            with no guaranteed structure.
          type: string
        source:
          $ref: '#/components/schemas/AuditLogSource'
        system_actor_name:
          $ref: '#/components/schemas/SystemActorName'
        trace_id:
          description: >-
            TraceId is an ID that can be used to correlate this log entry with
            others

            that are emitted as part of the same process. It should be treated
            as an

            opaque string with no guaranteed structure.
          type: string
        user_email:
          description: >-
            UserEmail is the email address of the user that triggered this log
            entry.

            If it was not a human user, it will be empty.
          type: string
    Any:
      description: >-
        `Any` contains an arbitrary serialized protocol buffer message along
        with a

        URL that describes the type of the serialized message.


        In its binary encoding, an `Any` is an ordinary message; but in other
        wire

        forms like JSON, it has a special encoding. The format of the type URL
        is

        described on the `type_url` field.


        Protobuf APIs provide utilities to interact with `Any` values:


        - A 'pack' operation accepts a message and constructs a generic `Any`
        wrapper
          around it.
        - An 'unpack' operation reads the content of an `Any` message, either
        into an
          existing message or a new one. Unpack operations must check the type of the
          value they unpack against the declared `type_url`.
        - An 'is' operation decides whether an `Any` contains a message of the
        given
          type, i.e. whether it can 'unpack' that type.

        The JSON format representation of an `Any` follows one of these cases:


        - For types without special-cased JSON encodings, the JSON format
          representation of the `Any` is the same as that of the message, with an
          additional `@type` field which contains the type URL.
        - For types with special-cased JSON encodings (typically called
        'well-known'
          types, listed in https://protobuf.dev/programming-guides/json/#any), the
          JSON format representation has a key `@type` which contains the type URL
          and a key `value` which contains the JSON-serialized value.

        The text format representation of an `Any` is like a message with one
        field

        whose name is the type URL in brackets. For example, an `Any` containing
        a

        `foo.Bar` message may be written `[type.googleapis.com/foo.Bar] { a: 2
        }`.
      type: object
      properties:
        '@type':
          description: >-
            Identifies the type of the serialized Protobuf message with a URI
            reference

            consisting of a prefix ending in a slash and the fully-qualified
            type name.


            Example: type.googleapis.com/google.protobuf.StringValue


            This string must contain at least one `/` character, and the content
            after

            the last `/` must be the fully-qualified name of the type in
            canonical

            form, without a leading dot. Do not write a scheme on these URI
            references

            so that clients do not attempt to contact them.


            The prefix is arbitrary and Protobuf implementations are expected to

            simply strip off everything up to and including the last `/` to
            identify

            the type. `type.googleapis.com/` is a common default prefix that
            some

            legacy implementations require. This prefix does not indicate the
            origin of

            the type, and URIs containing it are not expected to respond to any

            requests.


            All type URL strings must be legal URI references with the
            additional

            restriction (for the text format) that the content of the reference

            must consist only of alphanumeric characters, percent-encoded
            escapes, and

            characters in the following set (not including the outer backticks):

            `/-.~_!$&()*+,;=`. Despite our allowing percent encodings,
            implementations

            should not unescape them to prevent confusion with existing parsers.
            For

            example, `type.googleapis.com%2FFoo` should be rejected.


            In the original design of `Any`, the possibility of launching a type

            resolution service at these type URLs was considered but Protobuf
            never

            implemented one and considers contacting these URLs to be
            problematic and

            a potential security issue. Do not attempt to contact type URLs.
          type: string
      additionalProperties: {}
    AuditLogAction:
      type: string
      enum:
        - AUDIT_LOG_ACTION_CREATE_CLUSTER
        - AUDIT_LOG_ACTION_DELETE_CLUSTER
        - AUDIT_LOG_ACTION_INVITE_USER_TO_ORGANIZATION
        - AUDIT_LOG_ACTION_EDIT_USER_INVITE
        - AUDIT_LOG_ACTION_REVOKE_USER_INVITE
        - AUDIT_LOG_ACTION_ACCEPT_USER_INVITE
        - AUDIT_LOG_ACTION_ASSIGN_USER_ROLE
        - AUDIT_LOG_ACTION_DELETE_USER_FROM_ORGANIZATION
        - AUDIT_LOG_ACTION_CREATE_SERVICE_ACCOUNT
        - AUDIT_LOG_ACTION_UPDATE_SERVICE_ACCOUNT
        - AUDIT_LOG_ACTION_DELETE_SERVICE_ACCOUNT
        - AUDIT_LOG_ACTION_CREATE_API_KEY
        - AUDIT_LOG_ACTION_UPDATE_API_KEY
        - AUDIT_LOG_ACTION_DELETE_API_KEY
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER
        - AUDIT_LOG_ACTION_CREATE_SQL_USER
        - AUDIT_LOG_ACTION_CHANGE_SQL_USER_PASSWORD
        - AUDIT_LOG_ACTION_DELETE_SQL_USER
        - AUDIT_LOG_ACTION_ADD_IP_ALLOWLIST
        - AUDIT_LOG_ACTION_EDIT_IP_ALLOWLIST
        - AUDIT_LOG_ACTION_DELETE_IP_ALLOWLIST
        - AUDIT_LOG_ACTION_CREATE_VPC_PEERING
        - AUDIT_LOG_ACTION_DELETE_VPC_PEERING
        - AUDIT_LOG_ACTION_CREATE_PRIVATE_LINK
        - AUDIT_LOG_ACTION_ACCEPT_PRIVATE_LINK
        - AUDIT_LOG_ACTION_REJECT_PRIVATE_LINK
        - AUDIT_LOG_ACTION_USER_LOGIN
        - AUDIT_LOG_ACTION_ADD_USER_TO_ROLE
        - AUDIT_LOG_ACTION_REMOVE_USER_FROM_ROLE
        - AUDIT_LOG_ACTION_CREATE_USER
        - AUDIT_LOG_ACTION_DELETE_USER
        - AUDIT_LOG_ACTION_UPDATE_USER
        - AUDIT_LOG_ACTION_CREATE_GROUP
        - AUDIT_LOG_ACTION_DELETE_GROUP
        - AUDIT_LOG_ACTION_UPDATE_GROUP
        - AUDIT_LOG_ACTION_SET_CLIENT_CA_CERT
        - AUDIT_LOG_ACTION_UPDATE_CLIENT_CA_CERT
        - AUDIT_LOG_ACTION_DELETE_CLIENT_CA_CERT
        - AUDIT_LOG_ACTION_CREATE_API_OIDC_CONFIG
        - AUDIT_LOG_ACTION_DELETE_API_OIDC_CONFIG
        - AUDIT_LOG_ACTION_UPDATE_API_OIDC_CONFIG
        - AUDIT_LOG_ACTION_CREATE_FOLDER
        - AUDIT_LOG_ACTION_DELETE_FOLDER
        - AUDIT_LOG_ACTION_UPDATE_FOLDER
        - AUDIT_LOG_ACTION_ADD_PRIVATE_ENDPOINT_TRUSTED_OWNER
        - AUDIT_LOG_ACTION_REMOVE_PRIVATE_ENDPOINT_TRUSTED_OWNER
        - AUDIT_LOG_ACTION_ADD_ALERT_RECIPIENT
        - AUDIT_LOG_ACTION_REMOVE_ALERT_RECIPIENT
        - AUDIT_LOG_ACTION_TOGGLE_ALERTS
        - AUDIT_LOG_ACTION_TEST_ALERT_EMAIL
        - AUDIT_LOG_ACTION_UPDATE_CMEK
        - AUDIT_LOG_ACTION_REVOKE_CMEK
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_LOG_EXPORT
        - AUDIT_LOG_ACTION_DELETE_CLUSTER_LOG_EXPORT
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_METRIC_EXPORT
        - AUDIT_LOG_ACTION_DELETE_CLUSTER_METRIC_EXPORT
        - AUDIT_LOG_ACTION_RESTORE_CLUSTER
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_MAJOR_VERSION
        - AUDIT_LOG_ACTION_ROLLBACK_CLUSTER_MAJOR_VERSION_UPDATE
        - AUDIT_LOG_ACTION_FINALIZE_CLUSTER_MAJOR_VERSION_UPDATE
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_VERSION_UPGRADE_DEFERRAL
        - AUDIT_LOG_ACTION_SET_CLUSTER_MAINTENANCE_WINDOW
        - AUDIT_LOG_ACTION_DELETE_CLUSTER_MAINTENANCE_WINDOW
        - AUDIT_LOG_ACTION_SET_EGRESS_TRAFFIC_POLICY
        - AUDIT_LOG_ACTION_ADD_EGRESS_RULE
        - AUDIT_LOG_ACTION_EDIT_EGRESS_RULE
        - AUDIT_LOG_ACTION_DELETE_EGRESS_RULE
        - AUDIT_LOG_ACTION_ENABLE_CLOUD_ORG_SSO
        - AUDIT_LOG_ACTION_ADD_AUTHENTICATION_METHOD
        - AUDIT_LOG_ACTION_UPDATE_AUTHENTICATION_METHOD
        - AUDIT_LOG_ACTION_DELETE_AUTHENTICATION_METHOD
        - AUDIT_LOG_ACTION_SET_DELETE_PROTECTION
        - AUDIT_LOG_ACTION_MARKETPLACE_CREATE_SUBSCRIPTION
        - AUDIT_LOG_ACTION_MARKETPLACE_CANCEL_SUBSCRIPTION
        - AUDIT_LOG_ACTION_ADD_JWT_ISSUER
        - AUDIT_LOG_ACTION_DELETE_JWT_ISSUER
        - AUDIT_LOG_ACTION_UPDATE_JWT_ISSUER
        - AUDIT_LOG_ACTION_CREATE_LICENSE
        - AUDIT_LOG_ACTION_UPDATE_ORGANIZATION_NAME
        - AUDIT_LOG_ACTION_CREATE_LICENSES
        - AUDIT_LOG_ACTION_CREATE_PLAN_MIGRATION
        - AUDIT_LOG_ACTION_CANCEL_PLAN_MIGRATION
        - AUDIT_LOG_ACTION_CUTOVER_PLAN_MIGRATION
        - AUDIT_LOG_ACTION_CREATE_EGRESS_PRIVATE_ENDPOINT
        - AUDIT_LOG_ACTION_DELETE_EGRESS_PRIVATE_ENDPOINT
        - AUDIT_LOG_ACTION_UPDATE_EGRESS_PRIVATE_ENDPOINT
        - AUDIT_LOG_ACTION_CREATE_PHYSICAL_REPLICATION_STREAM
        - AUDIT_LOG_ACTION_FAILOVER_PHYSICAL_REPLICATION_STREAM
        - AUDIT_LOG_ACTION_CANCEL_PHYSICAL_REPLICATION_STREAM
        - AUDIT_LOG_ACTION_CREATE_CLUSTER_BLACKOUT_WINDOW
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_BLACKOUT_WINDOW
        - AUDIT_LOG_ACTION_DELETE_CLUSTER_BLACKOUT_WINDOW
        - AUDIT_LOG_ACTION_START_FAULT_TOLERANCE_DEMO
        - AUDIT_LOG_ACTION_END_FAULT_TOLERANCE_DEMO
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_DISRUPTION
        - AUDIT_LOG_ACTION_SET_CLUSTER_SETTING
        - AUDIT_LOG_ACTION_EVICT_BYOC_CLUSTER
        - AUDIT_LOG_ACTION_MCP_OAUTH_CONSENT
        - AUDIT_LOG_ACTION_ENABLE_MFA_ENFORCEMENT
        - AUDIT_LOG_ACTION_DISABLE_MFA_ENFORCEMENT
        - AUDIT_LOG_ACTION_RESET_USER_MFA
        - AUDIT_LOG_ACTION_ENROLL_USER_MFA
        - AUDIT_LOG_ACTION_REGENERATE_RECOVERY_CODES
        - AUDIT_LOG_ACTION_CREATE_MIGRATION_ASSISTANT
        - AUDIT_LOG_ACTION_DELETE_MIGRATION_ASSISTANT
    AuditLogMetadata:
      type: object
      properties:
        ip_address:
          type: string
    AuditLogSource:
      type: string
      enum:
        - AUDIT_LOG_SOURCE_CC_API
        - AUDIT_LOG_SOURCE_CLI
        - AUDIT_LOG_SOURCE_UI
        - AUDIT_LOG_SOURCE_INTERNAL
        - AUDIT_LOG_SOURCE_MCP
        - AUDIT_LOG_SOURCE_SSH_GATEWAY
    SystemActorName:
      description: >-
        SystemActorName identifies a system process that triggered an audit log

        entry when the action was not initiated by a human user or service
        account.
      type: string
      enum:
        - SYSTEM_ACTOR_NAME_SYSTEM
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

````