> ## Documentation Index
> Fetch the complete documentation index at: https://www.cockroachlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List audit logs

> Can be used by the following roles assigned at the organization scope:
- ORG_ADMIN




## OpenAPI

````yaml /openapi/cloud/2023-04-10.json get /api/v1/auditlogevents
openapi: 3.0.0
info:
  contact:
    email: support@cockroachlabs.com
    name: Cockroach Labs Support
    url: https://support.cockroachlabs.com
  description: An API for managing CockroachDB Cloud resources
  title: CockroachDB Cloud API
  version: '2023-04-10'
servers:
  - url: https://cockroachlabs.cloud
security:
  - Bearer: []
tags:
  - name: SCIM
  - name: Organizations
  - name: Clusters
  - name: SQL Users
  - name: SQL Privilege Grants
  - name: Databases
  - name: Customer-managed Encryption Keys
  - name: Client CA Certificates
  - name: Cluster SSO
  - name: Log Export
  - name: Metric Export
  - name: Audit Logs
  - name: IP Allowlists
  - name: Egress Rules
  - name: Billing
  - name: Maintenance Windows
  - name: Role Management
  - name: Service Accounts
  - name: API Keys
  - name: Folders
  - name: Version Deferral
  - name: JWT Issuers
  - name: OpenID Connect Configuration
  - name: Private Endpoint Services
  - name: PCI
  - name: Physical Cluster Replication
  - name: Backup/Restore
externalDocs:
  description: Use the CockroachDB Cloud API
  url: https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api
paths:
  /api/v1/auditlogevents:
    get:
      tags:
        - Audit Logs
      summary: List audit logs
      description: |
        Can be used by the following roles assigned at the organization scope:
        - ORG_ADMIN
      operationId: CockroachCloud_ListAuditLogs
      parameters:
        - name: starting_from
          in: query
          description: >-
            starting_from is the (exclusive) timestamp from which log entries
            will be

            returned in the response based on their created_at time, respecting
            the

            sort order specified in pagination. If unset, the default will be
            the

            current time if results are returned in descending order and the

            beginning of time if results are in ascending order.
          schema:
            type: string
            format: date-time
        - name: sort_order
          in: query
          description: |-
            sort_order is the direction of pagination, with starting_from as the
            start point. If unset, the default is ascending order.

             - ASC: Sort in ascending order. This is the default unless otherwise specified.
             - DESC: Sort in descending order.
          schema:
            type: string
            enum:
              - ASC
              - DESC
        - name: limit
          in: query
          description: >-
            limit is the number of entries requested in the response. Note that
            the

            response may still contain slightly more results, since the response
            will

            always contain every entry at a particular timestamp.
          schema:
            type: integer
            format: int32
      responses:
        '200':
          description: A successful response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListAuditLogsResponse'
        '400':
          description: Returned when a request field is invalid.
          content:
            application/json:
              schema: {}
        '401':
          description: Returned when the token bearer cannot be authenticated.
          content:
            application/json:
              schema: {}
        '403':
          description: >-
            Returned when the user does not have permission to access the
            resource.
          content:
            application/json:
              schema: {}
        '404':
          description: Returned when the resource does not exist.
          content:
            application/json:
              schema: {}
        '500':
          description: Server error
          content:
            application/json:
              schema: {}
        default:
          description: An unexpected error response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Status'
      x-codeSamples:
        - lang: curl
          source: |-
            curl --request GET \
              --url 'https://cockroachlabs.cloud/api/v1/auditlogevents?starting_from=SOME_STRING_VALUE&sort_order=SOME_STRING_VALUE&limit=SOME_INTEGER_VALUE' \
              --header 'Authorization: Bearer REPLACE_BEARER_TOKEN'
components:
  schemas:
    ListAuditLogsResponse:
      type: object
      properties:
        entries:
          description: |-
            entries is the contiguous list of audit log entries matching the
            pagination request, sorted in the order requested.
          type: array
          items:
            $ref: '#/components/schemas/AuditLogEntry'
        next_starting_from:
          description: >-
            next_starting_from is the timestamp the caller should use to
            continue

            paginating in the same direction. If the timestamp is unset, it
            means

            that there are no more entries in the direction of the request, and

            there never will be.
          type: string
          format: date-time
    Status:
      type: object
      properties:
        code:
          type: integer
          format: int32
        details:
          type: array
          items:
            $ref: '#/components/schemas/Any'
        message:
          type: string
    AuditLogEntry:
      description: >-
        AuditLogEntry represents an entry in the cloud event log.

        Note that this message definition should always match exactly with the

        corresponding `AuditLogEntry` message in
        `console/consolepb/console.proto`.
      type: object
      properties:
        action:
          $ref: '#/components/schemas/AuditLogAction'
        cluster_id:
          description: >-
            ClusterId is the ID of the cluster to which this log entry applies,
            if it

            applies to a single cluster.
          type: string
        cluster_name:
          description: >-
            ClusterName is the name of the cluster to which this log entry
            applies, if

            it applies to a single cluster.
          type: string
        created_at:
          description: CreatedAt is the time that this log entry was recorded.
          type: string
          format: date-time
        error:
          description: >-
            Error is the error that applies to this entry if it represents a
            failure.
          type: string
        id:
          description: Id uniquely identifies this entry.
          type: string
        metadata:
          $ref: '#/components/schemas/AuditLogMetadata'
        payload:
          description: >-
            Payload is a representation of the essential details relating to
            this

            log entry.
          type: object
        service_account_name:
          description: >-
            ServiceAccountName is the name of the service account that triggered
            this

            log entry. If it was not a service account, it will be empty.
          type: string
        session_id:
          description: >-
            SessionId is an ID that can be used to correlate this log entry with

            others that are emitted as part of the same user session, typically
            for

            users interacting through the UI. It should be treated as an opaque
            string

            with no guaranteed structure.
          type: string
        source:
          $ref: '#/components/schemas/AuditLogSource'
        trace_id:
          description: >-
            TraceId is an ID that can be used to correlate this log entry with
            others

            that are emitted as part of the same process. It should be treated
            as an

            opaque string with no guaranteed structure.
          type: string
        user_email:
          description: >-
            UserEmail is the email address of the user that triggered this log
            entry.

            If it was not a human user, it will be empty.
          type: string
    Any:
      description: >-
        `Any` contains an arbitrary serialized protocol buffer message along
        with a

        URL that describes the type of the serialized message.


        Protobuf library provides support to pack/unpack Any values in the form

        of utility functions or additional generated methods of the Any type.


        Example 1: Pack and unpack a message in C++.

            Foo foo = ...;
            Any any;
            any.PackFrom(foo);
            ...
            if (any.UnpackTo(&foo)) {
              ...
            }

        Example 2: Pack and unpack a message in Java.

            Foo foo = ...;
            Any any = Any.pack(foo);
            ...
            if (any.is(Foo.class)) {
              foo = any.unpack(Foo.class);
            }
            // or ...
            if (any.isSameTypeAs(Foo.getDefaultInstance())) {
              foo = any.unpack(Foo.getDefaultInstance());
            }

         Example 3: Pack and unpack a message in Python.

            foo = Foo(...)
            any = Any()
            any.Pack(foo)
            ...
            if any.Is(Foo.DESCRIPTOR):
              any.Unpack(foo)
              ...

         Example 4: Pack and unpack a message in Go

             foo := &pb.Foo{...}
             any, err := anypb.New(foo)
             if err != nil {
               ...
             }
             ...
             foo := &pb.Foo{}
             if err := any.UnmarshalTo(foo); err != nil {
               ...
             }

        The pack methods provided by protobuf library will by default use

        'type.googleapis.com/full.type.name' as the type URL and the unpack

        methods only use the fully qualified type name after the last '/'

        in the type URL, for example "foo.bar.com/x/y.z" will yield type

        name "y.z".


        JSON

        ====

        The JSON representation of an `Any` value uses the regular

        representation of the deserialized, embedded message, with an

        additional field `@type` which contains the type URL. Example:

            package google.profile;
            message Person {
              string first_name = 1;
              string last_name = 2;
            }

            {
              "@type": "type.googleapis.com/google.profile.Person",
              "firstName": <string>,
              "lastName": <string>
            }

        If the embedded message type is well-known and has a custom JSON

        representation, that representation will be embedded adding a field

        `value` which holds the custom JSON in addition to the `@type`

        field. Example (for message [google.protobuf.Duration][]):

            {
              "@type": "type.googleapis.com/google.protobuf.Duration",
              "value": "1.212s"
            }
      type: object
      properties:
        '@type':
          description: >-
            A URL/resource name that uniquely identifies the type of the
            serialized

            protocol buffer message. This string must contain at least

            one "/" character. The last segment of the URL's path must represent

            the fully qualified name of the type (as in

            `path/google.protobuf.Duration`). The name should be in a canonical
            form

            (e.g., leading "." is not accepted).


            In practice, teams usually precompile into the binary all types that
            they

            expect it to use in the context of Any. However, for URLs which use
            the

            scheme `http`, `https`, or no scheme, one can optionally set up a
            type

            server that maps type URLs to message definitions as follows:


            * If no scheme is provided, `https` is assumed.

            * An HTTP GET on the URL must yield a [google.protobuf.Type][]
              value in binary format, or produce an error.
            * Applications are allowed to cache lookup results based on the
              URL, or have them precompiled into a binary to avoid any
              lookup. Therefore, binary compatibility needs to be preserved
              on changes to types. (Use versioned type names to manage
              breaking changes.)

            Note: this functionality is not currently available in the official

            protobuf release, and it is not used for type URLs beginning with

            type.googleapis.com. As of May 2023, there are no widely used type
            server

            implementations and no plans to implement one.


            Schemes other than `http`, `https` (or the empty scheme) might be

            used with implementation specific semantics.
          type: string
      additionalProperties: {}
    AuditLogAction:
      type: string
      enum:
        - AUDIT_LOG_ACTION_CREATE_CLUSTER
        - AUDIT_LOG_ACTION_DELETE_CLUSTER
        - AUDIT_LOG_ACTION_INVITE_USER_TO_ORGANIZATION
        - AUDIT_LOG_ACTION_EDIT_USER_INVITE
        - AUDIT_LOG_ACTION_REVOKE_USER_INVITE
        - AUDIT_LOG_ACTION_ACCEPT_USER_INVITE
        - AUDIT_LOG_ACTION_ASSIGN_USER_ROLE
        - AUDIT_LOG_ACTION_DELETE_USER_FROM_ORGANIZATION
        - AUDIT_LOG_ACTION_CREATE_SERVICE_ACCOUNT
        - AUDIT_LOG_ACTION_UPDATE_SERVICE_ACCOUNT
        - AUDIT_LOG_ACTION_DELETE_SERVICE_ACCOUNT
        - AUDIT_LOG_ACTION_CREATE_API_KEY
        - AUDIT_LOG_ACTION_UPDATE_API_KEY
        - AUDIT_LOG_ACTION_DELETE_API_KEY
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER
        - AUDIT_LOG_ACTION_CREATE_SQL_USER
        - AUDIT_LOG_ACTION_CHANGE_SQL_USER_PASSWORD
        - AUDIT_LOG_ACTION_DELETE_SQL_USER
        - AUDIT_LOG_ACTION_ADD_IP_ALLOWLIST
        - AUDIT_LOG_ACTION_EDIT_IP_ALLOWLIST
        - AUDIT_LOG_ACTION_DELETE_IP_ALLOWLIST
        - AUDIT_LOG_ACTION_CREATE_VPC_PEERING
        - AUDIT_LOG_ACTION_DELETE_VPC_PEERING
        - AUDIT_LOG_ACTION_CREATE_PRIVATE_LINK
        - AUDIT_LOG_ACTION_ACCEPT_PRIVATE_LINK
        - AUDIT_LOG_ACTION_REJECT_PRIVATE_LINK
        - AUDIT_LOG_ACTION_USER_LOGIN
        - AUDIT_LOG_ACTION_ADD_USER_TO_ROLE
        - AUDIT_LOG_ACTION_REMOVE_USER_FROM_ROLE
        - AUDIT_LOG_ACTION_CREATE_USER
        - AUDIT_LOG_ACTION_DELETE_USER
        - AUDIT_LOG_ACTION_UPDATE_USER
        - AUDIT_LOG_ACTION_CREATE_GROUP
        - AUDIT_LOG_ACTION_DELETE_GROUP
        - AUDIT_LOG_ACTION_UPDATE_GROUP
        - AUDIT_LOG_ACTION_SET_CLIENT_CA_CERT
        - AUDIT_LOG_ACTION_UPDATE_CLIENT_CA_CERT
        - AUDIT_LOG_ACTION_DELETE_CLIENT_CA_CERT
        - AUDIT_LOG_ACTION_CREATE_API_OIDC_CONFIG
        - AUDIT_LOG_ACTION_DELETE_API_OIDC_CONFIG
        - AUDIT_LOG_ACTION_UPDATE_API_OIDC_CONFIG
        - AUDIT_LOG_ACTION_CREATE_FOLDER
        - AUDIT_LOG_ACTION_DELETE_FOLDER
        - AUDIT_LOG_ACTION_UPDATE_FOLDER
        - AUDIT_LOG_ACTION_ADD_PRIVATE_ENDPOINT_TRUSTED_OWNER
        - AUDIT_LOG_ACTION_REMOVE_PRIVATE_ENDPOINT_TRUSTED_OWNER
        - AUDIT_LOG_ACTION_ADD_ALERT_RECIPIENT
        - AUDIT_LOG_ACTION_REMOVE_ALERT_RECIPIENT
        - AUDIT_LOG_ACTION_TOGGLE_ALERTS
        - AUDIT_LOG_ACTION_TEST_ALERT_EMAIL
        - AUDIT_LOG_ACTION_UPDATE_CMEK
        - AUDIT_LOG_ACTION_REVOKE_CMEK
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_LOG_EXPORT
        - AUDIT_LOG_ACTION_DELETE_CLUSTER_LOG_EXPORT
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_METRIC_EXPORT
        - AUDIT_LOG_ACTION_DELETE_CLUSTER_METRIC_EXPORT
        - AUDIT_LOG_ACTION_RESTORE_CLUSTER
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_MAJOR_VERSION
        - AUDIT_LOG_ACTION_ROLLBACK_CLUSTER_MAJOR_VERSION_UPDATE
        - AUDIT_LOG_ACTION_FINALIZE_CLUSTER_MAJOR_VERSION_UPDATE
        - AUDIT_LOG_ACTION_UPDATE_CLUSTER_VERSION_UPGRADE_DEFERRAL
        - AUDIT_LOG_ACTION_SET_CLUSTER_MAINTENANCE_WINDOW
        - AUDIT_LOG_ACTION_DELETE_CLUSTER_MAINTENANCE_WINDOW
        - AUDIT_LOG_ACTION_SET_EGRESS_TRAFFIC_POLICY
        - AUDIT_LOG_ACTION_ADD_EGRESS_RULE
        - AUDIT_LOG_ACTION_EDIT_EGRESS_RULE
        - AUDIT_LOG_ACTION_DELETE_EGRESS_RULE
        - AUDIT_LOG_ACTION_ENABLE_CLOUD_ORG_SSO
        - AUDIT_LOG_ACTION_ADD_AUTHENTICATION_METHOD
        - AUDIT_LOG_ACTION_UPDATE_AUTHENTICATION_METHOD
        - AUDIT_LOG_ACTION_DELETE_AUTHENTICATION_METHOD
        - AUDIT_LOG_ACTION_SET_DELETE_PROTECTION
        - AUDIT_LOG_ACTION_MARKETPLACE_CREATE_SUBSCRIPTION
        - AUDIT_LOG_ACTION_MARKETPLACE_CANCEL_SUBSCRIPTION
        - AUDIT_LOG_ACTION_ADD_JWT_ISSUER
        - AUDIT_LOG_ACTION_DELETE_JWT_ISSUER
        - AUDIT_LOG_ACTION_UPDATE_JWT_ISSUER
    AuditLogMetadata:
      type: object
      properties:
        ip_address:
          type: string
    AuditLogSource:
      type: string
      enum:
        - AUDIT_LOG_SOURCE_CC_API
        - AUDIT_LOG_SOURCE_CLI
        - AUDIT_LOG_SOURCE_UI
        - AUDIT_LOG_SOURCE_INTERNAL
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

````