ContextQMD
Back to Gitlabhq

Audit events administration

doc/administration/compliance/audit_event_reports.md

18.11.24.2 KB
Original Source

In addition to audit events, as an administrator, you can access additional features.

Instance audit events

{{< details >}}

  • Tier: Premium, Ultimate
  • Offering: GitLab Self-Managed

{{< /details >}}

You can view audit events from user actions across an entire GitLab instance. To view instance audit events:

  1. In the upper-right corner, select Admin.
  2. Select Monitoring > Audit events.
  3. Filter by the following:
    • Member of the project (user) who performed the action
    • Group
    • Project
    • Date Range

Instance audit events can also be accessed using the instance audit events API.

Exporting audit events

{{< details >}}

  • Tier: Premium, Ultimate
  • Offering: GitLab Self-Managed

{{< /details >}}

{{< history >}}

  • Entity type Gitlab::Audit::InstanceScope for instance audit events introduced in GitLab 16.2.

{{< /history >}}

You can export the current view (including filters) of your instance audit events as a CSV(comma-separated values) file. To export the instance audit events to CSV:

  1. In the upper-right corner, select Admin.
  2. Select Monitoring > Audit events.
  3. Select the available search filters.
  4. Select Export as CSV.

A download confirmation dialog then appears for you to download the CSV file. The exported CSV is limited to a maximum of 100000 events. The remaining records are truncated when this limit is reached.

Audit event CSV encoding

The exported CSV file is encoded as follows:

  • , is used as the column delimiter
  • " is used to quote fields if necessary.
  • \n is used to separate rows.

The first row contains the headers, which are listed in the following table along with a description of the values:

ColumnDescription
IDAudit event id.
Author IDID of the author.
Author NameFull name of the author.
Entity IDID of the scope.
Entity TypeType of the scope (Project, Group, User, or Gitlab::Audit::InstanceScope).
Entity PathPath of the scope.
Target IDID of the target.
Target TypeType of the target.
Target DetailsDetails of the target.
ActionDescription of the action.
IP AddressIP address of the author who performed the action.
Created At (UTC)Formatted as YYYY-MM-DD HH:MM:SS.

All items are sorted by created_at in ascending order.

User impersonation

{{< details >}}

  • Tier: Premium, Ultimate
  • Offering: GitLab Self-Managed

{{< /details >}}

When a user is impersonated, their actions are logged as audit events with the following additional details:

  • Audit events include information about the impersonating administrator.
  • Extra audit events are recorded for the start and end of the administrator's impersonation session.

Time zones

For information on timezones and audit events, see Time zones.

Contribute to audit events

For information on contributing to audit events, see Contribute to audit events.