CockroachDB Cloud captures audit logs when many types of events occur, such as when a cluster is created or when a user is added to or removed from an organization.
View audit logs
To access the Audit Logs page:
- Navigate to the CockroachDB Cloud Console and log in as a user with the Organization Admin role.
- In the top navigation bar, open the Organization menu and select Audit Logs.
Filter audit logs
Filter the audit logs by the following fields:
- Time Range (UTC):
- Default: Last 48 hours.
- To set the time range, click the Time Range (UTC) field. You can select a Start date and End date from the displayed calendar or manually enter dates and times for the range.
- User email: Select one or more email addresses from the list of organization members (optional).
- Action name: Select one or more predefined auditable actions (optional).
- Cluster name: Select one or more cluster names (optional).
Audit Logs table
If audit logs are found for the filter selections, a table is displayed with the following columns:
- Time (UTC)
User: Displays the following:
- User's email if Source is
UI. - Service account name if Source is
API. (Note: You cannot filter by service account name.) CRL Userif Source isCRL. (Note: You cannot filter byCRL User.)
- User's email if Source is
Action name
Cluster name
Source: Displays the following:
UIfor actions executed in the Cloud Console.APIfor actions executed via the Cloud API.CRLfor actions executed by Cockroach Labs.
Audit log details
Click a row in the Audit Logs table to open the Action details panel, which displays event information, including the full payload in the Details section.
URL query parameters
All selected filters are reflected in the URL query parameters, making it easy to share specific views. For example:
startingFromandendingAt: Define the selected time range.logId: Specifies the Action ID of an expanded log entry in the sidebar.
https://cockroachlabs.cloud/audit-logs?startingFrom=2025-03-04T19%3A51%3A36.590Z&endingAt=2025-03-07T19%3A51%3A36.000-05%3A00&logId=78d55b3c-424e-45fa-bbce-03f2ed738897
Example use cases
For organization administrators, security teams, and compliance officers, audit logs provide critical insights into system activities. These logs are essential for:
- Tracking user role changes
- Example: To identify when and by whom an Admin role was assigned, filter by the action
ADD_USER_TO_ROLE.
- Example: To identify when and by whom an Admin role was assigned, filter by the action
- Investigating cluster costs
- Example: To determine who created a cluster and when, filter by the action
CREATE_CLUSTER.
- Example: To determine who created a cluster and when, filter by the action
- Understanding IP allowlisting changes
- Example: To identify why and by whom an IP address was added, filter by the action
ADD_IP_ALLOWLIST.
- Example: To identify why and by whom an IP address was added, filter by the action
- Verifying cluster deletions
- Example: To ensure cluster deletions were intentional, filter by the action
DELETE_CLUSTER.
- Example: To ensure cluster deletions were intentional, filter by the action
- Diagnosing performance issues
- Example: To track configuration changes affecting performance, filter by the action
UPDATE_CLUSTER.
- Example: To track configuration changes affecting performance, filter by the action
- Analyzing security threats
- Example: To investigate failed login attempts and suspicious login activity, filter by the action
USER_LOGIN.
- Example: To investigate failed login attempts and suspicious login activity, filter by the action
- Reviewing maintenance schedule changes
- Example: To track modifications to maintenance windows, filter by the actions
SET_CLUSTER_MAINTENANCE_WINDOWandDELETE_CLUSTER_MAINTENANCE_WINDOW.
- Example: To track modifications to maintenance windows, filter by the actions
See also
Was this helpful?
