Skip to main content

Track user activity with audit logs

Use W&B audit logs to track user activity within your organization, and to conform to your enterprise governance requirements. Audit logs are available in JSON format. How to access audit logs depends on your W&B platform deployment type:

W&B Platform Deployment typeAudit logs access mechanism
Self-managedSynced to instance-level bucket every 10 minutes. Also available using the API.
Dedicated Cloud with secure storage connector (BYOB)Synced to instance-level bucket (BYOB) every 10 minutes. Also available using the API.
Dedicated Cloud with W&B managed storage (without BYOB)Only available using the API.
info

Audit logs are not available for SaaS Cloud.

Once you've access to your audit logs, analyze those using your preferred tools, such as Pandas, Amazon Redshift, Google BigQuery, Microsoft Fabric, and more. You may need to transform the JSON-formatted audit logs into a format relevant to the tool before analysis. Information on how to transform your audit logs for specific tools is outside the scope of W&B documentation.

tip

Audit Log Retention: If a compliance, security or risk team in your organization requires audit logs to be retained for a specific period of time, W&B recommends to periodically transfer the logs from your instance-level bucket to a long-term retention storage. If you're instead using the API to access the audit logs, you can implement a simple script that runs periodically (like daily or every few days) to fetch any logs that may have been generated since the time of the last script run, and store those in a short-term storage for analysis or directly transfer to a long-term retention storage.

HIPAA compliance requires that you retain audit logs for a minimum of 6 years. For HIPAA-compliant Dedicated Cloud instances with BYOB, you must configure guardrails for your managed storage including any long-term retention storage, to ensure that no internal or external user can delete audit logs before the end of the mandatory retention period.

Audit log schemaโ€‹

The following table lists all the different keys that might be present in your audit logs. Each log contains only the assets relevant to the corresponding action, and others are omitted from the log.

KeyDefinition
timestampTime stamp in RFC3339 format. For example: 2023-01-23T12:34:56Z, represents 12:34:56 UTC time on Jan 23, 2023.
actionWhat action did the user take.
actor_user_idIf present, ID of the logged-in user who performed the action.
response_codeHttp response code for the action.
artifact_assetIf present, action was taken on this artifact id
artifact_sequence_assetIf present, action was taken on this artifact sequence id
entity_assetIf present, action was taken on this entity or team id.
project_assetIf present, action was taken on this project id.
report_assetIf present, action was taken on this report id.
user_assetIf present, action was taken on this user asset.
cli_versionIf the action is taken via python SDK, this will contain the version
actor_ipIP address of the logged-in user.
actor_emailif present, action was taken on this actor email.
artifact_digestif present, action was taken on this artifact digest.
artifact_qualified_nameif present, action was taken on this artifact.
entity_nameif present, action was taken on this entity or team name.
project_nameif present, action was taken on this project name.
report_nameif present, action was taken on this report name.
user_emailif present, action was taken on this user email.

Personally identifiable information (PII) like email ids, project, team and report names are available only using the API endpoint option, and can be turned off as described below.

Fetch audit logs using APIโ€‹

An instance admin can fetch the audit logs for your W&B instance using the following API:

  1. Construct the full API endpoint using a combination of the base endpoint <wandb-platform-url>/admin/audit_logs and the following URL parameters:
    • numDays : logs will be fetched starting from today - numdays to most recent; defaults to 0 i.e. logs will be returned only for today
    • anonymize : if set to true, remove any PII; defaults to false
  2. Execute HTTP GET request on the constructed full API endpoint, either by directly running it within a modern browser, or by using a tool like Postman, HTTPie, cURL command or more.

If your W&B instance URL is https://mycompany.wandb.io and you would like to get audit logs without PII for user activity within the last week, you must use the API endpoint https://mycompany.wandb.io?numDays=7&anonymize=true.

note

Only W&B instance admins can fetch audit logs using the API. If you are not an instance admin or not logged into your organization, you get a HTTP 403 Forbidden error.

The API response contains new-line separated JSON objects. Objects will include the fields described in the schema. It's the same format which is used when syncing audit log files to an instance-level bucket (wherever applicable as mentioned earlier). In those cases, the audit logs are located at the /wandb-audit-logs directory in your bucket.

Actionsโ€‹

The following table describes possible actions that can be recorded by W&B:

ActionDefinition
artifact:createArtifact is created.
artifact:deleteArtifact is deleted.
artifact:readArtifact is read.
project:deleteProject is deleted.
project:readProject is read.
report:readReport is read.
run:deleteRun is deleted.
run:delete_manyRuns are deleted in batch.
run:update_manyRuns are updated in batch.
run:stopRun is stopped.
run:undelete_manyRuns are brought back from trash in batch.
run:updateRun is updated.
sweep:create_agentSweep agent is created.
team:invite_userUser is invited to team.
team:create_service_accountService account is created for the team.
team:createTeam is created.
team:uninviteUser or service account is uninvited from team.
team:deleteTeam is deleted.
user:createUser is created.
user:delete_api_keyAPI key for the user is deleted.
user:deactivateUser is deactivated.
user:create_api_keyAPI key for the user is created.
user:permanently_deleteUser is permanently deleted.
user:reactivateUser is reactivated.
user:updateUser is updated.
user:readUser profile is read.
user:loginUser logs in.
user:initiate_loginUser initiates log in.
user:logoutUser logs out.
Was this page helpful?๐Ÿ‘๐Ÿ‘Ž