> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wandb.ai/llms.txt
> Use this file to discover all available pages before exploring further.
# Track user activity with audit logs
> Access, fetch, and analyze W&B audit logs across deployment types, including the log schema and tracked actions.
Use W\&B audit logs to track user activity within your organization and to conform to your enterprise governance requirements. Audit logs are available in JSON format. Refer to [Audit log schema](#audit-log-schema).
How to access audit logs depends on your W\&B platform deployment type:
| W\&B Platform Deployment type | Audit logs access mechanism |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Dedicated Cloud](/platform/hosting/hosting-options/dedicated-cloud) | - [Instance-level BYOB](/platform/hosting/data-security/secure-storage-connector): Synced to instance-level bucket (BYOB) every 10 minutes. Also available using [the API](#fetch-audit-logs-using-api).
- Default instance-level storage: Available only by using [the API](#fetch-audit-logs-using-api).
|
| [Multi-tenant Cloud](/platform/hosting/hosting-options/multi_tenant_cloud) | Available for Enterprise plans only. Available only by using [the API](#fetch-audit-logs-using-api). |
| [Self-Managed](/platform/hosting/hosting-options/self-managed) | Synced to instance-level bucket every 10 minutes. Also available using [the API](#fetch-audit-logs-using-api). |
After fetching audit logs, you can analyze them using tools like [Pandas](https://pandas.pydata.org/docs/index.html), [Amazon Redshift](https://aws.amazon.com/redshift/), [Google BigQuery](https://cloud.google.com/bigquery), or [Microsoft Fabric](https://www.microsoft.com/microsoft-fabric). Some audit log analysis tools do not support JSON; refer to the documentation for your analysis tool for guidelines and requirements for transforming the JSON-formatted audit logs before analysis.
For more details about the format of the logs, see [Audit log schema](#audit-log-schema) and [Actions](#actions).
## Audit log retention
* If you require audit logs to be retained for a specific period of time, W\&B recommends periodically transferring logs to long-term storage, either using storage buckets or the Audit Logging API.
* If you are subject to the [Health Insurance Portability and Accountability Act of 1996 (HIPAA)](https://hhs.gov/hipaa/for-professionals/index.html), audit logs must be retained for a minimum of 6 years in an environment where they cannot be deleted or modified by any internal or external actor before the end of the mandatory retention period. For HIPAA-compliant [Dedicated Cloud](/platform/hosting/hosting-options/dedicated-cloud) instances with [BYOB](/platform/hosting/data-security/secure-storage-connector), you must configure guardrails for your managed storage, including any long-term retention storage.
## Audit log schema
This table shows all keys which may appear in an audit log entry, ordered alphabetically. Depending on the action and the circumstances, a specific log entry may include only a subset of the possible fields.
| Key | Definition |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `action` | The [action](#actions) of the event. |
| `actor_email` | The email address of the user that initiated the action, if applicable. |
| `actor_ip` | The IP address of the user that initiated the action. |
| `actor_user_id` | The ID of the logged-in user who performed the action, if applicable. |
| `artifact_asset` | The artifact ID associated with the action, if applicable. |
| `artifact_digest` | The artifact digest associated with the action, if applicable. |
| `artifact_qualified_name` | The full name of the artifact associated with the action, if applicable. |
| `artifact_sequence_asset` | The artifact sequence ID associated with the action, if applicable. |
| `cli_version` | The version of the Python SDK that initiated the action, if applicable. |
| `entity_asset` | The entity or team ID associated with the action, if applicable. |
| `entity_name` | The entity or team name associated with the action, if applicable. |
| `project_asset` | The project associated with the action, if applicable. |
| `project_name` | The name of the project associated with the action, if applicable. |
| `report_asset` | The report ID associated with the action, if applicable. |
| `report_name` | The name of the report associated with the action, if applicable. |
| `response_code` | The HTTP response code for the action, if applicable. |
| `timestamp` | The time of the event in [RFC3339 format](https://www.rfc-editor.org/rfc/rfc3339). For example, `2023-01-23T12:34:56Z` represents January 23, 2023 at 12:34:56 UTC. |
| `user_asset` | The user asset the action impacts (rather than the user performing the action), if applicable. |
| `user_email` | The email address of the user the action impacts (rather than the email address of the user performing the action), if applicable. |
### Personally identifiable information (PII)
Personally identifiable information (PII), such as email addresses and the names of projects, teams, and reports, is available only using the API endpoint option.
* For [Self-Managed](/platform/hosting/hosting-options/self-managed) and
[Dedicated Cloud](/platform/hosting/hosting-options/dedicated-cloud), an organization admin can [exclude PII](#exclude-pii) when fetching audit logs.
* For [Multi-tenant Cloud](/platform/hosting/hosting-options/multi_tenant_cloud), the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable.
## Before you begin
1. Organization level admins can fetch audit logs. If you receive a `403` error, ensure that you or your service account has adequate permission.
2. **Multi-tenant Cloud**: If you are a member of multiple Multi-tenant Cloud organizations, you *must* configure the **Default API organization**, which determines where audit logging API calls are routed. Otherwise, you will receive the following error:
```text theme={null}
user is associated with multiple organizations but no valid org ID found in user info
```
To specify your default API organization:
1. Click your profile image, then click **User Settings**.
2. For **Default API organization**, select an organization.
This is not applicable to a service account, which can be a member of only one Multi-tenant Cloud organization.
## Fetch audit logs
To fetch audit logs:
1. Determine the correct API endpoint for your instance:
* [Self-Managed](/platform/hosting/hosting-options/self-managed): `/admin/audit_logs`
* [Dedicated Cloud](/platform/hosting/hosting-options/dedicated-cloud): `.wandb.io/admin/audit_logs`
* [Multi-tenant Cloud (Enterprise required)](/platform/hosting/hosting-options/multi_tenant_cloud): `https://api.wandb.ai/audit_logs`
In the following steps, replace `` with your API endpoint.
2. (Optional) Construct query parameters to append to the endpoint. In the following steps, replace `` with the resulting string.
* `anonymize`: if the URL includes the parameter `anonymize=true`, remove any PII. Otherwise, PII is included. Refer to [Exclude PII when fetching audit logs](#exclude-pii-when-fetching-audit-logs). Not supported for Multi-tenant Cloud, where all fields are included, including PII.
* Configure the date window of logs to fetch using a combination of `numdays` and `startDate`. Each parameter is optional, and they interact.
* If neither parameter is included, only today's logs are fetched.
* `numDays`: An integer indicating the number of days backward from `startDate` to fetch logs. If it is omitted or set to `0`, logs are fetched for `startDate` only. On **Multi-tenant Cloud**, you can fetch a maximum of 7 days of audit logs, even if you set `numDays` to a larger value.
* `startDate`: Optional. Use `startDate=YYYY-MM-DD` to set the newest calendar day in the range. If you omit it or set it to today, the range ends today and `numDays` counts backward from that day.
* Supported in **Multi-tenant Cloud** only with an Enterprise license.
* Supported in **Dedicated Cloud** and **Self-Managed** v0.80.0 and above.
3. Construct the fully qualified endpoint URL in the format `?`.
4. Execute an HTTP `GET` request on the fully qualified API endpoint using a web browser or a tool like [Postman](https://www.postman.com/downloads/), [HTTPie](https://httpie.io/), or cURL.
The API response contains new-line separated JSON objects. Objects will include the fields described in the [schema](#audit-log-schema), just like when audit logs are synced to an instance-level bucket. In those cases, the audit logs are located in the `/wandb-audit-logs` directory in your bucket.
### Use basic authentication
To use basic authentication with your API key to access the audit logs API, set the HTTP request's `Authorization` header to the string `Basic` followed by a space, then the base-64 encoded string in the format `username:API-KEY`. In other words, replace the username and API key with your values separated with a `:` character, then base-64-encode the result. For example, to authorize as `demo:p@55w0rd`, the header should be `Authorization: Basic ZGVtbzpwQDU1dzByZA==`.
### Exclude PII when fetching audit logs
For [Self-Managed](/platform/hosting/hosting-options/self-managed) and [Dedicated Cloud](/platform/hosting/hosting-options/dedicated-cloud), a W\&B organization or instance admin can exclude PII when fetching audit logs. For [Multi-tenant Cloud](/platform/hosting/hosting-options/multi_tenant_cloud), the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable.
To exclude PII, pass the `anonymize=true` URL parameter. For example, if your W\&B instance URL is `https://mycompany.wandb.io` and you would like to get audit logs for user activity within the last week and exclude PII, use an API endpoint like:
```text theme={null}
https://mycompany.wandb.io/admin/audit_logs?anonymize=true&.
```
## Actions
This table describes possible actions that can be recorded by W\&B, sorted alphabetically.
| Action | Definition |
| ----------------------------- | --------------------------------------------------------------------------------- |
| `artifact:create` | Artifact is created. |
| `artifact:delete ` | Artifact is deleted. |
| `artifact:read` | Artifact is read. |
| `project:delete` | Project is deleted. |
| `project:read` | Project is read. |
| `report:read` | Report is read. 1 |
| `run:delete_many` | Batch of runs is deleted. |
| `run:delete` | Run is deleted. |
| `run:stop` | Run is stopped. |
| `run:undelete_many` | Batch of runs is restored from trash. |
| `run:update_many` | Batch of runs is updated. |
| `run:update` | Run is updated. |
| `sweep:create_agent` | Sweep agent is created. |
| `team:create_service_account` | Service account is created for the team. |
| `team:create` | Team is created. |
| `team:delete` | Team is deleted. |
| `team:invite_user` | User is invited to team. |
| `team:uninvite` | User or service account is uninvited from team. |
| `user:create_api_key` | API key for the user or service account is created. 1 |
| `user:create` | User is created. 1 |
| `user:deactivate` | User is deactivated. 1 |
| `user:delete_api_key` | API key for the user or service account is deleted. 1 |
| `user:initiate_login` | User initiates log in. 1 |
| `user:login` | User logs in. 1 |
| `user:logout` | User logs out. 1 |
| `user:permanently_delete` | User is permanently deleted. 1 |
| `user:reactivate` | User is reactivated. 1 |
| `user:read` | User profile is read. 1 |
| `user:update` | User is updated. 1 |
1: On [Multi-tenant Cloud](/platform/hosting/hosting-options/multi_tenant_cloud), audit logs are not collected for:
* Open or Public projects.
* The `report:read` action.
* `User` actions which are not tied to a specific organization.