Start Building for Free

Audit logs

1 month ago2 min read
On This Page
  • Overview
  • Audit log events
  • Audit log fields


CircleCI logs important events in the system for audit and forensic analysis purposes. Audit logs are separate from system logs that track performance and network metrics.

CircleCI server customers can access the audit log feature from the UI in the web app. Complete audit logs may be downloaded from the Audit Log page within the Admin section of the application as a CSV file. Audit log fields with nested data contain JSON blobs.

Cloud customers can contact CircleCI support to request an audit log. Only organization admin users can make an audit log request.

Per our data retention policy, audit logs can be retrieved for up to 12 months.

Audit log events

The following are the system events that are logged. See action in the Field section below for the definition and format.

  • context.create

  • context.delete

  • context.env_var.delete


  • project.env_var.create

  • project.env_var.delete

  • project.settings.update

  • project.ssh_key.create

  • project.ssh_key.delete

  • project.api_token.create

  • schedule.create

  • schedule.update

  • schedule.delete

  • user.create

  • user.logged_in

  • user.logged_out

  • workflow.job.approve

  • workflow.job.finish

  • workflow.job.scheduled

  • workflow.job.start

Audit log fields

  • action: The action taken that created the event. The format is ASCII lowercase words, separated by dots, with the entity acted upon first and the action taken last. In some cases entities are nested, for example, workflow.job.start.

  • actor: The actor who performed this event. In most cases this will be a CircleCI user. This data is a JSON blob that will always contain id and and type and will likely contain name.

  • target: The entity instance acted upon for this event, for example, a project, an org, an account, or a build. This data is a JSON blob that will always contain id and and type and will likely contain name.

  • payload: A JSON blob of action-specific information. The schema of the payload is expected to be consistent for all events with the same action and version.

  • occurred_at: When the event occurred in UTC expressed in ISO-8601 format with up to nine digits of fractional precision, for example '2017-12-21T13:50:54.474Z'.

  • metadata: A set of key/value pairs that can be attached to any event. All keys and values are strings. This can be used to add additional information to certain types of events.

  • id: A UUID that uniquely identifies this event. This is intended to allow consumers of events to identify duplicate deliveries.

  • version: Version of the event schema. Currently the value will always be 1. Later versions may have different values to accommodate schema changes.

  • scope: If the target is owned by an Account in the CircleCI domain model, the account field should be filled in with the Account name and ID. This data is a JSON blob that will always contain id and type and will likely contain name.

  • success: A flag to indicate if the action was successful.

  • request: If this event was triggered by an external request this data will be populated and may be used to connect events that originate from the same external request. The format is a JSON blob containing id (the unique ID assigned to this request by CircleCI).

Help make this document better

This guide, as well as the rest of our docs, are open source and available on GitHub. We welcome your contributions.

Need support?

Our support engineers are available to help with service issues, billing, or account related questions, and can help troubleshoot build configurations. Contact our support engineers by opening a ticket.

You can also visit our support site to find support articles, community forums, and training resources.