Available on: Enterprise Edition

How to use Audit Logs to govern activities in your Kestra instance.

What are Audit Logs

Audit Logs record all activities performed in your Kestra instance by users and service accounts. By reviewing Audit Logs, system administrators can track user activity, and security teams can investigate incidents and ensure compliance with regulatory requirements.

Why are Audit Logs important

The audit log table in Kestra serves as a historical record that developers and system administrators can use to track changes, monitor system usage, and verify system activity. It's a transparency tool that helps in understanding the sequence of activities, ensuring accountability for actions taken, and providing data for troubleshooting and analysis. Given that Audit Logs are immutable, they can also be used to detect and investigate security incidents. If you leverage Kestra edition with Elasticsearch backend, you can also use Kibana to search and visualize your logs.

How to access Audit Logs

You can access Audit Logs from the Administration section in the UI. That UI page provides a detailed table of recorded events, capturing the actions taken within the system:

audit_logs

Each row in the table represents a distinct event with several columns providing specific details:

  • Resource Type column categorizes the resource that the event is associated with, such as editing a flow (FLOW) or executing it (EXECUTION).
  • Changes indicates whether a given resource has been created, updated, or deleted.
  • Actor identifies who performed the action. The user can be a human, system or a service account.
  • Details section offers an in-depth description of the event, including identifiers such as the id, namespace, flowId, executionId, revision, etc. โ€” those fields depend on the type of resource the event is associated with.
  • Date represents the timestamp of when the event occurred.

How to see a full diff of a specific event

To see a full diff of a specific event, click on the icon at the end of each row to expand the details. The expanded view will show the full diff of the event side-by-side, including the before and after states of a given resource:

audit_logs

Below is an example where we manually change the Execution state from FAILED to SUCCESS and the diff shows the exact change made to the Execution:

audit_logs_diff

How to use the Details filter to search for specific Audit Log events

The Details filter allows you to flexibly search for any Audit Log event using the key:value format. It's a tag-based system which works the same way as Execution Labels.

For example, you can filter for all events related to a specific namespace by typing namespace:your_namespace:

audit_logs

To further filter for a specific event, you can simply click on the relevant tag in the Details column:

audit_logs

How to filter for tenant-specific events

Let's say you want to find out when a specific tenant was created. Simply type "Tenant" in the search bar to filter for events related to when the tenant was created, updated, or deleted.

audit_logs

Alternatively, you can explicitly type in the Details filter id:your_tenant_id to filter for events related to that tenant:

audit_logs


How to Purge Audit Logs

The Enterprise Edition of Kestra generates an audit log for every action taken on the platform. While these logs are essential for tracking changes and ensuring compliance, they can accumulate over time and take up significant amount of space in the database.

The PurgeAuditLogs task, available in Kestra v0.19.0 and higher, will remove old audit logs that are no longer needed. You can set a date range for the logs you want to delete, choose a specific namespace, and even filter by permissions or actions (CREATE, READ, UPDATE, DELETE).

Here is the recommended way to implement the Audit Logs retention policy that will purge audit logs older than one month:

yaml
id: audit_log_cleanup
namespace: system
tasks:
  - id: purge_audit_logs
    type: io.kestra.plugin.ee.core.log.PurgeAuditLogs
    description: Purge audit logs older than 1 month
    endDate: "{{ now() | dateAdd(-1, 'MONTHS') }}"

Note how the above flow is added to the system namespace, which is the default namespace for System Flows. This ensures that this maintenance flow and its executions are hidden from the main UI, making them only visible within the system namespace that can be managed by platform administrators.

Combining the System Flows functionality with the PurgeAuditLogs task provides a simple way to manage your audit logs as code and from the UI, ensuring you keep them as long as you need to stay compliant while keeping your database clean and performant.

Was this page helpful?