Audit event streaming GraphQL API

Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
History

Audit event streaming destinations can be maintained using a GraphQL API.

Top-level group streaming destinations

Manage streaming destinations for top-level groups.

HTTP destinations

Manage HTTP streaming destinations for top-level groups.

Add a new streaming destination

Add a new streaming destination to top-level groups.

caution
Streaming destinations receive all audit event data, which could include sensitive information. Make sure you trust the streaming destination.

Prerequisites:

  • Owner role for a top-level group.

To enable streaming and add a destination to a top-level group, use the externalAuditEventDestinationCreate mutation. 

mutation {
  externalAuditEventDestinationCreate(input: { destinationUrl: "https://mydomain.io/endpoint/ingest", groupPath: "my-group" } ) {
    errors
    externalAuditEventDestination {
      id
      name
      destinationUrl
      verificationToken
      group {
        name
      }
    }
  }
}

You can optionally specify your own verification token (instead of the default GitLab-generated one) using the GraphQL externalAuditEventDestinationCreate mutation. Verification token length must be within 16 to 24 characters and trailing whitespace are not trimmed. You should set a cryptographically random and unique value. For example: 

mutation {
  externalAuditEventDestinationCreate(input: { destinationUrl: "https://mydomain.io/endpoint/ingest", groupPath: "my-group", verificationToken: "unique-random-verification-token-here" } ) {
    errors
    externalAuditEventDestination {
      id
      name
      destinationUrl
      verificationToken
      group {
        name
      }
    }
  }
}

You can optionally specify your own destination name (instead of the default GitLab-generated one) using the GraphQL externalAuditEventDestinationCreate mutation. Name length must not exceed 72 characters and trailing whitespace are not trimmed. This value should be unique scoped to a group. For example: 

mutation {
  externalAuditEventDestinationCreate(input: { destinationUrl: "https://mydomain.io/endpoint/ingest", name: "destination-name-here", groupPath: "my-group" }) {
    errors
    externalAuditEventDestination {
      id
      name
      destinationUrl
      verificationToken
      group {
        name
      }
    }
  }
}

Event streaming is enabled if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

You can add an HTTP header using the GraphQL auditEventsStreamingHeadersCreate mutation. You can retrieve the destination ID by listing all the streaming destinations for the group or from the mutation above. 

mutation {
  auditEventsStreamingHeadersCreate(input: {
    destinationId: "gid://gitlab/AuditEvents::ExternalAuditEventDestination/1",
     key: "foo",
     value: "bar",
     active: false
  }) {
    errors
    header {
      id
      key
      value
      active
    }
  }
}

The header is created if the returned errors object is empty.

List streaming destinations

List streaming destinations for a top-level groups.

Prerequisites:

  • Owner role for a top-level group.

You can view a list of streaming destinations for a top-level group using the externalAuditEventDestinations query type. 

query {
  group(fullPath: "my-group") {
    id
    externalAuditEventDestinations {
      nodes {
        destinationUrl
        verificationToken
        id
        name
        headers {
          nodes {
            key
            value
            id
            active
          }
        }
        eventTypeFilters
        namespaceFilter {
          id
          namespace {
            id
            name
            fullName
          }
        }
      }
    }
  }
}

If the resulting list is empty, then audit streaming is not enabled for that group.

Update streaming destinations

Update streaming destinations for a top-level group.

Prerequisites:

  • Owner role for a top-level group.

To update streaming destinations for a group, use the externalAuditEventDestinationUpdate mutation type. You can retrieve the destinations ID by listing all the streaming destinations for the group. 

mutation {
  externalAuditEventDestinationUpdate(input: {
    id:"gid://gitlab/AuditEvents::ExternalAuditEventDestination/1",
    destinationUrl: "https://www.new-domain.com/webhook",
    name: "destination-name"} ) {
    errors
    externalAuditEventDestination {
      id
      name
      destinationUrl
      verificationToken
      group {
        name
      }
    }
  }
}

Streaming destination is updated if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Users with the Owner role for a group can update streaming destinations’ custom HTTP headers using the auditEventsStreamingHeadersUpdate mutation type. You can retrieve the custom HTTP headers ID by listing all the custom HTTP headers for the group. 

mutation {
  auditEventsStreamingHeadersUpdate(input: { headerId: "gid://gitlab/AuditEvents::Streaming::Header/2", key: "new-key", value: "new-value", active: false }) {
    errors
    header {
      id
      key
      value
      active
    }
  }
}

Group owners can remove an HTTP header using the GraphQL auditEventsStreamingHeadersDestroy mutation. You can retrieve the header ID by listing all the custom HTTP headers for the group. 

mutation {
  auditEventsStreamingHeadersDestroy(input: { headerId: "gid://gitlab/AuditEvents::Streaming::Header/1" }) {
    errors
  }
}

The header is deleted if the returned errors object is empty.

Delete streaming destinations

Delete streaming destinations for a top-level group.

When the last destination is successfully deleted, streaming is disabled for the group.

Prerequisites:

  • Owner role for a top-level group.

Users with the Owner role for a group can delete streaming destinations using the externalAuditEventDestinationDestroy mutation type. You can retrieve the destinations ID by listing all the streaming destinations for the group. 

mutation {
  externalAuditEventDestinationDestroy(input: { id: destination }) {
    errors
  }
}

Streaming destination is deleted if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Group owners can remove an HTTP header using the GraphQL auditEventsStreamingHeadersDestroy mutation. You can retrieve the header ID by listing all the custom HTTP headers for the group. 

mutation {
  auditEventsStreamingHeadersDestroy(input: { headerId: "gid://gitlab/AuditEvents::Streaming::Header/1" }) {
    errors
  }
}

The header is deleted if the returned errors object is empty.

Event type filters

History
  • Event type filters API introduced in GitLab 15.7.

When this feature is enabled for a group, you can use an API to permit users to filter streamed audit events per destination. If the feature is enabled with no filters, the destination receives all audit events.

A streaming destination that has an event type filter set has a filtered () label.

Use the API to add an event type filter

Prerequisites:

  • You must have the Owner role for the group.

You can add a list of event type filters using the auditEventsStreamingDestinationEventsAdd query type: 

mutation {
    auditEventsStreamingDestinationEventsAdd(input: {
        destinationId: "gid://gitlab/AuditEvents::ExternalAuditEventDestination/1",
        eventTypeFilters: ["list of event type filters"]}){
        errors
        eventTypeFilters
    }
}

Event type filters are added if:

  • The returned errors object is empty.
  • The API responds with 200 OK.
Use the API to remove an event type filter

Prerequisites:

  • You must have the Owner role for the group.

You can remove a list of event type filters using the auditEventsStreamingDestinationEventsRemove mutation type: 

mutation {
    auditEventsStreamingDestinationEventsRemove(input: {
    destinationId: "gid://gitlab/AuditEvents::ExternalAuditEventDestination/1",
    eventTypeFilters: ["list of event type filters"]
  }){
    errors
  }
}

Event type filters are removed if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Namespace filters

History
  • Namespace filters API introduced in GitLab 16.7.

When you apply a namespace filter to a group, users can filter streamed audit events per destination for a specific subgroup or project of the group. Otherwise, the destination receives all audit events.

A streaming destination that has a namespace filter set has a filtered () label.

Use the API to add a namespace filter

Prerequisites:

  • You must have the Owner role for the group.

You can add a namespace filter by using the auditEventsStreamingHttpNamespaceFiltersAdd mutation type for both subgroups and projects.

The namespace filter is added if:

  • The API returns an empty errors object.
  • The API responds with 200 OK.
Mutation for subgroup 
mutation auditEventsStreamingHttpNamespaceFiltersAdd {
  auditEventsStreamingHttpNamespaceFiltersAdd(input: {
    destinationId: "gid://gitlab/AuditEvents::ExternalAuditEventDestination/1",
    groupPath: "path/to/subgroup"
  }) {
    errors
    namespaceFilter {
      id
      namespace {
        id
        name
        fullName
      }
    }
  }
}
Mutation for project 
mutation auditEventsStreamingHttpNamespaceFiltersAdd {
  auditEventsStreamingHttpNamespaceFiltersAdd(input: {
    destinationId: "gid://gitlab/AuditEvents::ExternalAuditEventDestination/1",
    projectPath: "path/to/project"
  }) {
    errors
    namespaceFilter {
      id
      namespace {
        id
        name
        fullName
      }
    }
  }
}
Use the API to remove a namespace filter

Prerequisites:

  • You must have the Owner role for the group.

You can remove a namespace filter by using the auditEventsStreamingHttpNamespaceFiltersDelete mutation type: 

mutation auditEventsStreamingHttpNamespaceFiltersDelete {
  auditEventsStreamingHttpNamespaceFiltersDelete(input: {
    namespaceFilterId: "gid://gitlab/AuditEvents::Streaming::HTTP::NamespaceFilter/5"
  }) {
    errors
  }
}

Namespace filter is removed if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Google Cloud Logging destinations

History

Manage Google Cloud Logging destinations for top-level groups.

Before setting up Google Cloud Logging streaming audit events, you must satisfy the prerequisites.

Add a new Google Cloud Logging destination

Add a new Google Cloud Logging configuration destination to a top-level group.

Prerequisites:

  • Owner role for a top-level group.
  • A Google Cloud project with the necessary permissions to create service accounts and enable Google Cloud Logging.

To enable streaming and add a configuration, use the googleCloudLoggingConfigurationCreate mutation in the GraphQL API. 

mutation {
  googleCloudLoggingConfigurationCreate(input: { groupPath: "my-group", googleProjectIdName: "my-google-project", clientEmail: "my-email@my-google-project.iam.gservice.account.com", privateKey: "YOUR_PRIVATE_KEY", logIdName: "audit-events", name: "destination-name" } ) {
    errors
    googleCloudLoggingConfiguration {
      id
      googleProjectIdName
      logIdName
      clientEmail
      name
    }
    errors
  }
}

Event streaming is enabled if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

List Google Cloud Logging configurations

List all Google Cloud Logging configuration destinations for a top-level group.

Prerequisites:

  • Owner role for a top-level group.

You can view a list of streaming configurations for a top-level group using the googleCloudLoggingConfigurations query type. 

query {
  group(fullPath: "my-group") {
    id
    googleCloudLoggingConfigurations {
      nodes {
        id
        logIdName
        googleProjectIdName
        clientEmail
        name
      }
    }
  }
}

If the resulting list is empty, then audit streaming is not enabled for the group.

You need the ID values returned by this query for the update and delete mutations.

Update Google Cloud Logging configurations

Update a Google Cloud Logging configuration destinations for a top-level group.

Prerequisites:

  • Owner role for a top-level group.

To update streaming configuration for a top-level group, use the googleCloudLoggingConfigurationUpdate mutation type. You can retrieve the configuration ID by listing all the external destinations. 

mutation {
  googleCloudLoggingConfigurationUpdate(
    input: {id: "gid://gitlab/AuditEvents::GoogleCloudLoggingConfiguration/1", googleProjectIdName: "my-google-project", clientEmail: "my-email@my-google-project.iam.gservice.account.com", privateKey: "YOUR_PRIVATE_KEY", logIdName: "audit-events", name: "updated-destination-name" }
  ) {
    errors
    googleCloudLoggingConfiguration {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}

Streaming configuration is updated if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Delete Google Cloud Logging configurations

Delete streaming destinations for a top-level group.

When the last destination is successfully deleted, streaming is disabled for the group.

Prerequisites:

  • Owner role for a top-level group.

Users with the Owner role for a group can delete streaming configurations using the googleCloudLoggingConfigurationDestroy mutation type. You can retrieve the configurations ID by listing all the streaming destinations for the group. 

mutation {
  googleCloudLoggingConfigurationDestroy(input: { id: "gid://gitlab/AuditEvents::GoogleCloudLoggingConfiguration/1" }) {
    errors
  }
}

Streaming configuration is deleted if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Instance streaming destinations

Tier: Ultimate Offering: Self-managed
History

Manage streaming destinations for an entire instance.

HTTP destinations

Manage HTTP streaming destinations for an entire instance.

Add a new HTTP destination

Add a new HTTP streaming destination to an instance.

Prerequisites:

  • Administrator access on the instance.

To enable streaming and add a destination, use the instanceExternalAuditEventDestinationCreate mutation in the GraphQL API. 

mutation {
  instanceExternalAuditEventDestinationCreate(input: { destinationUrl: "https://mydomain.io/endpoint/ingest"}) {
    errors
    instanceExternalAuditEventDestination {
      destinationUrl
      id
      name
      verificationToken
    }
  }
}

Event streaming is enabled if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

You can optionally specify your own destination name (instead of the default GitLab-generated one) using the GraphQL instanceExternalAuditEventDestinationCreate mutation. Name length must not exceed 72 characters and trailing whitespace are not trimmed. This value should be unique. For example: 

mutation {
  instanceExternalAuditEventDestinationCreate(input: { destinationUrl: "https://mydomain.io/endpoint/ingest", name: "destination-name-here"}) {
    errors
    instanceExternalAuditEventDestination {
      destinationUrl
      id
      name
      verificationToken
    }
  }
}

Instance administrators can add an HTTP header using the GraphQL auditEventsStreamingInstanceHeadersCreate mutation. You can retrieve the destination ID by listing all the streaming destinations for the instance or from the mutation above. 

mutation {
  auditEventsStreamingInstanceHeadersCreate(input:
    {
      destinationId: "gid://gitlab/AuditEvents::InstanceExternalAuditEventDestination/42",
      key: "foo",
      value: "bar",
      active: true
    }) {
    errors
    header {
      id
      key
      value
      active
    }
  }
}

The header is created if the returned errors object is empty.

List streaming destinations

List all HTTP streaming destinations for an instance.

Prerequisites:

  • Administrator access on the instance.

To view a list of streaming destinations for an instance, use the instanceExternalAuditEventDestinations query type. 

query {
  instanceExternalAuditEventDestinations {
    nodes {
      id
      name
      destinationUrl
      verificationToken
      headers {
        nodes {
          id
          key
          value
          active
        }
      }
      eventTypeFilters
    }
  }
}

If the resulting list is empty, then audit streaming is not enabled for the instance.

You need the ID values returned by this query for the update and delete mutations.

Update streaming destinations

Update a HTTP streaming destination for an instance.

Prerequisites:

  • Administrator access on the instance.

To update streaming destinations for an instance, use the instanceExternalAuditEventDestinationUpdate mutation type. You can retrieve the destination ID by listing all the external destinations for the instance. 

mutation {
  instanceExternalAuditEventDestinationUpdate(input: {
    id: "gid://gitlab/AuditEvents::InstanceExternalAuditEventDestination/1",
    destinationUrl: "https://www.new-domain.com/webhook",
    name: "destination-name"}) {
    errors
    instanceExternalAuditEventDestination {
      destinationUrl
      id
      name
      verificationToken
    }
  }
}

Streaming destination is updated if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Instance administrators can update streaming destinations custom HTTP headers using the auditEventsStreamingInstanceHeadersUpdate mutation type. You can retrieve the custom HTTP headers ID by listing all the custom HTTP headers for the instance. 

mutation {
  auditEventsStreamingInstanceHeadersUpdate(input: { headerId: "gid://gitlab/AuditEvents::Streaming::InstanceHeader/2", key: "new-key", value: "new-value", active: false }) {
    errors
    header {
      id
      key
      value
      active
    }
  }
}

The header is updated if the returned errors object is empty.

Delete streaming destinations

Delete streaming destinations for an entire instance.

When the last destination is successfully deleted, streaming is disabled for the instance.

Prerequisites:

  • Administrator access on the instance.

To delete streaming destinations, use the instanceExternalAuditEventDestinationDestroy mutation type. You can retrieve the destinations ID by listing all the streaming destinations for the instance. 

mutation {
  instanceExternalAuditEventDestinationDestroy(input: { id: "gid://gitlab/AuditEvents::InstanceExternalAuditEventDestination/1" }) {
    errors
  }
}

Streaming destination is deleted if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

To remove an HTTP header, use the GraphQL auditEventsStreamingInstanceHeadersDestroy mutation. To retrieve the header ID, list all the custom HTTP headers for the instance. 

mutation {
  auditEventsStreamingInstanceHeadersDestroy(input: { headerId: "gid://gitlab/AuditEvents::Streaming::InstanceHeader/<id>" }) {
    errors
  }
}

The header is deleted if the returned errors object is empty.

Event type filters

History
  • Event type filters API introduced in GitLab 16.2.

When this feature is enabled for an instance, you can use an API to permit users to filter streamed audit events per destination. If the feature is enabled with no filters, the destination receives all audit events.

A streaming destination that has an event type filter set has a filtered () label.

Use the API to add an event type filter

Prerequisites:

  • You must have the Administrator access for the instance.

You can add a list of event type filters using the auditEventsStreamingDestinationInstanceEventsAdd mutation: 

mutation {
    auditEventsStreamingDestinationInstanceEventsAdd(input: {
        destinationId: "gid://gitlab/AuditEvents::InstanceExternalAuditEventDestination/1",
        eventTypeFilters: ["list of event type filters"]}){
        errors
        eventTypeFilters
    }
}

Event type filters are added if:

  • The returned errors object is empty.
  • The API responds with 200 OK.
Use the API to remove an event type filter

Prerequisites:

  • You must have the Administrator access for the instance.

You can remove a list of event type filters using the auditEventsStreamingDestinationInstanceEventsRemove mutation: 

mutation {
    auditEventsStreamingDestinationInstanceEventsRemove(input: {
    destinationId: "gid://gitlab/AuditEvents::InstanceExternalAuditEventDestination/1",
    eventTypeFilters: ["list of event type filters"]
  }){
    errors
  }
}

Event type filters are removed if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Google Cloud Logging destinations

History

Manage Google Cloud Logging destinations for an entire instance.

Before setting up Google Cloud Logging streaming audit events, you must satisfy the prerequisites.

Add a new Google Cloud Logging destination

Add a new Google Cloud Logging configuration destination to an instance.

Prerequisites:

  • You have administrator access to the instance.
  • You have a Google Cloud project with the necessary permissions to create service accounts and enable Google Cloud Logging.

To enable streaming and add a configuration, use the instanceGoogleCloudLoggingConfigurationCreate mutation in the GraphQL API. 

mutation {
  instanceGoogleCloudLoggingConfigurationCreate(input: { googleProjectIdName: "my-google-project", clientEmail: "my-email@my-google-project.iam.gservice.account.com", privateKey: "YOUR_PRIVATE_KEY", logIdName: "audit-events", name: "destination-name" } ) {
    errors
    googleCloudLoggingConfiguration {
      id
      googleProjectIdName
      logIdName
      clientEmail
      name
    }
    errors
  }
}

Event streaming is enabled if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

List Google Cloud Logging configurations

List all Google Cloud Logging configuration destinations for an instance.

Prerequisites:

  • You have administrator access to the instance.

You can view a list of streaming configurations for an instance using the instanceGoogleCloudLoggingConfigurations query type. 

query {
  instanceGoogleCloudLoggingConfigurations {
    nodes {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}

If the resulting list is empty, audit streaming is not enabled for the instance.

You need the ID values returned by this query for the update and delete mutations.

Update Google Cloud Logging configurations

Update the Google Cloud Logging configuration destinations for an instance.

Prerequisites:

  • You have administrator access to the instance.

To update streaming configuration for an instance, use the instanceGoogleCloudLoggingConfigurationUpdate mutation type. You can retrieve the configuration ID by listing all the external destinations. 

mutation {
  instanceGoogleCloudLoggingConfigurationUpdate(
    input: {id: "gid://gitlab/AuditEvents::Instance::GoogleCloudLoggingConfiguration/1", googleProjectIdName: "updated-google-id", clientEmail: "updated@my-google-project.iam.gservice.account.com", privateKey: "YOUR_PRIVATE_KEY", logIdName: "audit-events", name: "updated name"}
  ) {
    errors
    instanceGoogleCloudLoggingConfiguration {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}

Streaming configuration is updated if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Delete Google Cloud Logging configurations

Delete streaming destinations for an instance.

When the last destination is successfully deleted, streaming is disabled for the instance.

Prerequisites:

  • You have administrator access to the instance.

To delete streaming configurations, use the instanceGoogleCloudLoggingConfigurationDestroy mutation type. You can retrieve the configurations ID by listing all the streaming destinations for the instance. 

mutation {
  instanceGoogleCloudLoggingConfigurationDestroy(input: { id: "gid://gitlab/AuditEvents::Instance::GoogleCloudLoggingConfiguration/1" }) {
    errors
  }
}

Streaming configuration is deleted if:

  • The returned errors object is empty.
  • The API responds with 200 OK.