- Instance audit events
- Exporting audit events
- User impersonation
- Time zones
- Contribute to audit events
Audit events administration
In addition to audit events, self-managed administrators can access additional features.
Instance audit events
You can view audit events from user actions across an entire GitLab instance. To view instance audit events:
- On the left sidebar, at the bottom, select Admin Area.
- Select Monitoring > Audit Events.
- Filter by the following:
- Member of the project (user) who performed the action
- Group
- Project
- Date Range
Instance audit events can also be accessed using the Instance Audit Events API. Instance audit event queries are limited to a maximum of 30 days.
Exporting audit events
- Entity type
Gitlab::Audit::InstanceScopefor instance audit events introduced in GitLab 16.2.
You can export the current view (including filters) of your instance audit events as a CSV(comma-separated values) file. To export the instance audit events to CSV:
- On the left sidebar, at the bottom, select Admin Area.
- Select Monitoring > Audit Events.
- Select the available search filters.
- Select Export as CSV.
A download confirmation dialog then appears for you to download the CSV file. The exported CSV is limited to a maximum of 100000 events. The remaining records are truncated when this limit is reached.
Audit event CSV encoding
The exported CSV file is encoded as follows:
-
,is used as the column delimiter -
"is used to quote fields if necessary. -
\nis used to separate rows.
The first row contains the headers, which are listed in the following table along with a description of the values:
| Column | Description |
|---|---|
| ID | Audit event id.
|
| Author ID | ID of the author. |
| Author Name | Full name of the author. |
| Entity ID | ID of the scope. |
| Entity Type | Type of the scope (Project, Group, User, or Gitlab::Audit::InstanceScope).
|
| Entity Path | Path of the scope. |
| Target ID | ID of the target. |
| Target Type | Type of the target. |
| Target Details | Details of the target. |
| Action | Description of the action. |
| IP Address | IP address of the author who performed the action. |
| Created At (UTC) | Formatted as YYYY-MM-DD HH:MM:SS.
|
All items are sorted by created_at in ascending order.
User impersonation
When a user is impersonated, their actions are logged as audit events with the following additional details:
- Audit events include information about the impersonating administrator.
- Extra audit events are recorded for the start and end of the administrator’s impersonation session.
Time zones
For information on timezones and audit events, see Time zones.
Contribute to audit events
For information on contributing to audit events, see Contribute to audit events.