Audit event streaming

Version history

Users can set a streaming destination for a top-level group to receive all audit events about the group, its subgroups, and projects as structured JSON.

Top-level group owners can manage their audit logs in third-party systems. Any service that can receive structured JSON data can be used as the streaming destination.

Each streaming destination can have up to 20 custom HTTP headers included with each streamed event.

note
GitLab can stream a single event more than once to the same destination. Use the id key in the payload to deduplicate incoming data.

Add a new streaming destination

caution
Streaming destinations receive all audit event data, which could include sensitive information. Make sure you trust the streaming destination.

Use the GitLab UI

Users with the Owner role for a group can add streaming destinations for it:

  1. On the top bar, select Main menu > Groups and find your group.
  2. On the left sidebar, select Security & Compliance > Audit events.
  3. On the main area, select Streams tab.
  4. Select Add streaming destination to show the section for adding destinations.
  5. Enter the destination URL to add.
  6. Optional. Locate the Custom HTTP headers table.
  7. Ignore the Active checkbox because it isn’t functional. To track progress on adding functionality to the Active checkbox, see the relevant issue.
  8. Select Add header to create a new name and value pair. Enter as many name and value pairs as required. You can add up to 20 headers per streaming destination.
  9. After all headers have been filled out, select Add to add the new streaming destination.

Use the API

To enable streaming and add a destination, users with the Owner role for a group must use the externalAuditEventDestinationCreate mutation in the GraphQL API.

mutation {
  externalAuditEventDestinationCreate(input: { destinationUrl: "https://mydomain.io/endpoint/ingest", groupPath: "my-group" } ) {
    errors
    externalAuditEventDestination {
      id
      destinationUrl
      verificationToken
      group {
        name
      }
    }
  }
}

Group owners can also optionally specify their own verification token (instead of the default GitLab-generated one) using the GraphQL auditEventsStreamingHeadersCreate mutation. Verification token length must be within 16 to 24 characters and trailing whitespace are not trimmed. GitLab recommends setting a cryptographically random and unique value. For example:

mutation {
  externalAuditEventDestinationCreate(input: { destinationUrl: "https://mydomain.io/endpoint/ingest", groupPath: "my-group", verificationToken: "unique-random-verification-token-here" } ) {
    errors
    externalAuditEventDestination {
      id
      destinationUrl
      verificationToken
      group {
        name
      }
    }
  }
}

Event streaming is enabled if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Group owners can add an HTTP header using the GraphQL auditEventsStreamingHeadersCreate mutation. You can retrieve the destination ID by listing all the streaming destinations for the group or from the mutation above.

mutation {
  auditEventsStreamingHeadersCreate(input: { destinationId: "gid://gitlab/AuditEvents::ExternalAuditEventDestination/24601", key: "foo", value: "bar" }) {
    errors
  }
}

The header is created if the returned errors object is empty.

List streaming destinations

Users with the Owner role for a group can list streaming destinations.

Use the GitLab UI

To list the streaming destinations:

  1. On the top bar, select Main menu > Groups and find your group.
  2. On the left sidebar, select Security & Compliance > Audit events.
  3. On the main area, select Streams tab.
  4. To the right of the item, select Edit () to see all the custom HTTP headers.

Use the API

Users with the Owner role for a group can view a list of streaming destinations at any time using the externalAuditEventDestinations query type.

query {
  group(fullPath: "my-group") {
    id
    externalAuditEventDestinations {
      nodes {
        destinationUrl
        verificationToken
        id
        headers {
          nodes {
            key
            value
            id
          }
        }
      }
    }
  }
}

If the resulting list is empty, then audit streaming is not enabled for that group.

You need the ID values returned by this query for the update and delete mutations.

Update streaming destinations

Users with the Owner role for a group can update streaming destinations.

Use the GitLab UI

To update a streaming destinations custom HTTP headers:

  1. On the top bar, select Main menu > Groups and find your group.
  2. On the left sidebar, select Security & Compliance > Audit events.
  3. On the main area, select Streams tab.
  4. To the right of the item, select Edit ().
  5. Locate the Custom HTTP headers table.
  6. Locate the header that you wish to update.
  7. Ignore the Active checkbox because it isn’t functional. To track progress on adding functionality to the Active checkbox, see the relevant issue.
  8. Select Add header to create a new name and value pair. Enter as many name and value pairs as required. You can add up to 20 headers per streaming destination.
  9. Select Save to update the streaming destination.

Use the API

Users with the Owner role for a group can update streaming destinations custom HTTP headers using the auditEventsStreamingHeadersUpdate mutation type. You can retrieve the custom HTTP headers ID by listing all the custom HTTP headers for the group.

mutation {
  externalAuditEventDestinationDestroy(input: { id: destination }) {
    errors
  }
}

Streaming destination is updated if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Group owners can remove an HTTP header using the GraphQL auditEventsStreamingHeadersDestroy mutation. You can retrieve the header ID by listing all the custom HTTP headers for the group.

mutation {
  auditEventsStreamingHeadersDestroy(input: { headerId: "gid://gitlab/AuditEvents::Streaming::Header/1" }) {
    errors
  }
}

The header is deleted if the returned errors object is empty.

Delete streaming destinations

Users with the Owner role for a group can delete streaming destinations.

When the last destination is successfully deleted, streaming is disabled for the group.

Use the GitLab UI

To delete a streaming destination:

  1. On the top bar, select Main menu > Groups and find your group.
  2. On the left sidebar, select Security & Compliance > Audit events.
  3. On the main area, select the Streams tab.
  4. To the right of the item, select Delete ().

To delete only the custom HTTP headers for a streaming destination:

  1. On the top bar, select Main menu > Groups and find your group.
  2. On the left sidebar, select Security & Compliance > Audit events.
  3. On the main area, select the Streams tab.
  4. To the right of the item, Edit ().
  5. Locate the Custom HTTP headers table.
  6. Locate the header that you wish to remove.
  7. To the right of the header, select Delete ().
  8. Select Save to update the streaming destination.

Use the API

Users with the Owner role for a group can delete streaming destinations using the externalAuditEventDestinationDestroy mutation type. You can retrieve the destinations ID by listing all the streaming destinations for the group.

mutation {
  externalAuditEventDestinationDestroy(input: { id: destination }) {
    errors
  }
}

Streaming destination is deleted if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

Group owners can remove an HTTP header using the GraphQL auditEventsStreamingHeadersDestroy mutation. You can retrieve the header ID by listing all the custom HTTP headers for the group.

mutation {
  auditEventsStreamingHeadersDestroy(input: { headerId: "gid://gitlab/AuditEvents::Streaming::Header/1" }) {
    errors
  }
}

The header is deleted if the returned errors object is empty.

Verify event authenticity

Introduced in GitLab 14.8.

Each streaming destination has a unique verification token (verificationToken) that can be used to verify the authenticity of the event. This token is either specified by the Owner or generated automatically when the event destination is created and cannot be changed.

Each streamed event contains the verification token in the X-Gitlab-Event-Streaming-Token HTTP header that can be verified against the destination’s value when listing streaming destinations.

Use the GitLab UI

Introduced in GitLab 15.2.

Users with the Owner role for a group can list streaming destinations and see the verification tokens:

  1. On the top bar, select Main menu > Groups and find your group.
  2. On the left sidebar, select Security & Compliance > Audit events.
  3. On the main area, select the Streams.
  4. View the verification token on the right side of each item.

Payload schema

Documentation for an audit event streaming schema was introduced in GitLab 15.3.

Streamed audit events have a predictable schema in the body of the response.

FieldDescriptionNotes
author_idUser ID of the user who triggered the event 
author_nameHuman-readable name of the author that triggered the eventHelpful when the author no longer exists
created_atTimestamp when event was triggered 
detailsJSON object containing additional metadataHas no defined schema but often contains additional information about an event
entity_idID of the audit event’s entity 
entity_pathFull path of the entity affected by the auditable event 
entity_typeString representation of the type of entityAcceptable values include User, Group, and Key. This list is not exhaustive
event_typeString representation of the type of audit event 
idUnique identifier for the audit eventCan be used for deduplication if required
ip_addressIP address of the host used to trigger the event 
target_detailsAdditional details about the target 
target_idID of the audit event’s target 
target_typeString representation of the target’s type 

Audit event streaming on Git operations

Version history
On self-managed GitLab, by default this feature is available. To hide the feature, ask an administrator to disable the feature flag named audit_event_streaming_git_operations.

Streaming audit events can be sent when signed-in users push, pull, or clone a project’s remote Git repositories:

  • Using SSH.
  • Using HTTP or HTTPS.
  • Using the Download button () in GitLab UI.

Audit events are not captured for users that are not signed in. For example, when downloading a public project.

To configure streaming audit events for Git operations, see Add a new streaming destination.

Headers

X-Gitlab-Audit-Event-Type introduced in GitLab 15.0.

Headers are formatted as follows:

POST /logs HTTP/1.1
Host: <DESTINATION_HOST>
Content-Type: application/x-www-form-urlencoded
X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>
X-Gitlab-Audit-Event-Type: repository_git_operation

Example payloads for SSH events

Fetch:

{
  "id": 1,
  "author_id": 1,
  "entity_id": 29,
  "entity_type": "Project",
  "details": {
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 29,
    "target_type": "Project",
    "target_details": "example-project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "Administrator",
  "entity_path": "example-group/example-project",
  "target_details": "example-project",
  "created_at": "2022-02-23T06:21:05.283Z",
  "target_type": "Project",
  "target_id": 29,
  "event_type": "repository_git_operation"
}

Push:

{
  "id": 1,
  "author_id": 1,
  "entity_id": 29,
  "entity_type": "Project",
  "details": {
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 29,
    "target_type": "Project",
    "target_details": "example-project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-receive-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "Administrator",
  "entity_path": "example-group/example-project",
  "target_details": "example-project",
  "created_at": "2022-02-23T06:23:08.746Z",
  "target_type": "Project",
  "target_id": 29,
  "event_type": "repository_git_operation"
}

Example payloads for SSH events with Deploy Key

Introduced in GitLab 15.3.

Fetch:

{
  "id": 1,
  "author_id": -3,
  "entity_id": 29,
  "entity_type": "Project",
  "details": {
    "author_name": "deploy-key-name",
    "author_class": "DeployKey",
    "target_id": 29,
    "target_type": "Project",
    "target_details": "example-project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "deploy-key-name",
  "entity_path": "example-group/example-project",
  "target_details": "example-project",
  "created_at": "2022-07-26T05:43:53.662Z",
  "target_type": "Project",
  "target_id": 29,
  "event_type": "repository_git_operation"
}

Example payloads for HTTP and HTTPS events

Fetch:

{
  "id": 1,
  "author_id": 1,
  "entity_id": 29,
  "entity_type": "Project",
  "details": {
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 29,
    "target_type": "Project",
    "target_details": "example-project",
    "custom_message": {
      "protocol": "http",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "Administrator",
  "entity_path": "example-group/example-project",
  "target_details": "example-project",
  "created_at": "2022-02-23T06:25:43.938Z",
  "target_type": "Project",
  "target_id": 29,
  "event_type": "repository_git_operation"
}

Push:

{
  "id": 1,
  "author_id": 1,
  "entity_id": 29,
  "entity_type": "Project",
  "details": {
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 29,
    "target_type": "Project",
    "target_details": "example-project",
    "custom_message": {
      "protocol": "http",
      "action": "git-receive-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "Administrator",
  "entity_path": "example-group/example-project",
  "target_details": "example-project",
  "created_at": "2022-02-23T06:26:29.294Z",
  "target_type": "Project",
  "target_id": 29,
  "event_type": "repository_git_operation"
}

Example payloads for HTTP and HTTPS events with Deploy Token

Fetch:

{
  "id": 1,
  "author_id": -2,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "deploy-token-name",
    "author_class": "DeployToken",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "example-project",
    "custom_message": {
      "protocol": "http",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "deploy-token-name",
  "entity_path": "example-group/example-project",
  "target_details": "example-project",
  "created_at": "2022-07-26T05:46:25.850Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}

Example payloads for events from GitLab UI download button

Fetch:

{
  "id": 1,
  "author_id": 99,
  "entity_id": 29,
  "entity_type": "Project",
  "details": {
    "custom_message": "Repository Download Started",
    "author_name": "example_username",
    "author_class": "User",
    "target_id": 29,
    "target_type": "Project",
    "target_details": "example-group/example-project",
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "example_username",
  "entity_path": "example-group/example-project",
  "target_details": "example-group/example-project",
  "created_at": "2022-02-23T06:27:17.873Z",
  "target_type": "Project",
  "target_id": 29,
  "event_type": "repository_git_operation"
}

Audit event streaming on merge request approval actions

Introduced in GitLab 14.9.

Stream audit events that relate to merge approval actions performed within a project.

Headers

Headers are formatted as follows:

POST /logs HTTP/1.1
Host: <DESTINATION_HOST>
Content-Type: application/x-www-form-urlencoded
X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>
X-Gitlab-Audit-Event-Type: audit_operation

Example payload

{
  "id": 1,
  "author_id": 1,
  "entity_id": 6,
  "entity_type": "Project",
  "details": {
    "author_name": "example_username",
    "target_id": 20,
    "target_type": "MergeRequest",
    "target_details": "merge request title",
    "custom_message": "Approved merge request",
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "example_username",
  "entity_path": "example-group/example-project",
  "target_details": "merge request title",
  "created_at": "2022-03-09T06:53:11.181Z",
  "target_type": "MergeRequest",
  "target_id": 20,
  "event_type": "audit_operation"
}

Audit event streaming on merge request create actions

Introduced in GitLab 15.2.

Stream audit events that relate to merge request create actions using the /logs endpoint.

Send API requests that contain the X-Gitlab-Audit-Event-Type header with value merge_request_create. GitLab responds with JSON payloads with an event_type field set to merge_request_create.

Headers

Headers are formatted as follows:

POST /logs HTTP/1.1
Host: <DESTINATION_HOST>
Content-Type: application/x-www-form-urlencoded
X-Gitlab-Audit-Event-Type: merge_request_create
X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>

Example payload

{
  "id": 1,
  "author_id": 1,
  "entity_id": 24,
  "entity_type": "Project",
  "details": {
    "author_name": "example_user",
    "target_id": 132,
    "target_type": "MergeRequest",
    "target_details": "Update test.md",
    "custom_message": "Added merge request",
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "Administrator",
  "entity_path": "example-group/example-project",
  "target_details": "Update test.md",
  "created_at": "2022-07-04T00:19:22.675Z",
  "target_type": "MergeRequest",
  "target_id": 132,
  "event_type": "merge_request_create"
}

Audit event streaming on project fork actions

Introduced in GitLab 15.2.

Stream audit events that relate to project fork actions using the /logs endpoint.

Send API requests that contain the X-Gitlab-Audit-Event-Type header with value project_fork_operation. GitLab responds with JSON payloads with an event_type field set to project_fork_operation.

Headers

Headers are formatted as follows:

POST /logs HTTP/1.1
Host: <DESTINATION_HOST>
Content-Type: application/x-www-form-urlencoded
X-Gitlab-Audit-Event-Type: project_fork_operation
X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>

Example payload

{
  "id": 1,
  "author_id": 1,
  "entity_id": 24,
  "entity_type": "Project",
  "details": {
    "author_name": "example_username",
    "target_id": 24,
    "target_type": "Project",
    "target_details": "example-project",
    "custom_message": "Forked project to another-group/example-project-forked",
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "example_username",
  "entity_path": "example-group/example-project",
  "target_details": "example-project",
  "created_at": "2022-06-30T03:43:35.384Z",
  "target_type": "Project",
  "target_id": 24,
  "event_type": "project_fork_operation"
}

Introduced in GitLab 15.2.

Stream audit events that relate to project group link creation, updates, and deletion using the /logs endpoint.

Send API requests that contain the X-Gitlab-Audit-Event-Type header with value of either:

  • project_group_link_create.
  • project_group_link_update.
  • project_group_link_destroy.

GitLab responds with JSON payloads with an event_type field set to either:

  • project_group_link_create.
  • project_group_link_update.
  • project_group_link_destroy.

Example Headers

Headers are formatted as follows:

POST /logs HTTP/1.1
Host: <DESTINATION_HOST>
Content-Type: application/x-www-form-urlencoded
X-Gitlab-Audit-Event-Type: project_group_link_create
X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>
{
  "id": 1,
  "author_id": 1,
  "entity_id": 24,
  "entity_type": "Project",
  "details": {
    "author_name": "example-user",
    "target_id": 31,
    "target_type": "Group",
    "target_details": "another-group",
    "custom_message": "Added project group link",
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "example-user",
  "entity_path": "example-group/example-project",
  "target_details": "another-group",
  "created_at": "2022-07-04T00:43:09.318Z",
  "target_type": "Group",
  "target_id": 31,
  "event_type": "project_group_link_create"
}
{
  "id": 1,
  "author_id": 1,
  "entity_id": 24,
  "entity_type": "Project",
  "details": {
    "author_name": "example-user",
    "target_id": 31,
    "target_type": "Group",
    "target_details": "another-group",
    "custom_message": "Changed project group link profile group_access from Developer to Guest",
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "example-user",
  "entity_path": "example-group/example-project",
  "target_details": "another-group",
  "created_at": "2022-07-04T00:43:28.328Z",
  "target_type": "Group",
  "target_id": 31,
  "event_type": "project_group_link_update"
}
{
  "id": 1,
  "author_id": 1,
  "entity_id": 24,
  "entity_type": "Project",
  "details": {
    "author_name": "example-user",
    "target_id": 31,
    "target_type": "Group",
    "target_details": "another-group",
    "custom_message": "Removed project group link",
    "ip_address": "127.0.0.1",
    "entity_path": "example-group/example-project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "example-user",
  "entity_path": "example-group/example-project",
  "target_details": "another-group",
  "created_at": "2022-07-04T00:42:56.279Z",
  "target_type": "Group",
  "target_id": 31,
  "event_type": "project_group_link_destroy"
}