Track user activity with audit logs

6 minute read

Use W&B audit logs to track user activity within your organization and to conform to your enterprise governance requirements. Audit logs are available in JSON format. Refer to Audit log schema.

How to access audit logs depends on your W&B platform deployment type:

W&B Platform Deployment type	Audit logs access mechanism
Self-managed	Synced to instance-level bucket every 10 minutes. Also available using the API.
Dedicated Cloud with secure storage connector (BYOB)	Synced to instance-level bucket (BYOB) every 10 minutes. Also available using the API.
Dedicated Cloud with W&B managed storage (without BYOB)	Available only by using the API.
SaaS Cloud	Available for Enterprise plans only. Available only by using the API.

After fetching audit logs, you can analyze them using tools like Pandas, Amazon Redshift, Google BigQuery, or Microsoft Fabric. Some audit log analysis tools do not support JSON; refer to the documentation for your analysis tool for guidelines and requirements for transforming the JSON-formatted audit logs before analysis.

Audit log retention

If you require audit logs to be retained for a specific period of time, W&B recommends periodically transferring logs to long-term storage, either using storage buckets or the Audit Logging API.

If you are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), audit logs must be retained for a minimum of 6 years in an environment where they cannot be deleted or modified by any internal or exterrnal actor before the end of the mandatory retention period. For HIPAA-compliant Dedicated Cloud instances with BYOB, you must configure guardrails for your managed storage, including any long-term retention storage.

Audit log schema

This table shows all keys which may appear in an audit log entry, ordered alphabetically. Depending on the action and the circumstances, a specific log entry may include only a subset of the possible fields.

Key	Definition
`action`	The action of the event.
`actor_email`	The email address of the user that initiated the action, if applicable.
`actor_ip`	The IP address of the user that initiated the action.
`actor_user_id`	The ID of the logged-in user who performed the action, if applicable.
`artifact_asset`	The artifact ID associated with the action, if applicable.
`artifact_digest`	The artifact digest associated with the action, if applicable.
`artifact_qualified_name`	The full name of the artifact associated with the action, if applicable.
`artifact_sequence_asset`	The artifact sequence ID associated with the action, if applicable.
`cli_version`	The version of the Python SDK that initiated the action, if applicable.
`entity_asset`	The entity or team ID associated with the action, if applicable.
`entity_name`	The entity or team name associated with the action, if applicable.
`project_asset`	The project associated with the action, if applicable.
`project_name`	The name of the project associated with the action, if applicable.
`report_asset`	The report ID associated with the action, if applicable.
`report_name`	The name of the report associated with the action, if applicable.
`response_code`	The HTTP response code for the action, if applicable.
`timestamp`	The time of the event in RFC3339 format. For example, `2023-01-23T12:34:56Z` represents January 23, 2023 at 12:34:56 UTC.
`user_asset`	The user asset the action impacts (rather than the user performing the action), if applicable.
`user_email`	The email address of the user the action impacts (rather than the email address of the user performing the action), if applicable.

Personally identifiable information (PII)

Personally identifiable information (PII), such as email addresses and the names of projects, teams, and reports, is available only using the API endpoint option.

For Self-managed and Dedicated Cloud, an organization admin can exclude PII when fetching audit logs.
For SaaS Cloud, the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable.

Fetch audit logs

An organization or instance admin can fetch the audit logs for a W&B instance using the Audit Logging API, at the endpoint audit_logs/.

If a user other than an admin attempts to fetch audit logs, a HTTP 403 error occurs, indicating that access is denied.
If you are an admin of multiple Enterprise SaaS Cloud organizations, you must configure the organization where audit logging API requests are sent. Click your profile image, then click User Settings. The setting is named Default API organization.

Determine the correct API endpoint for your instance:
- Self-managed: <wandb-platform-url>/admin/audit_logs
- Dedicated Cloud: <wandb-platform-url>/admin/audit_logs
- SaaS Cloud (Enterprise required): https://api.wandb.ai/audit_logs
In proceeding steps, replace <API-endpoint> with your API endpoint.
Construct the full API endpoint from the base endpoint, and optionally include URL parameters:
- anonymize: if set to true, remove any PII; defaults to false. Refer to Exclude PII when fetching audit logs. Not supported for SaaS Cloud.
- numDays: logs will be fetched starting from today - numdays to most recent; defaults to 0, which returns logs only for today. For SaaS Cloud, you can fetch audit logs from a maximum of 7 days in the past.
- startDate: an optional date with format YYYY-MM-DD. Supported only on SaaS Cloud.
  
  startDate and numDays interact:
  - If you set both startDate and numDays, logs are returned from startDate to startDate + numDays.
  - If you omit startDate but include numDays, logs are returned from today to numDays.
  - If you set neither startDate nor numDays, logs are returned for today only.
Execute an HTTP GET request on the constructed fully qualified API endpoint using a web browser or a tool like Postman, HTTPie, or cURL.

The API response contains new-line separated JSON objects. Objects will include the fields described in the schema, just like when audit logs are synced to an instance-level bucket. In those cases, the audit logs are located in the /wandb-audit-logs directory in your bucket.

Use basic authentication

To use basic authentication with your API key to access the audit logs API, set the HTTP request’s Authorization header to the string Basic followed by a space, then the base-64 encoded string in the format username:API-KEY. In other words, replace the username and API key with your values separated with a : character, then base-64-encode the result. For example, to authorize as demo:p@55w0rd, the header should be Authorization: Basic ZGVtbzpwQDU1dzByZA==.

Exclude PII when fetching audit logs

For Self-managed and Dedicated Cloud, a W&B organization or instance admin can exclude PII when fetching audit logs. For SaaS Cloud, the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable.

To exclude PII, pass the anonymize=true URL parameter. For example, if your W&B instance URL is https://mycompany.wandb.io and you would like to get audit logs for user activity within the last week and exclude PII, use an API endpoint like:

https://mycompany.wandb.io/admin/audit_logs?numDays=7&anonymize=true.

Actions

This table describes possible actions that can be recorded by W&B, sorted alphabetically.

Action	Definition
`artifact:create`	Artifact is created.
`artifact:delete`	Artifact is deleted.
`artifact:read`	Artifact is read.
`project:delete`	Project is deleted.
`project:read`	Project is read.
`report:read`	Report is read. ¹
`run:delete_many`	Batch of runs is deleted.
`run:delete`	Run is deleted.
`run:stop`	Run is stopped.
`run:undelete_many`	Batch of runs is restored from trash.
`run:update_many`	Batch of runs is updated.
`run:update`	Run is updated.
`sweep:create_agent`	Sweep agent is created.
`team:create_service_account`	Service account is created for the team.
`team:create`	Team is created.
`team:delete`	Team is deleted.
`team:invite_user`	User is invited to team.
`team:uninvite`	User or service account is uninvited from team.
`user:create_api_key`	API key for the user is created. ¹
`user:create`	User is created. ¹
`user:deactivate`	User is deactivated. ¹
`user:delete_api_key`	API key for the user is deleted. ¹
`user:initiate_login`	User initiates log in. ¹
`user:login`	User logs in. ¹
`user:logout`	User logs out. ¹
`user:permanently_delete`	User is permanently deleted. ¹
`user:reactivate`	User is reactivated. ¹
`user:read`	User profile is read. ¹
`user:update`	User is updated. ¹

1: On SaaS Cloud, audit logs are not collected for:

Open or Public projects.
The report:read action.
User actions which are not tied to a specific organization.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified March 27, 2025

Edit page Report issue PDF