File: audit_event_reports.md

---
stage: Govern
group: Compliance
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---

# Audit events administration

In addition to [audit events](../user/compliance/audit_events.md), self-managed administrators can access additional
features.

## Instance audit events

DETAILS:
**Tier:** Premium, Ultimate
**Offering:** Self-managed

You can view audit events from user actions across an entire GitLab instance.
To view instance audit events:

1. On the left sidebar, at the bottom, select **Admin**.
1. Select **Monitoring > Audit events**.
1. Filter by the following:
   - Member of the project (user) who performed the action
   - Group
   - Project
   - Date Range

Instance audit events can also be accessed using the [instance audit events API](../api/audit_events.md#instance-audit-events). Instance audit event queries are limited to a maximum of 30 days.

## Exporting audit events

DETAILS:
**Tier:** Premium, Ultimate
**Offering:** Self-managed

> - Entity type `Gitlab::Audit::InstanceScope` for instance audit events [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418185) in GitLab 16.2.

You can export the current view (including filters) of your instance audit events as a
CSV (comma-separated values) file. To export the instance audit events to CSV:

1. On the left sidebar, at the bottom, select **Admin**.
1. Select **Monitoring > Audit events**.
1. Select the available search filters.
1. Select **Export as CSV**.

A download confirmation dialog then appears for you to download the CSV file. The exported CSV is limited
to a maximum of 100000 events. The remaining records are truncated when this limit is reached.

### Audit event CSV encoding

The exported CSV file is encoded as follows:

- `,` is used as the column delimiter.
- `"` is used to quote fields if necessary.
- `\n` is used to separate rows.

The first row contains the headers, which are listed in the following table along
with a description of the values:

| Column                | Description                                                                        |
| --------------------- | ---------------------------------------------------------------------------------- |
| **ID**                | Audit event `id`.                                                                  |
| **Author ID**         | ID of the author.                                                                  |
| **Author Name**       | Full name of the author.                                                           |
| **Entity ID**         | ID of the scope.                                                                   |
| **Entity Type**       | Type of the scope (`Project`, `Group`, `User`, or `Gitlab::Audit::InstanceScope`). |
| **Entity Path**       | Path of the scope.                                                                 |
| **Target ID**         | ID of the target.                                                                  |
| **Target Type**       | Type of the target.                                                                |
| **Target Details**    | Details of the target.                                                             |
| **Action**            | Description of the action.                                                         |
| **IP Address**        | IP address of the author who performed the action.                                 |
| **Created At (UTC)**  | Formatted as `YYYY-MM-DD HH:MM:SS`.                                                |

All items are sorted by `created_at` in ascending order.
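
The following added example (not part of the GitLab documentation or code base) shows one way to load an exported file for review: it checks the header row against the table above, treats `Created At (UTC)` as UTC, confirms ascending order, and warns when the export has reached the documented event limit. The function name `load_audit_export` and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Header row as documented in the column table above.
EXPECTED_HEADERS = [
    "ID", "Author ID", "Author Name", "Entity ID", "Entity Type", "Entity Path",
    "Target ID", "Target Type", "Target Details", "Action", "IP Address",
    "Created At (UTC)",
]
EXPORT_LIMIT = 100000  # documented maximum number of exported events

# Constructed sample export (not real data). The first Action field is quoted
# because it contains a comma and an embedded double quote.
SAMPLE = (
    'ID,Author ID,Author Name,Entity ID,Entity Type,Entity Path,Target ID,'
    'Target Type,Target Details,Action,IP Address,Created At (UTC)\n'
    '1,10,Example Admin,1,Gitlab::Audit::InstanceScope,gitlab_instance,20,User,'
    'example-user,"Changed setting ""x"", then saved",192.0.2.10,2024-01-02 03:04:05\n'
    '2,11,Example User,5,Project,example-group/example-project,5,Project,'
    'example-project,Added project access token,192.0.2.11,2024-01-02 03:05:00\n'
)


def load_audit_export(text):
    """Parse an exported audit event CSV and return (events, warnings)."""
    reader = csv.reader(io.StringIO(text, newline=""), delimiter=",", quotechar='"')
    headers = next(reader, [])
    if headers != EXPECTED_HEADERS:
        raise ValueError(f"unexpected header row: {headers}")
    events, warnings = [], []
    for record_no, row in enumerate(reader, start=1):
        if len(row) != len(headers):
            warnings.append(f"record {record_no}: expected {len(headers)} fields, got {len(row)}")
            continue
        event = dict(zip(headers, row))
        # The timestamp carries no offset; the column is documented as UTC.
        event["created_at"] = datetime.strptime(
            event["Created At (UTC)"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if events and event["created_at"] < events[-1]["created_at"]:
            warnings.append(f"record {record_no}: not in ascending created_at order")
        events.append(event)
    if len(events) >= EXPORT_LIMIT:
        warnings.append("export reached the event limit; later records may be truncated")
    return events, warnings
```

If the truncation warning appears, narrow the search filters (for example, the date range) and export again so that no events are missed.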

## User impersonation

DETAILS:
**Tier:** Premium, Ultimate
**Offering:** Self-managed

When a user is [impersonated](../administration/admin_area.md#user-impersonation), their actions are logged as audit events with the following additional details:

- Audit events include information about the impersonating administrator.
- Extra audit events are recorded for the start and end of the administrator's impersonation session.

![An audit event with an impersonated user.](img/impersonated_audit_events_v15_7.png)

## Time zones

For information on time zones and audit events, see [Time zones](../user/compliance/audit_events.md#time-zones).

## Contribute to audit events

For information on contributing to audit events, see
[Contribute to audit events](../user/compliance/audit_events.md#contribute-to-audit-events).