1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
|
---
stage: Govern
group: Compliance
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# Audit event streaming **(ULTIMATE)**
> - UI [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/336411) in GitLab 14.9.
> - [Subgroup events recording](https://gitlab.com/gitlab-org/gitlab/-/issues/366878) fixed in GitLab 15.2.
> - Custom HTTP headers UI [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361630) in GitLab 15.2 [with a flag](../feature_flags.md) named `custom_headers_streaming_audit_events_ui`. Disabled by default.
> - Custom HTTP headers UI [made generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/365259) in GitLab 15.3. [Feature flag `custom_headers_streaming_audit_events_ui`](https://gitlab.com/gitlab-org/gitlab/-/issues/365259) removed.
> - [Improved user experience](https://gitlab.com/gitlab-org/gitlab/-/issues/367963) in GitLab 15.3.
Users can set a streaming destination for a top-level group or instance to receive all audit events about the group, subgroups, and
projects as structured JSON.
Top-level group owners and instance administrators can manage their audit logs in third-party systems. Any service that can receive
structured JSON data can be used as the streaming destination.
Each streaming destination can have up to 20 custom HTTP headers included with each streamed event.
NOTE:
GitLab can stream a single event more than once to the same destination. Use the `id` key in the payload to deduplicate incoming data.
## Add a new streaming destination
Add a new streaming destination to top-level groups or an entire instance.
WARNING:
Streaming destinations receive **all** audit event data, which could include sensitive information. Make sure you trust the streaming destination.
### Top-level group streaming destinations
Prerequisites:
- Owner role for a top-level group.
To add streaming destinations to a top-level group:
1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
1. Select **Secure > Audit events**.
1. On the main area, select **Streams** tab.
1. Select **Add streaming destination** to show the section for adding destinations.
1. Enter the destination URL to add.
1. Optional. Locate the **Custom HTTP headers** table.
1. Ignore the **Active** checkbox because it isn't functional. To track progress on adding functionality to the
**Active** checkbox, see [issue 367509](https://gitlab.com/gitlab-org/gitlab/-/issues/367509).
1. Select **Add header** to create a new name and value pair. Enter as many name and value pairs as required. You can add up to
20 headers per streaming destination.
1. After all headers have been filled out, select **Add** to add the new streaming destination.
### Instance streaming destinations
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/398107) in GitLab 16.1 [with a flag](../feature_flags.md) named `instance_streaming_audit_events`. Disabled by default.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](../feature_flags.md) named
`instance_streaming_audit_events`. On GitLab.com, this feature is not available. The feature is not ready for production use.
Prerequisites:
- Administrator access on the instance.
To add a streaming destination for an instance:
1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
1. Select **Admin Area**.
1. On the left sidebar, select **Monitoring > Audit Events**.
1. On the main area, select **Streams** tab.
1. Select **Add streaming destination** to show the section for adding destinations.
1. Enter the destination URL to add.
1. Select **Add** to add the new streaming destination.
## List streaming destinations
List new streaming destinations for top-level groups or an entire instance.
### For top-level group streaming destinations
Prerequisites:
- Owner role for a group.
To list the streaming destinations for a top-level group:
1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
1. Select **Secure > Audit events**.
1. On the main area, select **Streams** tab.
1. To the right of the item, select **Edit** (**{pencil}**) to see all the custom HTTP headers.
### For instance streaming destinations
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/398107) in GitLab 16.1 [with a flag](../feature_flags.md) named `instance_streaming_audit_events`. Disabled by default.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](../feature_flags.md) named
`instance_streaming_audit_events`. On GitLab.com, this feature is not available. The feature is not ready for production use.
Prerequisites:
- Administrator access on the instance.
To list the streaming destinations for an instance:
1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
1. Select **Admin Area**.
1. On the left sidebar, select **Monitoring > Audit Events**.
1. On the main area, select **Streams** tab.
## Update streaming destinations
Update streaming destinations for a top-level group or an entire instance.
### Top-level group streaming destinations
Prerequisites:
- Owner role for a group.
To update a streaming destination's custom HTTP headers:
1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
1. Select **Secure > Audit events**.
1. On the main area, select **Streams** tab.
1. To the right of the item, select **Edit** (**{pencil}**).
1. Locate the **Custom HTTP headers** table.
1. Locate the header that you wish to update.
1. Ignore the **Active** checkbox because it isn't functional. To track progress on adding functionality to the
**Active** checkbox, see [issue 367509](https://gitlab.com/gitlab-org/gitlab/-/issues/367509).
1. Select **Add header** to create a new name and value pair. Enter as many name and value pairs as required. You can add up to
20 headers per streaming destination.
1. Select **Save** to update the streaming destination.
## Delete streaming destinations
Delete streaming destinations for a top-level group or an entire instance. When the last destination is successfully
deleted, streaming is disabled for the group or the instance.
### Top-level group streaming destinations
Prerequisites:
- Owner role for a group.
To delete a streaming destination:
1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
1. Select **Secure > Audit events**.
1. On the main area, select the **Streams** tab.
1. To the right of the item, select **Delete** (**{remove}**).
To delete only the custom HTTP headers for a streaming destination:
1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
1. Select **Secure > Audit events**.
1. On the main area, select the **Streams** tab.
1. To the right of the item, **Edit** (**{pencil}**).
1. Locate the **Custom HTTP headers** table.
1. Locate the header that you wish to remove.
1. To the right of the header, select **Delete** (**{remove}**).
1. Select **Save** to update the streaming destination.
### Instance streaming destinations
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/398107) in GitLab 16.1 [with a flag](../feature_flags.md) named `instance_streaming_audit_events`. Disabled by default.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](../feature_flags.md) named
`instance_streaming_audit_events`. On GitLab.com, this feature is not available. The feature is not ready for production use.
Prerequisites:
- Administrator access on the instance.
To delete the streaming destinations for an instance:
1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
1. Select **Admin Area**.
1. On the left sidebar, select **Monitoring > Audit Events**.
1. On the main area, select the **Streams** tab.
1. To the right of the item, select **Delete** (**{remove}**).
## Verify event authenticity
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345424) in GitLab 14.8.
Each streaming destination has a unique verification token (`verificationToken`) that can be used to verify the authenticity of the event. This
token is either specified by the Owner or generated automatically when the event destination is created and cannot be changed.
Each streamed event contains the verification token in the `X-Gitlab-Event-Streaming-Token` HTTP header that can be verified against
the destination's value when [listing streaming destinations](#list-streaming-destinations).
### Top-level group streaming destinations
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/360814) in GitLab 15.2.
Prerequisites:
- Owner role for a group.
To list streaming destinations and see the verification tokens:
1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
1. Select **Secure > Audit events**.
1. On the main area, select the **Streams**.
1. View the verification token on the right side of each item.
### Instance streaming destinations
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/398107) in GitLab 16.1 [with a flag](../feature_flags.md) named `instance_streaming_audit_events`. Disabled by default.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](../feature_flags.md) named
`instance_streaming_audit_events`. On GitLab.com, this feature is not available. The feature is not ready for production use.
Prerequisites:
- Administrator access on the instance.
To list streaming destinations for an instance and see the verification tokens:
1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
1. Select **Admin Area**.
1. On the left sidebar, select **Monitoring > Audit Events**.
1. On the main area, select the **Streams**.
1. View the verification token on the right side of each item.
## Override default content type header
By default, streaming destinations use a `content-type` header of `application/x-www-form-urlencoded`. However, you
might want to set the `content-type` header to something else. For example ,`application/json`.
To override the `content-type` header default value for either a top-level group streaming destination or an instance
streaming destination, use either the [GitLab UI](#update-streaming-destinations) or using the
[GraphQL API](graphql_api.md#update-streaming-destinations).
## Payload schema
> Documentation for an audit event streaming schema was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/358149) in GitLab 15.3.
Streamed audit events have a predictable schema in the body of the response.
| Field | Description | Notes |
|------------------|------------------------------------------------------------|-----------------------------------------------------------------------------------|
| `author_id` | User ID of the user who triggered the event | |
| `author_name` | Human-readable name of the author that triggered the event | Helpful when the author no longer exists |
| `created_at` | Timestamp when event was triggered | |
| `details` | JSON object containing additional metadata | Has no defined schema but often contains additional information about an event |
| `entity_id` | ID of the audit event's entity | |
| `entity_path` | Full path of the entity affected by the auditable event | |
| `entity_type` | String representation of the type of entity | Acceptable values include `User`, `Group`, and `Key`. This list is not exhaustive |
| `event_type` | String representation of the type of audit event | |
| `id` | Unique identifier for the audit event | Can be used for deduplication if required |
| `ip_address` | IP address of the host used to trigger the event | |
| `target_details` | Additional details about the target | |
| `target_id` | ID of the audit event's target | |
| `target_type` | String representation of the target's type | |
### JSON payload schema
```json
{
"properties": {
"id": {
"type": "string"
},
"author_id": {
"type": "integer"
},
"author_name": {
"type": "string"
},
"details": {},
"ip_address": {
"type": "string"
},
"entity_id": {
"type": "integer"
},
"entity_path": {
"type": "string"
},
"entity_type": {
"type": "string"
},
"event_type": {
"type": "string"
},
"target_id": {
"type": "integer"
},
"target_type": {
"type": "string"
},
"target_details": {
"type": "string"
},
},
"type": "object"
}
```
|
