Audit Trail

Note: This feature is applicable to the Enterprise Edition.

What is Audit Trail

Audit Trail records user actions across all organizations in OpenObserve. It captures non-ingestion API calls and helps you monitor activity and improve security.

Who can access it

All Enterprise Edition users with access to the _meta organization can use Audit Trail.

Where to find it

Audit events are published into the audit stream under the _meta organization.

Configuration

To enable and configure Audit Trail, set the following environment variables:

  1. O2_AUDIT_ENABLED
     • Description: Enables audit logging
     • Default: false

  2. O2_AUDIT_BATCH_SIZE
     • Description: Number of audit records to batch before publishing
     • Default: 500

  3. O2_AUDIT_PUBLISH_INTERVAL
     • Description: Interval in seconds after which unpublished audits are published
     • Default: 600

How it works

When Audit Trail is enabled, OpenObserve collects details of every non-ingestion API call made by users across all organizations. These events are held temporarily in memory. Once the number of buffered events reaches the batch size, or the publish interval elapses, they are sent to the audit stream in the _meta organization. From there, you can view and query them, or use them in dashboards and alerts.
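The following is an added model of the publishing rule just described (it is example code, not OpenObserve's own implementation): events accumulate in memory and are published as one batch either when the batch size is reached or when the publish interval has elapsed. The `AuditBatcher` and `simulate` names, the injectable clock and the event dictionaries are assumptions made for the example.

```python
"""Model of the Audit Trail batching rule (example only, not OpenObserve code)."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class AuditBatcher:
    batch_size: int = 500            # O2_AUDIT_BATCH_SIZE default
    publish_interval: float = 600.0  # O2_AUDIT_PUBLISH_INTERVAL default, seconds
    clock: Callable[[], float] = field(default=lambda: 0.0)  # injectable for tests
    pending: List[dict] = field(default_factory=list)        # events still in memory
    batches: List[List[dict]] = field(default_factory=list)  # what reached the stream
    last_publish: float = field(init=False)

    def __post_init__(self) -> None:
        self.last_publish = self.clock()

    def record(self, event: dict) -> None:
        """Buffer one non-ingestion API call; publish once the batch is full."""
        self.pending.append(event)
        if len(self.pending) >= self.batch_size:
            self.publish()

    def tick(self) -> None:
        """Timer check: publish whatever is pending once the interval has elapsed."""
        if self.pending and self.clock() - self.last_publish >= self.publish_interval:
            self.publish()

    def publish(self) -> None:
        """Move the pending events to the _meta audit stream as one batch."""
        self.batches.append(self.pending)
        self.pending = []
        self.last_publish = self.clock()


def simulate(batch_size: int, interval: float, n_events: int, idle_seconds: float):
    """Record n_events back-to-back, then stay idle for idle_seconds and run the timer.
    Returns (batches published by size, batches after the timer, events still pending)."""
    now = [0.0]  # constructed fake clock so the run is deterministic
    b = AuditBatcher(batch_size, interval, clock=lambda: now[0])
    for i in range(n_events):
        b.record({"event": f"constructed-event-{i}"})  # constructed sample event
    by_size = len(b.batches)
    now[0] += idle_seconds
    b.tick()
    return by_size, len(b.batches), len(b.pending)
```

With the defaults, 499 calls followed by 599 seconds of idle time leave every event unpublished, which is the delay to budget for when an alert depends on the audit stream.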

Example

The following example shows a captured audit event from the audit stream:

[Image: audit trail screenshot]

Use case

Because audit events are stored in a log stream, you can:

  • Build dashboards to track user activity
  • Configure alerts to detect unusual trends