Audit event streaming (ULTIMATE)

UI Introduced in GitLab 14.9.

Subgroup events recording fixed in GitLab 15.2.

Custom HTTP headers UI introduced in GitLab 15.2 with a flag named custom_headers_streaming_audit_events_ui. Disabled by default.

Custom HTTP headers UI made generally available in GitLab 15.3. Feature flag custom_headers_streaming_audit_events_ui removed.

Improved user experience in GitLab 15.3.

Users can set a streaming destination for a top-level group or instance to receive all audit events about the group, subgroups, and projects as structured JSON.

Top-level group owners and instance administrators can manage their audit logs in third-party systems. Any service that can receive structured JSON data can be used as the streaming destination.

Each streaming destination can have up to 20 custom HTTP headers included with each streamed event.

NOTE: GitLab can stream a single event more than once to the same destination. Use the id key in the payload to deduplicate incoming data.

Add a new streaming destination

Add a new streaming destination to top-level groups or an entire instance.

WARNING: Streaming destinations receive all audit event data, which could include sensitive information. Make sure you trust the streaming destination.

Top-level group streaming destinations

Prerequisites:

Owner role for a top-level group.

To add streaming destinations to a top-level group:

On the left sidebar, at the top, select Search GitLab ({search}) to find your group.
Select Secure > Audit events.
On the main area, select Streams tab.
Select Add streaming destination to show the section for adding destinations.
Enter the destination URL to add.
Optional. Locate the Custom HTTP headers table.
Ignore the Active checkbox because it isn't functional. To track progress on adding functionality to the Active checkbox, see issue 367509.
Select Add header to create a new name and value pair. Enter as many name and value pairs as required. You can add up to 20 headers per streaming destination.
After all headers have been filled out, select Add to add the new streaming destination.

Instance streaming destinations

Introduced in GitLab 16.1 with a flag named instance_streaming_audit_events. Disabled by default.

FLAG: On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to enable the feature flag named instance_streaming_audit_events. On GitLab.com, this feature is not available. The feature is not ready for production use.

Prerequisites:

Administrator access on the instance.

To add a streaming destination for an instance:

On the left sidebar, expand the top-most chevron ({chevron-down}).
Select Admin Area.
On the left sidebar, select Monitoring > Audit Events.
On the main area, select Streams tab.
Select Add streaming destination to show the section for adding destinations.
Enter the destination URL to add.
Select Add to add the new streaming destination.

List streaming destinations

List new streaming destinations for top-level groups or an entire instance.

For top-level group streaming destinations

Prerequisites:

Owner role for a group.

To list the streaming destinations for a top-level group:

On the left sidebar, at the top, select Search GitLab ({search}) to find your group.
Select Secure > Audit events.
On the main area, select Streams tab.
To the right of the item, select Edit ({pencil}) to see all the custom HTTP headers.

For instance streaming destinations

Introduced in GitLab 16.1 with a flag named instance_streaming_audit_events. Disabled by default.

Prerequisites:

Administrator access on the instance.

To list the streaming destinations for an instance:

On the left sidebar, expand the top-most chevron ({chevron-down}).
Select Admin Area.
On the left sidebar, select Monitoring > Audit Events.
On the main area, select Streams tab.

Update streaming destinations

Update streaming destinations for a top-level group or an entire instance.

Top-level group streaming destinations

Prerequisites:

Owner role for a group.

To update a streaming destination's custom HTTP headers:

On the left sidebar, at the top, select Search GitLab ({search}) to find your group.
Select Secure > Audit events.
On the main area, select Streams tab.
To the right of the item, select Edit ({pencil}).
Locate the Custom HTTP headers table.
Locate the header that you wish to update.
Ignore the Active checkbox because it isn't functional. To track progress on adding functionality to the Active checkbox, see issue 367509.
Select Add header to create a new name and value pair. Enter as many name and value pairs as required. You can add up to 20 headers per streaming destination.
Select Save to update the streaming destination.

Delete streaming destinations

Delete streaming destinations for a top-level group or an entire instance. When the last destination is successfully deleted, streaming is disabled for the group or the instance.

Top-level group streaming destinations

Prerequisites:

Owner role for a group.

To delete a streaming destination:

On the left sidebar, at the top, select Search GitLab ({search}) to find your group.
Select Secure > Audit events.
On the main area, select the Streams tab.
To the right of the item, select Delete ({remove}).

To delete only the custom HTTP headers for a streaming destination:

On the left sidebar, at the top, select Search GitLab ({search}) to find your group.
Select Secure > Audit events.
On the main area, select the Streams tab.
To the right of the item, Edit ({pencil}).
Locate the Custom HTTP headers table.
Locate the header that you wish to remove.
To the right of the header, select Delete ({remove}).
Select Save to update the streaming destination.

Instance streaming destinations

Introduced in GitLab 16.1 with a flag named instance_streaming_audit_events. Disabled by default.

Prerequisites:

Administrator access on the instance.

To delete the streaming destinations for an instance:

On the left sidebar, expand the top-most chevron ({chevron-down}).
Select Admin Area.
On the left sidebar, select Monitoring > Audit Events.
On the main area, select the Streams tab.
To the right of the item, select Delete ({remove}).

Verify event authenticity

Introduced in GitLab 14.8.

Each streaming destination has a unique verification token (verificationToken) that can be used to verify the authenticity of the event. This token is either specified by the Owner or generated automatically when the event destination is created and cannot be changed.

Each streamed event contains the verification token in the X-Gitlab-Event-Streaming-Token HTTP header that can be verified against the destination's value when listing streaming destinations.

Top-level group streaming destinations

Introduced in GitLab 15.2.

Prerequisites:

Owner role for a group.

To list streaming destinations and see the verification tokens:

On the left sidebar, at the top, select Search GitLab ({search}) to find your group.
Select Secure > Audit events.
On the main area, select the Streams.
View the verification token on the right side of each item.

Instance streaming destinations

Introduced in GitLab 16.1 with a flag named instance_streaming_audit_events. Disabled by default.

Prerequisites:

Administrator access on the instance.

To list streaming destinations for an instance and see the verification tokens:

On the left sidebar, expand the top-most chevron ({chevron-down}).
Select Admin Area.
On the left sidebar, select Monitoring > Audit Events.
On the main area, select the Streams.
View the verification token on the right side of each item.

Override default content type header

By default, streaming destinations use a content-type header of application/x-www-form-urlencoded. However, you might want to set the content-type header to something else. For example ,application/json.

To override the content-type header default value for either a top-level group streaming destination or an instance streaming destination, use either the GitLab UI or using the GraphQL API.

Payload schema

Documentation for an audit event streaming schema was introduced in GitLab 15.3.

Streamed audit events have a predictable schema in the body of the response.

Field	Description	Notes
`author_id`	User ID of the user who triggered the event
`author_name`	Human-readable name of the author that triggered the event	Helpful when the author no longer exists
`created_at`	Timestamp when event was triggered
`details`	JSON object containing additional metadata	Has no defined schema but often contains additional information about an event
`entity_id`	ID of the audit event's entity
`entity_path`	Full path of the entity affected by the auditable event
`entity_type`	String representation of the type of entity	Acceptable values include `User`, `Group`, and `Key`. This list is not exhaustive
`event_type`	String representation of the type of audit event
`id`	Unique identifier for the audit event	Can be used for deduplication if required
`ip_address`	IP address of the host used to trigger the event
`target_details`	Additional details about the target
`target_id`	ID of the audit event's target
`target_type`	String representation of the target's type

JSON payload schema

{
  "properties": {
    "id": {
      "type": "string"
    },
    "author_id": {
      "type": "integer"
    },
    "author_name": {
      "type": "string"
    },
    "details": {},
    "ip_address": {
      "type": "string"
    },
    "entity_id": {
      "type": "integer"
    },
    "entity_path": {
      "type": "string"
    },
    "entity_type": {
      "type": "string"
    },
    "event_type": {
      "type": "string"
    },
    "target_id": {
      "type": "integer"
    },
    "target_type": {
      "type": "string"
    },
    "target_details": {
      "type": "string"
    },
  },
  "type": "object"
}