Audit Events (STARTER)
GitLab offers a way to view the changes made within the GitLab server for owners and administrators on a paid plan.
GitLab system administrators can also take advantage of the logs located on the filesystem, see the logs system documentation for more details.
Overview
Audit Events is a tool for GitLab owners and administrators to be able to track important events such as who performed certain actions and the time they happened. These actions could be, for example, change a user permission level, who added a new user, or who removed a user.
Use-cases
- Check who was the person who changed the permission level of a particular user for a project in GitLab.
- Use it to track which users have access to a certain group of projects in GitLab, and who gave them that permission level.
List of events
There are two kinds of events logged:
- Events scoped to the group or project, used by group / project managers to look up who made what change.
- Instance events scoped to the whole GitLab instance, used by your Compliance team to perform formal audits.
Group events (STARTER)
NOTE: Note: You need Owner permissions to view the group Audit Events page.
To view a group's audit events, navigate to Group > Settings > Audit Events. From there, you can see the following actions:
- Group name/path changed
- Group repository size limit changed
- Group created/deleted
- Group changed visibility
- User was added to group and with which permissions
- Permissions changes of a user assigned to a group
- Removed user from group
- Project added to group and with which visibility level
- Project removed from group
- Project shared with group and with which permissions
- Removal of a previously shared group with a project
- LFS enabled/disabled
- Shared runners minutes limit changed
- Membership lock enabled/disabled
- Request access enabled/disabled
- 2FA enforcement/grace period changed
- Roles allowed to create project changed
Project events (STARTER)
NOTE: Note: You need Maintainer permissions or higher to view the project Audit Events page.
To view a project's audit events, navigate to Project > Settings > Audit Events. From there, you can see the following actions:
- Added/removed deploy keys
- Project created/deleted/renamed/moved(transferred)/changed path
- Project changed visibility level
- User was added to project and with which permissions
- Permission changes of a user assigned to a project
- User was removed from project
- Project export was downloaded
- Project repository was downloaded
Instance events (PREMIUM ONLY)
Introduced in GitLab Premium 9.3.
Server-wide audit logging introduces the ability to observe user actions across the entire instance of your GitLab server, making it easy to understand who changed what and when for audit purposes.
To view the server-wide admin log, visit Admin Area > Monitoring > Audit Log.
In addition to the group and project events, the following user actions are also recorded:
- Failed Logins
- Sign-in events and the authentication type (standard, LDAP, OmniAuth, etc.)
- Added SSH key
- Added/removed email
- Changed password
- Ask for password reset
- Grant OAuth access
- Started/stopped user impersonation
It is possible to filter particular actions by choosing an audit data type from the filter drop-down. You can further filter by specific group, project or user (for authentication events).
Missing events
Some events are not being tracked in Audit Events. Please see the following epics for more detail on which events are not being tracked and our progress on adding these events into GitLab: