Audit events now available in Cloud.gov logging system

May 8, 2025

Audit events are recorded by the Cloud.gov platform to track activity against any resource (e.g. users, services, apps, organizations, and more).

While audit events can be queried from the platform via an API, they are only retained by the platform for 31 days by default.

To simplify customer access to audit events and to satisfy M-21-31 guidelines for the retention of these logs, audit events are now available in the Cloud.gov logging system.

Using the Audit - Overview dashboard

A quick way to view audit events is to:

  1. Log in to the logging system
  2. Click on “Discover” in the left sidebar menu
  3. Enter “Audit” in the search bar, as shown below, then follow the link for “Audit - Overview”
Screenshot of searching OpenSearch Dashboards for ones with 'Audit' in the name

The example “Audit - Overview” dashboard below shows sample audit events for restarting an app, and then SSH’ing to it. When using this dashboard, bear in mind that events may be delayed by 15 minutes.

Screenshot of searching OpenSearch Dashboards showing histogram of events, and sample events

How to search audit events in the logging system

Audit events are all ingested into the logging system with a value of @type: audit_event, which provides an easy way to filter for them.

To find your audit events in the logging system:

  1. Log in to the logging system

  2. Click on “Discover” in the left sidebar menu

  3. Add a filter for @type: audit_event to your log search

    Screenshot of OpenSearch Dashboards interface showing the addition of a filter for the @type field with a value of audit_event
  4. Adjust the view of the results as desired

    Screenshot of OpenSearch Dashboards interface showing the results of a search for audit events
  5. Apply additional filters on the audit event fields as desired. For example, to filter for app restart events, add a filter of type: audit.app.restart:

    Screenshot of OpenSearch Dashboards interface showing a filtered search for app restart audit events

Audit event fields

The fields available on audit event records are:

  • guid - GUID for the audit event
  • type - the type of audit event recorded
  • actor.guid - GUID of the actor for the event
  • actor.type - Type of the actor for the event (e.g. user, process)
  • actor.name - Name of the actor for the event
  • target.guid - GUID of the target for the event
  • target.type - Type of the target for the event (e.g. app, service)
  • target.name - Name of the target for the event
  • data.* - Additional information about the event. The fields are different for each type of event.
  • created_at - Time when the audit event was created
  • updated_at - Time when the audit event was last updated

How audit events are ingested into the logging system

An automated job runs every 15 minutes to pull the audit events from the platform and ingest them into the logging system. Thus, there could be up to a 15-minute delay before any audit event logs appear in the logging system.
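The following is an added example, not Cloud.gov's own code. It reviews exported audit records with the same two filters used in Discover and keeps events newer than the 15-minute ingestion window separate, since that period may still be incomplete. The export shape (flat dotted keys, ISO 8601 timestamps), the sample records and the function names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

INGEST_DELAY = timedelta(minutes=15)  # from the page: ingestion job interval

# Constructed sample records, not real data. Assumption: exported documents use
# the flat dotted field names listed above and ISO 8601 UTC timestamps.
SAMPLE = [
    {"@type": "audit_event", "guid": "e-1", "type": "audit.app.restart",
     "actor.type": "user", "actor.name": "alice@example.gov",
     "target.type": "app", "target.name": "portal",
     "created_at": "2025-05-08T14:00:00Z"},
    {"@type": "audit_event", "guid": "e-2", "type": "audit.app.restart",
     "actor.type": "user", "actor.name": "alice@example.gov",
     "target.type": "app", "target.name": "portal",
     "created_at": "2025-05-08T14:20:00Z"},
    {"@type": "audit_event", "guid": "e-3", "type": "audit.app.restart",
     "actor.type": "user", "actor.name": "bob@example.gov",
     "target.type": "app", "target.name": "api",
     "created_at": "2025-05-08T14:50:00Z"},
    {"@type": "audit_event", "guid": "e-4", "type": "audit.app.update",
     "actor.type": "user", "actor.name": "alice@example.gov",
     "target.type": "app", "target.name": "portal",
     "created_at": "2025-05-08T14:10:00Z"},
    {"@type": "constructed_other_log", "message": "GET /health 200"},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def restart_summary(records, now, event_type="audit.app.restart"):
    """Return (counts, pending_guids, watermark) for one audit event type.

    counts covers events created at or before the watermark (now minus the
    ingestion delay); newer events are listed in pending_guids because more
    events from that period may not have been ingested yet.
    """
    watermark = now - INGEST_DELAY
    counts, pending = Counter(), []
    for rec in records:
        # Same two filters as in Discover: @type, then the event type.
        if rec.get("@type") != "audit_event" or rec.get("type") != event_type:
            continue
        if parse_ts(rec["created_at"]) > watermark:
            pending.append(rec["guid"])
        else:
            counts[(rec["actor.name"], rec["target.name"])] += 1
    return counts, pending, watermark
```

A periodic review job would re-check the `pending_guids` period on its next run, once the watermark has moved past it.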

Retention

Audit events are retained in the logging system for 12 months and in offline storage for an additional 18 months.

Relevant NIST controls

Audit events stored in the logging system satisfy NIST controls in the AU control family, specifically:

  • AU-02
  • AU-11