- Add a new streaming destination
- List streaming destinations
- Update streaming destinations
- Delete streaming destinations
- Verify event authenticity
- Event type filters
- Override default content type header
- Payload schema
Audit event streaming
- UI Introduced in GitLab 14.9.
- Subgroup events recording fixed in GitLab 15.2.
- Custom HTTP headers UI introduced in GitLab 15.2 with a flag named
custom_headers_streaming_audit_events_ui. Disabled by default. - Custom HTTP headers UI made generally available in GitLab 15.3. Feature flag
custom_headers_streaming_audit_events_uiremoved. - Improved user experience in GitLab 15.3.
Users can set a streaming destination for a top-level group or instance to receive all audit events about the group, subgroups, and projects as structured JSON.
Top-level group owners and instance administrators can manage their audit logs in third-party systems. Any service that can receive structured JSON data can be used as the streaming destination.
Each streaming destination can have up to 20 custom HTTP headers included with each streamed event.
id key in the payload to deduplicate incoming data.Add a new streaming destination
Add a new streaming destination to top-level groups or an entire instance.
Top-level group streaming destinations
Prerequisites:
- Owner role for a top-level group.
To add streaming destinations to a top-level group:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select Streams tab.
- Select Add streaming destination and select HTTP endpoint to show the section for adding destinations.
- Enter the destination URL to add.
- Optional. Locate the Custom HTTP headers table.
- Ignore the Active checkbox because it isn’t functional. To track progress on adding functionality to the Active checkbox, see issue 367509.
- Select Add header to create a new name and value pair. Enter as many name and value pairs as required. You can add up to 20 headers per streaming destination.
- After all headers have been filled out, select Add to add the new streaming destination.
Instance streaming destinations
-
Introduced in GitLab 16.1 with a flag named
ff_external_audit_events. Disabled by default. -
Feature flag
ff_external_audit_eventsenabled by default in GitLab 16.2.
ff_external_audit_events. On GitLab.com, this feature is available but can be configured by GitLab.com administrators only. The feature is ready for production use.Prerequisites:
- Administrator access on the instance.
To add a streaming destination for an instance:
- On the left sidebar, expand the top-most chevron ().
- Select Admin Area.
- On the left sidebar, select Monitoring > Audit Events.
- On the main area, select Streams tab.
- Select Add streaming destination and select HTTP endpoint to show the section for adding destinations.
- Enter the destination URL to add.
- Optional. To add custom HTTP headers, select Add header to create a new name and value pair, and input their values. Repeat this step for as many name and value pairs are required. You can add up to 20 headers per streaming destination.
- Ignore the Active checkbox because it isn’t functional. To track progress on adding functionality to the Active checkbox, see issue 367509.
- Select Add header to create a new name and value pair. Repeat this step for as many name and value pairs are required. You can add up to 20 headers per streaming destination.
- After all headers have been filled out, select Add to add the new streaming destination.
Google Cloud Logging streaming
Introduced in GitLab 16.2.
Prerequisites:
- Owner role for a top-level group.
To add Google Cloud Logging streaming destinations to a top-level group:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select Streams tab.
- Select Add streaming destination and select Google Cloud Logging to show the section for adding destinations.
- Enter the Google project ID, Google client email, log ID, and Google private key to add.
- Select Add to add the new streaming destination.
List streaming destinations
List new streaming destinations for top-level groups or an entire instance.
For top-level group streaming destinations
Prerequisites:
- Owner role for a group.
To list the streaming destinations for a top-level group:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select Streams tab.
- Select the stream URL to expand it and see all the custom HTTP headers.
For instance streaming destinations
-
Introduced in GitLab 16.1 with a flag named
ff_external_audit_events. Disabled by default. -
Feature flag
ff_external_audit_eventsenabled by default in GitLab 16.2.
ff_external_audit_events. On GitLab.com, this feature is available but can be configured by GitLab.com administrators only. The feature is ready for production use.Prerequisites:
- Administrator access on the instance.
To list the streaming destinations for an instance:
- On the left sidebar, expand the top-most chevron ().
- Select Admin Area.
- On the left sidebar, select Monitoring > Audit Events.
- On the main area, select Streams tab.
Google Cloud Logging streaming
Introduced in GitLab 16.2.
Prerequisites:
- Owner role for a top-level group.
To list Google Cloud Logging streaming destinations for a top-level group:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select Streams tab.
- Select the Google Cloud Logging stream to expand and see all the fields.
Update streaming destinations
Update streaming destinations for a top-level group or an entire instance.
Top-level group streaming destinations
Prerequisites:
- Owner role for a group.
To update a streaming destination’s custom HTTP headers:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select Streams tab.
- Select the stream URL to expand.
- Locate the Custom HTTP headers table.
- Locate the header that you wish to update.
- Ignore the Active checkbox because it isn’t functional. To track progress on adding functionality to the Active checkbox, see issue 367509.
- Select Add header to create a new name and value pair. Enter as many name and value pairs as required. You can add up to 20 headers per streaming destination.
- Select Save to update the streaming destination.
Instance streaming destinations
-
Introduced in GitLab 16.1 with a flag named
ff_external_audit_events. Disabled by default. -
Feature flag
ff_external_audit_eventsenabled by default in GitLab 16.2.
ff_external_audit_events. On GitLab.com, this feature is available but can be configured by GitLab.com administrators only. The feature is ready for production use.Prerequisites:
- Administrator access on the instance.
To update the streaming destinations for an instance:
- On the left sidebar, expand the top-most chevron ().
- Select Secure > Audit events.
- On the main area, select the Streams tab.
- To the right of the item, select Edit ().
- Locate the Custom HTTP headers table.
- Locate the header that you wish to update.
- Ignore the Active checkbox because it isn’t functional. To track progress on adding functionality to the Active checkbox, see issue 367509.
- Select Add header to create a new name and value pair. Enter as many name and value pairs as required. You can add up to 20 headers per streaming destination.
- Select Save to update the streaming destination.
Google Cloud Logging streaming
- Introduced in GitLab 16.2.
- Button to add private key introduced in GitLab 16.3.
Prerequisites:
- Owner role for a top-level group.
To update Google Cloud Logging streaming destinations to a top-level group:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select Streams tab.
- Select the Google Cloud Logging stream to expand.
- Enter the Google project ID, Google client email, and log ID to update.
- Select Add a new private key and enter a Google private key to update the private key.
- Select Save to update the streaming destination.
Delete streaming destinations
Delete streaming destinations for a top-level group or an entire instance. When the last destination is successfully deleted, streaming is disabled for the group or the instance.
Top-level group streaming destinations
Prerequisites:
- Owner role for a group.
To delete a streaming destination:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select the Streams tab.
- Select the stream URL to expand.
- Select Delete destination.
- Confirm by selecting Delete destination in the modal.
To delete only the custom HTTP headers for a streaming destination:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select the Streams tab.
- Select the stream URL to expand.
- Locate the Custom HTTP headers table.
- Locate the header that you wish to remove.
- To the right of the header, select Delete ().
- Select Save to update the streaming destination.
Instance streaming destinations
-
Introduced in GitLab 16.1 with a flag named
ff_external_audit_events. Disabled by default. -
Feature flag
ff_external_audit_eventsenabled by default in GitLab 16.2.
ff_external_audit_events. On GitLab.com, this feature is available but can be configured by GitLab.com administrators only. The feature is ready for production use.Prerequisites:
- Administrator access on the instance.
To delete the streaming destinations for an instance:
- On the left sidebar, expand the top-most chevron ().
- Select Admin Area.
- On the left sidebar, select Monitoring > Audit Events.
- On the main area, select the Streams tab.
- Select the stream URL to expand.
- Select Delete destination.
- Confirm by selecting Delete destination in the modal.
To delete only the custom HTTP headers for a streaming destination:
- On the left sidebar, expand the top-most chevron ().
- Select Admin Area.
- On the left sidebar, select Monitoring > Audit Events.
- On the main area, select the Streams tab.
- To the right of the item, Edit ().
- Locate the Custom HTTP headers table.
- Locate the header that you wish to remove.
- To the right of the header, select Delete ().
- Select Save to update the streaming destination.
Google Cloud Logging streaming
Introduced in GitLab 16.2.
Prerequisites:
- Owner role for a top-level group.
To delete Google Cloud Logging streaming destinations to a top-level group:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select the Streams tab.
- Select the Google Cloud Logging stream to expand.
- Select Delete destination.
- Confirm by selecting Delete destination in the modal.
Verify event authenticity
Introduced in GitLab 14.8.
Each streaming destination has a unique verification token (verificationToken) that can be used to verify the authenticity of the event. This
token is either specified by the Owner or generated automatically when the event destination is created and cannot be changed.
Each streamed event contains the verification token in the X-Gitlab-Event-Streaming-Token HTTP header that can be verified against
the destination’s value when listing streaming destinations.
Top-level group streaming destinations
Introduced in GitLab 15.2.
Prerequisites:
- Owner role for a group.
To list streaming destinations and see the verification tokens:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select the Streams.
- Select the stream URL to expand.
- Locate the Verification token input.
Instance streaming destinations
-
Introduced in GitLab 16.1 with a flag named
ff_external_audit_events. Disabled by default. -
Feature flag
ff_external_audit_eventsenabled by default in GitLab 16.2.
ff_external_audit_events. On GitLab.com, this feature is available but can be configured by GitLab.com administrators only. The feature is ready for production use.Prerequisites:
- Administrator access on the instance.
To list streaming destinations for an instance and see the verification tokens:
- On the left sidebar, expand the top-most chevron ().
- Select Admin Area.
- On the left sidebar, select Monitoring > Audit Events.
- On the main area, select the Streams.
- View the verification token on the right side of each item.
Event type filters
Event type filtering in the UI with a defined list of audit event types introduced in GitLab 16.1.
When this feature is enabled for a group, you can permit users to filter streamed audit events per destination. If the feature is enabled with no filters, the destination receives all audit events.
A streaming destination that has an event type filter set has a filtered () label.
To update a streaming destination’s event filters:
- On the left sidebar, at the top, select Search GitLab () to find your group.
- Select Secure > Audit events.
- On the main area, select the Streams tab.
- Select the stream URL to expand.
- Locate the Filter by audit event type dropdown.
- Select the dropdown list and select or clear the required event types.
- Select Save to update the event filters.
Override default content type header
By default, streaming destinations use a content-type header of application/x-www-form-urlencoded. However, you
might want to set the content-type header to something else. For example ,application/json.
To override the content-type header default value for either a top-level group streaming destination or an instance
streaming destination, use either the GitLab UI or using the
GraphQL API.
Payload schema
Documentation for an audit event streaming schema was introduced in GitLab 15.3.
Streamed audit events have a predictable schema in the body of the response.
| Field | Description | Notes |
|---|---|---|
author_id | User ID of the user who triggered the event | |
author_name | Human-readable name of the author that triggered the event | Helpful when the author no longer exists |
created_at | Timestamp when event was triggered | |
details | JSON object containing additional metadata | Has no defined schema but often contains additional information about an event |
entity_id | ID of the audit event’s entity | |
entity_path | Full path of the entity affected by the auditable event | |
entity_type | String representation of the type of entity | Acceptable values include User, Group, and Key. This list is not exhaustive |
event_type | String representation of the type of audit event | |
id | Unique identifier for the audit event | Can be used for deduplication if required |
ip_address | IP address of the host used to trigger the event | |
target_details | Additional details about the target | |
target_id | ID of the audit event’s target | |
target_type | String representation of the target’s type |
JSON payload schema
{
"properties": {
"id": {
"type": "string"
},
"author_id": {
"type": "integer"
},
"author_name": {
"type": "string"
},
"details": {},
"ip_address": {
"type": "string"
},
"entity_id": {
"type": "integer"
},
"entity_path": {
"type": "string"
},
"entity_type": {
"type": "string"
},
"event_type": {
"type": "string"
},
"target_id": {
"type": "integer"
},
"target_type": {
"type": "string"
},
"target_details": {
"type": "string"
},
},
"type": "object"
}