Skip to main content
Use W&B audit logs to track user activity within your organization and to conform to your enterprise governance requirements. Audit logs are available in JSON format. Refer to Audit log schema. How to access audit logs depends on your W&B platform deployment type: After fetching audit logs, you can analyze them using tools like Pandas, Amazon Redshift, Google BigQuery, or Microsoft Fabric. Some audit log analysis tools do not support JSON; refer to the documentation for your analysis tool for guidelines and requirements for transforming the JSON-formatted audit logs before analysis. For more details about the format of the logs, see Audit log schema and Actions.

Audit log retention

  • If you require audit logs to be retained for a specific period of time, W&B recommends periodically transferring logs to long-term storage, either using storage buckets or the Audit Logging API.
  • If you are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), audit logs must be retained for a minimum of 6 years in an environment where they cannot be deleted or modified by any internal or exterrnal actor before the end of the mandatory retention period. For HIPAA-compliant Dedicated Cloud instances with BYOB, you must configure guardrails for your managed storage, including any long-term retention storage.

Audit log schema

This table shows all keys which may appear in an audit log entry, ordered alphabetically. Depending on the action and the circumstances, a specific log entry may include only a subset of the possible fields.

Personally identifiable information (PII)

Personally identifiable information (PII), such as email addresses and the names of projects, teams, and reports, is available only using the API endpoint option.

Before you begin

  1. Organization level admins can fetch audit logs. If you receive a 403 error, ensure that you or your service account has adequate permission.
  2. Multi-tenant Cloud: If you are a member of multiple Multi-tenant Cloud organizations, you must configure the Default API organization, which determines where audit logging API calls are routed. Otherwise, you will receive the following error:
    To specify your default API organization:
    1. Click your profile image, then click User Settings.
    2. For Default API organization, select an organization.
    This is not applicable to a service account, which can be a member of only one Multi-tenant Cloud organization.

Fetch audit logs

To fetch audit logs:
  1. Determine the correct API endpoint for your instance:
  1. (Optional) Construct query parameters to append to the endpoint. In the following steps, replace <parameters> with the resulting string.
    • anonymize: if the URL includes the parameter anonymize=true, remove any PII. Otherwise, PII is included. Refer to Exclude PII when fetching audit logs. Not supported for Multi-tenant Cloud, where all fields are included, including PII.
    • Configure the date window of logs to fetch using a combination of numdays and startDate. Each parameter is optional, and they interact.
      • If neither parameter is included, only today’s logs are fetched.
      • numDays: An integer indicating the number of days backward from startDate to fetch logs. If it is omitted or set to 0, logs are fetched for startDate only. Multi-tenant Cloud organizations can fetch up to 7 days of audit logs. In other words, if you set numDays=9, the effective parameter is numDays=7.
      • startDate: Controls the newest logs to fetch, in the format startDate=YYYY-MM-DD. If it is omitted or explicitly set to today’s date, logs are fetched from today to numDays (up to 7 for Multi-tenant Cloud).
  2. Construct the fully qualified endpoint URL in the format <API-endpoint>?<parameters>.
  3. Execute an HTTP GET request on the fully qualified API endpoint using a web browser or a tool like Postman, HTTPie, or cURL.
The API response contains new-line separated JSON objects. Objects will include the fields described in the schema, just like when audit logs are synced to an instance-level bucket. In those cases, the audit logs are located in the /wandb-audit-logs directory in your bucket.

Use basic authentication

To use basic authentication with your API key to access the audit logs API, set the HTTP request’s Authorization header to the string Basic followed by a space, then the base-64 encoded string in the format username:API-KEY. In other words, replace the username and API key with your values separated with a : character, then base-64-encode the result. For example, to authorize as demo:p@55w0rd, the header should be Authorization: Basic ZGVtbzpwQDU1dzByZA==.

Exclude PII when fetching audit logs

For Self-Managed and Dedicated Cloud, a W&B organization or instance admin can exclude PII when fetching audit logs. For Multi-tenant Cloud, the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable. To exclude PII, pass the anonymize=true URL parameter. For example, if your W&B instance URL is https://mycompany.wandb.io and you would like to get audit logs for user activity within the last week and exclude PII, use an API endpoint like:

Actions

This table describes possible actions that can be recorded by W&B, sorted alphabetically. 1: On Multi-tenant Cloud, audit logs are not collected for:
  • Open or Public projects.
  • The report:read action.
  • User actions which are not tied to a specific organization.