From 137205575d8689cc3cc561d7ceea253b038818de Mon Sep 17 00:00:00 2001 From: Katie Horne Date: Mon, 1 Nov 2021 10:09:33 -0500 Subject: [PATCH 1/2] add audit log action definitions --- admin/audit.md | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/admin/audit.md b/admin/audit.md index 3486f85b1..481a28aed 100644 --- a/admin/audit.md +++ b/admin/audit.md @@ -1,7 +1,6 @@ --- title: "Audit" -description: - Learn how Coder audits user and admin actions for greater traceability. +description: Learn how Coder audits user and admin actions. --- Coder maintains records of all user actions on system resources for auditing @@ -24,3 +23,33 @@ You can filter the logs displayed using the search filters available at the top: - **Resource Target**: The friendly name for the resource (e.g., the user with the email address **dev@coder.com**) - **User**: The user who performs the action + +## Actions + +The audit logs capture information about the following actions (those who +[export Coder logs](../guides/admin/logging.md) will see this information under +`message.fields.audit_log.action`): + +When reviewing Coder's audit logs, specifically, you will see the following +actions included: + +- `auto_off`: Coder automatically turned on a workspace was at the preset time +- `auto_start`: Coder automatically turned off a workspace due to inactivity +- `connect`: a user connected to an existing workspace +- `cordon`: a workspace provider became unavailable for new workspace creation + requests. +- `create`: the user created a Coder entity (e.g., dev URL, image/image tag, + workspace, etc.) +- `delete`: a user deleted a Coder entity (e.g., workspace or image) +- `enqueue`: a user added a new job to the queue (e.g., workspace build, user + deletion, workspace deletion) +- `login`: a user logs in via basic authentication or OIDC, with Coder + exchanging a token as a result +- `open`: a user opened a workspace using an IDE through the browser +- `ssh`: a user opened a web terminal or used SSH via `envproxy` +- `stop`: a user manually stopped a workspace +- `uncordon`: a workspace provider became available for new workspace creation + requests. +- `view`: the Coder CLI used a secret +- `write`: the user made a change to a Coder entity (e.g., workspace, user, + resource pool, etc.) From 3b94ee742f29fd6556d17f6a6369956b88d67cd7 Mon Sep 17 00:00:00 2001 From: Katie Horne Date: Mon, 1 Nov 2021 13:29:06 -0500 Subject: [PATCH 2/2] apply changes based on reviews --- admin/audit.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/admin/audit.md b/admin/audit.md index 481a28aed..69fac1f3d 100644 --- a/admin/audit.md +++ b/admin/audit.md @@ -33,8 +33,9 @@ The audit logs capture information about the following actions (those who When reviewing Coder's audit logs, specifically, you will see the following actions included: -- `auto_off`: Coder automatically turned on a workspace was at the preset time -- `auto_start`: Coder automatically turned off a workspace due to inactivity +- `auto_off`: Coder automatically turned off a workspace due to inactivity +- `auto_start`: Coder automatically turned on a workspace at the time preset by + its owner - `connect`: a user connected to an existing workspace - `cordon`: a workspace provider became unavailable for new workspace creation requests. @@ -46,7 +47,7 @@ actions included: - `login`: a user logs in via basic authentication or OIDC, with Coder exchanging a token as a result - `open`: a user opened a workspace using an IDE through the browser -- `ssh`: a user opened a web terminal or used SSH via `envproxy` +- `ssh`: a user opened a web terminal or used SSH to access Coder - `stop`: a user manually stopped a workspace - `uncordon`: a workspace provider became available for new workspace creation requests.