Skip to main content
Version: Beta 🚧

System Audit Logs

Tecton's System Audit Logging allows you to see the configuration changes occurring in your Tecton account. System Audit Logging differs from Feature Request Audit Logs. The former records access-related changes in your Tecton account, while the latter records what requests are being sent to your production feature serving endpoint.

Accessing System Audit Logs

System Audit logs are available in your Cloud Provider's Object Storage that you configured for use with Tecton. For example, AWS customers will find their System Audit Logs in: s3://tecton-{DEPLOYMENT_NAME}/logging/system_audit_logs.

Note that Tecton on Snowflake customers do not have object storage configured, and must contact Support to access System Audit Logs.

Files are partitioned per day, and each filename is named with the ISO 8601 UTC timestamp that started the logging period. Filenames are formatted like YYYY-MM-dd/yyyyMMddTHHmmssZ.jsonl. Logs files are emitted in 15 minute intervals. Log events are available within 30 minutes of the event time.

For example, logs for the period starting at 08:00 UTC (inclusive) and ending at 08:15 UTC (exclusive) on July 1st 2023 can be found at


If no auditable events occur in a 15-minute interval, no file will be written for that interval.

Understanding System Audit Logs

System System Audit Logs are emitted as files of newline-separated json objects, with each object representing one auditable action.

Event Schema

timestampTimestamp of Event
actorActor Object
  • id : Service Account or User ID
  • email : User email, only set for USER Actors
  • user_agentUser Agent Header
    request_idRequest ID
    event_type<EVENT_TYPE>.<VERSION_NUMBER> (see possible EVENT_TYPE values here)
    account_nameTecton Account Name
    requestRequest Object (See event types for fields)
    responseResponse Object (See event types for fields)
    statusRequest Status
    error_messageError message (on failure only)

    Sample Log Event

    "request_id": "eb88d142a4cd2cf5c1cc111e1f7a422f",
    "timestamp": "2023-07-20T21:31:55.826993Z",
    "account_name": "account_name",
    "event_type": "create_service_account.v1",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36",
    "actor": {
    "type": "USER",
    "id": "00u38dayyxAF2xQ6O358",
    "email": ""
    "status": "OK",
    "request": {
    "name": "service_account_name",
    "description": "Service Account for CI/CD"
    "response": {
    "id": "dgeb493c4d684b9xxx31d3b8ac5c0b09",
    "name": "service_account_name",
    "description": "Service Account for CI/CD",
    "is_active": false

    Event Types

    The following are the event types currently captured in the System Audit Log.

    event_typeRequest FieldsResponse Fields
  • workspace_name
  • workspace_capabilities
  • delete_workspace
  • workspace
  • create_service_account
  • name
  • description
  • id
  • name
  • description
  • is_active
  • update_service_account
  • id
  • name
  • description
  • is_active
  • id
  • name
  • description
  • is_active
  • delete_service_account
  • id
  • create_account_user
  • login_email
  • delete_account_user
  • okta_id
  • account_user_action
  • okta_id
  • resend_activation_email
  • unlock_user
  • grant_admin
  • revoke_admin
  • assign_rolesList of Assignment Objects with:
  • resource_type
  • resource_id
  • role
  • principal_type
  • principal_id
  • unassign_rolesList of Assignment Objects with:
  • resource_type
  • resource_id
  • role
  • principal_type
  • principal_id
  • assign_roles_put
  • resource_type
  • resource_id
  • roles
  • principal_type
  • principal_id
  • set_feature_server_config
  • count
  • currentCount
  • availableCount
  • desiredCount
  • Versioning

    If a field is ever removed from an event type, the version number will increase. Fields may be added to an event type object without a change in version number.


    Version stability for System Audit Log event types is not supported at this time - events may be versioned at any time.

    Using Audit Logs

    System Audit Log events can be ingested into a customer's SIEM system (e.g. Microsoft Sentinel, Splunk, Sumo Logic, IBM QRadar, Securonix) for monitoring and alerting.

    Alternatively, you can download System Audit Log files for local processing.

    Downloading Audit Logs

    You can download the audit logs files programmatically with:

    The following is an example for how to download all files from S3 for July 1st 2023 (UTC) into a local directory:

    import boto3
    import os

    # Prefix matching your time range of interest, e.g. events on July 1st 2023
    PREFIX = "logging/system_audit_logs/2023-07-01"
    s3 = boto3.resource("s3") # assumes credentials & configuration are handled outside python (e.g. in the .aws directory)
    local_dir = "<SOME_LOCAL_DIRECTORY>"

    bucket = s3.Bucket(BUCKET_NAME)
    for obj in bucket.objects.filter(Prefix=PREFIX):
    filename = obj.key.split("/")[-1] # filename will be like yyyyMMddTHHmmssZ.jsonl
    bucket.download_file(obj.key, os.join(local_dir, filename))

    Processing System Audit Logs Locally

    Below is one example of how to process System Audit Log files using Python.

    import os
    import pandas as pd
    import json

    local_dir = "<SOME_LOCAL_DIRECTORY>" # directory containing only System Audit Log .jsonl files

    events_as_string = []
    for filename in os.listdir(local_dir):
    with open(os.path.join(local_dir, filename), "r") as f:
    events_as_string.extend([line for line in f.readlines()])

    events_as_json = [json.loads(event) for event in events_as_string]

    # events_as_json is now a list of json objects which can be analyzed however you like. One option is using pandas dataframes:

    df = pd.DataFrame(events_as_json)

    # Find all events where a user was granted administrative access
    f = (df["event_type"] == "account_user_action.v1") & df.apply(lambda x: x["request"].get("grant_admin", False), axis=1)
    grant_admin_events_only = df[f]

    # Find all events where the action was taken by
    g = df.apply(lambda x: x["actor"].get("email", "") == "", axis=1)
    alice_actions_only = df[g]

    Was this page helpful?

    🧠 Hi! Ask me anything about Tecton!

    Floating button icon