HashiCorp Cloud Platform
HCP audit log streaming reference
Public beta available
HCP audit log streaming is currently in beta. This documentation supports testing and development scenarios. Do not use this feature in secure production environments.
This page provides reference information for HashiCorp Cloud Platform (HCP) audit log streaming. The HashiCorp Cloud Platform (HCP) produces audit logs when an organization’s users interact with HCP platform services and individual products.
HCP platform events
The HCP platform produces audit logs when the following events occur.
- Create, read, update, and delete (CRUD) operations
- Identity events
- Sign up for new users
- Sign in for existing users
- MFA authentication success
- Successful login
- Password reset for accounts
- Revoke HCP Portal active sessions by user principal
- Remove user from HCP Organization
- User joins HCP Organization
- Sign in failure to HCP
- Bad password
- Bad MFA
- MFA enabled
- MFA disabled
- HCP Project deletion
- Role-based access control (RBAC)
- Add and delete users
- Manage user permissions
- View users and groups
- Manage service principals
- Manage groups
- View current billing status
- Create projects
- View projects
- View project resources
- Request Organization deletion
HCP Boundary events
HCP Boundary generates audit logs when events related to the following Boundary resources occur.
- Clusters
- Sessions
- Scopes
- Workers
- Credential Stores, Credential Libraries, Credentials
- Auth Methods, Roles, Managed Groups, Groups, Users, Accounts, Grants
- Host Catalogs, Host Sets, Host, Targets
For more information, refer to Auditing in the Boundary documentation.
HCP Packer events
HCP Packer generates audit logs when the following events occur.
- Bucket events:
- Create bucket
- Delete bucket
- Update bucket
- Create bucket labels
- Update bucket labels
- Build events
- Created build
- Updated build
- Channel events
- Created channel
- Deleted channel
- Updated channel
- Assigned version to channel
- Version events
- Created version
- Completed version
- Revoked version
- Restored version
- Deleted version
- Scheduled version revocation
- Cancelled version revocation
For a complete list of HCP Packet audit log events and metadata fields, refer to HCP Packer audit log descriptions and metadata.
HCP Vault Secrets events
HCP Vault Secrets produces audit logs when the following events occur.
- Create, update, delete applications
- Create, update, read, delete secrets
- Create, update, read, delete integrations
Payload examples
Refer to the following sections for examples of the audit logs generated by product and platform events.
- Platform user authentication payload example
- Platform project deletion payload example
- HCP Boundary event payload example
Platform user authentication payload example
A user signing into HCP generates an audit log that contains the following information.
{
"request_info": {
"http_verb": "GET",
"http_path": "/consent/complete"
},
"principal": {
"user": {
"email": "jane.doe@company.com",
"full_name": "jane.doe@company.com"
}
},
"authentication_info": {
"principal": {
"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
"type": "PRINCIPAL_TYPE_USER",
"user": {
"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
"email": "jane.doe@company.com",
"full_name": "jane.doe@company.com",
"subject": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
}
}
},
"metadata": {
"email": "jane.doe@company.com",
"event_type": "hcp_id_auth_success",
"ip": "69.323.323.201",
"message": "Authenticated successfully",
"timestamp": "2024-01-18 19:50:55 +0000 UTC",
"user_id": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
},
"operation_info": {},
"description": "Authenticated successfully",
"action": "CREATE",
"status_code": "OK"
}
Platform project deletion payload example
Deleting a project from HCP generates an audit log that contains the following information.
{
"request_info": {
"http_verb": "DELETE",
"http_path": "/resource-manager/2019-12-10/projects/c666065a-b21e-489c-8045-a79d3802fb64",
"http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"http_client_ip": "69.323.323.201"
},
"principal": {
"user": {
"email": "jane.doe@company.com",
"full_name": "jane.doe@company.com"
}
},
"authentication_info": {
"principal": {
"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
"type": "PRINCIPAL_TYPE_USER",
"user": {
"id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
"email": "jane.doe@company.com",
"full_name": "jane.doe@company.com",
"identity_type": "EMAIL_PASSWORD",
"subject": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
},
"group_ids": [
"iam.group:w7NkwCwBmdWH88f8mQqR"
]
}
},
"authorization_info": [
{
"permissions": [
"resource-manager.projects.update"
],
"organization_id": "067acbc1-ed49-4dc2-9fcb-6b4aff713469",
"project_id": "c666065a-b21e-489c-8045-a79d3802fb64"
}
],
"operation_info": {
"operation_id": "937d1354-6fc2-4cbf-8f94-03a1b82bcd8d"
},
"description": "Deleted project",
"action": "DELETE",
"status_code": "OK"
}
HCP Boundary event payload example
Sign in attempts to the Boundary Admin UI through HCP generate an audit log that contains the following information.
{
"cluster_id": "boundary-cluster-test",
"data": {
"auth": {
"auth_token_id": "",
"email": "[REDACTED]",
"grants_info": {},
"name": "[REDACTED]",
"user_info": {
"id": "u_recovery"
}
},
"id": "e_LM2Og3ZWhe",
"request": {
"details": {
"recursive": true,
"scope_id": "global"
}
},
"request_info": {
"client_ip": "10.10.0.222",
"id": "gtraceid_6daQ2ZnwHEZwYNtAqmfW",
"method": "GET",
"path": "/v1/sessions?recursive=true&scope_id=global"
},
"response": {
"details": {},
"status_code": 200
},
"timestamp": "2024-01-18T19:48:28.819219731Z",
"type": "APIRequest",
"version": "v0.1"
},
"datacontentype": "application/cloudevents",
"hcp_product": "boundary",
"id": "7YdpvNxqFn",
"organization_id": "067acbc1-ed49-4dc2-9fcb-6b4aff713469",
"project_id": "98a0dcc3-5473-4e4d-a28e-6c343c498530",
"serialized": "eyJpZCI6IjdZZHB2TnhxRm4iLCJzb3VyY2UiOiJodHRwczovL2hhc2hpY29ycC5jb20vYm91bmRhcnkvMGM3Nzg2MzEzYjE5L2NvbnRyb2xsZXIiLCJzcGVjdmVyc2lvbiI6IjEuMCIsInR5cGUiOiJhdWRpdCIsImRhdGEiOnsiaWQiOiJlX0xNMk9nM1pXaGUiLCJ2ZXJzaW9uIjoidjAuMSIsInR5cGUiOiJBUElSZXF1ZXN0IiwidGltZXN0YW1wIjoiMjAyNC0wMS0xOFQxOTo0ODoyOC44MTkyMTk3MzFaIiwicmVxdWVzdF9pbmZvIjp7ImlkIjoiZ3RyYWNlaWRfNmRhUTJabndIRVp3WU50QXFtZlciLCJtZXRob2QiOiJHRVQiLCJwYXRoIjoiL3YxL3Nlc3Npb25zP3JlY3Vyc2l2ZT10cnVlXHUwMDI2c2NvcGVfaWQ9Z2xvYmFsIiwiY2xpZW50X2lwIjoiMTAuMTAuMC4yMjIifSwiYXV0aCI6eyJhdXRoX3Rva2VuX2lkIjoiIiwidXNlcl9pbmZvIjp7ImlkIjoidV9yZWNvdmVyeSJ9LCJncmFudHNfaW5mbyI6e30sImVtYWlsIjoiW1JFREFDVEVEXSIsIm5hbWUiOiJbUkVEQUNURURdIn0sInJlcXVlc3QiOnsiZGV0YWlscyI6eyJzY29wZV9pZCI6Imdsb2JhbCIsInJlY3Vyc2l2ZSI6dHJ1ZX19LCJyZXNwb25zZSI6eyJzdGF0dXNfY29kZSI6MjAwLCJkZXRhaWxzIjp7fX19LCJkYXRhY29udGVudHlwZSI6ImFwcGxpY2F0aW9uL2Nsb3VkZXZlbnRzIiwidGltZSI6IjIwMjQtMDEtMThUMTk6NDg6MjguODE5MjM1NDY0WiJ9Cg",
"serialized_hmac": "hmac-sha256:u2pUHrsbNO2X6cs6PRwhdzgyyF0xUW8FIv8PbNG1E-c",
"source": "https://hashicorp.com/boundary/0c7786313b19/controller",
"specversion": "1.0",
"time": "2024-01-18T19:48:28.819235464Z",
"type": "audit"
}