HCP audit log streaming reference

This page provides reference information for HashiCorp Cloud Platform (HCP) audit log streaming. The HashiCorp Cloud Platform (HCP) produces audit logs when an organization’s users interact with HCP platform services and individual products.

HCP platform events

The HCP platform produces audit logs when the following events occur.

Create, read, update, and delete (CRUD) operations
Identity events
- Sign up for new users
- Sign in for existing users
- MFA authentication success
- Successful login
- Password reset for accounts
- Revoke HCP Portal active sessions by user principal
- Remove user from HCP Organization
- User joins HCP Organization
- Sign in failure to HCP
- Bad password
- Bad MFA
- MFA enabled
- MFA disabled
- HCP Project deletion
Role-based access control (RBAC)
- Add and delete users
- Manage user permissions
- View users and groups
- Manage service principals
- Manage groups
- View current billing status
- Create projects
- View projects
- View project resources
- Request Organization deletion

HCP Boundary events

HCP Boundary generates audit logs when events related to the following Boundary resources occur.

Clusters
Sessions
Scopes
Workers
Credential Stores, Credential Libraries, Credentials
Auth Methods, Roles, Managed Groups, Groups, Users, Accounts, Grants
Host Catalogs, Host Sets, Host, Targets

For more information, refer to Auditing in the Boundary documentation.

HCP Packer events

HCP Packer generates audit logs when the following events occur.

Bucket events:
- Create bucket
- Delete bucket
- Update bucket
- Create bucket labels
- Update bucket labels
Build events
- Created build
- Updated build
Channel events
- Created channel
- Deleted channel
- Updated channel
- Assigned version to channel
Version events
- Created version
- Completed version
- Revoked version
- Restored version
- Deleted version
- Scheduled version revocation
- Cancelled version revocation

For a complete list of HCP Packet audit log events and metadata fields, refer to HCP Packer audit log descriptions and metadata.

HCP Vault Radar events

HCP Vault Radar produces audit logs for the following user actions:

Entity	Actions	Action type
Agent	Create agent Delete agent	`CREATE` `DELETE`
Agent (old station API)	Create agent Delete agent	`CREATE` `DELETE`
Data Source	Create Data Source Update Data Source Update Data Sources Update Data Source feature	`CREATE` `UPDATE` `UPDATE` `UPDATE`
Data Source	Create Data Source with Public API Update Data Source with public API	`CREATE` `UPDATE`
Data Source Group	Create Data Source Group Update Data Source Group	`CREATE` `UPDATE`
Secret Manager Location	Update Secret Manager Locations Delete Secret Manager Location	`UPDATE` `DELETE`
Secret	Secrets Copy Job	`CREATE`
Event	Update Event	`CREATE`
Event	Update Event with Public API	`CREATE`
Global Ignore Rules	Update Global Ignore Rules Delete Global Ignore Rules	`UPDATE` `DELETE`
Global Ignore Rules	Update Global Ignore Rules with Public API Delete Global Ignore Rules with Public API	`UPDATE` `DELETE`
Event Rule	Update Rules Delete Rule	`UPDATE` `DELETE`
Scan / Secret re-index	Schedule Scans	`CREATE`
Integration	Create Connection Update Connection Delete Connection	`CREATE` `UPDATE` `DELETE`
Integration	Create Subscription Update Subscription Delete Subscription	`CREATE` `UPDATE` `DELETE`
Subscription Filter	Create Subscription Filter Delete Subscription Filter	`CREATE` `DELETE`
Custom Expressions	Create Custom Expression Update Custom Expression Delete Custom Expression	`CREATE` `UPDATE` `DELETE`
Custom Expressions	Create Custom Expression with Public API Update Custom Expression with Public API Delete Custom Expression with Public API	`CREATE` `UPDATE` `DELETE`
Filter	Create Filter Update Filter Delete Filter	`CREATE` `UPDATE` `DELETE`
Remediation	Create Remediations Update Remediation	`CREATE` `UPDATE`

HCP Vault Secrets events

HCP Vault Secrets produces audit logs when the following events occur.

Create, update, delete applications
Create, update, read, delete secrets
Create, update, read, delete integrations

HCP Vault Dedicated events

HCP Vault Dedicated produces audit logs when the following events occur.

Create, update, delete clusters
Create, restore snapshots
Add, delete plugins
Lock, unlock cluster
Fetch audit log
Update version
Host manager alive check
Plugin registered check

Payload examples

Refer to the following sections for examples of the audit logs generated by product and platform events.

Platform user authentication payload example

A user signing into HCP generates an audit log that contains the following information.

{
    "request_info": {
        "http_verb": "GET",
        "http_path": "/consent/complete"
    },
    "principal": {
        "user": {
            "email": "jane.doe@company.com",
            "full_name": "jane.doe@company.com"
        }
    },
    "authentication_info": {
        "principal": {
            "id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
            "type": "PRINCIPAL_TYPE_USER",
            "user": {
                "id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
                "email": "jane.doe@company.com",
                "full_name": "jane.doe@company.com",
                "subject": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
            }
        }
    },
    "metadata": {
        "email": "jane.doe@company.com",
        "event_type": "hcp_id_auth_success",
        "ip": "69.323.323.201",
        "message": "Authenticated successfully",
        "timestamp": "2024-01-18 19:50:55 +0000 UTC",
        "user_id": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
    },
    "operation_info": {},
    "description": "Authenticated successfully",
    "action": "CREATE",
    "status_code": "OK"
}

Platform project deletion payload example

Deleting a project from HCP generates an audit log that contains the following information.

{
    "request_info": {
        "http_verb": "DELETE",
        "http_path": "/resource-manager/2019-12-10/projects/c666065a-b21e-489c-8045-a79d3802fb64",
        "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
        "http_client_ip": "69.323.323.201"
    },
    "principal": {
        "user": {
            "email": "jane.doe@company.com",
            "full_name": "jane.doe@company.com"
        }
    },
    "authentication_info": {
        "principal": {
            "id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
            "type": "PRINCIPAL_TYPE_USER",
            "user": {
                "id": "e6132914-c9bf-4bea-854a-7520bb57bf7b",
                "email": "jane.doe@company.com",
                "full_name": "jane.doe@company.com",
                "identity_type": "EMAIL_PASSWORD",
                "subject": "e6132914-c9bf-4bea-854a-7520bb57bf7b"
            },
            "group_ids": [
                "iam.group:w7NkwCwBmdWH88f8mQqR"
            ]
        }
    },
    "authorization_info": [
        {
            "permissions": [
                "resource-manager.projects.update"
            ],
            "organization_id": "067acbc1-ed49-4dc2-9fcb-6b4aff713469",
            "project_id": "c666065a-b21e-489c-8045-a79d3802fb64"
        }
    ],
    "operation_info": {
        "operation_id": "937d1354-6fc2-4cbf-8f94-03a1b82bcd8d"
    },
    "description": "Deleted project",
    "action": "DELETE",
    "status_code": "OK"
}

HCP Boundary event payload example

{
    "cluster_id": "boundary-cluster-test",
    "data": {
        "auth": {
            "auth_token_id": "",
            "email": "[REDACTED]",
            "grants_info": {},
            "name": "[REDACTED]",
            "user_info": {
                "id": "u_recovery"
            }
        },
        "id": "e_LM2Og3ZWhe",
        "request": {
            "details": {
                "recursive": true,
                "scope_id": "global"
            }
        },
        "request_info": {
            "client_ip": "10.10.0.222",
            "id": "gtraceid_6daQ2ZnwHEZwYNtAqmfW",
            "method": "GET",
            "path": "/v1/sessions?recursive=true&scope_id=global"
        },
        "response": {
            "details": {},
            "status_code": 200
        },
        "timestamp": "2024-01-18T19:48:28.819219731Z",
        "type": "APIRequest",
        "version": "v0.1"
    },
    "datacontentype": "application/cloudevents",
    "hcp_product": "boundary",
    "id": "7YdpvNxqFn",
    "organization_id": "067acbc1-ed49-4dc2-9fcb-6b4aff713469",
    "project_id": "98a0dcc3-5473-4e4d-a28e-6c343c498530",
    "serialized": "eyJpZCI6IjdZZHB2TnhxRm4iLCJzb3VyY2UiOiJodHRwczovL2hhc2hpY29ycC5jb20vYm91bmRhcnkvMGM3Nzg2MzEzYjE5L2NvbnRyb2xsZXIiLCJzcGVjdmVyc2lvbiI6IjEuMCIsInR5cGUiOiJhdWRpdCIsImRhdGEiOnsiaWQiOiJlX0xNMk9nM1pXaGUiLCJ2ZXJzaW9uIjoidjAuMSIsInR5cGUiOiJBUElSZXF1ZXN0IiwidGltZXN0YW1wIjoiMjAyNC0wMS0xOFQxOTo0ODoyOC44MTkyMTk3MzFaIiwicmVxdWVzdF9pbmZvIjp7ImlkIjoiZ3RyYWNlaWRfNmRhUTJabndIRVp3WU50QXFtZlciLCJtZXRob2QiOiJHRVQiLCJwYXRoIjoiL3YxL3Nlc3Npb25zP3JlY3Vyc2l2ZT10cnVlXHUwMDI2c2NvcGVfaWQ9Z2xvYmFsIiwiY2xpZW50X2lwIjoiMTAuMTAuMC4yMjIifSwiYXV0aCI6eyJhdXRoX3Rva2VuX2lkIjoiIiwidXNlcl9pbmZvIjp7ImlkIjoidV9yZWNvdmVyeSJ9LCJncmFudHNfaW5mbyI6e30sImVtYWlsIjoiW1JFREFDVEVEXSIsIm5hbWUiOiJbUkVEQUNURURdIn0sInJlcXVlc3QiOnsiZGV0YWlscyI6eyJzY29wZV9pZCI6Imdsb2JhbCIsInJlY3Vyc2l2ZSI6dHJ1ZX19LCJyZXNwb25zZSI6eyJzdGF0dXNfY29kZSI6MjAwLCJkZXRhaWxzIjp7fX19LCJkYXRhY29udGVudHlwZSI6ImFwcGxpY2F0aW9uL2Nsb3VkZXZlbnRzIiwidGltZSI6IjIwMjQtMDEtMThUMTk6NDg6MjguODE5MjM1NDY0WiJ9Cg",
    "serialized_hmac": "hmac-sha256:u2pUHrsbNO2X6cs6PRwhdzgyyF0xUW8FIv8PbNG1E-c",
    "source": "https://hashicorp.com/boundary/0c7786313b19/controller",
    "specversion": "1.0",
    "time": "2024-01-18T19:48:28.819235464Z",
    "type": "audit"
}

HCP Vault Radar event payload example

Creating a subscription filter for HCP Vault Radar generates an audit log that contains the following information.

{
    "id": "42b9b6f3-e87e-4855-88f9-e0ddc2a12db7",
    "timestamp": "2025-05-02T20:21:02.423Z",
    "stream": {
        "organization_id": "022910a1-e843-40d0-b754-b471480cdd5a",
        "project_id": "b38f0dbb-f921-4913-abcf-bc68f67e72d3",
        "topic": "hashicorp.platform.audit"
    },
    "control_plane_event": {
        "request_info": {
            "http_verb": "POST",
            "http_path": "/2023-05-01/vault-radar/projects/b38f0dbb-f921-4913-abcf-bc68f67e72d3/api/integrations/subscriptions/8e6f2daa-505c-47b9-8c18-cbcbfba80d35/filters/294a02bd-6ba5-45e6-aa0a-4a369f5eef57",
            "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
            "http_client_ip": "70.187.230.239"
        },
        "authentication_info": {
            "principal": {
                "id": "[REDACTED]",
                "type": "PRINCIPAL_TYPE_USER",
                "user": {
                    "id": "[REDACTED]",
                    "email": "john.doe@hashicorp.com",
                    "full_name": "john.doe@hashicorp.com",
                    "identity_type": "EMAIL_PASSWORD",
                    "identity_types": [],
                    "subject": "[REDACTED]",
                    "scim_synchronized": false
                },
                "group_ids": []
            },
            "service_principal_delegation_chain": []
        },
        "authorization_info": [
            {
                "permissions": [
                    "vault-radar.integrations.create"
                ],
                "organization_id": "022910a1-e843-40d0-b754-b471480cdd5a",
                "project_id": "b38f0dbb-f921-4913-abcf-bc68f67e72d3",
                "resource_id": "b38f0dbb-f921-4913-abcf-bc68f67e72d3"
            }
        ],
        "metadata": {
            "action_success": true,
            "correlation_id": "d55d4c67-4fcd-4ce9-b7ea-1f5e286df2d2",
            "service_name": "Vault Radar"
        },
        "operation_info": {
            "operation_id": ""
        },
        "description": "Radar - Create Subscription Filter",
        "action": "CREATE",
        "status_code": "OK"
    }
}