Platform
W&B Models
W&B Weave
W&B Inference
W&B Training
Release Notes| W&B Platform Deployment type | Audit logs access mechanism |
|---|---|
| Dedicated Cloud |
|
| Multi-tenant Cloud | Available for Enterprise plans only. Available only by using the API. |
| Self-Managed | Synced to instance-level bucket every 10 minutes. Also available using the API. |
Audit log retention
- If you require audit logs to be retained for a specific period of time, W&B recommends periodically transferring logs to long-term storage, either using storage buckets or the Audit Logging API.
- If you are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), audit logs must be retained for a minimum of 6 years in an environment where they cannot be deleted or modified by any internal or exterrnal actor before the end of the mandatory retention period. For HIPAA-compliant Dedicated Cloud instances with BYOB, you must configure guardrails for your managed storage, including any long-term retention storage.
Audit log schema
This table shows all keys which may appear in an audit log entry, ordered alphabetically. Depending on the action and the circumstances, a specific log entry may include only a subset of the possible fields.| Key | Definition |
|---|---|
action | The action of the event. |
actor_email | The email address of the user that initiated the action, if applicable. |
actor_ip | The IP address of the user that initiated the action. |
actor_user_id | The ID of the logged-in user who performed the action, if applicable. |
artifact_asset | The artifact ID associated with the action, if applicable. |
artifact_digest | The artifact digest associated with the action, if applicable. |
artifact_qualified_name | The full name of the artifact associated with the action, if applicable. |
artifact_sequence_asset | The artifact sequence ID associated with the action, if applicable. |
cli_version | The version of the Python SDK that initiated the action, if applicable. |
entity_asset | The entity or team ID associated with the action, if applicable. |
entity_name | The entity or team name associated with the action, if applicable. |
project_asset | The project associated with the action, if applicable. |
project_name | The name of the project associated with the action, if applicable. |
report_asset | The report ID associated with the action, if applicable. |
report_name | The name of the report associated with the action, if applicable. |
response_code | The HTTP response code for the action, if applicable. |
timestamp | The time of the event in RFC3339 format. For example, 2023-01-23T12:34:56Z represents January 23, 2023 at 12:34:56 UTC. |
user_asset | The user asset the action impacts (rather than the user performing the action), if applicable. |
user_email | The email address of the user the action impacts (rather than the email address of the user performing the action), if applicable. |
Personally identifiable information (PII)
Personally identifiable information (PII), such as email addresses and the names of projects, teams, and reports, is available only using the API endpoint option.- For Self-Managed and Dedicated Cloud, an organization admin can exclude PII when fetching audit logs.
- For Multi-tenant Cloud, the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable.
Before you begin
-
Organization level admins can fetch audit logs. If you receive a
403error, ensure that you or your service account has adequate permission. -
Multi-tenant Cloud: If you are a member of multiple Multi-tenant Cloud organizations, you must configure the Default API organization, which determines where audit logging API calls are routed. Otherwise, you will receive the following error:
To specify your default API organization:
- Click your profile image, then click User Settings.
- For Default API organization, select an organization.
Fetch audit logs
To fetch audit logs:- Determine the correct API endpoint for your instance:
-
Self-Managed:
<wandb-platform-url>/admin/audit_logs -
Dedicated Cloud:
<instance-name>.wandb.io/admin/audit_logs -
Multi-tenant Cloud (Enterprise required):
https://api.wandb.ai/audit_logsIn the following steps, replace<API-endpoint>with your API endpoint.
- (Optional) Construct query parameters to append to the endpoint. In the following steps, replace
<parameters>with the resulting string.anonymize: if the URL includes the parameteranonymize=true, remove any PII. Otherwise, PII is included. Refer to Exclude PII when fetching audit logs. Not supported for Multi-tenant Cloud, where all fields are included, including PII.- Configure the date window of logs to fetch using a combination of
numdaysandstartDate. Each parameter is optional, and they interact.- If neither parameter is included, only today’s logs are fetched.
numDays: An integer indicating the number of days backward fromstartDateto fetch logs. If it is omitted or set to0, logs are fetched forstartDateonly. Multi-tenant Cloud organizations can fetch up to 7 days of audit logs. In other words, if you setnumDays=9, the effective parameter isnumDays=7.startDate: Controls the newest logs to fetch, in the formatstartDate=YYYY-MM-DD. If it is omitted or explicitly set to today’s date, logs are fetched from today tonumDays(up to7for Multi-tenant Cloud).
- Construct the fully qualified endpoint URL in the format
<API-endpoint>?<parameters>. - Execute an HTTP
GETrequest on the fully qualified API endpoint using a web browser or a tool like Postman, HTTPie, or cURL.
/wandb-audit-logs directory in your bucket.
Use basic authentication
To use basic authentication with your API key to access the audit logs API, set the HTTP request’sAuthorization header to the string Basic followed by a space, then the base-64 encoded string in the format username:API-KEY. In other words, replace the username and API key with your values separated with a : character, then base-64-encode the result. For example, to authorize as demo:p@55w0rd, the header should be Authorization: Basic ZGVtbzpwQDU1dzByZA==.
Exclude PII when fetching audit logs
For Self-Managed and Dedicated Cloud, a W&B organization or instance admin can exclude PII when fetching audit logs. For Multi-tenant Cloud, the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable. To exclude PII, pass theanonymize=true URL parameter. For example, if your W&B instance URL is https://mycompany.wandb.io and you would like to get audit logs for user activity within the last week and exclude PII, use an API endpoint like:
Actions
This table describes possible actions that can be recorded by W&B, sorted alphabetically.| Action | Definition |
|---|---|
artifact:create | Artifact is created. |
artifact:delete | Artifact is deleted. |
artifact:read | Artifact is read. |
project:delete | Project is deleted. |
project:read | Project is read. |
report:read | Report is read. 1 |
run:delete_many | Batch of runs is deleted. |
run:delete | Run is deleted. |
run:stop | Run is stopped. |
run:undelete_many | Batch of runs is restored from trash. |
run:update_many | Batch of runs is updated. |
run:update | Run is updated. |
sweep:create_agent | Sweep agent is created. |
team:create_service_account | Service account is created for the team. |
team:create | Team is created. |
team:delete | Team is deleted. |
team:invite_user | User is invited to team. |
team:uninvite | User or service account is uninvited from team. |
user:create_api_key | API key for the user is created. 1 |
user:create | User is created. 1 |
user:deactivate | User is deactivated. 1 |
user:delete_api_key | API key for the user is deleted. 1 |
user:initiate_login | User initiates log in. 1 |
user:login | User logs in. 1 |
user:logout | User logs out. 1 |
user:permanently_delete | User is permanently deleted. 1 |
user:reactivate | User is reactivated. 1 |
user:read | User profile is read. 1 |
user:update | User is updated. 1 |
- Open or Public projects.
- The
report:readaction. Useractions which are not tied to a specific organization.