Accessing Enterprise audit logs in Airtable

1. Visit your admin panel.

2. Click Reports.

   1. Your organization's audit log is available on the second row of reports.

Note

Generating reports can take up to 10 minutes. Once your report is available, you'll receive an email confirmation. 

1. From your admin panel, click Reports and select the "Audit log" panel.

   1. From here, choose your preferred lookback period or custom date range.

   2. You can filter for specific users or use the “More search options” option for specific event categories.

2. Click Search. 

A new page opens, showing all the events matching your query parameters. You can change your query or create additional filters in the returned events using the dropdowns.

Note

You are limited to 10,000 events via the admin panel interface. If you need to download more, add more filters to your data, or consider using the audit log API.

You can also click on any event's row to open a more detailed view of the event.

Note

Admins can immediately download audit log reports for the current day or generate a new report for a different date, as discussed in the previous section.

1. Once your report is available, click Download report. 

2. Open the CSV in your preferred application.

• ID: A unique identifier for the audit log entry. This helps distinguish each record within the log.

• Timestamp: The exact date and time when the action was logged or performed.

• Action: The type of action that was performed, such as "created", "updated", or "deleted". It describes what occurred during the event. See Audit log event types for more information.

• Payload version: Refers to the version of the data structure or format used in the log entry. This helps track changes or updates to the structure of the logged information over time.

• Model ID: A unique identifier for the object or entity that was affected by the action (such as a record or table in Airtable). See Finding Airtable IDs for more information.

• Model type: The type of object or entity that the action was performed on, such as "record", "table", or "workspace". This describes the Model ID.

• IP address: The IP address from which the action originated, identifying the network location of the user who performed the action.

• User agent: A string that provides information about the browser, operating system, or software used by the user when the action was performed.

• Action ID: A unique identifier for the specific action, useful for tracking and referencing particular events.

• Workspace ID: The unique identifier for the workspace in which the action occurred.

• Base ID: The unique identifier for the base where the action was taken.

• Interface ID: The unique identifier for the interface where the action was taken.

• User ID: The unique identifier for the user who performed the action.

• User email: The email address of the user who performed the action, providing a way to identify them personally.

• User full name: The full name of the user who performed the action.

• Payload: The detailed data associated with the action. This may include changes made, records affected, or additional metadata related to the action.

Event logs are in a CSV format when downloaded from the Admin Panel and returned in JSON format when retrieved via the API.

Yes, filter events by modelID and date in the Admin Panel, or use parameters like originatingUserId and eventType with the API.

To limit a query to a particular time range, you can supply startTime and/or endTime. These should be supplied in ISO 8601 format, e.g. 2023-01-20T15:58:30Z.

The API has standard Web API rate limits with 1000 events per response and pagination for more results.

Events are updated in near real-time, with a delay of a few minutes at most.

Audit log events are stored and searchable for 180 days.