Skip to content
Cloudflare API
Start here
API Reference
User
Audit Logs

Get user audit logs

client.user.auditLogs.list(AuditLogListParams { id, action, actor, 8 more } query?, RequestOptionsoptions?): V4PagePaginationArray<AuditLog { id, action, actor, 7 more } >
GET/user/audit_logs

Gets a list of audit logs for a user account. Can be filtered by who made the change, on which zone, and the timeframe of the change.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Account Settings WriteAccount Settings Read
ParametersExpand Collapse
query: AuditLogListParams { id, action, actor, 8 more }
id?: string

Finds a specific log by its ID.

action?: Action
type?: string

Filters by the action type.

actor?: Actor
email?: string

Filters by the email address of the actor that made the change.

formatemail
ip?: string

Filters by the IP address of the request that made the change by specific IP address or valid CIDR Range.

before?: (string & {}) | (string & {})

Limits the returned results to logs older than the specified date. A full-date that conforms to RFC3339.

One of the following:
(string & {})
(string & {})
direction?: "desc" | "asc"

Changes the direction of the chronological sorting.

One of the following:
"desc"
"asc"
_export?: boolean

Indicates that this request is an export of logs in CSV format.

hide_user_logs?: boolean

Indicates whether or not to hide user level audit logs.

page?: number

Defines which page of results to return.

minimum1
per_page?: number

Sets the number of results to return per page.

maximum1000
minimum1
since?: (string & {}) | (string & {})

Limits the returned results to logs newer than the specified date. A full-date that conforms to RFC3339.

One of the following:
(string & {})
(string & {})
zone?: Zone
name?: string

Filters by the name of the zone associated to the change.

ReturnsExpand Collapse
AuditLog { id, action, actor, 7 more }
id?: string

A string that uniquely identifies the audit log.

action?: Action { result, type }
result?: boolean

A boolean that indicates if the action attempted was successful.

type?: string

A short string that describes the action that was performed.

actor?: Actor { id, email, ip, type }
id?: string

The ID of the actor that performed the action. If a user performed the action, this will be their User ID.

email?: string

The email of the user that performed the action.

formatemail
ip?: string

The IP address of the request that performed the action.

type?: "user" | "admin" | "Cloudflare"

The type of actor, whether a User, Cloudflare Admin, or an Automated System.

One of the following:
"user"
"admin"
"Cloudflare"
interface?: string

The source of the event.

metadata?: unknown

An object which can lend more context to the action being logged. This is a flexible value and varies between different actions.

newValue?: string

The new value of the resource that was modified.

oldValue?: string

The value of the resource before it was modified.

owner?: Owner { id }
id?: string

Identifier

maxLength32
resource?: Resource { id, type }
id?: string

An identifier for the resource that was affected by the action.

type?: string

A short string that describes the resource that was affected by the action.

when?: string

A UTC RFC3339 timestamp that specifies when the action being logged occured.

formatdate-time

Get user audit logs

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const auditLog of client.user.auditLogs.list()) {
  console.log(auditLog.id);
}
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "d5b0f326-1232-4452-8858-1089bd7168ef",
      "action": {
        "result": true,
        "type": "change_setting"
      },
      "actor": {
        "id": "f6b5de0326bb5182b8a4840ee01ec774",
        "email": "michelle@example.com",
        "ip": "198.41.129.166",
        "type": "user"
      },
      "interface": "API",
      "metadata": {
        "name": "security_level",
        "type": "firewall",
        "value": "high",
        "zone_name": "example.com"
      },
      "newValue": "low",
      "oldValue": "high",
      "owner": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353"
      },
      "resource": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353",
        "type": "zone"
      },
      "when": "2017-04-26T17:31:07Z"
    }
  ],
  "success": true
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "d5b0f326-1232-4452-8858-1089bd7168ef",
      "action": {
        "result": true,
        "type": "change_setting"
      },
      "actor": {
        "id": "f6b5de0326bb5182b8a4840ee01ec774",
        "email": "michelle@example.com",
        "ip": "198.41.129.166",
        "type": "user"
      },
      "interface": "API",
      "metadata": {
        "name": "security_level",
        "type": "firewall",
        "value": "high",
        "zone_name": "example.com"
      },
      "newValue": "low",
      "oldValue": "high",
      "owner": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353"
      },
      "resource": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353",
        "type": "zone"
      },
      "when": "2017-04-26T17:31:07Z"
    }
  ],
  "success": true
}