Datadog’s Audit Trail is your digital notary, logging every significant action taken within your Datadog account, letting you answer "who did what, when, and to what?" for any change.

Let’s watch it in action. Imagine a developer accidentally deletes a critical dashboard.

# Simulate a user deleting a dashboard
# This would typically be done via the Datadog UI or API

# Later, to find out who did it:
datadog-cli audit query --query "resource.type:dashboard AND action:delete" --from "now-24h" --to "now"

This command uses a hypothetical datadog-cli tool; in practice, your interfaces are Datadog’s API and UI. It would surface an event like this:

{
  "timestamp": "2023-10-27T10:30:00Z",
  "user": {
    "email": "developer@example.com"
  },
  "action": "delete",
  "resource": {
    "type": "dashboard",
    "id": "a1b2c3d4-e5f6-7890-1234-abcdef123456",
    "name": "Production Server Health"
  },
  "request": {
    "ip": "192.168.1.100"
  }
}

You’ve just seen the dashboard deletion logged. The Audit Trail is built on a core principle: immutability of logs. Once an event is recorded, it’s there for good (within your configured retention period), forming an unbroken chain of custody for your Datadog configurations.

The problem this solves is fundamental to security and operational hygiene: accountability and forensics. Without an audit trail, recovering from accidental misconfigurations, malicious changes, or simply understanding a configuration drift becomes a guessing game. You’re left staring at the current state, with no clear path to how you got there.

Internally, Datadog’s Audit Trail captures events across a wide spectrum of actions. This includes:

  • User Management: Adding, removing, or modifying user roles and permissions.
  • Resource Creation/Modification/Deletion: Changes to monitors, dashboards, notebooks, SLOs, security signals, integrations, API keys, etc.
  • Configuration Changes: Updates to account-level settings, organization settings, and feature flags.
  • API Key Management: Creation, revocation, and permission changes for API keys.

You control what you see through the Audit Trail interface (or API queries) by filtering on user.email, action (e.g., create, update, delete), resource.type (e.g., monitor, dashboard, slo), resource.id, and timestamp ranges. You can even filter by the request.ip address from which the action originated.

To get a full picture, you’d typically navigate to "Logs" -> "Audit Trail" in the Datadog UI. From there, you can use the search bar to construct queries. For instance, to find all changes to monitors by a specific user over the last week:

user.email:jane.doe@example.com AND resource.type:monitor AND timestamp:>now-7d

This would reveal a list of events, each detailing when jane.doe@example.com created, updated, or deleted a monitor, along with the specific monitor ID and name.
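The same field filters can be applied offline to exported events during a review. The sketch below is an added example, not Datadog's code or API: it assumes events have the shape of the JSON sample earlier on this page, and the events, the `filter_events` and `describe` helpers, and the fixed `NOW` are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events, shaped like the JSON event shown earlier on this page.
def _ev(ts, email, action, rtype, rid, name, ip):
    return {"timestamp": ts, "user": {"email": email}, "action": action,
            "resource": {"type": rtype, "id": rid, "name": name},
            "request": {"ip": ip}}

EVENTS = [
    _ev("2023-10-27T10:30:00Z", "developer@example.com", "delete", "dashboard",
        "dash-1", "Production Server Health", "192.168.1.100"),
    _ev("2023-10-25T08:15:00Z", "jane.doe@example.com", "update", "monitor",
        "mon-1", "High CPU", "192.168.1.101"),
    _ev("2023-10-17T09:00:00Z", "jane.doe@example.com", "delete", "monitor",
        "mon-2", "Disk Full", "192.168.1.101"),
    _ev("2023-10-26T14:00:00Z", "jane.doe@example.com", "update", "dashboard",
        "dash-2", "Latency", "192.168.1.101"),
]
NOW = datetime(2023, 10, 27, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducible results

def get_field(event, dotted):
    """Resolve a dotted path such as 'user.email'; None if any part is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def parse_ts(value):
    # Accept the trailing 'Z' used in the sample event.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def filter_events(events, criteria, now=NOW, within=None):
    """Keep events matching every dotted-field criterion, optionally within a time window."""
    matched = []
    for ev in events:
        ts = parse_ts(ev["timestamp"])
        if within is not None and not (now - within <= ts <= now):
            continue
        if all(get_field(ev, field) == want for field, want in criteria.items()):
            matched.append(ev)
    return sorted(matched, key=lambda e: parse_ts(e["timestamp"]))

def describe(ev):
    """One line answering who did what, when, to what, and from where."""
    f = lambda path: get_field(ev, path)
    return (f'{f("timestamp")} {f("user.email")} {f("action")} '
            f'{f("resource.type")} "{f("resource.name")}" from {f("request.ip")}')

if __name__ == "__main__":
    query = {"user.email": "jane.doe@example.com", "resource.type": "monitor"}
    for ev in filter_events(EVENTS, query, within=timedelta(days=7)):
        print(describe(ev))
```

Events missing a field (for example, no `request.ip`) simply fail a criterion on that field instead of raising, so partial exports can still be searched.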

The one thing most people don’t know is that the Audit Trail doesn’t just log what changed, but also how. When you look at an audit event for a monitor update, for example, you can often see the request payload that was sent to Datadog. This includes the exact JSON diff of the monitor’s configuration before and after the change, providing granular detail that’s invaluable for precise rollback or understanding the subtle shift in alerting logic.

The next concept you’ll likely encounter is setting up retention policies for your audit logs to meet compliance requirements.
