Audit Logs

Export a timeline of material actions performed by your organization.

With a Render Organization or Enterprise plan, admins can export audit logs of material events performed by team members over a specified time frame. Audit logs help you meet the requirements of various regulatory standards.

Exporting audit logs

You can export an audit log of workspace events for an individual workspace. With an Enterprise plan, you can also export a separate audit log of Enterprise events for your org.

Select a tab to view instructions for each type of audit log:

Only workspace admins can export these audit logs.

In the Render Dashboard, navigate to your workspace's Workspace Settings page.
Scroll down to the Compliance section.
Under Audit Logs, select a start and end date, then click Export as CSV:

This audit log includes the event types listed under Workspace events.

Availability of audit log data

Render begins retaining audit log data for your team as soon as you upgrade to an Organization or Enterprise plan.
- Event data from prior to upgrading is not available.
Audit log data is available from June 24, 2024 onward if you upgraded to an Organization or Enterprise plan before that date.
Whenever Render adds a new audit log event type, tracking for that event begins on the date of the event's introduction.

Audit log format

Audit logs are exported as a chronologically ordered CSV file with a separate row for each distinct event. The file includes the following columns:

Column	Description
timestamp	The UTC timestamp when the event occurred.
actor	The entity that performed the action. Depending on the type of actor, this value has one of two formats: The email address of the existing Render user that performed the action (e.g., `person@example.com`) This is the most common actor type and format. The ID of the deleted Render user that performed the action (e.g., `Deleted User ID#123123123`)
event	The type of event that occurred. See below for all supported workspace events and Enterprise events.
status	Indicates whether the event's associated action succeeded. One of the following values: `success` `error`
metadata	A JSON object containing additional details about the event. The fields of this object vary depending on the event type.

Workspace events

The event types below appear in audit logs for individual Render workspaces.

Member management

`InviteToTeamEvent`

A user was invited to the workspace.

`RemoveUserFromTeamEvent`

A user was removed from the workspace.

`AcceptTeamInviteEvent`

An invitation to join the workspace was accepted.

`ChangeTeamMemberRoleEvent`

A workspace member's role was changed.

`ChangeTeamAllowedLoginMethodsEvent`

The workspace's set of allowed login methods was changed.

Currently, a workspace can either allow all Render-supported login methods or require login via Google account.

`ChangeTeam2FAEnforcementEvent`

Two-factor authentication (2FA) enforcement was enabled or disabled for the workspace.

`LoginEvent`

A workspace member logged in.

`LogoutEvent`

A workspace member logged out.

Apps & services

Render does not log events for services belonging to a service preview or preview environment.

`CreateServerEvent`

A web service, private service, background worker, or static site was created.

`SuspendServiceEvent`

A web service, private service, background worker, or static site was suspended.

`ResumeServiceEvent`

A previously suspended web service, private service, background worker, or static site was resumed.

`MaintenanceModeEnabledEvent`

Maintenance mode was toggled for a web service.

In the event's metadata, the to field is true if maintenance mode was enabled and false if it was disabled.

`MaintenanceModeURIUpdatedEvent`

The URL of a web service's maintenance mode page was changed.

`UpdateServiceNameEvent`

The name of a web service, private service, background worker, static site, or cron job was changed.

`DeleteServerEvent`

A web service, private service, background worker, or static site was deleted.

`StartShellEvent`

A service was accessed via SSH, either from the command line or from the service's Shell page in the Render Dashboard.

`ApplyBlueprintEvent`

A new Blueprint was created and applied to the workspace.

`CreateCronJobEvent`

A cron job was created.

`DeleteCronJobEvent`

A cron job was deleted.

Datastores

General

`UpdateIPAllowListEvent`

The IP allow list was updated for a Render Postgres or Key Value instance.

Render Postgres

These events are logged only for primary Render Postgres instances, not for high availability standby instances or read replicas.

`CreatePostgresEvent`

A Render Postgres database was created.

`DeletePostgresEvent`

A Render Postgres database was deleted.

`SuspendPostgresEvent`

A Render Postgres database was suspended.

`ResumePostgresEvent`

A previously suspended Render Postgres database was resumed.

`DownloadDatabaseBackupEvent`

A logical backup of a Render Postgres database was downloaded.

`ViewConnectionInfoEvent`

The connection URL or password for a Render Postgres database was viewed.

Render Key Value

`CreateRedisEvent`

A Render Key Value instance was created.

`DeleteRedisEvent`

A Render Key Value instance was deleted.

`ViewConnectionInfoEvent`

The connection URL or password for a Render Key Value instance was viewed.

Persistent disks

`CreateServerDiskEvent`

The persistent disk for a web service, private service, or background worker was created.

`DeleteServerDiskEvent`

The persistent disk for a web service, private service, or background worker was deleted.

`RestoreDiskSnapshotEvent`

The persistent disk for a web service, private service, or background worker was restored to a snapshot.

Environment variables

`UpdateEnvVarsEvent`

One or more existing environment variables were modified for a service.

`CreateEnvVarsEvent`

One or more environment variables were created for a service.

`DeleteEnvVarsEvent`

One or more environment variables were deleted for a service.

`ViewEnvVarValuesEvent`

One or more environment variable values were viewed for a service.

`DeleteEnvGroupEvent`

An environment group was deleted.

Webhooks

`CreateWebhookEvent`

A webhook was created.

`UpdateWebhookEvent`

A webhook was changed.

`DeleteWebhookEvent`

A webhook was deleted.

Metrics

`CreateOtelIntegrationEvent`

A metrics stream was created.

`DeleteOtelIntegrationEvent`

A metrics stream was deleted.

`UpdateOtelIntegrationEvent`

A metrics stream was changed.

Projects & environments

`CreateProjectEvent`

A project was created.

This event is always accompanied by one CreateEnvironmentEvent event, because every project is created with a default environment.

`DeleteProjectEvent`

A project was deleted.

This event is always accompanied by at least one DeleteEnvironmentEvent event, because deleting a project also deletes all of its associated environments.

`CreateEnvironmentEvent`

A project environment was created.

`DeleteEnvironmentEvent`

A project environment was deleted.

`MoveEnvironmentResourceEvent`

A resource (such as a service or environment group) was moved into or out of a project environment.

`ChangeEnvironmentProtectionEvent`

Protected access was enabled or disabled for a project environment.

Compliance & documents

`DocumentDownloadEvent`

A workspace member downloaded a document from the Render Document Center.

`SignNDAEvent`

A workspace member signed an NDA to view compliance documentation.

Enterprise events

The event types below are specific to Enterprise orgs. They pertain to SSO and other org-level configuration.

These events appear only in audit logs exported from your org's Settings page (not in audit logs exported for an individual workspace).

Member management

`InviteToOrgEvent`

A user was invited to the org.

`AcceptOrgInviteEvent`

An invitation to join the org was accepted.

`AddOrgMemberEvent`

A user was added to the org.

`RemoveOrgMemberEvent`

A user was removed from the org.

`JoinTeamEvent`

An org member added themselves to a workspace in the org.

Enterprise Owners can add themselves to any workspace as an admin. Other org members can add themselves to public workspaces only (they receive the Developer role).

`ChangeOrgRoleEvent`

An org member's role was changed.

This refers to a member's org-level role (such as Enterprise Owner), not their role within a particular workspace.

`ChangeOrgAllowedLoginMethodsEvent`

The org's set of allowed login methods was changed.

`ChangeOrg2FAEnforcementEvent`

Two-factor authentication enforcement was enabled or disabled for the org.

Workspace management

`CreateWorkspaceEvent`

A workspace was created in the org.

`DeleteWorkspaceEvent`

A workspace in the org was deleted.

`ChangeWorkspacePrivacyEvent`

The access setting for a workspace in the org was changed.

IdP management

`CreateOrgDomainEvent`

A domain was added to the org as part of configuring SSO.

`VerifyOrgDomainEvent`

Ownership of a domain was verified as part of configuring SSO.

`DeleteOrgDomainEvent`

A domain was removed from the org.

`CreateSSOConnectionEvent`

An SSO connection was created.

`UpdateSSOConnectionEvent`

An SSO connection was changed.

`DeleteSSOConnectionEvent`

An SSO connection was deleted.

`ProvisionOrganizationSCIMToken`

A SCIM token was provisioned for the org.

`RevokeOrganizationSCIMToken`

A SCIM token was revoked for the org.

History of audit log event changes

Date	Change
`2025-03-13`	Added initial set of Enterprise events.
`2025-03-11`	Added the following workspace event types: `CreateOtelIntegrationEvent` `DeleteOtelIntegrationEvent` `UpdateOtelIntegrationEvent` `CreateWebhookEvent` `UpdateWebhookEvent` `DeleteWebhookEvent`
`2024-12-18`	Added the following workspace event types: `DocumentDownloadEvent` `SignNDAEvent`
`2024-09-24`	Added the following workspace event types: `MaintenanceModeEnabledEvent` `MaintenanceModeURIUpdatedEvent`
`2024-08-14`	Added the following workspace event types: `ViewEnvVarValuesEvent` `ViewConnectionInfoEvent` (Render Postgres) `ViewConnectionInfoEvent` (Render Key Value)
`2024-06-24`	Added initial set of Workspace events.