Skip to main content

View user audit logs

Learn how to view and query user audit logs.

Audit logs require administrator permissions.

Retool automatically logs user actions, such as query runs and password resets. The logs include the user's name, the action taken, and when the action took place.

You can access audit logs from either:

  • The User menu on the top-right when browsing your organization.
  • The Retool menu on the top-left of the App IDE.
Viewing audit logs

Logged events

By default, Retool captures the following events in the audit log:

ActionIdentifier in logs
Query runsQUERY_RUN
Query previewsQUERY_PREVIEW
Page viewsPAGE_VIEW
User logs inLOGIN
User logs outLOGOUT
User signs upSIGN_UP
User redeems an inviteREDEEM_INVITE
User invites another userINVITE_USER
User re-sends inviteRE_INVITE_USER
User runs a query in the Query LibraryPLAYGROUND_QUERY_RUN
User disables two-factor authenticationDISABLE_TWO_FACTOR_AUTH
User requests a password reset linkREQUEST_PASSWORD_RESET_LINK
User requests passwordless loginREQUEST_PASSWORDLESS_LOGIN
User confirms a password reset requestCONFIRM_PASSWORD_RESET_LINK
User creates a groupCREATE_GROUP
User updates a groupUPDATE_GROUP
User deletes a groupDELETE_GROUP
User adds other users to a groupADD_USERS_TO_GROUP
User removes other users from a groupREMOVE_USERS_FROM_GROUP
User disables another userDISABLE_USER
User enables another userENABLE_USER
User updates an organizationUPDATE_ORGANIZATION
User creates a resourceCREATE_RESOURCE
User updates a resourceUPDATE_RESOURCE
User deletes a resourceDELETE_RESOURCE
User exports a pagePAGE_EXPORT
User creates a workflowCREATE_WORKFLOW
User deletes a workflowDELETE_WORKFLOW
User releases a workflowRELEASE_WORKFLOW
User enables a workflowENABLE_WORKFLOW
User disables a workflowDISABLE_WORKFLOW
User views a workflowVIEW_WORKFLOW
User runs a workflow manuallyRUN_WORKFLOW
User runs a workflow block manuallyRUN_WORKFLOW_BLOCK

To access the audit log, visit /audit. You can see a list of all the events, the user who performed them, and the time. You can also explore more detailed information, including the exact query, the parameters passed, the user's IP address, or response time.

Audit logs for Retool Cloud organizations are retained for one year. Self-hosted deployments manage their own audit log retention.

Access audit logs in SQL

Access to the audit logs SQL table are only available on self-hosted deployments. If you're interested in a self-hosted deployment, reach out for a demo.

Self-hosted Retool deployments can use SQL to query the audit logs database table.

Query audit logs in SQL

Retool logs events to the audit_trail_events table in the postgres database of the deployment instance. You can create a PostgreSQL resource if you want to build apps and workflows to query audit log data.

The audit_trail_events table contains the following columns.

ColumnDescription
actionTypeThe type of action taken. See Logged events for possible values.
userIdThe ID of the user taking the action.
ipAddressThe IP address of the user taking the action.
responseTimeMsThe response time of the action, in milliseconds.
pageNameThe name of the app, module, workflow, or page on which the action was taken.
queryNameFor query actions, the name of the query.
resourceNameFor actions on resources, the name of the resource.
metadataAdditional data about the action.

You can join the audit_trail_events table with the users table to learn more details about the users who performed actions. For example, the following query returns records of groups created and the user who created each group.

select
u.email, u."userName", a."actionType", a.metadata
from
audit_trail_events a
join users u on a."userId" = u.id
where a."actionType" = 'CREATE_GROUP';

Export and download audit logs

If you self-host Retool, you can export and stream audit logs using SQL and stdout or by connecting to DataDog, which is supported on Retool Cloud as well.

Output audit logs to stdout

If you self-host Retool, set the environment variable LOG_AUDIT_EVENTS=true to output all audit log events to stdout. This is useful if you use external services to monitor and consume logs from stdout. You can set up a sidecar service that ingests these logs and set up custom monitoring in your APM solution.

Stream audit logs to Datadog and Splunk

This feature is only available on the Enterpise plan. If you self-host Retool, you must be running version 3.38 or later for Datadog and 3.114 or later for Splunk.

To configure Datadog:

  1. Create a Datadog API key for streaming Retool audit logs.
  2. Enter your Datadog API key on Settings > Advanced under Audit Log.

Logs will be sent to Datadog with service:retool-audit-log attribute.

Download audit logs on Retool Cloud

Retool Cloud customers on Business and Enterprise plans can download audit logs directly from the Audit Logs page.

Downloading audit logs

After selecting a date range and starting a download, the download job is displayed in a list with a Pending status. Once complete, a temporary link with a compressed CSV file is made available in the Downloads list. The link expires an hour after being created.

Download audit logs on Self-hosted

If you self-host Retool and have connected to the Retool audit logs database table, you can export audit logs through the following SQL command:

\copy audit_trail_events to 'audit_logs' csv;

Hide query data from logs

You can hide parameters from logs on a per-query basis. See the query documentation for more details.

To prevent all headers in queries from being logged, enable the HIDE_ALL_HEADERS_IN_AUDIT_LOG_EVENTS environment variable. This is only available on self-hosted deployments.