For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Trebellar Platform
DocsGuidesAPI Reference
DocsGuidesAPI Reference
  • Get started
    • Overview
    • Quickstart
  • Data Management
    • Raw Bulk Import
  • Governance
    • Audit log delivery
  • Changelog
    • Changelog
Trebellar Platform
LogoLogo
On this page
  • How delivery works
  • Configuration
  • Option 1 — Bring your own bucket
  • Locking the bucket to Trebellar’s IP ranges
  • Option 2 — Use the Trebellar bucket
  • Record schema
  • Top-level fields
  • audit_event fields
  • Trace correlation
  • Authentication types
  • Event catalog
  • authentication service
  • users service
  • Sample records
  • Querying the logs
  • Troubleshooting
Governance

Audit log delivery

Consume a verifiable trail of every privileged action on your Trebellar tenant
||View as Markdown|
Was this page helpful?
Previous

Raw bulk import

Next

Changelog

Built with

Trebellar emits an audit log for every security-relevant action that happens on your tenant — authentication events, user-management changes, and other governance-critical operations. These logs are delivered to cloud object storage once per day so you can retain them for as long as your compliance program requires, stream them into your SIEM, or query them ad-hoc with your warehouse of choice.

This page explains:

  • How the delivery pipeline works and what the files look like
  • How to configure delivery (bring-your-own-bucket, or hosted on Trebellar)
  • The full schema of a single audit record
  • The catalog of event types Trebellar currently emits

Audit log delivery is an organization-level feature and must be enabled by an administrator from the Trebellar admin panel at my.trebellar.app.

How delivery works

Audit events are written as structured records to Trebellar’s log pipeline in real time, then batched, serialized as newline-delimited JSON (NDJSON), and delivered to the destination of your choice once every 24 hours.

Each daily file contains every audit record produced for your organization during the prior UTC day. Files are written under a deterministic key prefix so they are easy to ingest incrementally:

audit-logs/
  orgId=<your-org-id>/
    year=2026/
      month=04/
        day=19/
          trebellar-audit-2026-04-19.ndjson

Key properties of the delivery:

PropertyValue
FormatNDJSON (one JSON object per line, UTF-8)
CadenceOnce per UTC day, typically within a few hours of 00:00 UTC
PartitioningBy orgId and calendar day
OrderingRecords are ordered by audit_event.eventTime within a file, but downstream consumers should not rely on strict ordering
CompletenessEach file contains every event emitted for the partition window. Late-arriving events (< 5 min skew) are rolled into the file before it is closed
RetentionTrebellar retains the originating logs for 30 days. Long-term retention is your responsibility once the file is delivered

NDJSON is easy to read line-by-line without loading the full file into memory, and is natively supported by BigQuery, Snowflake, Redshift Spectrum, Athena, DuckDB, jq, and most SIEMs.

Configuration

There are two delivery modes. Both are configured from the Admin panel → Governance → Audit logs section of the Trebellar platform.

Option 1 — Bring your own bucket

Use this mode if you want the logs to land directly in cloud storage that you own. This is the recommended mode for regulated workloads because the data never leaves your tenancy after the handoff.

You provide:

FieldDescription
Bucket URLThe fully qualified bucket URI — e.g. s3://acme-trebellar-audit-logs or gs://acme-trebellar-audit-logs
RegionThe bucket’s region (required for S3)
Client IDAccess key ID / service account client identifier that Trebellar will use to authenticate when writing
Client secretThe matching secret. Trebellar encrypts this at rest and never returns it in the admin UI after saving
Prefix (optional)A key prefix under which files will be written — defaults to audit-logs/

Steps:

  1. Create a dedicated bucket in your cloud provider (S3 or GCS).
  2. Provision an IAM principal (IAM user for S3, service account for GCS) that has only PutObject / storage.objects.create on the target prefix. Do not grant list, read, or delete permissions — Trebellar does not need them.
  3. Generate a long-lived access key and secret for that principal.
  4. In Admin panel → Governance → Audit logs, choose Bring your own bucket and paste the values above.
  5. Click Test connection. Trebellar will write a small .trebellar-healthcheck object and delete it. If the test succeeds, delivery starts on the next daily cycle.

Rotate the client secret periodically. Trebellar surfaces the last-used timestamp for each credential so you can verify the rotation took effect before revoking the old key.

Locking the bucket to Trebellar’s IP ranges

If your security policy requires bucket access to be pinned to a known set of source IPs, Trebellar publishes a stable list of egress addresses used by the audit-log delivery workers. You can attach these to your bucket policy (aws:SourceIp on S3 or a VPC Service Controls perimeter on GCS) so that writes are only accepted from Trebellar’s infrastructure.

To avoid drift between these docs and the live set, we don’t publish the ranges inline. To request the current list:

  1. Contact your Customer Success representative, or email support@trebellar.com.
  2. Specify the cloud provider (AWS or GCP) and the region your bucket lives in — we’ll send back the narrowest range that covers delivery to that region.
  3. Trebellar announces changes to the egress set at least 30 days in advance in the changelog. Subscribe to the changelog to be notified before you need to update your bucket policy.

Egress pinning is optional. Delivery works without an IP allowlist — the bucket credentials are scoped narrowly enough that IP pinning is defense-in-depth rather than a requirement.

Option 2 — Use the Trebellar bucket

If you don’t need the logs to land in your own cloud, Trebellar can host them in a tenant-isolated bucket managed on your behalf. You’ll be issued a short-lived, read-only pre-signed URL (refreshed every 7 days) that you can use to pull the files into your SIEM or warehouse.

Steps:

  1. In Admin panel → Governance → Audit logs, choose Use Trebellar bucket.
  2. Pick a retention window (30, 90, 180, or 365 days).
  3. Save. The admin panel will display a Download URL and a Manifest URL that you can poll for the list of available files.

In hosted mode, files are deleted at the end of the retention window. Export them to your own long-term storage if you need them longer.

Record schema

Every line of the NDJSON file is a single JSON object with the fields below. The shape is stable — Trebellar will only add new optional fields under audit_event.*, and each change is announced in the changelog with at least 30 days notice.

Top-level fields

FieldTypeDescription
severitystringNOTICE for SUCCESS, WARNING for DENIED, ERROR for FAILURE
messagestringHuman-readable summary, e.g. audit.authentication.login.success
event_typestringAlways the literal "audit" — useful for routing when multiplexed with other log streams
service_namestringThe Trebellar service that produced the event — see the event catalog
action_namestringThe specific action within that service
outcomestringOne of SUCCESS, FAILURE, DENIED
org_idstring?The organization the event is scoped to. Absent on application-level events
request_idstringStable unique ID for the originating HTTP request; matches audit_event.requestId
httpRequest.requestMethodstringGET, POST, PUT, PATCH, DELETE
httpRequest.requestUrlstringThe route path (query string stripped)
httpRequest.remoteIpstring?First value of X-Forwarded-For, falling back to the socket IP
httpRequest.userAgentstring?The User-Agent header from the request
httpRequest.statusnumber?HTTP status returned, when available

audit_event fields

The audit_event object is the authoritative payload for downstream consumers. The top-level fields above are derived from it and kept for ergonomic querying.

FieldTypeDescription
versionstringSchema version. Currently "1.0"
auditLevelstringORG_LEVEL when scoped to an organization, APPLICATION_LEVEL otherwise
deployEnvironmentstringproduction, staging, development, etc.
eventTimestringISO-8601 UTC timestamp, millisecond precision
orgIdstring?Redundant with top-level org_id
sourceIPAddressstring?See httpRequest.remoteIp
userAgentstring?See httpRequest.userAgent
sessionIdstring?Trebellar session identifier, when the caller was session-authenticated
requestIdstringSee top-level request_id
request.methodstringHTTP method
request.routestringRoute path
userIdentity.typestringOne of user, api_token, anonymous, system
userIdentity.idnumber | string?The actor’s user ID
userIdentity.emailstring?The actor’s email
userIdentity.namestring?The actor’s display name
userIdentity.orgIdstring?The actor’s organization
userIdentity.rolestring | number?The actor’s Trebellar role
serviceNamestringSee top-level service_name
actionNamestringSee top-level action_name
target.typestringThe resource kind being acted on — e.g. user, organization, project
target.idnumber | string?The target resource identifier
target.emailstring?Target email when the resource is a user
target.namestring?Target display name
target.orgIdstring?Target’s organization
authentication.typestring?How the actor authenticated — see authentication types
authentication.providerstring?Provider identifier for federated auth (e.g. google, okta, saml)
requestParamsobject?Non-sensitive, structured parameters describing the request. Secrets are never included
response.statusCodenumber?HTTP status returned
response.errorMessagestring?Error message on FAILURE / DENIED, null otherwise
response.resultstring?Short machine code for the outcome, e.g. created, password_changed, invalid_credentials
metadataobject?Action-specific free-form context. Fields here are additive over time

Trace correlation

Each record also carries Google Cloud Logging trace fields (logging.googleapis.com/trace, logging.googleapis.com/spanId, logging.googleapis.com/trace_sampled) and a logging.googleapis.com/labels map for fast filtering. These are safe to ignore if you don’t use Cloud Logging — they never contain tenant data beyond what’s already in audit_event.

Authentication types

audit_event.authentication.type describes how the actor proved their identity to Trebellar. The current set of values:

ValueMeaning
passwordEmail + password credentials
oauthOAuth / OIDC federated login (Google, Microsoft, etc.) — see authentication.provider
samlSAML 2.0 single sign-on — authentication.provider is always saml
token_loginOne-time signed login link (magic link)
password_resetPassword-reset flow token
sessionPre-existing authenticated session (e.g. for logout events)

Event catalog

The sections below enumerate every event Trebellar currently emits. The list will grow over time — new events are appended rather than repurposing existing ones, so existing consumers never break.

authentication service

Events about how users sign in and manage their credentials.

actionNameOutcomesWhen it fires
loginSUCCESS, FAILUREAny authentication attempt — password, OAuth, SAML, or magic-link. FAILURE includes bad credentials, missing SAML response, unregistered user, and provider errors
logoutSUCCESSUser-initiated logout. authentication.type is always session
resetPasswordSUCCESS, FAILURE, DENIEDPassword-reset flow. DENIED is emitted on CSRF failures; FAILURE covers expired tokens, missing recipient email, and downstream errors

users service

Events about user-account lifecycle, scoped to the acting admin’s organization.

actionNameOutcomesWhen it fires
createUserSUCCESSA new user is created. requestParams includes role, authMethod, and signupEmail (boolean indicating whether an invitation email was sent)
updateUserSUCCESSA user record is modified. requestParams includes the new role and authMethod
deleteUserSUCCESSA user is removed from the organization
changePasswordSUCCESSA user changes their own password via the API

Only the outcomes currently emitted in production are listed above. Failures in user-management flows are returned as HTTP errors before reaching the audit log sink — this will tighten over time as more actions are instrumented for FAILURE/DENIED events.

Sample records

A successful SAML login:

1{
2  "severity": "NOTICE",
3  "message": "audit.authentication.login.success",
4  "event_type": "audit",
5  "service_name": "authentication",
6  "action_name": "login",
7  "outcome": "SUCCESS",
8  "org_id": "org_01HF2Z8X5N",
9  "request_id": "req_01HQW9K2B4",
10  "httpRequest": {
11    "requestMethod": "POST",
12    "requestUrl": "/saml/callback",
13    "remoteIp": "203.0.113.42",
14    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) AppleWebKit/537.36",
15    "status": 302
16  },
17  "audit_event": {
18    "version": "1.0",
19    "auditLevel": "ORG_LEVEL",
20    "deployEnvironment": "production",
21    "eventTime": "2026-04-19T14:22:07.418Z",
22    "orgId": "org_01HF2Z8X5N",
23    "sourceIPAddress": "203.0.113.42",
24    "sessionId": "sess_01HQW9K2B4",
25    "requestId": "req_01HQW9K2B4",
26    "request": { "method": "POST", "route": "/saml/callback" },
27    "userIdentity": {
28      "type": "user",
29      "id": 4219,
30      "email": "alex@acme.example",
31      "name": "Alex Doe",
32      "orgId": "org_01HF2Z8X5N",
33      "role": "admin"
34    },
35    "serviceName": "authentication",
36    "actionName": "login",
37    "target": {
38      "type": "user",
39      "id": 4219,
40      "email": "alex@acme.example",
41      "orgId": "org_01HF2Z8X5N"
42    },
43    "authentication": { "type": "saml", "provider": "saml" },
44    "response": { "statusCode": 302, "errorMessage": null, "result": "SUCCESS" }
45  }
46}

A denied password-reset (CSRF mismatch):

1{
2  "severity": "WARNING",
3  "message": "audit.authentication.resetPassword.denied",
4  "event_type": "audit",
5  "service_name": "authentication",
6  "action_name": "resetPassword",
7  "outcome": "DENIED",
8  "request_id": "req_01HQWB3TX0",
9  "httpRequest": {
10    "requestMethod": "POST",
11    "requestUrl": "/reset-password",
12    "remoteIp": "198.51.100.7",
13    "status": 403
14  },
15  "audit_event": {
16    "version": "1.0",
17    "auditLevel": "APPLICATION_LEVEL",
18    "deployEnvironment": "production",
19    "eventTime": "2026-04-19T14:25:11.902Z",
20    "requestId": "req_01HQWB3TX0",
21    "request": { "method": "POST", "route": "/reset-password" },
22    "serviceName": "authentication",
23    "actionName": "resetPassword",
24    "authentication": { "type": "password_reset" },
25    "response": { "statusCode": 403, "errorMessage": "csrf_mismatch", "result": "DENIED" }
26  }
27}

A user-create event:

1{
2  "severity": "NOTICE",
3  "message": "audit.users.createUser.success",
4  "event_type": "audit",
5  "service_name": "users",
6  "action_name": "createUser",
7  "outcome": "SUCCESS",
8  "org_id": "org_01HF2Z8X5N",
9  "request_id": "req_01HQWC5JPZ",
10  "httpRequest": {
11    "requestMethod": "POST",
12    "requestUrl": "/api/users",
13    "status": 200
14  },
15  "audit_event": {
16    "version": "1.0",
17    "auditLevel": "ORG_LEVEL",
18    "deployEnvironment": "production",
19    "eventTime": "2026-04-19T15:02:44.311Z",
20    "orgId": "org_01HF2Z8X5N",
21    "requestId": "req_01HQWC5JPZ",
22    "request": { "method": "POST", "route": "/api/users" },
23    "userIdentity": {
24      "type": "user",
25      "id": 4219,
26      "email": "alex@acme.example",
27      "orgId": "org_01HF2Z8X5N",
28      "role": "admin"
29    },
30    "serviceName": "users",
31    "actionName": "createUser",
32    "target": {
33      "type": "user",
34      "id": 5502,
35      "email": "jamie@acme.example",
36      "name": "Jamie Lee",
37      "orgId": "org_01HF2Z8X5N"
38    },
39    "requestParams": {
40      "role": "member",
41      "authMethod": "saml",
42      "signupEmail": true
43    },
44    "response": { "statusCode": 200, "errorMessage": null, "result": "created" }
45  }
46}

Querying the logs

Because each file is plain NDJSON, any tool that can read line-delimited JSON works out of the box.

Pull the last hour of failed logins with jq:

$cat trebellar-audit-2026-04-19.ndjson \
>  | jq -c 'select(.service_name == "authentication"
>                 and .action_name == "login"
>                 and .outcome == "FAILURE")'

Create an external table in BigQuery:

1CREATE OR REPLACE EXTERNAL TABLE audit.trebellar_events
2OPTIONS (
3  format = 'NEWLINE_DELIMITED_JSON',
4  uris = ['gs://acme-trebellar-audit-logs/audit-logs/*/*.ndjson']
5);

Troubleshooting

SymptomLikely cause
No file delivered for a given dayNo audit-worthy events occurred for your org that day. An empty file is not written
Delivery paused, error InvalidCredentialsThe client ID / secret you provided has been rotated or deleted on your side. Update it in the admin panel
Delivery paused, error AccessDeniedThe IAM principal lost PutObject on the target prefix
File contains events for other organizationsThis cannot happen — files are strictly partitioned by orgId. Contact support

Need an event that isn’t on the list yet? Reach out at support@trebellar.com — the audit schema is designed to accept new service_name / action_name pairs without requiring a version bump.