Audit Log JSON Schema
Available on Enterprise plans
self-hosted deployments
The audit log JSON schema is a standardized blueprint that defines how a single event appears when it is written to the audit log, including field names, data types, objects, and structure.
An outline of the JSON audit logging schema is provided below. See the JSON data model for additional details.
```json
{
  "timestamp": "",            // Event time
  "status": "",               // Success or failure of the audited event or activity
  "event_name": "",           // Logged event name
  "error": {                  // Error if status = fail
    "status_code": 0,
    "description": ""
  },
  "actor": {                  // The user performing the action
    "user_id": "",            // Unique identifier of the event user
    "session_id": "",         // Unique session identifier of the event user
    "client": "",             // User agent of the client/platform in use by the event user
    "ip_address": ""          // IPv4/IPv6 IP address of the event user
  },
  "event": {                  // Event-specific data
    "parameters": {},         // Map containing parameters of the audited event or activity
    "prior_state": {},        // Pre-event state of the object
    "resulting_state": {},    // Post-event state of the object
    "object_type": ""         // Object targeted by the event or activity
  },
  "meta": {
    "api_path": "",           // API endpoint interacted with for event or activity
    "cluster_id": ""          // Unique identifier of the cluster in use by the event user
  }
}
```
Audit log record examples
Update user preferences
```json
{
  "timestamp": "2022-08-17 20:37:52.846 +01:00",
  "event_name": "updatePreferences",
  "status": "success",
  "actor": {
    "user_id": "aw8ehkwaziytzry1qqxi9tsqwh",
    "session_id": "kth3jyadc3b1p84kbz6y3o75na",
    "client": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Safari/605.1.15",
    "ip_address": "192.168.0.169"
  },
  "event": {
    "parameters": {},
    "prior_state": {},
    "resulting_state": {},
    "object_type": ""
  },
  "meta": {
    "api_path": "/api/v4/users/aw8ehkwaziytzry1qqxi9tsqwh/preferences",
    "cluster_id": "8dxdbfx6fpdwtki1z6n8whtkho"
  },
  "error": {}
}
```
Create post
```json
{
  "timestamp": "2025-04-30 16:17:44.207 Z",
  "event_name": "createPost",
  "status": "success",
  "actor": {
    "user_id": "i764hi6h5bbz8p1955ed4ahj6y",
    "session_id": "t7894ft76igtpb788nkkej1yoy",
    "client": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
    "ip_address": "172.19.0.8"
  },
  "event": {
    "parameters": {
      "post": {
        "channel_id": "pfis7ycuy78o7m3zebajmxqeuo",
        "user_id": "i764hi6h5bbz8p1955ed4ahj6y",
        "message": "Sample post content"
      }
    },
    "prior_state": {},
    "resulting_state": {
      "channel_id": "pfis7ycuy78o7m3zebajmxqeuo",
      "create_at": 1746029864145,
      "id": "xpw97hf6kfncirzhqisb5sym7e",
      "user_id": "i764hi6h5bbz8p1955ed4ahj6y"
    },
    "object_type": "post"
  },
  "meta": {
    "api_path": "/api/v4/posts",
    "cluster_id": "i5twhjm3ainatcifiy3oksshae"
  },
  "error": {}
}
```
System configuration change
```json
{
  "timestamp": "2025-04-30 16:18:30.803 Z",
  "event_name": "patchConfig",
  "status": "success",
  "actor": {
    "user_id": "i764hi6h5bbz8p1955ed4ahj6y",
    "session_id": "t7894ft76igtpb788nkkej1yoy",
    "client": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
    "ip_address": "172.19.0.8"
  },
  "event": {
    "parameters": {},
    "prior_state": {
      "config_diffs": [
        {
          "actual_val": false,
          "base_val": true,
          "path": "MetricsSettings.EnableClientMetrics"
        }
      ]
    },
    "resulting_state": {},
    "object_type": "config"
  },
  "meta": {
    "api_path": "/api/v4/config/patch",
    "cluster_id": "i5twhjm3ainatcifiy3oksshae"
  },
  "error": {}
}
```
Audit event types
The following tables give a comprehensive list of the audit event types (event_name values) captured in Mattermost audit logs:
User Management Events
| Event Name | Description |
|---|---|
| | Attaching device IDs to user sessions |
| | Creating new user accounts |
| | Creating user access tokens |
| | Deleting user accounts |
| | Demoting users to guest status |
| | Disabling user access tokens |
| | Enabling user access tokens |
| | Following message threads by user |
| | Retrieving user audit logs |
| | User login events |
| | User logout events |
| | Migrating user authentication to LDAP |
| | Migrating user authentication to SAML |
| | Updating user properties |
| | Promoting guest users to regular users |
| | Resetting user passwords |
| | Resetting password failed attempt counters |
| | Revoking user access tokens |
| | Sending password reset emails |
| | Sending email verification messages |
| | Setting default profile images |
| | Setting custom profile images |
| | Setting unread thread status by post ID |
| | Switching account types |
| | Unfollowing message threads by user |
| | Updating user passwords |
| | Updating read state for all threads by user |
| | Updating read state for specific threads by user |
| | Updating user account information |
| | Updating user active/inactive status |
| | Updating user authentication settings |
| | Updating user multi-factor authentication |
| | Updating user roles and permissions |
| | Verifying user email addresses |
| | Verifying user email without token |
Channel Management Events
| Event Name | Description |
|---|---|
| | Adding members to channels |
| | Converting group messages to channels |
| | Creating new channels |
| | Creating channel bookmarks |
| | Creating direct message channels |
| | Creating group message channels |
| | Deleting channels |
| | Deleting channel bookmarks |
| | Moving channels between teams |
| | Updating channel properties |
| | Updating channel moderation settings |
| | Removing members from channels |
| | Restoring deleted channels |
| | Updating channel information |
| | Updating channel bookmarks |
| | Updating channel bookmark sort order |
| | Updating channel member notification properties |
| | Updating channel member roles |
| | Updating channel member scheme roles |
| | Updating channel privacy settings |
| | Updating channel permission schemes |
Team Management Events
| Event Name | Description |
|---|---|
| | Adding members to teams |
| | Adding multiple members to teams |
| | Adding users to teams from invitations |
| | Creating new teams |
| | Deleting teams |
| | Importing team data |
| | Invalidating all email invitations |
| | Inviting guests to channels |
| | Inviting users to teams |
| | Updating team properties |
| | Regenerating team invitation IDs |
| | Removing team icons |
| | Removing members from teams |
| | Restoring deleted teams |
| | Setting team icons |
| | Updating team information |
| | Updating team member roles |
| | Updating team member scheme roles |
| | Updating team privacy settings |
| | Updating team permission schemes |
Posts & Content Events
| Event Name | Description |
|---|---|
| | Creating new posts |
| | Creating scheduled posts |
| | Deleting posts |
| | Deleting scheduled posts |
| | Moving message threads |
| | Updating post properties |
| | Restoring previous post versions |
| | Saving pinned post status |
| | Searching through posts |
| | Updating post content |
| | Updating scheduled posts |
Authentication and Security Events
| Event Name | Description |
|---|---|
| | Adding LDAP private certificates |
| | Adding LDAP public certificates |
| | Adding SAML IDP certificates |
| | Adding SAML private certificates |
| | Adding SAML public certificates |
| | Completing SAML authentication |
| | Extending session expiry times |
| | Migrating IDs to LDAP |
| | Linking LDAP groups |
| | Removing LDAP private certificates |
| | Removing LDAP public certificates |
| | Removing SAML IDP certificates |
| | Removing SAML private certificates |
| | Removing SAML public certificates |
| | Revoking all sessions for all users |
| | Revoking all sessions for specific user |
| | Revoking individual sessions |
| | Synchronizing LDAP data |
| | Unlinking LDAP groups |
System Administration Events
| Event Name | Description |
|---|---|
| | Clearing server busy status |
| | Completing system onboarding |
| | Reloading system configuration |
| | Recycling database connections |
| | Downloading system logs |
| | Getting applied schema migrations |
| | Retrieving audit logs |
| | Getting system configuration |
| | Getting system logs |
| | Getting onboarding status |
| | Invalidating system caches |
| | Migrating configuration |
| | Updating configuration properties |
| | Querying system logs |
| | Restarting server |
| | Setting server busy status |
| | Updating system configuration |
| | Updating viewed product notices |
| | Upgrading to Enterprise edition |
File Management Events
| Event Name | Description |
|---|---|
| | Creating file uploads |
| | Retrieving files |
| | Getting file links |
| | Uploading data |
| | Uploading multipart files |
| | Uploading legacy multipart files |
| | Uploading simple files |
OAuth Applications Events
| Event Name | Description |
|---|---|
| | Authorizing OAuth applications |
| | OAuth authorization page access |
| | Completing OAuth flow |
| | Creating OAuth applications |
| | Deauthorizing OAuth applications |
| | Deleting OAuth applications |
| | Getting OAuth access tokens |
| | Login with OAuth |
| | Mobile login with OAuth |
| | Regenerating OAuth app secrets |
| | Signup with OAuth |
| | Updating OAuth applications |
Webhooks Events
| Event Name | Description |
|---|---|
| | Creating incoming webhooks |
| | Creating outgoing webhooks |
| | Deleting incoming webhooks |
| | Deleting outgoing webhooks |
| | Getting incoming webhooks |
| | Getting outgoing webhooks |
| | Regenerating outgoing webhook tokens |
| | Updating incoming webhooks |
| | Updating outgoing webhooks |
Slash Commands Events
| Event Name | Description |
|---|---|
| | Creating slash commands |
| | Deleting slash commands |
| | Executing slash commands |
| | Moving slash commands |
| | Regenerating command tokens |
| | Updating slash commands |
Plugins Events
| Event Name | Description |
|---|---|
| | Disabling plugins |
| | Enabling plugins |
| | Getting first admin visit marketplace status |
| | Installing marketplace plugins |
| | Installing plugins from URL |
| | Removing plugins |
| | Setting first admin visit marketplace status |
| | Uploading plugins |
Groups & LDAP Events
| Event Name | Description |
|---|---|
| | Adding members to groups |
| | Adding users to group syncables |
| | Creating new groups |
| | Deleting groups |
| | Removing members from groups |
| | Linking group syncables to teams/channels |
| | Updating group properties |
| | Updating group syncable properties |
| | Restoring deleted groups |
| | Unlinking group syncables from teams/channels |
Remote Clusters Events
| Event Name | Description |
|---|---|
| | Creating remote cluster connections |
| | Deleting remote cluster connections |
| | Generating invites for remote clusters |
| | Inviting remote clusters to channels |
| | Updating remote cluster properties |
| | Accepting remote cluster invites |
| | Accepting messages from remote clusters |
| | Uploading profile images from remote clusters |
| | Removing remote cluster invites from channels |
| | Uploading data from remote clusters |
Data Retention Events
| Event Name | Description |
|---|---|
| | Adding channels to data retention policies |
| | Adding teams to data retention policies |
| | Creating data retention policies |
| | Deleting data retention policies |
| | Updating data retention policies |
| | Removing channels from data retention policies |
| | Removing teams from data retention policies |
Jobs Events
| Event Name | Description |
|---|---|
| | Canceling background jobs |
| | Creating new background jobs |
| | Job server operations |
| | Updating job status/progress |
Licensing Events
| Event Name | Description |
|---|---|
| | Adding enterprise licenses |
| | Local license addition (cluster mode) |
| | Local license removal (cluster mode) |
| | Removing enterprise licenses |
| | Requesting trial licenses |
Bot Management Events
| Event Name | Description |
|---|---|
| | Assigning bots to users |
| | Converting bot accounts to user accounts |
| | Converting user accounts to bot accounts |
| | Creating new bot accounts |
| | Updating bot account properties |
| | Updating bot account active/inactive status |
Custom Emojis Events
| Event Name | Description |
|---|---|
| | Creating custom emojis |
| | Deleting custom emojis |
Branding Events
| Event Name | Description |
|---|---|
| | Deleting brand images |
| | Uploading brand images |
Search Events
| Event Name | Description |
|---|---|
| | Purging Bleve search indexes |
| | Purging Elasticsearch search indexes |
Roles and Schemes Events
| Event Name | Description |
|---|---|
| | Creating permission schemes |
| | Deleting permission schemes |
| | Updating role permissions |
| | Updating permission schemes |
Preferences Events
| Event Name | Description |
|---|---|
| | Deleting user preferences |
| | Updating user preferences |
Channel Categories Events
| Event Name | Description |
|---|---|
| | |
| | Deleting channel categories for users |
| | Updating multiple channel categories for users |
| | Updating single channel category for users |
| | Updating channel category order for users |
Export and Import Events
| Event Name | Description |
|---|---|
| | Bulk data export operations |
| | Bulk data import operations |
| | Deleting export files |
| | Deleting import files |
| | Generating presigned URLs for exports |
| | Scheduling export operations |
| | Slack data import operations |
Access Control Events
| Event Name | Description |
|---|---|
| | Applying IP filtering rules |
| | Assigning access policies to users/teams |
| | Creating new access control policies |
| | Deleting access control policies |
| | Unassigning access policies from users/teams |
| | Updating active status of access control policies |
Custom Profile Attributes Events
| Event Name | Description |
|---|---|
| | Creating custom profile attribute fields |
| | Deleting custom profile attribute fields |
| | Updating custom profile attribute fields |
| | Updating custom profile attribute values |
Outgoing OAuth Connections Events
| Event Name | Description |
|---|---|
| | Creating outgoing OAuth connections |
| | Deleting outgoing OAuth connections |
| | Updating outgoing OAuth connections |
| | Validating outgoing OAuth connection credentials |
Terms of Service Events
| Event Name | Description |
|---|---|
| | Creating terms of service |
| | Saving user acceptance of terms of service |
Compliance and Audit Events
| Event Name | Description |
|---|---|
| | Adding audit log certificates |
| | Creating compliance reports |
| | Downloading compliance reports |
| | Getting compliance reports |
| | Getting multiple compliance reports |
| | Removing audit log certificates |
Local Operations Events
| Event Name | Description |
|---|---|
| | Local integrity checks |
| | Local channel creation |
| | Local command creation |
| | Local incoming webhook creation |
| | Local team creation |
| | Local channel deletion |
| | Local post deletion |
| | Local team deletion |
| | Local user deletion |
| | Local client configuration retrieval |
| | Local configuration retrieval |
| | Local user invitation to teams |
| | Local channel moving |
| | Local channel patching |
| | Local configuration patching |
| | Local permanent deletion of all users |
| | Local channel member removal |
| | Local channel restoration |
| | Local channel privacy update |
| | Local configuration update |
Note
This comprehensive list includes all audit events captured by Mattermost across all major system operations. Additional events may be logged depending on your Mattermost version, enabled features, and configuration settings. Enterprise and Enterprise Advanced features may generate additional audit events.
JSON data model
| Name | Type | Description |
|---|---|---|
| timestamp | int64 | Date/time when event or activity has taken place. Mattermost currently supports three log formats: plain, JSON, and GELF. |
| event_name | string | Unique name and identifier of the event type taking place. See the audit event types section for a comprehensive list of all supported event names. |
| status | string | Success or failure of the audited event. |
| event | | Event parameters and object states. |
| actor | | User involved with the event. |
| meta | | Related event metadata. |
| error | | The resulting error if the status is in a failed state. |
EventData
| Field name | Data type | Description |
|---|---|---|
| parameters | map | Payload and parameters being processed as part of the request. |
| prior_state | map | Prior state of the entity being modified. |
| resulting_state | map | Resulting entity after creating or modifying it. |
| object_type | string | String representation of the entity type (e.g. post) |
EventActor
| Field name | Data type | Description |
|---|---|---|
| user_id | string | Unique identifier of the event actor. |
| session_id | string | Unique session identifier of the event actor. |
| client | string | User agent of the client/platform in use by the event actor. |
| ip_address | string | IPv4/IPv6 IP address of the event actor. |
EventMeta
| Field name | Data type | Description |
|---|---|---|
| api_path | string | The REST endpoint which caused the event. |
| cluster_id | integer | Cluster identifier. |
EventError
| Field name | Data type | Description |
|---|---|---|
| description | string | (Optional) Error description. |
| status_code | integer | (Optional) Error status code. |
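
A consumer-side check for the schema outline and data model on this page, added here as an example (not Mattermost code): it validates a record's field layout and timestamp format before ingestion, then extracts the `config_diffs` entries from a `patchConfig` record. The names `FIELDS`, `lookup`, `validate` and `config_changes` are hypothetical, and the expected types follow the record examples above, where `timestamp` and `cluster_id` are strings.

```python
import json
from datetime import datetime

# Field paths from this page's schema outline; types follow its record examples.
FIELDS = {
    "timestamp": str, "event_name": str, "status": str, "error": dict,
    "actor.user_id": str, "actor.session_id": str, "actor.client": str, "actor.ip_address": str,
    "event.parameters": dict, "event.prior_state": dict, "event.resulting_state": dict,
    "event.object_type": str, "meta.api_path": str, "meta.cluster_id": str,
}
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"  # accepts both "... Z" and "... +01:00"

def lookup(record, path):
    """Follow a dotted path through nested objects; None if any step is missing."""
    for key in path.split("."):
        record = record.get(key) if isinstance(record, dict) else None
    return record

def validate(record):
    """Return a list of schema problems; an empty list means the record conforms."""
    problems = [f"{path}: expected {t.__name__}" for path, t in FIELDS.items()
                if not isinstance(lookup(record, path), t)]
    try:
        datetime.strptime(str(record.get("timestamp")), TS_FORMAT)
    except ValueError:
        problems.append("timestamp: unparseable")
    return problems

def config_changes(record):
    """List (path, base_val, actual_val) for a successful patchConfig record."""
    if (record.get("event_name"), record.get("status")) != ("patchConfig", "success"):
        return []
    diffs = lookup(record, "event.prior_state.config_diffs") or []
    return [(d["path"], d["base_val"], d["actual_val"]) for d in diffs]

# Constructed sample input: this page's patchConfig record with the user agent
# shortened, plus a copy damaged to show what validation reports.
GOOD = json.loads("""{
 "timestamp": "2025-04-30 16:18:30.803 Z", "event_name": "patchConfig", "status": "success",
 "actor": {"user_id": "i764hi6h5bbz8p1955ed4ahj6y", "client": "Mozilla/5.0",
           "session_id": "t7894ft76igtpb788nkkej1yoy", "ip_address": "172.19.0.8"},
 "error": {}, "event": {"parameters": {}, "resulting_state": {}, "object_type": "config",
           "prior_state": {"config_diffs": [{"actual_val": false, "base_val": true,
                           "path": "MetricsSettings.EnableClientMetrics"}]}},
 "meta": {"api_path": "/api/v4/config/patch", "cluster_id": "i5twhjm3ainatcifiy3oksshae"}}""")
BAD = json.loads(json.dumps(GOOD))  # deep copy via JSON round trip
BAD["timestamp"] = "30/04/2025 16:18"
del BAD["actor"]["session_id"]
print(validate(GOOD), validate(BAD), config_changes(GOOD))
```

Records that fail validation are better quarantined than dropped, since a malformed audit line can itself be a signal worth reviewing.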