What is H2O Audit Trail?

H2O Audit Trail tracks user and administrative activities in H2O AI Cloud. Use audit events to meet compliance requirements, investigate security incidents and gain operational insight.

What you can do with H2O Audit Trail

H2O Audit Trail helps you:

Track user activities across H2O AI Cloud services and external systems like Keycloak
Search and filter audit events with complex queries including time ranges, resources, and users
Export events to external storage systems like AWS S3 for long-term retention
Control access with global or workspace-scoped permissions
Integrate with your applications using REST API or Python client

Event structure

Each audit event includes:

Field	Description
`name`	The resource name. Format: `events/{event}`.
`event_time`	The time when the event occurred.
`receive_time`	The time when the event was received.
`event_source`	The canonical name of the container image where the event occurred. It must match the agreed HAIC container naming. For example, `h2oai-enginemanager-server` or `thirdparty-chainguard-bitnamikeycloak`.
`action`	The requested action. Where applicable, it must match the name of the action registered with AuthZ.
`read_only`	True if the action is a read-only operation; false otherwise.
`resource`	The target of the request, specified as a full resource name or a collection name. Must be a scheme-less URI followed by the relative name. For example, `//engine-manager/workspaces/8dcc8393-7b39-45f8-9f85-d1978adba483/daiEngines/new-dai-engine-7268` or `//engine-manager/workspaces/8dcc8393-7b39-45f8-9f85-d1978adba483/daiEngines`.
`request_parameters`	The parameters, if any, that were sent with the request. May not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the event.
`status`	The status of the request. Contains `code` (status code of the audit request, an enum value of `google.rpc.Code`) and optional `message` (error message of the audit request).
`principal`	The identifier of the authenticated principal making the request. For example, `users/a2b3b8a6-05c6-47d1-8ae1-774113404975` or `services/appstore`.
`login_principal`	A unique user-friendly identifier of the user typically used for authentication. The value is taken at the search event time.
`source_ip_address`	The IP address that the request was made from. For a source from the Internet, this is the public IPv4 or IPv6 address. Private IP addresses are redacted to `private`.
`user_agent`	The agent through which the request was made.
`metadata`	Other service-specific data about the request, response, and other information associated with the current event.
`workspace`	The name of the workspace to which the event is related. Format: `workspaces/*`. When the event is not related to a workspace, this field is unset (empty string). The workspace can be derived from other fields. For example, if `resource="workspaces/w1/daiEngines/e1"`, then `workspace="workspaces/w1"`.

Access methods

You can access audit data through these interfaces:

REST API

Read events using HTTP requests
Filter events by time range, user, resource, and more
Support for pagination to handle large result sets
Read-only access for security

Python client

A Python library that wraps the Audit Trail Service REST API endpoints.
Provides convenient methods for interacting with the REST API.
Handles authentication and connection management.
Ideal for automation scripts and custom integrations.

gRPC interface

Used internally by H2O AI Cloud services
Supports both reading and creating events

Permissions

H2O Audit Trail uses two permission types to control who can search events:

Global search

Permission: actions/audittrail/events/SEARCH on resource //audittrail
Access: Search across all events in any workspace
Use case: For administrators who need system-wide visibility

Workspace-scoped search

Permission: actions/audittrail/events/SEARCH_WORKSPACE on resource //workspaceserver/workspaces/{workspace_id}
Access: Search events within a specific workspace only
Use case: For users who need access to their workspace activities

Storage options

Internal storage (Grafana Loki)

Events are stored internally in Grafana Loki (blob storage)
Provides efficient storage and fast querying capabilities
Data is accessed only through the Audit Trail API (not directly readable)
Events are immediately available for searching and filtering
Supports complex filters and aggregation

S3 replication

Events are automatically replicated from Loki to AWS S3
Stored in compressed JSON Lines (.jsonl.gz) format for efficient storage
Provides human-readable format for direct access or consumption by other applications
Organized by time ranges for easy data management
Compression reduces storage space and network transfer during replication

Feedback

Submit and view feedback for this page
Send feedback about Audit Trail Documentation to cloud-feedback@h2o.ai

What you can do with H2O Audit Trail​

Event structure​

Access methods​

REST API​

Python client​

gRPC interface​

Permissions​

Global search​

Workspace-scoped search​

Storage options​

Internal storage (Grafana Loki)​

S3 replication​