Audit Logging
The creation and modification of Dremio resources are tracked and traceable via the sys.project.history.events table. Audit logging is enabled by default and available to users with administrative permissions on the project.
An event can take up to three hours to propagate to the system table, and there is currently no maximum retention policy for audit events.
Tracked Events
Dremio provides events for organization objects, such as integrated identity providers and users, and project objects such as sources, engines, and Reflections.
Organization Events
Dremio supports audit logging for the following organization event types and actions:
| Event Type | Actions | Description |
|---|---|---|
| BILLING_ACCOUNT | BILLING_ACCOUNT_ADD_PROJECT | Dremio added a new project to the billing account during project creation. |
| BILLING_ACCOUNT | BILLING_ACCOUNT_CREATE | A user created a billing account. |
| BILLING_ACCOUNT | BILLING_ACCOUNT_REMOVE_PROJECT | Dremio removed a project from the billing account during project deletion. |
| BILLING_ACCOUNT | BILLING_ACCOUNT_UPDATE | A user modified the billing account, such as the notification email address. |
| BILLING_TRANSACTION | TRANSACTION_CHARGE | Dremio recorded Dremio Consumption Unit (DCU) usage charges for the period. |
| BILLING_TRANSACTION | TRANSACTION_CREDIT_LOAD | Dremio loaded DCU credits into the billing account. |
| CLOUD |
| A user created a cloud. Clouds provide resources for running engines and storing metadata in a project. |
| CLOUD |
| A user deleted a cloud. |
| CLOUD | UPDATE | A user updated a cloud. |
| CONNECTION | FORCE_LOGOUT | A user changed their password or deactivated another user, ending all of that user's sessions. |
| CONNECTION | LOGIN | A user logged in. |
| CONNECTION | LOGOUT | A user logged out. |
| EDITION | DOWNGRADE | A user downgraded the billing edition in the Dremio organization. |
| EDITION | UPGRADE | A user upgraded the billing edition in the Dremio organization. |
| IDENTITY_PROVIDER | CREATE | A user configured a new OpenID Connect (OIDC) identity provider integration. |
| IDENTITY_PROVIDER | DELETE | A user deleted an OIDC identity provider. |
| IDENTITY_PROVIDER | UPDATE | A user updated an OIDC identity provider configuration. |
| ORGANIZATION |
| A user created the Dremio Cloud organization. |
| ORGANIZATION |
| A user closed and deleted the Dremio Cloud organization. |
| ORGANIZATION | UPDATE | A user updated the Dremio Cloud organization. |
| PERSONAL_ACCESS_TOKEN | CREATE | A user created a new personal access token in their account. |
| PERSONAL_ACCESS_TOKEN | DELETE | A user deleted a personal access token. |
| PROJECT |
| A user created a project in the Dremio Cloud organization. |
| PROJECT |
| A user deleted a project. |
| PROJECT |
| A user archived a project. |
| PROJECT |
| A user activated an archived project. |
| PROJECT | UPDATE | A user updated the configuration of a project. |
| ROLE | CREATE | A user created a custom role. |
| ROLE | DELETE | A user deleted a role. |
| ROLE | UPDATE | A user updated a custom role. |
| ROLE | MEMBERS_ADDED | A user added users or roles as members of a role. |
| ROLE | MEMBERS_REMOVED | A user removed users or roles as members of a role. |
| ROLE | UPDATE | A user updated the metadata of a custom role, such as the description. |
| USER_ACCOUNT | CREATE | A user added a user account. |
| USER_ACCOUNT | DELETE | A user deleted a user account. |
| USER_ACCOUNT | PASSWORD_CHANGE | A user updated their account password. |
| USER_ACCOUNT | UPDATE | A user updated user account metadata. |
The sys.project.history.events table contains these events in the default project.
Project Events
Dremio supports audit logging for the following project event types and actions:
| Event Type | Actions | Description |
|---|---|---|
| ENGINE |
| A user created an engine. |
| ENGINE |
| A user deleted an engine. |
| ENGINE |
| A user disabled an engine. |
| ENGINE |
| A user enabled an engine. |
| ENGINE |
| A user updated an engine configuration. |
| ENGINE_SCALING |
| Dremio scaled down an engine by stopping one or more running replicas. |
| ENGINE_SCALING |
| Dremio scaled up an engine by starting one or more additional replicas. |
| FOLDER | CREATE | Dremio created a managed folder. |
| FOLDER | DELETE | Dremio deleted a managed folder. |
| LABEL | UPDATE | A user created a label on a dataset, source, or other object. |
| PIPE | CREATE | A user created an autoingest pipe for Apache Iceberg. |
| PIPE | DELETE | A user dropped an autoingest pipe. |
| PIPE | UPDATE | A user updated the configuration of an existing autoingest pipe. |
| PRIVILEGE | DELETE | A user deleted a privilege from a user or role. |
| PRIVILEGE | UPDATE | A user granted a privilege to a user or role. |
| REFLECTION | CREATE | A user created a new raw or aggregate Reflection. |
| REFLECTION | DELETE | A user deleted a Reflection. |
| REFLECTION | UPDATE | A user updated the content or configuration of a Reflection. |
| REPLICA |
| Dremio started a replica during an ENGINE_SCALING scale up event. |
| REPLICA |
| Dremio stopped a replica during an ENGINE_SCALING scale down event. |
| ROUTING_RULESET | UPDATE | A user modified an engine routing rule. |
| SOURCE | CREATE | A user created a Dremio data source. |
| SOURCE | DELETE | A user deleted a Dremio source connection. Any tables from the source were removed. |
| SOURCE | UPDATE | A user updated a Dremio source configuration. |
| SUPPORT_SETTING | RESET | A user reset an advanced configuration or diagnostic setting. |
| SUPPORT_SETTING | SET | A user set an advanced configuration or diagnostic setting. |
| TABLE | CREATE | A user created a non-catalog table. |
| TABLE | DELETE | A user deleted a non-catalog table. |
| TABLE | UPDATE | Generated by one of the following:
|
| UDF | CREATE | A user created a user-defined function. |
| UDF | DELETE | A user deleted a user-defined function. |
| UDF | UPDATE | A user modified the SQL definition of a user-defined function. |
| WIKI | EDIT | A user created or updated a wiki. |