This document describes the shape of each Astro Private Cloud (APC) API audit event and lists every operation that produces one. Use it when you build queries, alerts, or dashboards on top of APC API audit logs. For background on the feature, see APC API audit logging overview.
The APC API emits each audit event as a single JSON object on standard output. The object has stable field names and a consistent top-level structure. The Vector sidecar adds Kubernetes metadata and renames timestamp to @timestamp before delivering the event to the configured sink.
The following example shows a raw event emitted by the APC API:
The Vector sidecar doesn’t drop APC API audit fields. Before delivery to a sink, Vector:
timestamp to @timestamp.kubernetes object with pod_name, pod_namespace, and container_name.platform, component, and service fields that identify the emitting control plane component.level field to uppercase.After the transform, the same event in the sink contains every original APC API audit field plus the added metadata:
Each sink wraps the delivered event in its own envelope. In CloudWatch Logs, the fields appear as a structured log event. In GCP Cloud Logging, they appear inside jsonPayload. In Elasticsearch, they appear inside the _source object of each document. Field names and values inside the event are identical across sinks.
When you build queries against a sink, use @timestamp. When you inspect Pod standard output with kubectl logs, use timestamp.
The following fields are present only in some events:
errorMessage appears only when the APC API records an explicit error message.changes appears only for change-aware operations, such as deployment.update_flag. It holds before and after values for each changed field.origin appears only when origin metadata is available.username and userEmail can be absent when the APC API can’t derive them from the request.When present, origin contains any of the following fields:
The APC API sanitizes GraphQL variables before it writes them to request.graphql.variables. Matching is case-insensitive.
Each audit event includes a message field that APC API generates from the action, entity, and outcome. The patterns follow these rules:
<Entity type> <entity> <past-tense action> successfully, and failure messages use Failed to <verb> <entity type> <entity>: <error>.
Workspace abc-123 created successfullyFailed to delete deployment analytics-prod: Not authorizedUser <identity> logged in successfullyFailed to login as <identity>: <error>User <identity> logged out successfullyUser alice@example.com added to workspace finance successfullyTeam team-123 removed from deployment analytics successfullyUser alice@example.com role changed to WORKSPACE_EDITOR in workspace finance successfully<Entity type> <action> successfully (<role> to <subject>).Invite for alice@example.com deleted successfully.changes payload, for example Deployment analytics flags updated (paused: changed from disabled to enabled).Messages use plain identifiers without surrounding quotes. When a failure carries an error message, it is appended after a colon.
The following tables list every operation that the APC API currently audits, grouped by category. Each row maps the GraphQL mutation or worker action to its audit action value. Expand a category to see its operations.
The APC API emits worker events from background jobs with component set to houston-worker. Worker actions aren’t triggered by a GraphQL mutation, so they have no mutation mapping. When a worker action has no authenticated actor, the APC API records userId: "system", username: "system", role: "SYSTEM", and clientType: "system".