Audit log offers a record of important events in your Greenhouse Recruiting environment from the previous 30 days. You can use audit log for a variety of use cases. We've collected a few workflows and example queries to explore.
Audit sensitive activities
You can use audit log to detect sensitive changes in Greenhouse Recruiting, like when job posts or candidates are deleted. Use audit log results to monitor events like the following:
- Single Sign-On Changed
- Candidate has been unhired
- API Key Created
Unlike the change log or activity feed in Greenhouse Recruiting, audit log allows for programmatic retrieval and analysis of data from the previous 30 days. Check out the audit log glossary for all the events you can audit, and review the example queries below.
Business Intelligence Connector
With Business Intelligence Connector, use queries and statements with event_target_type to filter results for the type of event you need to investigate.
With this query, audit log will return results with an event target type of Single Sign-On Changed:
Query
select * from audit_log where event_target_type = 'Single Sign-On Changed'
Return
organization_id | event_time | request_id | request_type | performer_id | performer_type | performer_meta | performer_ip_address | event_type | event_target_id | event_target_type | event_meta |
400123123 | 2023-06-29 14:15:00.306 | 8df9ae5a17e522b8 | developer/sso/saml_configs#update | 5407147002 | user | {"name"=>"Katy Glaude", "username"=>"katy.g@ymail.com"} | 123.123.123.123 | action | [NULL] | Single Sign-On Changed | |
When you find an event worth investigating further, use the log's request_id to search for more information about the event:
Query
select * from audit_log where request_id = '8df9ae5a17e522b8'
Return
organization_id | event_time | request_id | request_type | performer_id | performer_type | performer_meta | performer_ip_address | event_type | event_target_id | event_target_type | event_meta |
400123123 | 2023-06-29 14:15:00.306 | 8df9ae5a17e522b8 | developer/sso/saml_configs#update | 5407147002 | user | {"name"=>"Katy Glaude", "username"=>"katy.g@ymail.com"} | 123.123.123.123 | action | [NULL] | Single Sign-On Changed | |
400123123 | 2023-06-29 14:15:00.706 | 8df9ae5a17e522b8 | developer/sso/saml_configs#update | 5407147002 | user | {"name"=>"Katy Glaude", "username"=>"katy.g@ymail.com"} | 123.123.123.123 | data_change_update | 4000562002 | SamlConfig | {"idp_cert_fingerprint"=>["", "geI4003kEMo03p2mL0"], "idp_slo_target_url"=>["", "www"], "name_identifier_format"=>["", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"], "sso_enabled_status"=>["disabled", "soft_enabled"], "idp_sso_target_url"=>["", "com" |
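Added example (not Greenhouse's code): the performer_meta and event_meta columns above are rendered with `=>` rather than as JSON, so this Python code converts them and lists the old and new values of SAML settings changed in a SamlConfig update. The sample rows, the watched field list, the `nil` handling and the reading of each pair as [old, new] are assumptions.

```python
import json
import re

# A double-quoted string (escapes allowed), or "=>" / nil outside any string.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|=>|\bnil\b')

def parse_meta(text):
    """Turn the hash-rocket text shown in performer_meta/event_meta into a dict."""
    if not text or text.strip() == "[NULL]":
        return {}
    def swap(m):
        tok = m.group(0)
        # Assumption: a missing value may be rendered as nil (not shown on the page).
        return {"=>": ":", "nil": "null"}.get(tok, tok)  # quoted strings unchanged
    return json.loads(_TOKEN.sub(swap, text))

# Field names taken from the SamlConfig row on this page.
WATCHED = ("sso_enabled_status", "idp_cert_fingerprint", "idp_sso_target_url")

def sso_changes(rows):
    """Return (event_time, username, field, old, new) for watched SamlConfig updates."""
    found = []
    for r in rows:
        if (r["event_target_type"], r["event_type"]) != ("SamlConfig", "data_change_update"):
            continue
        who = parse_meta(r["performer_meta"]).get("username")
        for field, pair in parse_meta(r["event_meta"]).items():
            # Assumption: each value is [old value, new value], as in the row above.
            if field in WATCHED and isinstance(pair, list) and len(pair) == 2:
                found.append((r["event_time"], who, field, pair[0], pair[1]))
    return found

# Constructed rows keyed by the column names on this page (values are made up).
ROWS = [
    {"event_time": "2023-06-29 14:15:00.306", "event_type": "action",
     "event_target_type": "Single Sign-On Changed", "event_meta": "",
     "performer_meta": '{"name"=>"A. Admin", "username"=>"admin@example.com"}'},
    {"event_time": "2023-06-29 14:15:00.706", "event_type": "data_change_update",
     "event_target_type": "SamlConfig",
     "performer_meta": '{"name"=>"A. Admin", "username"=>"admin@example.com"}',
     "event_meta": '{"sso_enabled_status"=>["disabled", "soft_enabled"], '
                   '"idp_sso_target_url"=>["", "https://idp.example.com/sso?x=>y"], '
                   '"name_identifier_format"=>["", "constructed"]}'},
]

if __name__ == "__main__":
    for change in sso_changes(ROWS):
        print(change)
```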
Audit log API
With audit log API, use query parameters to filter results to the type of event you need to investigate. The event_target_types parameter allows you to query by important events.
With this GET request, audit log will return results with an event target type of Candidate has been unhired:
Request
GET https://auditlog.us.greenhouse.io/events?event_target_types=Candidate has been unhired
Return
{
  "results": [
    {
      "request": {
        "id": "8df9ae5a17e522b8",
        "type": "people#change_application_state"
      },
      "performer": {
        "meta": {
          "name": "Katy Glaude",
          "username": "katy.g@ymail.com"
        },
        "id": 5407147002,
        "ip_address": "123.123.123.123",
        "type": "user"
      },
      "organization_id": 400123123,
      "event": {
        "meta": null,
        "target_type": "Candidate has been unhired",
        "type": "action"
      },
      "event_time": "2023-07-21T18:21:23.607Z"
    }
  ]
}
When you find an event worth investigating further, use the event's request_ids to uncover deeper knowledge. In this example, we can see more details about who Katy unhired and the ramifications of the action:
Request
GET https://auditlog.us.greenhouse.io/events?request_ids=8df9ae5a17e522b8
Return
{
  "hits": 7,
  "results": [
    {
      "request": {
        "id": "8df9ae5a17e522b8",
        "type": "people#change_application_state"
      },
      "performer": {
        "meta": {
          "name": "Katy Glaude",
          "username": "katyg@ymail.com"
        },
        "id": 4351826002,
        "ip_address": "123.123.123.123",
        "type": "user"
      },
      "organization_id": 400123123,
      "event": {
        "meta": {
          "stage_status_id": [
            4000004002,
            4000006002
          ],
          "current_application_stage_id": [
            null,
            1216369280002
          ]
        },
        "target_type": "Application",
        "target_id": 167525819002,
        "type": "data_change_update"
      },
      "event_time": "2023-07-27T19:39:11.613Z"
    },
    {
      "request": {
        "id": "8df9ae5a17e522b8",
        "type": "people#change_application_state"
      },
      "performer": {
        "meta": {
          "name": "Katy Glaude",
          "username": "katyg@ymail.com"
        },
        "id": 4351826002,
        "ip_address": "123.123.123.123",
        "type": "user"
      },
      "organization_id": 400123123,
      "event": {
        "meta": {
          "note_id": 828292793002,
          "id": 403920108002,
          "application_id": 167525819002
        },
        "target_type": "ApplicationNote",
        "target_id": 403920108002,
        "type": "data_change_create"
      },
      "event_time": "2023-07-27T19:39:11.608Z"
    },
    {
      "request": {
        "id": "8df9ae5a17e522b8",
        "type": "people#change_application_state"
      },
      "performer": {
        "meta": {
          "name": "Katy Glaude",
          "username": "katyg@ymail.com"
        },
        "id": 4351826002,
        "ip_address": "123.123.123.123",
        "type": "user"
      },
      "organization_id": 4351826002,
      "event": {
        "meta": {
          "visibility": "admin_only_visible",
          "id": 828292793002,
          "email_cc": [],
          "person_id": 155832526002,
          "note_type_id": 4000001002
        },
        "target_type": "Note",
        "target_id": 828292793002,
        "type": "data_change_create"
      },
      "event_time": "2023-07-27T19:39:11.606Z"
    },
    {
      "request": {
        "id": "8df9ae5a17e522b8",
        "type": "people#change_application_state"
      },
      "performer": {
        "meta": {
          "name": "Katy Glaude",
          "username": "katyg@ymail.com"
        },
        "id": 4351826002,
        "ip_address": "123.123.123.123",
        "type": "user"
      },
      "organization_id": 400123123,
      "event": {
        "meta": {
          "close_date": [
            "2023-07-27T13:39:08.284-06:00",
            null
          ],
          "application_id": [
            167525819002,
            null
          ]
        },
        "target_type": "Opening",
        "target_id": 7763743002,
        "type": "data_change_update"
      },
      "event_time": "2023-07-27T19:39:11.605Z"
    },
    {
      "request": {
        "id": "8df9ae5a17e522b8",
        "type": "people#change_application_state"
      },
      "performer": {
        "meta": {
          "name": "Katy Glaude",
          "username": "katyg@ymail.com"
        },
        "id": 4351826002,
        "ip_address": "123.123.123.123",
        "type": "user"
      },
      "organization_id": 4351826002,
      "event": {
        "meta": {
          "offer_status_id": [
            4000001002,
            4000000002
          ],
          "resolved_at": [
            "2023-07-27T13:39:08.284-06:00",
            null
          ]
        },
        "target_type": "Offer",
        "target_id": 6298144002,
        "type": "data_change_update"
      },
      "event_time": "2023-07-27T19:39:11.602Z"
    },
    {
      "request": {
        "id": "8df9ae5a17e522b8",
        "type": "people#change_application_state"
      },
      "performer": {
        "meta": {
          "name": "Katy Glaude",
          "username": "katyg@ymail.com"
        },
        "id": 4351826002,
        "ip_address": "123.123.123.123",
        "type": "user"
      },
      "organization_id": 400123123,
      "event": {
        "meta": {
          "entered_date": [
            null,
            "2023-07-27T13:39:11.489-06:00"
          ]
        },
        "target_type": "ApplicationStage",
        "target_id": 1216369280002,
        "type": "data_change_update"
      },
      "event_time": "2023-07-27T19:39:11.598Z"
    },
    {
      "request": {
        "id": "8df9ae5a17e522b8",
        "type": "people#change_application_state"
      },
      "performer": {
        "meta": {
          "name": "Katy Glaude",
          "username": "katyg@ymail.com"
        },
        "id": 4351826002,
        "ip_address": "123.123.123.123",
        "type": "user"
      },
      "organization_id": 400123123,
      "event": {
        "meta": null,
        "target_type": "Candidate has been unhired",
        "type": "action"
      },
      "event_time": "2023-07-27T19:39:11.540Z"
    }
  ]
}
Audit access and permission changes
You can use audit log to audit user access and permission changes in Greenhouse Recruiting.
Business Intelligence Connector
With this SQL statement, audit log will return results for user logins:
Query
select * from audit_log where event_target_type = 'User Login'
Return
organization_id | event_time | request_id | request_type | performer_id | performer_type | performer_meta | performer_ip_address | event_type | event_target_id | event_target_type | event_meta |
400123123 | 2023-06-30 15:27:07.334 | 2db753c5eecf | sessions#create | 5407147002 | user | {"name"=>"Katy Glaude", "username"=>"katy.g@ymail.com"} | 123.123.123.123 | action | [NULL] | User Login |
Audit log API
Use query parameters on audit log API to filter results to the type of events you need to investigate. You can query events with event_target_types and times with event_time. Query the people involved with performer_ids, performer_types, performer_metas, or performer_ip_addresses.
With this GET request, audit log will return results with an event target type of User Permission Edited from the date of June 29 — 30, 2023:
Request
GET https://auditlog.us.greenhouse.io/events?event_target_types=User Permission Edited&before_time=2023-06-30T23:59:59&after_time=2023-06-30T00:00:00
Return
"results": [
  {
    "request": {
      "id": "3d31824fe93a2",
      "type": "users#update_permissions"
    },
    "performer": {
      "meta": {
        "name": "Katy Glaude",
        "username": "katyg@ymail.com"
      },
      "id": 5407147002,
      "ip_address": "123.123.123.123",
      "type": "user"
    },
    "organization_id": 400123123,
    "event": {
      "meta": null,
      "target_type": "User Permission Edited",
      "type": "action"
    },
    "event_time": "2023-06-30T17:00:45.975Z"
  },
Note: Returns have been truncated for presentation.
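Added example (not Greenhouse's code): the audit log API workflow on this page in Python. It builds percent-encoded query URLs for the event_target_types, time and request_ids filters, then orders the events returned for one request into a timeline. The sample events and the reading of each update value as [old, new] are assumptions, and sending the request is left to your HTTP client.

```python
from urllib.parse import quote, urlencode

BASE = "https://auditlog.us.greenhouse.io/events"  # endpoint shown on this page

def events_url(**params):
    """Build a query URL; spaces in event target types become %20."""
    return BASE + "?" + urlencode(params, safe=":", quote_via=quote)

def pivot_urls(response):
    """One request_ids follow-up URL per distinct request id in a result page."""
    ids = sorted({e["request"]["id"] for e in response["results"]})
    return [events_url(request_ids=i) for i in ids]

def timeline(response):
    """Events of a request in time order, with updated fields as (old, new)."""
    rows = []
    for e in sorted(response["results"], key=lambda e: e["event_time"]):
        ev, changes = e["event"], {}
        if ev["type"] == "data_change_update":
            # Assumption: each meta value of an update is [old value, new value].
            changes = {k: tuple(v) for k, v in (ev["meta"] or {}).items()
                       if isinstance(v, list) and len(v) == 2}
        rows.append((e["event_time"], ev["target_type"], ev["type"], changes))
    return rows

def performers(response):
    """Distinct (performer id, IP address) pairs seen in the results."""
    return {(e["performer"]["id"], e["performer"]["ip_address"])
            for e in response["results"]}

# Constructed sample in the response shape shown above (values are made up).
WHO = {"id": 1001, "ip_address": "192.0.2.10", "type": "user"}
REQ = {"id": "aaaa1111", "type": "people#change_application_state"}
def sample_event(time, target, kind, meta=None):
    return {"request": REQ, "performer": WHO, "event_time": time,
            "event": {"meta": meta, "target_type": target, "type": kind}}
SAMPLE = {"hits": 3, "results": [
    sample_event("2023-07-27T19:39:11.602Z", "Offer", "data_change_update",
                 {"offer_status_id": [2, 1], "resolved_at": ["2023-07-27T13:39:08-06:00", None]}),
    sample_event("2023-07-27T19:39:11.540Z", "Candidate has been unhired", "action"),
    sample_event("2023-07-27T19:39:11.606Z", "Note", "data_change_create", {"email_cc": []}),
]}

if __name__ == "__main__":
    print(events_url(event_target_types="Candidate has been unhired"))
    for row in timeline(SAMPLE):
        print(row)
```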