jitsudo audit
Query the tamper-evident audit log.
Synopsis
Section titled “Synopsis”jitsudo audit [flags]Description
Section titled “Description”jitsudo audit queries the append-only audit log stored in the jitsudo control plane. Every significant action — request submission, approval, denial, credential issuance, revocation, and policy changes — is recorded as an immutable audit event.
Each event includes a SHA-256 hash of the previous entry, forming a tamper-evident hash chain. Any modification to a historical event breaks the chain and is detectable.
Without filters, the most recent events are returned (newest first, default page size 100).
| Flag | Default | Description |
|---|---|---|
--user <email> | — | Filter by actor identity (the email address of the user who performed the action) |
--provider <name> | — | Filter by cloud provider (aws, gcp, azure, kubernetes) |
--request <id> | — | Filter by request ID (shows all events associated with that request) |
--since <duration|timestamp> | — | Return events after this point in time. Accepts a Go duration (e.g. 24h, 7d) or RFC3339 timestamp (e.g. 2026-01-01T00:00:00Z) |
--until <timestamp> | — | Return events before this RFC3339 timestamp |
--output <format> | table | Output format: table, json, csv |
Global Flags
Section titled “Global Flags”| Flag | Default | Description |
|---|---|---|
--server <url> | Stored credentials | Control plane URL |
--token <token> | Stored credentials | Bearer token override |
-q, --quiet | false | Suppress non-essential output |
--debug | false | Enable debug logging |
Examples
Section titled “Examples”# Show all recent audit eventsjitsudo audit
# Show everything done by alice in the last 24 hours
# Show all events for a specific requestjitsudo audit --request req_01J8KZ4F2EMNQZ3V7XKQYBD4W
# Show all AWS events from the past week in JSONjitsudo audit --provider aws --since 168h --output json
# Export a time-bounded CSV for SIEM ingestionjitsudo audit \ --since 2026-01-01T00:00:00Z \ --until 2026-02-01T00:00:00Z \ --output csv > january-audit.csvOutput — Table Format
Section titled “Output — Table Format”TIMESTAMP ACTOR ACTION REQUEST ID OUTCOME2026-03-20T16:00:00Z [email protected] request.created req_01J8KZ4F2EMNQ... success2026-03-20T16:01:00Z [email protected] request.approved req_01J8KZ4F2EMNQ... success2026-03-20T16:01:00Z system grant.issued req_01J8KZ4F2EMNQ... success2026-03-20T18:00:00Z system grant.expired req_01J8KZ4F2EMNQ... successOutput — JSON Format
Section titled “Output — JSON Format”[ { "id": 1042, "timestamp": "2026-03-20T16:00:00Z", "action": "request.created", "request_id": "req_01J8KZ4F2EMNQZ3V7XKQYBD4W", "provider": "aws", "resource_scope": "123456789012", "outcome": "success" }]Output — CSV Format
Section titled “Output — CSV Format”timestamp,actor,action,request_id,provider,outcome2026-03-20T16:00:00Z,[email protected],request.created,req_01J8KZ...,aws,successAudit Event Actions
Section titled “Audit Event Actions”| Action | Description |
|---|---|
request.created | A new elevation request was submitted |
request.approved | A request was approved by an approver |
request.denied | A request was denied by an approver |
grant.issued | Credentials were issued to the requester |
grant.revoked | An active grant was manually revoked |
grant.expired | A grant expired at its natural expiry time |
policy.created | A new OPA policy was applied |
policy.updated | An existing OPA policy was updated |
policy.deleted | An OPA policy was deleted |
See the Audit Log reference for the full event schema and hash-chain verification details.