{"slug":"configuration-audit-logging","title":"Configuration audit logging","tags":["tailscale","logging"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Configuration audit logging\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nConfiguration audit logs let you identify _who_ did _what_, and _when_, in your tailnet. Configuration audit logs record actions that modify a tailnet's configuration, including the type of action, the actor, the target resource, and the time.\r\n\r\nYou can export logs for long-term storage and/or for security analysis, threat detection, and incident investigation. You can also stream logs to a security information and event management ( [SIEM](https://tailscale.com/learn/security-information-and-event-management)) system.\r\n\r\nFor changes to the tailnet policy file, the log includes a full diff of the previous and new files.\r\n\r\nConfiguration audit logsare available for [all plans](https://tailscale.com/pricing).\r\n\r\nAll [users who have access to the admin console](https://tailscale.com/docs/reference/user-roles) can find configuration audit logs in the [Logs](https://login.tailscale.com/admin/logs) page of the admin console, and can filter these logs to find specific events.\r\n\r\nConfiguration audit logs are enabled by default for all tailnets, and are available for the most recent 90 days.\r\n\r\n## [Log structure](https://tailscale.com/docs/features/logging/audit-logging\\#log-structure)\r\n\r\nLogs include several components:\r\n\r\n- **Timestamp**: When the event happened. This is displayed in your browser's local time.\r\n- **Action**: What action happened. For example, approve a device, or modify the tailnet policy file.\r\n- **Actor**: Which user or process completed the action. If the action is made by a user, this value is the user's name. The user's email or GitHub username, as well as their name, is available in the events returned by the API. If the action is made by the Tailscale control plane, this value is the Tailscale service. For a list of actions made by the Tailscale control plane, refer to [Service events](https://tailscale.com/docs/features/logging/audit-logging#service-events).\r\n- **Target**: Which resource the action applied to. For example, for an action modifying a user's role, the target is the user. For an action approving a device, the target is the device. Where the action is a tailnet-wide configuration, the target is the tailnet.\r\n- **Diff**: The old and the new values provided, if relevant. For example, if you renamed a node's machine name, or updated a list of tags, you will find both the old and new values. For access control policy changes, you'll find a full diff of the previous and updated versions, including non-substantive changes like comments. For re-authenticating a node, you'll find the old node key expiry and the new key expiry.\r\n\r\n![The Logs page of the admin console listing example configuration logs.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Faudit-logging-page.f678414b.png&w=3840&q=75)\r\n\r\n## [Enabling configuration audit logging](https://tailscale.com/docs/features/logging/audit-logging\\#enabling-configuration-audit-logging)\r\n\r\nConfiguration audit logs are always enabled for all tailnets and cannot be disabled.\r\n\r\nConfiguration audit logs are a subset of the logs that Tailscale uses to provide the service, in line with our [privacy policy](https://tailscale.com/privacy-policy#the-information-we-collect).\r\n\r\n## [Accessing configuration audit logs](https://tailscale.com/docs/features/logging/audit-logging\\#accessing-configuration-audit-logs)\r\n\r\nConfiguration audit logs can be accessed in the [Logs](https://login.tailscale.com/admin/logs) page of admin console or by using the API.\r\n\r\n### [Viewing configuration audit logs in the admin console](https://tailscale.com/docs/features/logging/audit-logging\\#viewing-configuration-audit-logs-in-the-admin-console)\r\n\r\nAll [users who have access to the admin console](https://tailscale.com/docs/reference/user-roles) can access configuration audit logs in the [Logs](https://login.tailscale.com/admin/logs) page of the admin console, and can filter these logs to find specific events.\r\n\r\nLogs are shown in the order that events occurred, starting with the most recent.\r\n\r\n#### [Filtering configuration audit logs](https://tailscale.com/docs/features/logging/audit-logging\\#filtering-configuration-audit-logs)\r\n\r\nEvents in the [Logs](https://login.tailscale.com/admin/logs) page of the admin console can be filtered to more easily find events meeting certain criteria.\r\n\r\nFilters can be used on time, action, and actor. Multiple filters can be applied simultaneously to find events meeting all the filtering criteria.\r\n\r\n![The 'Action' dropdown expanded with filters. Several example filters have checkmarks.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Faudit-log-filter.74ba9f3f.png&w=1080&q=75)\r\n\r\n#### [Time](https://tailscale.com/docs/features/logging/audit-logging\\#time)\r\n\r\nUse the **Timeframe** filter to show only logs between two specified dates.\r\n\r\n#### [Type of action](https://tailscale.com/docs/features/logging/audit-logging\\#type-of-action)\r\n\r\nUse the **Action** filter to show only logs that match the selected actions. For example, you can review all events that include an update to your tailnet policy file.\r\n\r\n#### [Actor](https://tailscale.com/docs/features/logging/audit-logging\\#actor)\r\n\r\nUse the **Actor** filter to show only logs where actions were taken by the selected users.\r\n\r\n### [Accessing configuration audit logs using the Tailscale API](https://tailscale.com/docs/features/logging/audit-logging\\#accessing-configuration-audit-logs-using-the-tailscale-api)\r\n\r\nYou can export configuration audit logs from the Tailscale [API](https://tailscale.com/docs/reference/tailscale-api). You need an [API access token](https://tailscale.com/docs/reference/tailscale-api#authentication) with the `logs:configuration:read` scope to access configuration audit logs.\r\n\r\nThe response to the `logs` API call is in the form of the `TailnetLogsResponse` struct:\r\n\r\n```go\r\ntype TailnetLogsResponse struct {\r\n\tVersion string        `json:\"version\"`\r\n\tTailnet dbx.TailnetID `json:\"tailnetId\"`\r\n\r\n\tLogs []Log `json:\"logs\"` // Ordered chronologically\r\n}\r\n```\r\n\r\nYou can use the following query parameters with the API:\r\n\r\n- `start`: Required. Start of the timeframe, in [RFC3339](https://www.rfc-editor.org/rfc/rfc3339.html) timestamp format, for the logs to retrieve. For example: `2022-07-20T00:00:00Z`.\r\n- `end`: Required. End of the timeframe, in RFC3339 timestamp format, for the logs to retrieve. For example, `2022-07-21T00:00:00Z`.\r\n\r\n`start` and `end` times are inclusive within nanosecond resolution.\r\n\r\nThis example assumes you have set up the following variables to use for your API call:\r\n\r\n- `$ACCESS_TOKEN`: An [API access token](https://tailscale.com/docs/reference/tailscale-api#authentication) to use when calling the Tailscale API. You can create an API access token in the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n- `$TAILNET_ID`: The [tailnet ID](https://tailscale.com/docs/concepts/tailnet-name#tailnet-id). You can find your tailnet ID in the [General](https://login.tailscale.com/admin/settings/general) page of the admin console.\r\n- `$START`: The start of the timeframe for the logs to retrieve.\r\n- `$END`: The end of the timeframe for the logs to retrieve.\r\n\r\n```shell\r\nexport ACCESS_TOKEN=tskey-api-k123456CNTRL-0123456789abcdef\r\nexport TAILNET_ID=example.com\r\nexport START=2022-07-20T00:00:00Z\r\nexport END=2022-07-21T00:00:00Z\r\n```\r\n\r\n```shell\r\ncurl -u  $ACCESS_TOKEN:  -X GET \\\r\n  \"https://api.tailscale.com/api/v2/tailnet/{$TAILNET_ID}/logging/configuration?start={$START}&end={$END}\"\r\n```\r\n\r\nOptionally, use `json_pp` to prettify the JSON output:\r\n\r\n```shell\r\ncurl -u  $ACCESS_TOKEN: -X GET \\\r\n  \"https://api.tailscale.com/api/v2/tailnet/{$TAILNET_ID}/logging/configuration?start={$START}&end={$END}\" \\\r\n  | json_pp\r\n```\r\n\r\nThe output will look like:\r\n\r\n```json\r\n{\r\n\t\"logs\": [\\\r\n\t\t{\\\r\n\t\t\t\"action\": \"UPDATE\",\\\r\n\t\t\t\"actor\": {\\\r\n\t\t\t\t\"displayName\": \"Alice Architect\",\\\r\n\t\t\t\t\"id\": \"123456CNTRL\",\\\r\n\t\t\t\t\"loginName\": \"alice@example.com\",\\\r\n\t\t\t\t\"type\": \"USER\"\\\r\n\t\t\t},\\\r\n\t\t\t\"deferredAt\": \"0001-01-01T00:00:00Z\",\\\r\n\t\t\t\"eventGroupID\": \"12345\",\\\r\n\t\t\t\"eventTime\": \"2022-07-20T20:13:30.136022207Z\",\\\r\n\t\t\t\"new\": \"2023-01-14T20:13:30.134350003Z\",\\\r\n\t\t\t\"old\": \"0001-01-01T00:00:00Z\",\\\r\n\t\t\t\"origin\": \"NODE\",\\\r\n\t\t\t\"target\": {\\\r\n\t\t\t\t\"id\": \"654321CNTRL\",\\\r\n\t\t\t\t\"name\": \"node1.yak-bebop.ts.net\",\\\r\n\t\t\t\t\"property\": \"KEY_EXPIRY_TIME\",\\\r\n\t\t\t\t\"type\": \"NODE\"\\\r\n\t\t\t},\\\r\n\t\t\t\"type\": \"CONFIG\"\\\r\n\t\t},\\\r\n\t\t{\\\r\n\t\t\t\"action\": \"CREATE\",\\\r\n\t\t\t\"actor\": {\\\r\n\t\t\t\t\"displayName\": \"Alice Architect\",\\\r\n\t\t\t\t\"id\": \"123456CNTRL\",\\\r\n\t\t\t\t\"loginName\": \"alice@example.com\",\\\r\n\t\t\t\t\"type\": \"USER\"\\\r\n\t\t\t},\\\r\n\t\t\t\"deferredAt\": \"0001-01-01T00:00:00Z\",\\\r\n\t\t\t\"eventGroupID\": \"23456\",\\\r\n\t\t\t\"eventTime\": \"2022-07-20T18:40:58.838529518Z\",\\\r\n\t\t\t\"new\": {\\\r\n\t\t\t\t\"capabilities\": [\"CONTROL_API_SCOPE_ALL_READ\", \"CONTROL_API_SCOPE_ALL\"],\\\r\n\t\t\t\t\"expires\": \"2022-10-18 18:40:58.653877012 +0000 UTC\"\\\r\n\t\t\t},\\\r\n\t\t\t\"origin\": \"ADMIN_UI\",\\\r\n\t\t\t\"target\": {\\\r\n\t\t\t\t\"id\": \"789123CNTRL\",\\\r\n\t\t\t\t\"name\": \"Control API key\",\\\r\n\t\t\t\t\"type\": \"API_KEY\"\\\r\n\t\t\t},\\\r\n\t\t\t\"type\": \"CONFIG\"\\\r\n\t\t},\\\r\n\t\t{\\\r\n\t\t\t\"action\": \"UPDATE\",\\\r\n\t\t\t\"actor\": {\\\r\n\t\t\t\t\"displayName\": \"Bob Builder\",\\\r\n\t\t\t\t\"id\": \"987654CNTRL\",\\\r\n\t\t\t\t\"loginName\": \"bob@example.com\",\\\r\n\t\t\t\t\"type\": \"USER\"\\\r\n\t\t\t},\\\r\n\t\t\t\"deferredAt\": \"0001-01-01T00:00:00Z\",\\\r\n\t\t\t\"eventGroupID\": \"34567\",\\\r\n\t\t\t\"eventTime\": \"2022-07-20T22:35:19.590021877Z\",\\\r\n\t\t\t\"new\": [\"...\", \"...\", \"10.0.0.0/24\", \"10.0.1.0/24\"],\\\r\n\t\t\t\"old\": [\"...\", \"...\"],\\\r\n\t\t\t\"origin\": \"ADMIN_UI\",\\\r\n\t\t\t\"target\": {\\\r\n\t\t\t\t\"id\": \"876543CNTRL\",\\\r\n\t\t\t\t\"name\": \"bob-workstation.yak-bebop.ts.net\",\\\r\n\t\t\t\t\"property\": \"ALLOWED_IPS\",\\\r\n\t\t\t\t\"type\": \"NODE\"\\\r\n\t\t\t},\\\r\n\t\t\t\"type\": \"CONFIG\"\\\r\n\t\t}\\\r\n\t],\r\n\t\"tailnetId\": \"example.com\",\r\n\t\"version\": \"1.1\"\r\n}\r\n```\r\n\r\nCurrently, there is no pagination support and no maximum page size for the API. All events in the specified timeframe are returned.\r\n\r\nWhen [multiple events occur for a single operation](https://tailscale.com/docs/features/logging/audit-logging#multiple-events-for-a-single-operation), the actions have the same value for `eventGroupID`.\r\n\r\n## [Reverting access control policies from audit logs](https://tailscale.com/docs/features/logging/audit-logging\\#reverting-access-control-policies-from-audit-logs)\r\n\r\nThis option is not available if you are using [GitOps for Tailscale](https://tailscale.com/docs/gitops).\r\n\r\nYou need to be an [Owner, Admin, or IT admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to revert a [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file) from audit logs.\r\n\r\nYou can revert your tailnet policy file from a previous date and time.\r\n\r\n1. Open the [Configuration logs](https://login.tailscale.com/admin/logs) page of the admin console.\r\n\r\n2. Locate and expand the log entry containing the policy file change you want to revert to, then select **Revert to previous version**. In the confirmation dialog, select **Revert**.\r\n![The policy file change display. Highlighting 'Revert to previous version'.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Flog-acl-revert.1b1c75e4.png&w=3840&q=75)\r\n3. Open the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console and verify the policy file was reverted with the expected changes.\r\n\r\n\r\n## [Events](https://tailscale.com/docs/features/logging/audit-logging\\#events)\r\n\r\nConfiguration audit logs include write actions that change the configuration of a tailnet, including changes that a user can make in the admin console or by using the Tailscale API.\r\n\r\nAny successfully completed event will create a corresponding log entry.\r\n\r\nEvents included in configuration audit logs are:\r\n\r\n| **Target** | **Action** | **Description** |\r\n| --- | --- | --- |\r\n| Tailnet | Create tailnet | Tailnet was created. |\r\n|  | Update policy file for tailnet | [Tailnet policy file](https://tailscale.com/docs/features/access-control/acls) was modified. This includes changes to [tests](https://tailscale.com/docs/reference/syntax/policy-file#tests), [`tagOwners`](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners), [autoApprovers](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers), and [Tailscale SSH](https://tailscale.com/docs/reference/syntax/policy-file#ssh) configurations. |\r\n|  | Update max key duration for tailnet | [Key expiry](https://tailscale.com/docs/features/access-control/key-expiry) was modified. |\r\n|  | Update DNS configuration for tailnet | [DNS](https://tailscale.com/docs/reference/dns-in-tailscale) configuration was updated. This includes adding global or restricted nameservers (Split DNS) and changes to MagicDNS. |\r\n|  | Enable device approval for tailnet | [Device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) was enabled. |\r\n|  | Disable device approval for tailnet | Device approval was disabled. |\r\n|  | Enable user approval for tailnet | [User approval](https://tailscale.com/docs/features/access-control/user-approval) was enabled. |\r\n|  | Disable user approval for tailnet | User approval was disabled. |\r\n|  | User joined external tailnet | A user in your tailnet joined [another tailnet](https://tailscale.com/docs/features/sharing/how-to/invite-any-user). |\r\n|  | User left external tailnet | A user in your tailnet left another tailnet. |\r\n|  | Enable MagicDNS for tailnet | [MagicDNS](https://tailscale.com/docs/features/magicdns) was enabled. |\r\n|  | Disable MagicDNS for tailnet | MagicDNS was disabled. |\r\n|  | Enable Mullvad VPN for tailnet | [Mullvad Exit Nodes](https://tailscale.com/docs/features/exit-nodes/mullvad-exit-nodes) were enabled. |\r\n|  | Disable Mullvad VPN for tailnet | Mullvad Exit Nodes were disabled. |\r\n|  | Enable Taildrop for tailnet | [Taildrop](https://tailscale.com/docs/features/taildrop) was enabled. |\r\n|  | Disable Taildrop for tailnet | Taildrop was disabled. |\r\n|  | Enable services collection for tailnet | [Services collection](https://tailscale.com/docs/features/services) was enabled. |\r\n|  | Disable services collection for tailnet | Services collection was disabled. |\r\n|  | Enable HTTPS domain for tailnet | [HTTPS](https://tailscale.com/docs/how-to/set-up-https-certificates) was enabled. |\r\n|  | Disable HTTPS domain for tailnet | HTTPS was disabled. |\r\n|  | Update tailnet DNS name | [Tailnet DNS name](https://tailscale.com/docs/concepts/tailnet-name#tailnet-dns-name) was changed. |\r\n|  | Enable user and group provisioning for tailnet | [User and group provisioning](https://tailscale.com/docs/features/user-group-provisioning) was enabled. |\r\n|  | Disable user and group provisioning for tailnet | User and group provisioning was disabled. |\r\n|  | Update account email for tailnet | [Account email](https://tailscale.com/docs/reference/contact-preferences#setting-the-account-changes-email) was updated. |\r\n|  | Verify account email for tailnet | Account email was verified. |\r\n|  | Update configuration email for tailnet | [Configuration email](https://tailscale.com/docs/reference/contact-preferences#setting-the-configuration-issues-email) was updated. |\r\n|  | Verify configuration email for tailnet | Configuration email was verified. |\r\n|  | Update security email for tailnet | [Security email](https://tailscale.com/docs/reference/contact-preferences#setting-the-security-issues-email) was updated. |\r\n|  | Verify security email for tailnet | Security email was verified. |\r\n|  | Join waitlist for feature | A waitlist for an [invite only feature](https://tailscale.com/docs/reference/invite-only-feature) was joined. |\r\n|  | Accept invite for feature | An invitation to an invite only feature was accepted. |\r\n|  | Create logstream endpoint for tailnet | A log streaming endpoint was created. |\r\n|  | Update logstream endpoint for tailnet | A log streaming endpoint destination was updated. |\r\n|  | Delete logstream endpoint for tailnet | A log streaming endpoint was deleted. |\r\n|  | Enable network flow logging for tailnet | [Network flow logs](https://tailscale.com/docs/features/logging/network-flow-logs) were enabled. |\r\n|  | Disable network flow logging for tailnet | Network flow logs were disabled. |\r\n|  | Enable tailnet lock | [Tailnet Lock](https://tailscale.com/docs/features/tailnet-lock) was enabled. |\r\n|  | Disable tailnet lock | Tailnet Lock was disabled. |\r\n|  | Sign node key for tailnet lock | A node's key was signed by a trusted Tailnet Lock key. |\r\n|  | Add trusted key to tailnet lock | A trusted key was added to Tailnet Lock. |\r\n|  | Remove trusted key from tailnet lock | A trusted key was removed from Tailnet Lock. |\r\n|  | Update tailnet lock trusted key | A trusted Tailnet Lock key was updated. |\r\n|  | Create webhook endpoint | A [webhook](https://tailscale.com/docs/features/webhooks) was created. |\r\n|  | Delete webhook endpoint | A webhook was deleted. |\r\n|  | Update secret for webhook endpoint | The [secret](https://tailscale.com/docs/features/webhooks#webhook-secret) for a webhook was updated. |\r\n|  | Update subscribed events for webhook endpoint | The set of subscribed [events](https://tailscale.com/docs/features/webhooks#events) for a webhook was updated. |\r\n|  | Enable posture identity collection | Collection of [device posture identifiers](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity) (for example, serial numbers) was enabled. |\r\n|  | Disable posture identity collection | Collection of device posture identifiers was disabled. |\r\n|  | Create posture integration | A new [device posture integration](https://tailscale.com/docs/integrations/crowdstrike-zta) was added. |\r\n|  | Update posture integration | A device posture integration was updated. |\r\n|  | Remove posture integration | A device posture integration was removed. |\r\n| Billing | Create billing subscription for tailnet | Subscription was created. |\r\n|  | Update billing subscription for tailnet | Subscription was modified. This includes changes to the [selected plan](https://tailscale.com/pricing) and limits. _Note that the log will not include diffs for subscriptions. Information on the current subscription is available on the [Billing](https://login.tailscale.com/admin/settings/billing) page of the admin console._ |\r\n|  | Cancel billing subscription for tailnet | Subscription was canceled. |\r\n|  | Update billing address for tailnet | [Billing address](https://tailscale.com/docs/account/billing/modify-billing#change-the-billing-name-and-address) was modified. This includes physical address and name. |\r\n|  | Update billing email for tailnet | [Billing email](https://tailscale.com/docs/account/billing/modify-billing#change-the-billing-email-address) was modified. |\r\n|  | Update billing payment information for tailnet | [Billing payment information](https://tailscale.com/docs/account/billing/modify-billing) was modified, including payment method and [tax IDs](https://tailscale.com/docs/account/billing/modify-billing#manage-tax-ids). |\r\n| User | Create user | User joined the tailnet. |\r\n|  | Invite user to join tailnet | User is either sent or resent an [invite](https://tailscale.com/docs/features/sharing/how-to/invite-team-members) to join a tailnet. |\r\n|  | Approve user | User [was approved](https://tailscale.com/docs/features/access-control/user-approval). |\r\n|  | Update role for user | User's [role](https://tailscale.com/docs/reference/user-roles) was changed. |\r\n|  | Suspend user | User was [suspended](https://tailscale.com/docs/features/sharing/how-to/remove-team-members#suspending-users) from the tailnet. |\r\n|  | Restore user | User was [restored](https://tailscale.com/docs/features/sharing/how-to/remove-team-members#restoring-users) to the tailnet. |\r\n|  | Delete user | User was [deleted](https://tailscale.com/docs/features/sharing/how-to/remove-team-members#deleting-users) from the tailnet. |\r\n|  | Push user | User attributes were updated for a user [provisioned](https://tailscale.com/docs/features/user-group-provisioning) in a [SCIM-integrated](https://tailscale.com/learn/what-is-scim) identity provider. |\r\n| Group | Push group | A group was provisioned in a SCIM-integrated identity provider. |\r\n| Node | Create node | Node was added. For tailnets with [device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) enabled, it may not yet be approved. |\r\n|  | Log in node | User logged in to or re-authenticated on a node. This includes re-authentication as part of [Tailscale SSH check mode](https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh-with-check-mode). |\r\n|  | Approve node | Node was [approved](https://tailscale.com/docs/features/access-control/device-management/device-approval). |\r\n|  | Update name for node | [Node name](https://tailscale.com/docs/concepts/machine-names) updated. |\r\n|  | Enable key expiry for node | Node [key expiry](https://tailscale.com/docs/features/access-control/key-expiry) was enabled. |\r\n|  | Disable key expiry for node | Node key expiry was disabled. |\r\n|  | Update key expiry time for node | User re-authenticated the node, extending the node key validity, or node key expiry was [temporarily extended](https://tailscale.com/docs/features/access-control/key-expiry#renewing-keys-for-an-expired-device). |\r\n|  | Expire node key | Node key expired. |\r\n|  | Update approved routes for node | [Routes](https://tailscale.com/docs/features/subnet-routers) for this node were manually updated. |\r\n|  | Update auto approved routes for node | Routes for this node were automatically updated based on [auto approvers](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers). |\r\n|  | Update exit settings for node | [Exit node](https://tailscale.com/docs/features/exit-nodes) advertised by the node updated. |\r\n|  | Update tags for node | Node [tags](https://tailscale.com/docs/features/tags) updated. |\r\n|  | Update node attribute | A [device posture attribute](https://tailscale.com/docs/features/device-posture#posture-attributes-api) was changed on the node. |\r\n|  | Update node posture identity | [Device posture identity](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity) for the node was changed. |\r\n|  | Log out node | User logged out of node. |\r\n|  | Delete node | Node was deleted. |\r\n| Admin console | Log in to admin console | [Authorized user](https://tailscale.com/docs/reference/user-roles#permission-matrix) logged in to the admin console. |\r\n|  | Log out of admin console | Authorized user logged out of the admin console. |\r\n| login.tailscale.com | Log in using web interface | [Member](https://tailscale.com/docs/reference/user-roles#member) user logged in to the web interface. |\r\n|  | Log out using web interface | Member user logged out of the web interface. |\r\n| Invite | Create invite for node share | Node [share invite](https://tailscale.com/docs/features/sharing) was created by sharer tailnet. The invite target is the label entered when creating the invite. |\r\n|  | Accept invite for node share | Node share invite was accepted by sharee tailnet. |\r\n|  | Delete invite for node share | Node share invite was revoked by sharer tailnet. |\r\n| Share | Create node share | Shared node was added to sharee's tailnet. |\r\n|  | Update node share | Shared node was updated. This occurs when a shared node is shared with a sharee who already has the shared node. |\r\n|  | Delete node share | Shared node was deleted from sharee's tailnet. This could be an action by either the sharer (to revoke access to the shared node) or the sharee (to remove the shared node from their tailnet). |\r\n| API | Failed request | API call attempted with insufficient permission. |\r\n| API key | Create API key | [API access token](https://tailscale.com/docs/reference/tailscale-api) was generated. |\r\n|  | Revoke API key | API access token was revoked. |\r\n|  | API key expired | API access token expired. |\r\n| Auth key | Create API key | [Auth key](https://tailscale.com/docs/features/access-control/auth-keys) was generated. This includes tags and if the key is reusable, ephemeral, pre-approved. |\r\n|  | Revoke API key | Auth key was revoked. |\r\n|  | API key expired | Auth key expired. |\r\n\r\nNote that failed login attempts are not included in Tailscale events—these should be seen in your identity provider logs, not Tailscale logs.\r\n\r\n## [Multiple events for a single operation](https://tailscale.com/docs/features/logging/audit-logging\\#multiple-events-for-a-single-operation)\r\n\r\nMultiple events that occur as part of the same operation are logged individually. For example, when a user is deleted, there are log entries for deleting each of their nodes and each of their API access tokens, as well as deleting the user themselves. When a node is added to your tailnet, there are log entries for updating the name for a node, creating a node, updating the key expiry time for a node, logging into a node, and if applicable, approving the node.\r\n\r\n| **Operation** | **Events** |\r\n| --- | --- |\r\n| A user is added to the tailnet | - (If user was [sent an invite](https://tailscale.com/docs/features/sharing/how-to/invite-team-members)) Invite user to join tailnet<br>- Create user<br>- (If [user approval](https://tailscale.com/docs/features/access-control/user-approval) is enabled) Approve user |\r\n| A user is deleted | - Delete node, for each node <br>- Delete user |\r\n| A node is added to the tailnet | - Update name for node (name set from blank to node name)<br>- Create node<br>- Update [key expiry](https://tailscale.com/docs/features/access-control/key-expiry) time for node (key expiry set for current time + expiry period)<br>- Log in node<br>Shortly afterwards, if [device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) is enabled:<br>- Approve node |\r\n| A node is logged out | - Enable key expiry for node (key expiry is enabled)<br>- Update key expiry time for node (key expiry is set to the current time)<br>- Log out node |\r\n| A node is re-authenticated | - Update key expiry time for node<br>- Log in node |\r\n| MagicDNS is enabled | - Enable [MagicDNS](https://tailscale.com/docs/features/magicdns) for tailnet<br>- Update [DNS](https://tailscale.com/docs/reference/dns-in-tailscale) configuration for tailnet |\r\n| MagicDNS is disabled | - Disable MagicDNS for tailnet<br>- Update DNS configuration for tailnet |\r\n\r\n## [Events for shared nodes](https://tailscale.com/docs/features/logging/audit-logging\\#events-for-shared-nodes)\r\n\r\nWhen using [shared nodes](https://tailscale.com/docs/features/sharing), some events are logged in both the sharer and sharee tailnets. Events related to invites are only logged in the sharer tailnet, and events related to the shared node are logged in both the sharer and sharee tailnets.\r\n\r\n| **Target** | **Action** | **Actor** | **Logged by sharer tailnet?** | **Logged by sharee tailnet?** |\r\n| --- | --- | --- | --- | --- |\r\n| Invite | Create invite for node share | Sharer admin | ✅ | ❌ |\r\n|  | Accept invite for node share | Sharee admin | ✅ | ❌ |\r\n|  | Delete invite for node share | Sharer admin | ✅ | ❌ |\r\n| Share | Create node share | Sharee admin | ✅ | ✅ |\r\n|  | Update node share | Sharee admin | ✅ | ✅ |\r\n|  | Delete node share | Sharer admin or Sharee admin | ✅ | ✅ |\r\n\r\n## [Service events](https://tailscale.com/docs/features/logging/audit-logging\\#service-events)\r\n\r\nThe log includes service events, which are actions performed by the Tailscale service, not performed by users directly. Service events include:\r\n\r\n| **Target** | **Action** | **Actor** | **Description** |\r\n| --- | --- | --- | --- |\r\n| Tailnet | Suspend user | Tailscale service: user and group provisioning | User deactivated or unassigned from the Tailscale app for tailnets using [user & group provisioning](https://tailscale.com/docs/features/user-group-provisioning) |\r\n| Tailnet | Restore user | Tailscale service: user and group provisioning | User reactivated or assigned the Tailscale app for tailnets using user & group provisioning |\r\n| Node | Delete node | Tailscale service: remove ephemeral node | Remove inactive [ephemeral node](https://tailscale.com/docs/features/ephemeral-nodes) |\r\n| API key or Auth key | API key expired | Tailscale service: expire API key | [Expire](https://tailscale.com/docs/reference/tailscale-api) key after 90 days |\r\n\r\n## [Events not included](https://tailscale.com/docs/features/logging/audit-logging\\#events-not-included)\r\n\r\nChanges to a tailnet that were initiated by a request to Tailscale's support team are currently not included. This includes:\r\n\r\n- Update [identity provider](https://tailscale.com/docs/integrations/identity#changing-identity-providers)\r\n- Complete identity provider configuration for [Okta](https://tailscale.com/docs/integrations/identity/okta#steps) or [OneLogin](https://tailscale.com/docs/integrations/identity/onelogin)\r\n- Update [tailnet ID](https://tailscale.com/docs/concepts/tailnet-name#tailnet-id)\r\n- Update custom [HTTPS domain](https://tailscale.com/docs/how-to/set-up-https-certificates)\r\n- Delete tailnet\r\n- Allowlist tailnet for alpha feature\r\n\r\nChanges that would have been included if performed by a user, but were instead initiated by a Support request are also not included:\r\n\r\n- Update the [tailnet ID](https://tailscale.com/docs/concepts/tailnet-name#tailnet-id)\r\n- Update role for user\r\n- Delete user\r\n- Create billing subscription for tailnet\r\n- Update billing subscription for tailnet\r\n- Cancel billing subscription for tailnet\r\n- Update billing address for tailnet\r\n- Update billing email for tailnet\r\n- Update billing payment information for tailnet\r\n- Update key expiry time for node\r\n- Enable device approval for tailnet\r\n- Disable device approval for tailnet\r\n\r\n## [Configuration audit logs streaming](https://tailscale.com/docs/features/logging/audit-logging\\#configuration-audit-logs-streaming)\r\n\r\nLog streaming lets you stream network flow logs into a security information and event management ( [SIEM](https://tailscale.com/learn/security-information-and-event-management)) system. For more information, refer to [Log streaming](https://tailscale.com/docs/features/logging/log-streaming).\r\n\r\n## [Limitations](https://tailscale.com/docs/features/logging/audit-logging\\#limitations)\r\n\r\n- Configuration audit logs only include actions that modify a tailnet's configurations. Read-only actions, such as a user viewing the admin console, are not included.\r\n- Changes to a tailnet that were initiated by Tailscale's support team are not currently included.\r\n- Configuration audit logs only include changes to configuration of a tailnet. Information about connections within a tailnet (data plane audit logs), such as network flow logs, are not included in configuration logs. You can use [Network flow logs](https://tailscale.com/docs/features/logging/network-flow-logs) to log information about connections with a tailnet.\r\n- Configuration audit logs are available as part of the admin console, exportable using the API, and as a [streaming source](https://tailscale.com/docs/features/logging/log-streaming) for SIEM systems.\r\n- There is currently no guarantee for a maximum delay between an event taking place and its inclusion in the audit logs. In practice, this occurs within seconds.\r\n- The period of time that configuration logs are stored cannot be configured. Configuration logs are stored for 90 days.\r\n- [Devices with the same node key](https://tailscale.com/docs/reference/troubleshooting/network-configuration/multiple-devices-same-100.x-ip-address) will appear in logs as the same node target.\r\n- When a user is suspended, the suspension of the user's nodes, API access tokens, and auth keys are not logged.\r\n- When a user is deleted, the deletion of the user's API access tokens and auth keys are not logged.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Configuration audit logging</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>Configuration audit logs let you identify <em>who</em> did <em>what</em>, and <em>when</em>, in your tailnet. Configuration audit logs record actions that modify a tailnet's configuration, including the type of action, the actor, the target resource, and the time.</p>\n<p>You can export logs for long-term storage and/or for security analysis, threat detection, and incident investigation. You can also stream logs to a security information and event management ( <a href=\"https://tailscale.com/learn/security-information-and-event-management\">SIEM</a>) system.</p>\n<p>For changes to the tailnet policy file, the log includes a full diff of the previous and new files.</p>\n<p>Configuration audit logsare available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<p>All <a href=\"https://tailscale.com/docs/reference/user-roles\">users who have access to the admin console</a> can find configuration audit logs in the <a href=\"https://login.tailscale.com/admin/logs\">Logs</a> page of the admin console, and can filter these logs to find specific events.</p>\n<p>Configuration audit logs are enabled by default for all tailnets, and are available for the most recent 90 days.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#log-structure\">Log structure</a></h2>\n<p>Logs include several components:</p>\n<ul>\n<li><strong>Timestamp</strong>: When the event happened. This is displayed in your browser's local time.</li>\n<li><strong>Action</strong>: What action happened. For example, approve a device, or modify the tailnet policy file.</li>\n<li><strong>Actor</strong>: Which user or process completed the action. If the action is made by a user, this value is the user's name. The user's email or GitHub username, as well as their name, is available in the events returned by the API. If the action is made by the Tailscale control plane, this value is the Tailscale service. For a list of actions made by the Tailscale control plane, refer to <a href=\"https://tailscale.com/docs/features/logging/audit-logging#service-events\">Service events</a>.</li>\n<li><strong>Target</strong>: Which resource the action applied to. For example, for an action modifying a user's role, the target is the user. For an action approving a device, the target is the device. Where the action is a tailnet-wide configuration, the target is the tailnet.</li>\n<li><strong>Diff</strong>: The old and the new values provided, if relevant. For example, if you renamed a node's machine name, or updated a list of tags, you will find both the old and new values. For access control policy changes, you'll find a full diff of the previous and updated versions, including non-substantive changes like comments. For re-authenticating a node, you'll find the old node key expiry and the new key expiry.</li>\n</ul>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Faudit-logging-page.f678414b.png&#x26;w=3840&#x26;q=75\" alt=\"The Logs page of the admin console listing example configuration logs.\"></p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#enabling-configuration-audit-logging\">Enabling configuration audit logging</a></h2>\n<p>Configuration audit logs are always enabled for all tailnets and cannot be disabled.</p>\n<p>Configuration audit logs are a subset of the logs that Tailscale uses to provide the service, in line with our <a href=\"https://tailscale.com/privacy-policy#the-information-we-collect\">privacy policy</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#accessing-configuration-audit-logs\">Accessing configuration audit logs</a></h2>\n<p>Configuration audit logs can be accessed in the <a href=\"https://login.tailscale.com/admin/logs\">Logs</a> page of admin console or by using the API.</p>\n<h3><a href=\"https://tailscale.com/docs/features/logging/audit-logging#viewing-configuration-audit-logs-in-the-admin-console\">Viewing configuration audit logs in the admin console</a></h3>\n<p>All <a href=\"https://tailscale.com/docs/reference/user-roles\">users who have access to the admin console</a> can access configuration audit logs in the <a href=\"https://login.tailscale.com/admin/logs\">Logs</a> page of the admin console, and can filter these logs to find specific events.</p>\n<p>Logs are shown in the order that events occurred, starting with the most recent.</p>\n<h4><a href=\"https://tailscale.com/docs/features/logging/audit-logging#filtering-configuration-audit-logs\">Filtering configuration audit logs</a></h4>\n<p>Events in the <a href=\"https://login.tailscale.com/admin/logs\">Logs</a> page of the admin console can be filtered to more easily find events meeting certain criteria.</p>\n<p>Filters can be used on time, action, and actor. Multiple filters can be applied simultaneously to find events meeting all the filtering criteria.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Faudit-log-filter.74ba9f3f.png&#x26;w=1080&#x26;q=75\" alt=\"The &#x27;Action&#x27; dropdown expanded with filters. Several example filters have checkmarks.\"></p>\n<h4><a href=\"https://tailscale.com/docs/features/logging/audit-logging#time\">Time</a></h4>\n<p>Use the <strong>Timeframe</strong> filter to show only logs between two specified dates.</p>\n<h4><a href=\"https://tailscale.com/docs/features/logging/audit-logging#type-of-action\">Type of action</a></h4>\n<p>Use the <strong>Action</strong> filter to show only logs that match the selected actions. For example, you can review all events that include an update to your tailnet policy file.</p>\n<h4><a href=\"https://tailscale.com/docs/features/logging/audit-logging#actor\">Actor</a></h4>\n<p>Use the <strong>Actor</strong> filter to show only logs where actions were taken by the selected users.</p>\n<h3><a href=\"https://tailscale.com/docs/features/logging/audit-logging#accessing-configuration-audit-logs-using-the-tailscale-api\">Accessing configuration audit logs using the Tailscale API</a></h3>\n<p>You can export configuration audit logs from the Tailscale <a href=\"https://tailscale.com/docs/reference/tailscale-api\">API</a>. You need an <a href=\"https://tailscale.com/docs/reference/tailscale-api#authentication\">API access token</a> with the <code>logs:configuration:read</code> scope to access configuration audit logs.</p>\n<p>The response to the <code>logs</code> API call is in the form of the <code>TailnetLogsResponse</code> struct:</p>\n<pre><code class=\"language-go\">type TailnetLogsResponse struct {\r\n\tVersion string        `json:\"version\"`\r\n\tTailnet dbx.TailnetID `json:\"tailnetId\"`\r\n\r\n\tLogs []Log `json:\"logs\"` // Ordered chronologically\r\n}\n</code></pre>\n<p>You can use the following query parameters with the API:</p>\n<ul>\n<li><code>start</code>: Required. Start of the timeframe, in <a href=\"https://www.rfc-editor.org/rfc/rfc3339.html\">RFC3339</a> timestamp format, for the logs to retrieve. For example: <code>2022-07-20T00:00:00Z</code>.</li>\n<li><code>end</code>: Required. End of the timeframe, in RFC3339 timestamp format, for the logs to retrieve. For example, <code>2022-07-21T00:00:00Z</code>.</li>\n</ul>\n<p><code>start</code> and <code>end</code> times are inclusive within nanosecond resolution.</p>\n<p>This example assumes you have set up the following variables to use for your API call:</p>\n<ul>\n<li><code>$ACCESS_TOKEN</code>: An <a href=\"https://tailscale.com/docs/reference/tailscale-api#authentication\">API access token</a> to use when calling the Tailscale API. You can create an API access token in the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</li>\n<li><code>$TAILNET_ID</code>: The <a href=\"https://tailscale.com/docs/concepts/tailnet-name#tailnet-id\">tailnet ID</a>. You can find your tailnet ID in the <a href=\"https://login.tailscale.com/admin/settings/general\">General</a> page of the admin console.</li>\n<li><code>$START</code>: The start of the timeframe for the logs to retrieve.</li>\n<li><code>$END</code>: The end of the timeframe for the logs to retrieve.</li>\n</ul>\n<pre><code class=\"language-shell\">export ACCESS_TOKEN=tskey-api-k123456CNTRL-0123456789abcdef\r\nexport TAILNET_ID=example.com\r\nexport START=2022-07-20T00:00:00Z\r\nexport END=2022-07-21T00:00:00Z\n</code></pre>\n<pre><code class=\"language-shell\">curl -u  $ACCESS_TOKEN:  -X GET \\\r\n  \"https://api.tailscale.com/api/v2/tailnet/{$TAILNET_ID}/logging/configuration?start={$START}&#x26;end={$END}\"\n</code></pre>\n<p>Optionally, use <code>json_pp</code> to prettify the JSON output:</p>\n<pre><code class=\"language-shell\">curl -u  $ACCESS_TOKEN: -X GET \\\r\n  \"https://api.tailscale.com/api/v2/tailnet/{$TAILNET_ID}/logging/configuration?start={$START}&#x26;end={$END}\" \\\r\n  | json_pp\n</code></pre>\n<p>The output will look like:</p>\n<pre><code class=\"language-json\">{\r\n\t\"logs\": [\\\r\n\t\t{\\\r\n\t\t\t\"action\": \"UPDATE\",\\\r\n\t\t\t\"actor\": {\\\r\n\t\t\t\t\"displayName\": \"Alice Architect\",\\\r\n\t\t\t\t\"id\": \"123456CNTRL\",\\\r\n\t\t\t\t\"loginName\": \"alice@example.com\",\\\r\n\t\t\t\t\"type\": \"USER\"\\\r\n\t\t\t},\\\r\n\t\t\t\"deferredAt\": \"0001-01-01T00:00:00Z\",\\\r\n\t\t\t\"eventGroupID\": \"12345\",\\\r\n\t\t\t\"eventTime\": \"2022-07-20T20:13:30.136022207Z\",\\\r\n\t\t\t\"new\": \"2023-01-14T20:13:30.134350003Z\",\\\r\n\t\t\t\"old\": \"0001-01-01T00:00:00Z\",\\\r\n\t\t\t\"origin\": \"NODE\",\\\r\n\t\t\t\"target\": {\\\r\n\t\t\t\t\"id\": \"654321CNTRL\",\\\r\n\t\t\t\t\"name\": \"node1.yak-bebop.ts.net\",\\\r\n\t\t\t\t\"property\": \"KEY_EXPIRY_TIME\",\\\r\n\t\t\t\t\"type\": \"NODE\"\\\r\n\t\t\t},\\\r\n\t\t\t\"type\": \"CONFIG\"\\\r\n\t\t},\\\r\n\t\t{\\\r\n\t\t\t\"action\": \"CREATE\",\\\r\n\t\t\t\"actor\": {\\\r\n\t\t\t\t\"displayName\": \"Alice Architect\",\\\r\n\t\t\t\t\"id\": \"123456CNTRL\",\\\r\n\t\t\t\t\"loginName\": \"alice@example.com\",\\\r\n\t\t\t\t\"type\": \"USER\"\\\r\n\t\t\t},\\\r\n\t\t\t\"deferredAt\": \"0001-01-01T00:00:00Z\",\\\r\n\t\t\t\"eventGroupID\": \"23456\",\\\r\n\t\t\t\"eventTime\": \"2022-07-20T18:40:58.838529518Z\",\\\r\n\t\t\t\"new\": {\\\r\n\t\t\t\t\"capabilities\": [\"CONTROL_API_SCOPE_ALL_READ\", \"CONTROL_API_SCOPE_ALL\"],\\\r\n\t\t\t\t\"expires\": \"2022-10-18 18:40:58.653877012 +0000 UTC\"\\\r\n\t\t\t},\\\r\n\t\t\t\"origin\": \"ADMIN_UI\",\\\r\n\t\t\t\"target\": {\\\r\n\t\t\t\t\"id\": \"789123CNTRL\",\\\r\n\t\t\t\t\"name\": \"Control API key\",\\\r\n\t\t\t\t\"type\": \"API_KEY\"\\\r\n\t\t\t},\\\r\n\t\t\t\"type\": \"CONFIG\"\\\r\n\t\t},\\\r\n\t\t{\\\r\n\t\t\t\"action\": \"UPDATE\",\\\r\n\t\t\t\"actor\": {\\\r\n\t\t\t\t\"displayName\": \"Bob Builder\",\\\r\n\t\t\t\t\"id\": \"987654CNTRL\",\\\r\n\t\t\t\t\"loginName\": \"bob@example.com\",\\\r\n\t\t\t\t\"type\": \"USER\"\\\r\n\t\t\t},\\\r\n\t\t\t\"deferredAt\": \"0001-01-01T00:00:00Z\",\\\r\n\t\t\t\"eventGroupID\": \"34567\",\\\r\n\t\t\t\"eventTime\": \"2022-07-20T22:35:19.590021877Z\",\\\r\n\t\t\t\"new\": [\"...\", \"...\", \"10.0.0.0/24\", \"10.0.1.0/24\"],\\\r\n\t\t\t\"old\": [\"...\", \"...\"],\\\r\n\t\t\t\"origin\": \"ADMIN_UI\",\\\r\n\t\t\t\"target\": {\\\r\n\t\t\t\t\"id\": \"876543CNTRL\",\\\r\n\t\t\t\t\"name\": \"bob-workstation.yak-bebop.ts.net\",\\\r\n\t\t\t\t\"property\": \"ALLOWED_IPS\",\\\r\n\t\t\t\t\"type\": \"NODE\"\\\r\n\t\t\t},\\\r\n\t\t\t\"type\": \"CONFIG\"\\\r\n\t\t}\\\r\n\t],\r\n\t\"tailnetId\": \"example.com\",\r\n\t\"version\": \"1.1\"\r\n}\n</code></pre>\n<p>Currently, there is no pagination support and no maximum page size for the API. All events in the specified timeframe are returned.</p>\n<p>When <a href=\"https://tailscale.com/docs/features/logging/audit-logging#multiple-events-for-a-single-operation\">multiple events occur for a single operation</a>, the actions have the same value for <code>eventGroupID</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#reverting-access-control-policies-from-audit-logs\">Reverting access control policies from audit logs</a></h2>\n<p>This option is not available if you are using <a href=\"https://tailscale.com/docs/gitops\">GitOps for Tailscale</a>.</p>\n<p>You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or IT admin</a> of a tailnet to revert a <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a> from audit logs.</p>\n<p>You can revert your tailnet policy file from a previous date and time.</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/logs\">Configuration logs</a> page of the admin console.</p>\n</li>\n<li>\n<p>Locate and expand the log entry containing the policy file change you want to revert to, then select <strong>Revert to previous version</strong>. In the confirmation dialog, select <strong>Revert</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Flog-acl-revert.1b1c75e4.png&#x26;w=3840&#x26;q=75\" alt=\"The policy file change display. Highlighting &#x27;Revert to previous version&#x27;.\"></p>\n</li>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console and verify the policy file was reverted with the expected changes.</p>\n</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#events\">Events</a></h2>\n<p>Configuration audit logs include write actions that change the configuration of a tailnet, including changes that a user can make in the admin console or by using the Tailscale API.</p>\n<p>Any successfully completed event will create a corresponding log entry.</p>\n<p>Events included in configuration audit logs are:</p>\n<p>| <strong>Target</strong> | <strong>Action</strong> | <strong>Description</strong> |\r\n| --- | --- | --- |\r\n| Tailnet | Create tailnet | Tailnet was created. |\r\n|  | Update policy file for tailnet | <a href=\"https://tailscale.com/docs/features/access-control/acls\">Tailnet policy file</a> was modified. This includes changes to <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">tests</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\"><code>tagOwners</code></a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\">autoApprovers</a>, and <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">Tailscale SSH</a> configurations. |\r\n|  | Update max key duration for tailnet | <a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">Key expiry</a> was modified. |\r\n|  | Update DNS configuration for tailnet | <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale\">DNS</a> configuration was updated. This includes adding global or restricted nameservers (Split DNS) and changes to MagicDNS. |\r\n|  | Enable device approval for tailnet | <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">Device approval</a> was enabled. |\r\n|  | Disable device approval for tailnet | Device approval was disabled. |\r\n|  | Enable user approval for tailnet | <a href=\"https://tailscale.com/docs/features/access-control/user-approval\">User approval</a> was enabled. |\r\n|  | Disable user approval for tailnet | User approval was disabled. |\r\n|  | User joined external tailnet | A user in your tailnet joined <a href=\"https://tailscale.com/docs/features/sharing/how-to/invite-any-user\">another tailnet</a>. |\r\n|  | User left external tailnet | A user in your tailnet left another tailnet. |\r\n|  | Enable MagicDNS for tailnet | <a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a> was enabled. |\r\n|  | Disable MagicDNS for tailnet | MagicDNS was disabled. |\r\n|  | Enable Mullvad VPN for tailnet | <a href=\"https://tailscale.com/docs/features/exit-nodes/mullvad-exit-nodes\">Mullvad Exit Nodes</a> were enabled. |\r\n|  | Disable Mullvad VPN for tailnet | Mullvad Exit Nodes were disabled. |\r\n|  | Enable Taildrop for tailnet | <a href=\"https://tailscale.com/docs/features/taildrop\">Taildrop</a> was enabled. |\r\n|  | Disable Taildrop for tailnet | Taildrop was disabled. |\r\n|  | Enable services collection for tailnet | <a href=\"https://tailscale.com/docs/features/services\">Services collection</a> was enabled. |\r\n|  | Disable services collection for tailnet | Services collection was disabled. |\r\n|  | Enable HTTPS domain for tailnet | <a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates\">HTTPS</a> was enabled. |\r\n|  | Disable HTTPS domain for tailnet | HTTPS was disabled. |\r\n|  | Update tailnet DNS name | <a href=\"https://tailscale.com/docs/concepts/tailnet-name#tailnet-dns-name\">Tailnet DNS name</a> was changed. |\r\n|  | Enable user and group provisioning for tailnet | <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">User and group provisioning</a> was enabled. |\r\n|  | Disable user and group provisioning for tailnet | User and group provisioning was disabled. |\r\n|  | Update account email for tailnet | <a href=\"https://tailscale.com/docs/reference/contact-preferences#setting-the-account-changes-email\">Account email</a> was updated. |\r\n|  | Verify account email for tailnet | Account email was verified. |\r\n|  | Update configuration email for tailnet | <a href=\"https://tailscale.com/docs/reference/contact-preferences#setting-the-configuration-issues-email\">Configuration email</a> was updated. |\r\n|  | Verify configuration email for tailnet | Configuration email was verified. |\r\n|  | Update security email for tailnet | <a href=\"https://tailscale.com/docs/reference/contact-preferences#setting-the-security-issues-email\">Security email</a> was updated. |\r\n|  | Verify security email for tailnet | Security email was verified. |\r\n|  | Join waitlist for feature | A waitlist for an <a href=\"https://tailscale.com/docs/reference/invite-only-feature\">invite only feature</a> was joined. |\r\n|  | Accept invite for feature | An invitation to an invite only feature was accepted. |\r\n|  | Create logstream endpoint for tailnet | A log streaming endpoint was created. |\r\n|  | Update logstream endpoint for tailnet | A log streaming endpoint destination was updated. |\r\n|  | Delete logstream endpoint for tailnet | A log streaming endpoint was deleted. |\r\n|  | Enable network flow logging for tailnet | <a href=\"https://tailscale.com/docs/features/logging/network-flow-logs\">Network flow logs</a> were enabled. |\r\n|  | Disable network flow logging for tailnet | Network flow logs were disabled. |\r\n|  | Enable tailnet lock | <a href=\"https://tailscale.com/docs/features/tailnet-lock\">Tailnet Lock</a> was enabled. |\r\n|  | Disable tailnet lock | Tailnet Lock was disabled. |\r\n|  | Sign node key for tailnet lock | A node's key was signed by a trusted Tailnet Lock key. |\r\n|  | Add trusted key to tailnet lock | A trusted key was added to Tailnet Lock. |\r\n|  | Remove trusted key from tailnet lock | A trusted key was removed from Tailnet Lock. |\r\n|  | Update tailnet lock trusted key | A trusted Tailnet Lock key was updated. |\r\n|  | Create webhook endpoint | A <a href=\"https://tailscale.com/docs/features/webhooks\">webhook</a> was created. |\r\n|  | Delete webhook endpoint | A webhook was deleted. |\r\n|  | Update secret for webhook endpoint | The <a href=\"https://tailscale.com/docs/features/webhooks#webhook-secret\">secret</a> for a webhook was updated. |\r\n|  | Update subscribed events for webhook endpoint | The set of subscribed <a href=\"https://tailscale.com/docs/features/webhooks#events\">events</a> for a webhook was updated. |\r\n|  | Enable posture identity collection | Collection of <a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">device posture identifiers</a> (for example, serial numbers) was enabled. |\r\n|  | Disable posture identity collection | Collection of device posture identifiers was disabled. |\r\n|  | Create posture integration | A new <a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta\">device posture integration</a> was added. |\r\n|  | Update posture integration | A device posture integration was updated. |\r\n|  | Remove posture integration | A device posture integration was removed. |\r\n| Billing | Create billing subscription for tailnet | Subscription was created. |\r\n|  | Update billing subscription for tailnet | Subscription was modified. This includes changes to the <a href=\"https://tailscale.com/pricing\">selected plan</a> and limits. <em>Note that the log will not include diffs for subscriptions. Information on the current subscription is available on the <a href=\"https://login.tailscale.com/admin/settings/billing\">Billing</a> page of the admin console.</em> |\r\n|  | Cancel billing subscription for tailnet | Subscription was canceled. |\r\n|  | Update billing address for tailnet | <a href=\"https://tailscale.com/docs/account/billing/modify-billing#change-the-billing-name-and-address\">Billing address</a> was modified. This includes physical address and name. |\r\n|  | Update billing email for tailnet | <a href=\"https://tailscale.com/docs/account/billing/modify-billing#change-the-billing-email-address\">Billing email</a> was modified. |\r\n|  | Update billing payment information for tailnet | <a href=\"https://tailscale.com/docs/account/billing/modify-billing\">Billing payment information</a> was modified, including payment method and <a href=\"https://tailscale.com/docs/account/billing/modify-billing#manage-tax-ids\">tax IDs</a>. |\r\n| User | Create user | User joined the tailnet. |\r\n|  | Invite user to join tailnet | User is either sent or resent an <a href=\"https://tailscale.com/docs/features/sharing/how-to/invite-team-members\">invite</a> to join a tailnet. |\r\n|  | Approve user | User <a href=\"https://tailscale.com/docs/features/access-control/user-approval\">was approved</a>. |\r\n|  | Update role for user | User's <a href=\"https://tailscale.com/docs/reference/user-roles\">role</a> was changed. |\r\n|  | Suspend user | User was <a href=\"https://tailscale.com/docs/features/sharing/how-to/remove-team-members#suspending-users\">suspended</a> from the tailnet. |\r\n|  | Restore user | User was <a href=\"https://tailscale.com/docs/features/sharing/how-to/remove-team-members#restoring-users\">restored</a> to the tailnet. |\r\n|  | Delete user | User was <a href=\"https://tailscale.com/docs/features/sharing/how-to/remove-team-members#deleting-users\">deleted</a> from the tailnet. |\r\n|  | Push user | User attributes were updated for a user <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">provisioned</a> in a <a href=\"https://tailscale.com/learn/what-is-scim\">SCIM-integrated</a> identity provider. |\r\n| Group | Push group | A group was provisioned in a SCIM-integrated identity provider. |\r\n| Node | Create node | Node was added. For tailnets with <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">device approval</a> enabled, it may not yet be approved. |\r\n|  | Log in node | User logged in to or re-authenticated on a node. This includes re-authentication as part of <a href=\"https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh-with-check-mode\">Tailscale SSH check mode</a>. |\r\n|  | Approve node | Node was <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">approved</a>. |\r\n|  | Update name for node | <a href=\"https://tailscale.com/docs/concepts/machine-names\">Node name</a> updated. |\r\n|  | Enable key expiry for node | Node <a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">key expiry</a> was enabled. |\r\n|  | Disable key expiry for node | Node key expiry was disabled. |\r\n|  | Update key expiry time for node | User re-authenticated the node, extending the node key validity, or node key expiry was <a href=\"https://tailscale.com/docs/features/access-control/key-expiry#renewing-keys-for-an-expired-device\">temporarily extended</a>. |\r\n|  | Expire node key | Node key expired. |\r\n|  | Update approved routes for node | <a href=\"https://tailscale.com/docs/features/subnet-routers\">Routes</a> for this node were manually updated. |\r\n|  | Update auto approved routes for node | Routes for this node were automatically updated based on <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\">auto approvers</a>. |\r\n|  | Update exit settings for node | <a href=\"https://tailscale.com/docs/features/exit-nodes\">Exit node</a> advertised by the node updated. |\r\n|  | Update tags for node | Node <a href=\"https://tailscale.com/docs/features/tags\">tags</a> updated. |\r\n|  | Update node attribute | A <a href=\"https://tailscale.com/docs/features/device-posture#posture-attributes-api\">device posture attribute</a> was changed on the node. |\r\n|  | Update node posture identity | <a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device posture identity</a> for the node was changed. |\r\n|  | Log out node | User logged out of node. |\r\n|  | Delete node | Node was deleted. |\r\n| Admin console | Log in to admin console | <a href=\"https://tailscale.com/docs/reference/user-roles#permission-matrix\">Authorized user</a> logged in to the admin console. |\r\n|  | Log out of admin console | Authorized user logged out of the admin console. |\r\n| login.tailscale.com | Log in using web interface | <a href=\"https://tailscale.com/docs/reference/user-roles#member\">Member</a> user logged in to the web interface. |\r\n|  | Log out using web interface | Member user logged out of the web interface. |\r\n| Invite | Create invite for node share | Node <a href=\"https://tailscale.com/docs/features/sharing\">share invite</a> was created by sharer tailnet. The invite target is the label entered when creating the invite. |\r\n|  | Accept invite for node share | Node share invite was accepted by sharee tailnet. |\r\n|  | Delete invite for node share | Node share invite was revoked by sharer tailnet. |\r\n| Share | Create node share | Shared node was added to sharee's tailnet. |\r\n|  | Update node share | Shared node was updated. This occurs when a shared node is shared with a sharee who already has the shared node. |\r\n|  | Delete node share | Shared node was deleted from sharee's tailnet. This could be an action by either the sharer (to revoke access to the shared node) or the sharee (to remove the shared node from their tailnet). |\r\n| API | Failed request | API call attempted with insufficient permission. |\r\n| API key | Create API key | <a href=\"https://tailscale.com/docs/reference/tailscale-api\">API access token</a> was generated. |\r\n|  | Revoke API key | API access token was revoked. |\r\n|  | API key expired | API access token expired. |\r\n| Auth key | Create API key | <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">Auth key</a> was generated. This includes tags and if the key is reusable, ephemeral, pre-approved. |\r\n|  | Revoke API key | Auth key was revoked. |\r\n|  | API key expired | Auth key expired. |</p>\n<p>Note that failed login attempts are not included in Tailscale events—these should be seen in your identity provider logs, not Tailscale logs.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#multiple-events-for-a-single-operation\">Multiple events for a single operation</a></h2>\n<p>Multiple events that occur as part of the same operation are logged individually. For example, when a user is deleted, there are log entries for deleting each of their nodes and each of their API access tokens, as well as deleting the user themselves. When a node is added to your tailnet, there are log entries for updating the name for a node, creating a node, updating the key expiry time for a node, logging into a node, and if applicable, approving the node.</p>\n<p>| <strong>Operation</strong> | <strong>Events</strong> |\r\n| --- | --- |\r\n| A user is added to the tailnet | - (If user was <a href=\"https://tailscale.com/docs/features/sharing/how-to/invite-team-members\">sent an invite</a>) Invite user to join tailnet<br>- Create user<br>- (If <a href=\"https://tailscale.com/docs/features/access-control/user-approval\">user approval</a> is enabled) Approve user |\r\n| A user is deleted | - Delete node, for each node <br>- Delete user |\r\n| A node is added to the tailnet | - Update name for node (name set from blank to node name)<br>- Create node<br>- Update <a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">key expiry</a> time for node (key expiry set for current time + expiry period)<br>- Log in node<br>Shortly afterwards, if <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">device approval</a> is enabled:<br>- Approve node |\r\n| A node is logged out | - Enable key expiry for node (key expiry is enabled)<br>- Update key expiry time for node (key expiry is set to the current time)<br>- Log out node |\r\n| A node is re-authenticated | - Update key expiry time for node<br>- Log in node |\r\n| MagicDNS is enabled | - Enable <a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a> for tailnet<br>- Update <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale\">DNS</a> configuration for tailnet |\r\n| MagicDNS is disabled | - Disable MagicDNS for tailnet<br>- Update DNS configuration for tailnet |</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#events-for-shared-nodes\">Events for shared nodes</a></h2>\n<p>When using <a href=\"https://tailscale.com/docs/features/sharing\">shared nodes</a>, some events are logged in both the sharer and sharee tailnets. Events related to invites are only logged in the sharer tailnet, and events related to the shared node are logged in both the sharer and sharee tailnets.</p>\n<p>| <strong>Target</strong> | <strong>Action</strong> | <strong>Actor</strong> | <strong>Logged by sharer tailnet?</strong> | <strong>Logged by sharee tailnet?</strong> |\r\n| --- | --- | --- | --- | --- |\r\n| Invite | Create invite for node share | Sharer admin | ✅ | ❌ |\r\n|  | Accept invite for node share | Sharee admin | ✅ | ❌ |\r\n|  | Delete invite for node share | Sharer admin | ✅ | ❌ |\r\n| Share | Create node share | Sharee admin | ✅ | ✅ |\r\n|  | Update node share | Sharee admin | ✅ | ✅ |\r\n|  | Delete node share | Sharer admin or Sharee admin | ✅ | ✅ |</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#service-events\">Service events</a></h2>\n<p>The log includes service events, which are actions performed by the Tailscale service, not performed by users directly. Service events include:</p>\n<p>| <strong>Target</strong> | <strong>Action</strong> | <strong>Actor</strong> | <strong>Description</strong> |\r\n| --- | --- | --- | --- |\r\n| Tailnet | Suspend user | Tailscale service: user and group provisioning | User deactivated or unassigned from the Tailscale app for tailnets using <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">user &#x26; group provisioning</a> |\r\n| Tailnet | Restore user | Tailscale service: user and group provisioning | User reactivated or assigned the Tailscale app for tailnets using user &#x26; group provisioning |\r\n| Node | Delete node | Tailscale service: remove ephemeral node | Remove inactive <a href=\"https://tailscale.com/docs/features/ephemeral-nodes\">ephemeral node</a> |\r\n| API key or Auth key | API key expired | Tailscale service: expire API key | <a href=\"https://tailscale.com/docs/reference/tailscale-api\">Expire</a> key after 90 days |</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#events-not-included\">Events not included</a></h2>\n<p>Changes to a tailnet that were initiated by a request to Tailscale's support team are currently not included. This includes:</p>\n<ul>\n<li>Update <a href=\"https://tailscale.com/docs/integrations/identity#changing-identity-providers\">identity provider</a></li>\n<li>Complete identity provider configuration for <a href=\"https://tailscale.com/docs/integrations/identity/okta#steps\">Okta</a> or <a href=\"https://tailscale.com/docs/integrations/identity/onelogin\">OneLogin</a></li>\n<li>Update <a href=\"https://tailscale.com/docs/concepts/tailnet-name#tailnet-id\">tailnet ID</a></li>\n<li>Update custom <a href=\"https://tailscale.com/docs/how-to/set-up-https-certificates\">HTTPS domain</a></li>\n<li>Delete tailnet</li>\n<li>Allowlist tailnet for alpha feature</li>\n</ul>\n<p>Changes that would have been included if performed by a user, but were instead initiated by a Support request are also not included:</p>\n<ul>\n<li>Update the <a href=\"https://tailscale.com/docs/concepts/tailnet-name#tailnet-id\">tailnet ID</a></li>\n<li>Update role for user</li>\n<li>Delete user</li>\n<li>Create billing subscription for tailnet</li>\n<li>Update billing subscription for tailnet</li>\n<li>Cancel billing subscription for tailnet</li>\n<li>Update billing address for tailnet</li>\n<li>Update billing email for tailnet</li>\n<li>Update billing payment information for tailnet</li>\n<li>Update key expiry time for node</li>\n<li>Enable device approval for tailnet</li>\n<li>Disable device approval for tailnet</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#configuration-audit-logs-streaming\">Configuration audit logs streaming</a></h2>\n<p>Log streaming lets you stream network flow logs into a security information and event management ( <a href=\"https://tailscale.com/learn/security-information-and-event-management\">SIEM</a>) system. For more information, refer to <a href=\"https://tailscale.com/docs/features/logging/log-streaming\">Log streaming</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/logging/audit-logging#limitations\">Limitations</a></h2>\n<ul>\n<li>Configuration audit logs only include actions that modify a tailnet's configurations. Read-only actions, such as a user viewing the admin console, are not included.</li>\n<li>Changes to a tailnet that were initiated by Tailscale's support team are not currently included.</li>\n<li>Configuration audit logs only include changes to configuration of a tailnet. Information about connections within a tailnet (data plane audit logs), such as network flow logs, are not included in configuration logs. You can use <a href=\"https://tailscale.com/docs/features/logging/network-flow-logs\">Network flow logs</a> to log information about connections with a tailnet.</li>\n<li>Configuration audit logs are available as part of the admin console, exportable using the API, and as a <a href=\"https://tailscale.com/docs/features/logging/log-streaming\">streaming source</a> for SIEM systems.</li>\n<li>There is currently no guarantee for a maximum delay between an event taking place and its inclusion in the audit logs. In practice, this occurs within seconds.</li>\n<li>The period of time that configuration logs are stored cannot be configured. Configuration logs are stored for 90 days.</li>\n<li><a href=\"https://tailscale.com/docs/reference/troubleshooting/network-configuration/multiple-devices-same-100.x-ip-address\">Devices with the same node key</a> will appear in logs as the same node target.</li>\n<li>When a user is suspended, the suspension of the user's nodes, API access tokens, and auth keys are not logged.</li>\n<li>When a user is deleted, the deletion of the user's API access tokens and auth keys are not logged.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}