Audit logs on Grail

  • How-to guide
  • 1-min read
  • Published Jun 20, 2025

Dynatrace has a built-in audit logging based on Grail.

Regular DQL queries can be used to retrieve configuration changes and each single read/write operation to a Dynatrace resource. These events are stored for one year.

Enable audit logging

Grail-based audit logging is enabled by default and can't be turned off.

Permissions

The following table describes the required permissions to access the audit logs.

Permission
Description
ALLOW storage:system:read WHERE storage:event.kind="AUDIT_EVENT"
Allows reading access to system storage for events where the event kind is "AUDIT_EVENT".
ALLOW storage:buckets:read WHERE storage:bucket-name="dt_system_events"
Allows reading access to storage buckets for the bucket named "dt_system_events".

For more details, refer to IAM policy reference.

To filter for events that are related to changes or actions performed within the settings of the system, use the following query:

fetch dt.system.events
| filter event.kind == "AUDIT_EVENT"
| filter event.provider == "SETTINGS"

Filter Dynatrace Notebooks system events

To filter system events to provide details about audit events specifically from changes to Dynatrace Notebooks, use the following query:

fetch dt.system.events
| filter event.kind == "AUDIT_EVENT"
| filter event.provider == "API_GATEWAY"
| filter contains(resource, "documents")
| filter app.id == "dynatrace.notebooks"
| filter event.type == "PATCH"

Retrieve user information from a user ID

Grail-based audit logs store the user ID instead of an email address to comply with data privacy regulations.

Permissions

The following permission is required to access the user information.

Permission
Description
ALLOW iam:users:read;
Allows reading access for IAM users.

Example

You can use a platform API to retrieve user details by providing the environment or account ID and the user ID. For example:

GET /platform/iam/v1/organizational-levels/{level-type}/{level-id}/users/{uuid}

For more details, refer to Identity and access management (IAM).

export default async function () {
var environmentID = "<environment-id>";
var userID = "<user-id>";
var myUrl = '/platform/iam/v1/organizational-levels/environment/'+environmentID+'/users/'+userID;
var myResponse= fetch(myUrl)
.then((response) => response.json())
.then((data) => data.email);
return myResponse;
}
Related tags
Log Analytics