# Premium Audit Log Reference

The Premium Audit Log has the following table columns. If your events don’t have a corresponding value for a specific column, that column will not show in the audit log.

Customers using the v5 BETA release may be using objects for different functions in v4 and v5 and may want to review differences. With a combination of requested_path_info and resource_id , you can identify that these are events that took place in v5. Further, you will note /entities is part of the path for v5.

| **Column Name** | **Data Type** | **Description** | **Examples** |
|  --- | --- | --- | --- |
| account_id | long | Treasure Data account ID |  |
| affected_user | string | e-mail address of the affected user of a completed change, such as API key changes |  |
| affected_user_id | long | The ID - viewable in the API only - of the user acted upon |  |
| amount | long | Number of records inserted, viewed, or downloaded |  |
| apikey_type | string | The type of API key used for an operation: master or write | master; write |
| attribute_name | string | When the resource attribute is changed, the name of the attribute is stored. For example, if a user changed their table schema, the attribute_name is "schema". | password schema |
| bytesize | long | Downloaded size of the data. Actions include job result download. | 24 |
| caller_account_id | long | The ID of the account which owns a delegation token |  |
| caller_user_id | long | The ID of the user who owns a delegation token |  |
| count | long | Number of items viewed | 200 |
| diagnostic_messages
 | string
 | Includes diagnostic information for detailed investigation by Treasure Data engineers.
 | String representation of JSON map object containing some of the following keys: task_arn, network_interface_id, error_message, ecs_stop_code, ecs_stopped_reason, ecs_container_status, ecs_container_status_reason.
Example: `{"task_arn":"arn:aws:ecs:us-east-1:671566194996:task/digdag-aws-development-aws-default-blue/b322c23709db43cbb76a4e83e949f00c","network_interface_id":"eni-0f4b1f34fa904290d","ecs_stop_code":"EssentialContainerExited"}`
 |
| docker_image | string | The docker image used for py>: task | digdag/digdag-python:3.9 |
| event_detail | string | Details about log-parsing events |  |
| event_name | string | The event. If the event is a component-specific operation, you see "event_name: cdp_create_segment" | sign-in job_result_download schedule_create |
| event_result | string | A user who does not have enough permissions tries to access the endpoint. In the Audience Studio and Master Segments, this value always shows as "denied" | denied |
| format | string | Data format |  |
| id | string | A random UUID (Universally Unique Identifier) for deduplication |  |
| ip_address | string | Of the connection that executed the audited event |  |
| is_scheduled | string | Identifies whether or not a workflow is scheduled | true or false |
| job | string | Database and job id of, usually, the data transfer | test_db.34596708 |
| job_type | string | Defines the type of job | 'ResultExportJob', 'BulkLoadJob', 'ExportJob' |
| new_value | string | When the resource attribute is changed, the new value is stored |  |
| old_value | string | The value before the value was changed |  |
| policy_id | long | The ID of the policy providing permission for an event |  |
| primary_keys | string | Primary keys used in Active Data Layer operations |  |
| query_text | string | Query text | SELECT * FROM table |
| reason | string | Reason for SSO user creation |  |
| requested_http_verb | string | The API action | GET, POST, DELETE |
| requested_path_info | string | The event path. | /users/sign_in v4/jobs/5736181/result v3/table/create/new_db/new_table… |
| required_visibility | string | The required visibility for a column visibility violation | blocked, clear, non_pii, pii |
| resource_id | long | Dependent upon on event. If the event is "table_create", the ID is the created table id. If "database_delete", the ID is the deleted database id. |  |
| resource_name | string | Name of the resource being accessed, such as the name of workflow or segmentation | cdp_audience_119770 |
| resource_namespace | string | The namespace of a target annotation |  |
| resource_path
 | string
 | Resource path set in relation to resource_id
 | cdp_test_dashboard_2
cdp_segment_9447
cdp_audience_8833.metering_audience.2316954.2320343
 |
| resource_type
 | string
 | The type of resource
 | audience.predictive_segment
audience.segment.syndications
audience.segment_query.job
 |
| revision_created_user | string | Includes details pertaining to the workflow revision creator. String representation of JSON map object consists of id, email, and ip_address. | `{"id":11,"email":"tom@treasure-data.com","ip_address":"111.99.66.223"}` |
| scheduled_time | long | The time specified for an event to occur |  |
| session_id | long | The workflow session id | 11388547 |
| setting_name | string | The name given to an SSO setting. |  |
| size | long | File size | 47 |
| source_account_id | long | The source account in a table transfer event. |  |
| source_user_email | string | The source user in a table transfer event. |  |
| source_user_id | long | The source user in a table transfer event. |  |
| target_account_id | long | The target account in a table transfer event |  |
| target_connection | string | Target connection in the connector configuration | fb_config |
| target_project | string | The target project ID of a workflow annotation event |  |
| target_resource_id | long | In the event that there are two resources involved, it is the information of the secondary object given that "resource_id" contains the information of the primary object i.e. table 2 id. |  |
| target_resource_name | string | In the event that there are two resources involved, it is the information of the secondary object given that "resource_name" contains the information of the primary object i.e. table 2 name. |  |
| target_resource_namespace | string | The namespace of a target annotation | POLICY, RESOURCE |
| target_table | string | Name of target DB and table. Actions include bulk import/loads, job creation, and execution. |  |
| target_user_email | string | The email of the target user in a table transfer event |  |
| target_user_id | long | The ID of the target user in a table transfer event | table_transfer |
| target_workflow | string | The target workflow ID of a workflow annotation event |  |
| task_created_at | long | UNIX time when a custom script task was submitted for execution | 1632901248 |
| task_duration | long | The elapsed time in seconds | 130 |
| task_exit_code | long | The exit status of the python script | 0, 1, and so on |
| task_finished_at | long | UNIX time when a custom script task finished execution | 1632901378 |
| time | int | UNIX timestamp for the event occurred time | 1586373958 |
| user_email | string | The Email of the operator |  |
| user_id | long | Operator's user-id |  |
| visibility | string | The visibility in a column visibility violation |  |


## Custom Script Log Reference

The Premium Audit Log includes the following columns for custom scripts.

`Treasure Data did not store IP information for workflow revisions ip_address` for scheduled workflows prior to October 2021, therefore the column data for `revision_created_user.ip_address` is accurately captured only for newly created workflows.

| **Column Name** | **Data Type** | **Description** | **Example** |
|  --- | --- | --- | --- |
| account_id | long | Treasure Data account ID | 1 |
| diagnostic_messages
 | string
 | Includes diagnostic information for detailed investigation by Treasure Data engineers.
 | String representation of JSON map object containing some of the following keys: task_arn, network_interface_id, error_message, ecs_stop_code, ecs_stopped_reason, ecs_container_status, ecs_container_status_reason.
Example: `{"task_arn":"arn:aws:ecs:us-east-1:671566194996:task/digdag-aws-development-aws-default-blue/b322c23709db43cbb76a4e83e949f00c","network_interface_id":"eni-0f4b1f34fa904290d","ecs_stop_code":"EssentialContainerExited"}`
 |
| docker_image | string | The docker image used for py>: task | digdag/digdag-python:3.9 |
| event_name | string | The type of audit event | custom_script_task_starts or custom_script_task_ends |
| id | string | Random UUID | 2f789cb5-f02b-4d11-b64b-532b8a498c87 |
| ip_address | string | The IP address for the user who initiated the workflow attempt or the corresponding IP address for a user who created the workflow revision for a scheduled workflow. | 111.98.77.226 |
| is_scheduled | string | Identifies whether or not a workflow is scheduled | true or false |
| resource_id | long | The workflow session attempt ID | 12011427 |
| resource_name | string | project_name[project_id].workflow_name@workflow_revision | yy_custom_script_test[41886].test1@cd7565b4-19ae-43c8-9030-36ba8a4ba180 |
| resource_path | string | The python script method specified in py>: task | tasks.example.print_arg |
| revision_created_user | string | Includes details pertaining to the workflow revision creator. String representation of JSON map object consists of id, email, and ip_address. | `{"id":11,"email":"tom@treasure-data.com","ip_address":"111.99.66.223"}` |
| session_id | long | The workflow session id | 11388547 |
| task_created_at | long | UNIX time when a custom script task was submitted for execution | 1632901248 |
| task_duration | long | The elapsed time in seconds | 130 |
| task_exit_code | long | The exit status of the python script | 0, 1, and so on |
| task_finished_at | long | UNIX time when a custom script task finished execution | 1632901378 |
| time | int | UNIX time when the event is ingested to TD table. | 1632901612 |
| user_email | string | User email address who initiated the workflow attempt. Or, email of the user who created the workflow revision for a scheduled workflow. | bob@treasure-data.com |
| user_id | long | ID for the user who initiated the workflow attempt or the corresponding ID for a user who created the workflow revision for a scheduled workflow. | 11 |