Skip to main content
Search and download organization audit logs from the CLI. Search audit logs within a time window. Results are ordered newest first.
If you omit the time flags, the command searches from 24 hours ago through now. The start is inclusive and the end is exclusive. Each time window can cover up to 30 days.
--limit controls the total number of CLI results. The CLI automatically requests API pages of up to 100 records until it reaches that limit or runs out of results.

Include GET requests

By default, the CLI returns matching requests for every HTTP method except GET. --include-get removes that default exclusion. --method selects exactly one method, so --method GET returns only GET requests.

kernel audit-logs download

Download matching audit logs in a time window as one gzip-compressed JSONL file.
--start and --end are required. The start is inclusive and the end is exclusive, and the time window can cover up to 30 days. Date-only values represent midnight UTC. For example, --start 2026-06-01 --end 2026-07-01 covers all of June in UTC.

Download behavior

The command downloads up to 50,000 records at a time and appends each chunk to <output>.partial. Before writing a chunk, it verifies the SHA-256 checksum returned by the API. A chunk is attempted up to seven times when a network error, HTTP 429, HTTP 5xx, truncated response, or checksum mismatch occurs. Retries use exponential backoff capped at eight seconds. The CLI renames the temporary file to the requested output only after every chunk transfers successfully. If a transfer fails, it removes the incomplete temporary file. If the final rename fails, the completed download remains at <output>.partial. Downloads don’t resume across CLI runs; rerunning the command starts again from the beginning. The command refuses to replace an existing output unless you pass --force.

Aliases

You can also use kernel audit-log, kernel auditlogs, or kernel auditlog.