> ## Documentation Index
> Fetch the complete documentation index at: https://tbd-6fc993ce-hypeship-document-audit-logs-api.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit Logs

Search and download [organization audit logs](/info/audit-logs) from the CLI.

## `kernel audit-logs search`

Search audit logs within a time window. Results are ordered newest first.

```bash theme={null}
kernel audit-logs search \
  --start 2026-06-01 \
  --end 2026-06-08 \
  --search /browsers \
  --limit 500 \
  --output json
```

If you omit the time flags, the command searches from 24 hours ago through now. The start is inclusive and the end is exclusive. Each time window can cover up to 30 days.

| Flag                         | Description                                                                                       |
| ---------------------------- | ------------------------------------------------------------------------------------------------- |
| `--start <time>`             | Inclusive start, as RFC 3339 or `YYYY-MM-DD`. Defaults to 24 hours ago.                           |
| `--end <time>`               | Exclusive end, as RFC 3339 or `YYYY-MM-DD`. Defaults to now.                                      |
| `--search <text>`            | Search path, user ID, email, client IP, and status.                                               |
| `--method <method>`          | Return only requests that use this HTTP method.                                                   |
| `--exclude-method <method>`  | Exclude requests that use this HTTP method. GET remains excluded unless you pass `--include-get`. |
| `--include-get`              | Remove the default GET exclusion when `--method` is not set.                                      |
| `--service <service>`        | Filter by service.                                                                                |
| `--auth-strategy <strategy>` | Filter by authentication strategy.                                                                |
| `--user-id <id>`             | Add a user ID to the search. Repeat the flag for multiple IDs.                                    |
| `--limit <n>`                | Maximum total number of results. Defaults to `100`.                                               |
| `--output json`, `-o json`   | Output raw JSON array.                                                                            |

<Note>
  `--limit` controls the total number of CLI results. The CLI automatically requests API pages of up to 100 records until it reaches that limit or runs out of results.
</Note>

### Include GET requests

By default, the CLI returns matching requests for every HTTP method except GET. `--include-get` removes that default exclusion. `--method` selects exactly one method, so `--method GET` returns only GET requests.

```bash theme={null}
# Return all matching methods, including GET
kernel audit-logs search --include-get

# Return only GET requests
kernel audit-logs search --method GET
```

## `kernel audit-logs download`

Download matching audit logs in a time window as one gzip-compressed JSONL file.

```bash theme={null}
kernel audit-logs download \
  --start 2026-06-01 \
  --end 2026-07-01 \
  --to audit-june.jsonl.gz
```

`--start` and `--end` are required. The start is inclusive and the end is exclusive, and the time window can cover up to 30 days.

| Flag                         | Description                                                                                             |
| ---------------------------- | ------------------------------------------------------------------------------------------------------- |
| `--start <time>`             | Inclusive start, as RFC 3339 or `YYYY-MM-DD`. Required.                                                 |
| `--end <time>`               | Exclusive end, as RFC 3339 or `YYYY-MM-DD`. Required.                                                   |
| `--search <text>`            | Search path, user ID, email, client IP, and status.                                                     |
| `--method <method>`          | Return only requests that use this HTTP method.                                                         |
| `--exclude-method <method>`  | Exclude requests that use this HTTP method. GET remains excluded unless you pass `--include-get`.       |
| `--include-get`              | Remove the default GET exclusion when `--method` is not set.                                            |
| `--service <service>`        | Filter by service.                                                                                      |
| `--auth-strategy <strategy>` | Filter by authentication strategy.                                                                      |
| `--user-id <id>`             | Add a user ID to the search. Repeat the flag for multiple IDs.                                          |
| `--to <path>`                | Output `.jsonl.gz` path. For the example above, the default is `audit-logs-20260601-20260701.jsonl.gz`. |
| `--force`                    | Replace an existing output file.                                                                        |

Date-only values represent midnight UTC. For example, `--start 2026-06-01 --end 2026-07-01` covers all of June in UTC.

### Download behavior

The command downloads up to 50,000 records at a time and appends each chunk to `<output>.partial`. Before writing a chunk, it verifies the SHA-256 checksum returned by the API.

A chunk is attempted up to seven times when a network error, HTTP `429`, HTTP `5xx`, truncated response, or checksum mismatch occurs. Retries use exponential backoff capped at eight seconds.

The CLI renames the temporary file to the requested output only after every chunk transfers successfully. If a transfer fails, it removes the incomplete temporary file. If the final rename fails, the completed download remains at `<output>.partial`. Downloads don't resume across CLI runs; rerunning the command starts again from the beginning.

The command refuses to replace an existing output unless you pass `--force`.

## Aliases

You can also use `kernel audit-log`, `kernel auditlogs`, or `kernel auditlog`.
