This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Monitoring and usage

1: Track user activity with audit logs
2: Use Prometheus monitoring
3: Configure Slack alerts
4: View organization dashboard

1 - Track user activity with audit logs

Use W&B audit logs to track user activity within your organization and to conform to your enterprise governance requirements. Audit logs are available in JSON format. Refer to Audit log schema.

How to access audit logs depends on your W&B platform deployment type:

W&B Platform Deployment type	Audit logs access mechanism
Self-managed	Synced to instance-level bucket every 10 minutes. Also available using the API.
Dedicated Cloud with secure storage connector (BYOB)	Synced to instance-level bucket (BYOB) every 10 minutes. Also available using the API.
Dedicated Cloud with W&B managed storage (without BYOB)	Available only by using the API.
SaaS Cloud	Available for Enterprise plans only. Available only by using the API.

After fetching audit logs, you can analyze them using tools like Pandas, Amazon Redshift, Google BigQuery, or Microsoft Fabric. Some audit log analysis tools do not support JSON; refer to the documentation for your analysis tool for guidelines and requirements for transforming the JSON-formatted audit logs before analysis.

Audit log retention

If you require audit logs to be retained for a specific period of time, W&B recommends periodically transferring logs to long-term storage, either using storage buckets or the Audit Logging API.

If you are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), audit logs must be retained for a minimum of 6 years in an environment where they cannot be deleted or modified by any internal or exterrnal actor before the end of the mandatory retention period. For HIPAA-compliant Dedicated Cloud instances with BYOB, you must configure guardrails for your managed storage, including any long-term retention storage.

Audit log schema

This table shows all keys which may appear in an audit log entry, ordered alphabetically. Depending on the action and the circumstances, a specific log entry may include only a subset of the possible fields.

Key	Definition
`action`	The action of the event.
`actor_email`	The email address of the user that initiated the action, if applicable.
`actor_ip`	The IP address of the user that initiated the action.
`actor_user_id`	The ID of the logged-in user who performed the action, if applicable.
`artifact_asset`	The artifact ID associated with the action, if applicable.
`artifact_digest`	The artifact digest associated with the action, if applicable.
`artifact_qualified_name`	The full name of the artifact associated with the action, if applicable.
`artifact_sequence_asset`	The artifact sequence ID associated with the action, if applicable.
`cli_version`	The version of the Python SDK that initiated the action, if applicable.
`entity_asset`	The entity or team ID associated with the action, if applicable.
`entity_name`	The entity or team name associated with the action, if applicable.
`project_asset`	The project associated with the action, if applicable.
`project_name`	The name of the project associated with the action, if applicable.
`report_asset`	The report ID associated with the action, if applicable.
`report_name`	The name of the report associated with the action, if applicable.
`response_code`	The HTTP response code for the action, if applicable.
`timestamp`	The time of the event in RFC3339 format. For example, `2023-01-23T12:34:56Z` represents January 23, 2023 at 12:34:56 UTC.
`user_asset`	The user asset the action impacts (rather than the user performing the action), if applicable.
`user_email`	The email address of the user the action impacts (rather than the email address of the user performing the action), if applicable.

Personally identifiable information (PII)

Personally identifiable information (PII), such as email addresses and the names of projects, teams, and reports, is available only using the API endpoint option.

For Self-managed and Dedicated Cloud, an organization admin can exclude PII when fetching audit logs.
For SaaS Cloud, the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable.

Fetch audit logs

An organization or instance admin can fetch the audit logs for a W&B instance using the Audit Logging API, at the endpoint audit_logs/.

If a user other than an admin attempts to fetch audit logs, a HTTP 403 error occurs, indicating that access is denied.
If you are an admin of multiple Enterprise SaaS Cloud organizations, you must configure the organization where audit logging API requests are sent. Click your profile image, then click User Settings. The setting is named Default API organization.

Determine the correct API endpoint for your instance:
- Self-managed: <wandb-platform-url>/admin/audit_logs
- Dedicated Cloud: <wandb-platform-url>/admin/audit_logs
- SaaS Cloud (Enterprise required): https://api.wandb.ai/audit_logs
In proceeding steps, replace <API-endpoint> with your API endpoint.
Construct the full API endpoint from the base endpoint, and optionally include URL parameters:
- anonymize: if set to true, remove any PII; defaults to false. Refer to Exclude PII when fetching audit logs. Not supported for SaaS Cloud.
- numDays: logs will be fetched starting from today - numdays to most recent; defaults to 0, which returns logs only for today. For SaaS Cloud, you can fetch audit logs from a maximum of 7 days in the past.
- startDate: an optional date with format YYYY-MM-DD. Supported only on SaaS Cloud.
  
  startDate and numDays interact:
  - If you set both startDate and numDays, logs are returned from startDate to startDate + numDays.
  - If you omit startDate but include numDays, logs are returned from today to numDays.
  - If you set neither startDate nor numDays, logs are returned for today only.
Execute an HTTP GET request on the constructed fully qualified API endpoint using a web browser or a tool like Postman, HTTPie, or cURL.

The API response contains new-line separated JSON objects. Objects will include the fields described in the schema, just like when audit logs are synced to an instance-level bucket. In those cases, the audit logs are located in the /wandb-audit-logs directory in your bucket.

Use basic authentication

To use basic authentication with your API key to access the audit logs API, set the HTTP request’s Authorization header to the string Basic followed by a space, then the base-64 encoded string in the format username:API-KEY. In other words, replace the username and API key with your values separated with a : character, then base-64-encode the result. For example, to authorize as demo:p@55w0rd, the header should be Authorization: Basic ZGVtbzpwQDU1dzByZA==.

Exclude PII when fetching audit logs

For Self-managed and Dedicated Cloud, a W&B organization or instance admin can exclude PII when fetching audit logs. For SaaS Cloud, the API endpoint always returns relevant fields for audit logs, including PII. This is not configurable.

To exclude PII, pass the anonymize=true URL parameter. For example, if your W&B instance URL is https://mycompany.wandb.io and you would like to get audit logs for user activity within the last week and exclude PII, use an API endpoint like:

https://mycompany.wandb.io/admin/audit_logs?numDays=7&anonymize=true.

Actions

This table describes possible actions that can be recorded by W&B, sorted alphabetically.

Action	Definition
`artifact:create`	Artifact is created.
`artifact:delete`	Artifact is deleted.
`artifact:read`	Artifact is read.
`project:delete`	Project is deleted.
`project:read`	Project is read.
`report:read`	Report is read. ¹
`run:delete_many`	Batch of runs is deleted.
`run:delete`	Run is deleted.
`run:stop`	Run is stopped.
`run:undelete_many`	Batch of runs is restored from trash.
`run:update_many`	Batch of runs is updated.
`run:update`	Run is updated.
`sweep:create_agent`	Sweep agent is created.
`team:create_service_account`	Service account is created for the team.
`team:create`	Team is created.
`team:delete`	Team is deleted.
`team:invite_user`	User is invited to team.
`team:uninvite`	User or service account is uninvited from team.
`user:create_api_key`	API key for the user is created. ¹
`user:create`	User is created. ¹
`user:deactivate`	User is deactivated. ¹
`user:delete_api_key`	API key for the user is deleted. ¹
`user:initiate_login`	User initiates log in. ¹
`user:login`	User logs in. ¹
`user:logout`	User logs out. ¹
`user:permanently_delete`	User is permanently deleted. ¹
`user:reactivate`	User is reactivated. ¹
`user:read`	User profile is read. ¹
`user:update`	User is updated. ¹

1: On SaaS Cloud, audit logs are not collected for:

Open or Public projects.
The report:read action.
User actions which are not tied to a specific organization.

2 - Use Prometheus monitoring

Use Prometheus with W&B Server. Prometheus installs are exposed as a kubernetes ClusterIP service.

Prometheus monitoring is only available with Self-managed instances.

Follow the procedure below to access your Prometheus metrics endpoint (/metrics):

Connect to the cluster with Kubernetes CLI toolkit, kubectl. See kubernetes’ Accessing Clusters documentation for more information.
Find the internal address of the cluster with:
```
kubectl describe svc prometheus
```
Start a shell session inside your container running in your Kubernetes cluster with kubectl exec. Hit the endpoint at <internal address>/metrics.

Copy the command below and execute it in your terminal and replace <internal address> with your internal address:
```
kubectl exec <internal address>/metrics
```

A test pod starts, which you can exec into just to access anything in the network:

kubectl run -it testpod --image=alpine bin/ash --restart=Never --rm

From there you can choose to keep access internal to the network or expose it yourself with a kubernetes nodeport service.

3 - Configure Slack alerts

Integrate W&B Server with Slack.

Watch a video demonstrating setting up Slack alerts on W&B Dedicated Cloud deployment (6 min).

Create the Slack application

Follow the procedure below to create a Slack application.

Visit https://api.slack.com/apps and select Create an App.
Provide a name for your app in the App Name field.
Select a Slack workspace where you want to develop your app in. Ensure that the Slack workspace you use is the same workspace you intend to use for alerts.

Configure the Slack application

On the left sidebar, select OAth & Permissions.
Within the Scopes section, provide the bot with the incoming_webhook scope. Scopes give your app permission to perform actions in your development workspace.

For more information about OAuth scopes for Bots, see the Understanding OAuth scopes for Bots tutorial in the Slack API documentation.
Configure the Redirect URL to point to your W&B installation. Use the same URL that your host URL is set to in your local system settings. You can specify multiple URLs if you have different DNS mappings to your instance.
Select Save URLs.
You can optionally specify an IP range under Restrict API Token Usage, allow-list the IP or IP range of your W&B instances. Limiting the allowed IP address helps further secure your Slack application.

Register your Slack application with W&B

Navigate to the System Settings or System Console page of your W&B instance, depending on your deployment
Depending on the System page you are on follow one of the below options:
- If you are in the System Console: go to Settings then to Notifications
- If you are in the System Settings: toggle the Enable a custom Slack application to dispatch alerts to enable a custom Slack application
Supply your Slack client ID and Slack secret then click Save. Navigate to Basic Information in Settings to find your application’s client ID and secret.
Verify that everything is working by setting up a Slack integration in the W&B app.

4 - View organization dashboard

Organization dashboard is only available with Dedicated Cloud and Self-managed instances.

View organization usage of W&B

Use the organization dashboard to get a holistic view of users that belong to your organization, how users of your organization use W&B, along with properties such as:

Name: The name of the user and their W&B username.
Last active: The time the user last used W&B. This includes any activity that requires authentication, including viewing pages in the product, logging runs or taking any other action, or logging in.
Role: The role of the user.
Email: The email of the user.
Team: The names of teams the user belongs to.

View the status of a user

The Last Active column shows if a user is pending an invitation or an active user. A user is one of three states:

Invite pending: Admin has sent invite but user has not accepted invitation.
Active: User has accepted the invite and created an account.
Deactivated: Admin has revoked access of the user.

View how your organization uses W&B in CSV format.

Select the three dots next to the Add user button.
From the dropdown, select Export as CSV.

This exports a CSV file that lists all users of an organization along with details about the user, such as their user name, time stamp of when they were last active, roles, email, and more.

View user activity

Use the Last Active column to get an Activity summary of an individual user.

Hover your mouse over the Last Active entry for a user.
A tooltip appears and provides a summary of information about the user’s activity.

A user is active if they:

log in to W&B.
view any page in the W&B App.
log runs.
use the SDK to track an experiment.
interact with the W&B Server in any way.

View active users over time

Use the Users active over time plot in the Organization dashboard to get an aggregate overview of how many users are active over time (right most plot in image below).

You can use the dropdown menu to filter results based on days, months, or all time.