Diagnostic log reference

Note

This feature requires the Premium plan.

This article provides you with a comprehensive reference of audit log services and events. The availability of these services depends on how you access the logs:

  • Azure Monitor's diagnostic settings service does not log all of these services. Services that are unavailable on Azure's diagnostic settings are labeled accordingly.

Note

Azure Databricks retains a copy of audit logs for up to 1 year for security and fraud analysis purposes.

Diagnostic log services

The following services and their events are logged by default in diagnostic logs.

Note

The workspace-level and account-level designations only apply to the audit logs system table. Azure diagnostic logs do not include account-level events.

Workspace-level services

Service name Description
accounts Events related to accounts, users, groups, and IP access lists.
clusters Events related to clusters.
clusterPolicies Events related to cluster policies.
dashboards Events related to AI/BI dashboard use.
databrickssql Events related to Databricks SQL use.
dbfs Events related to DBFS.
deltaPipelines Events related to Delta Live Table pipelines.
featureStore Events related to the Databricks Feature Store.
filesystem Events related to file management, which includes interacting with files using the Files API or in the volumes UI.
gitCredentials Events related to Git credentials for Databricks Git folders. See also repos.
globalInitScripts Events related to global init scripts.
groups Events related to account and workspace groups.
iamRole Events related to IAM role permissions.
ingestion Events related to file uploads.
instancePools Events related to pools.
jobs Events related to jobs.
mlflowAcledArtifact Events related to ML Flow artifacts with ACLs.
mlflowExperiment Events related to ML Flow experiments.
modelRegistry Events related to the model registry.
notebook Events related to notebooks.
remoteHistoryService Events related to adding a removing GitHub Credentials.
repos Events related to Databricks Git folders. See also gitCredentials.
secrets Events related to secrets.
sqlPermissions Events related to the legacy Hive metastore table access control.
ssh Events related to SSH access.
webTerminal Events related to the web terminal feature.
workspace Events related to workspaces.

Account-level services

Account-level audit logs are available for these services:

Service name Description
accountBillableUsage Actions related to billable usage access in the account console.
accountsAccessControl Actions related to account-level access control rules.
accountsManager Actions related to network connectivity configurations.
unityCatalog Actions performed in Unity Catalog. This also includes Delta Sharing events, see Delta Sharing events.

Diagnostic log example schema

In Azure Databricks, diagnostic logs output events in a JSON format. In Azure Databricks, audit logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.

The following JSON sample is an example of an event logged when a user created a job:

{
    "TenantId": "<your-tenant-id>",
    "SourceSystem": "|Databricks|",
    "TimeGenerated": "2019-05-01T00:18:58Z",
    "ResourceId": "/SUBSCRIPTIONS/SUBSCRIPTION_ID/RESOURCEGROUPS/RESOURCE_GROUP/PROVIDERS/MICROSOFT.DATABRICKS/WORKSPACES/PAID-VNET-ADB-PORTAL",
    "OperationName": "Microsoft.Databricks/jobs/create",
    "OperationVersion": "1.0.0",
    "Category": "jobs",
    "Identity": {
        "email": "mail@contoso.com",
        "subjectName": null
    },
    "SourceIPAddress": "131.0.0.0",
    "LogId": "201b6d83-396a-4f3c-9dee-65c971ddeb2b",
    "ServiceName": "jobs",
    "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
    "SessionId": "webapp-cons-webapp-01exaj6u94682b1an89u7g166c",
    "ActionName": "create",
    "RequestId": "ServiceMain-206b2474f0620002",
    "Response": {
        "statusCode": 200,
        "result": "{\"job_id\":1}"
    },
    "RequestParams": {
        "name": "Untitled",
        "new_cluster": "{\"node_type_id\":\"Standard_DS3_v2\",\"spark_version\":\"5.2.x-scala2.11\",\"num_workers\":8,\"spark_conf\":{\"spark.databricks.delta.preview.enabled\":\"true\"},\"cluster_creator\":\"JOB_LAUNCHER\",\"spark_env_vars\":{\"PYSPARK_PYTHON\":\"/databricks/python3/bin/python3\"},\"enable_elastic_disk\":true}"
    },
    "Type": "DatabricksJobs"
}

Diagnostic log schema considerations

  • If actions take a long time, the request and response are logged separately but the request and response pair have the same requestId.
  • Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user System-User.
  • The requestParams field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string ... truncated is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a single TRUNCATED key with an empty value is present instead.

Account events

The following are accounts events logged at the workspace level.

Service Action Description Request parameters
accounts activateUser A user is reactivated after being deactivated. See Deactivate users in workspace. - targetUserName
- endpoint
- targetUserId
accounts aadBrowserLogin A user logs in to Databricks using a Microsoft Entra ID browser workflow. - user
accounts aadTokenLogin A user logs in to Databricks through the Microsoft Entra ID token. - user
accounts accountInHouseOAuthClientAuthentication An OAuth client is authenticated. - endpoint
accounts activateUser Admin adds a user to the Databricks account from the Azure portal. - warehouse
- targetUserName
- targetUserId
accounts add A user is added to an Azure Databricks workspace. - targetUserName
- endpoint
- targetUserId
accounts addPrincipalToGroup A user is added to a workspace-level group. - targetGroupId
- endpoint
- targetUserId
- targetGroupName
- targetUserName
accounts changeDatabricksSqlAcl A user's Databricks SQL permissions are changed. - shardName
- targetUserId
- resourceId
- aclPermissionSet
accounts changeDatabricksWorkspaceAcl Permissions to a workspace are changed. - shardName
- targetUserId
- resourceId
- aclPermissionSet
accounts changeDbTokenAcl When permissions on a token are changed. - shardName
- targetUserId
- resourceId
- aclPermissionSet
accounts changeServicePrincipalAcls When a service principal's permissions are changed. - shardName
- targetServicePrincipal
- resourceId
- aclPermissionSet
accounts createGroup A workspace-level group is created. - endpoint
- targetGroupId
- targetGroupName
accounts createIpAccessList An IP access list is added to the workspace. - ipAccessListId
- userId
accounts deactivateUser A user is deactivated in the workspace. See Deactivate users in workspace. - targetUserName
- endpoint
- targetUserId
accounts delete A user is deleted from the Azure Databricks workspace. - targetUserId
- targetUserName
- endpoint
accounts deleteIpAccessList An IP access list is deleted from the workspace. - ipAccessListId
- userId
accounts garbageCollectDbToken A user runs a garbage collect command on expired tokens. - tokenExpirationTime
- tokenClientId
- userId
- tokenCreationTime
- tokenFirstAccessed
accounts generateDbToken When someone generates a token from User Settings or when the service generates the token. - tokenExpirationTime
- tokenCreatedBy
- tokenHash
- userId
accounts IpAccessDenied A user attempts to connect to the service through a denied IP. - path
- userName
accounts ipAccessListQuotaExceeded - userId
accounts jwtLogin User logs into Databricks using a JWT. - user
accounts login User logs into the workspace. - user
accounts logout User logs out of the workspace. - user
accounts oidcTokenAuthorization When an API call is authorized through a generic OIDC/OAuth token. - user
accounts passwordVerifyAuthentication - user
accounts reachMaxQuotaDbToken When the current number of non-expired tokens exceeds the token quota
accounts removeAdmin A user is revoked of workspace admin permissions. - targetUserName
- endpoint
- targetUserId
accounts removeGroup A group is removed from the workspace. - targetGroupId
- targetGroupName
- endpoint
accounts removePrincipalFromGroup A user is removed from a group. - targetGroupId
- endpoint
- targetUserId
- targetGroupName
- targetUserName
accounts revokeDbToken A user's token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account. - userId
accounts setAdmin A user is granted account admin permissions. - endpoint
- targetUserName
- targetUserId
accounts tokenLogin A user logs into Databricks using a token. - tokenId
- user
accounts updateIpAccessList An IP access list is changed. - ipAccessListId
- userId
accounts updateUser A change is made to a user's account. - warehouse
- targetUserName
- targetUserId
accounts validateEmail When a user validates their email after account creation. - endpoint
- targetUserName
- targetUserId

Clusters events

The following are cluster events logged at the workspace level.

Service Action Description Request parameters
clusters changeClusterAcl A user changes the cluster ACL. - shardName
- aclPermissionSet
- targetUserId
- resourceId
clusters create A user creates a cluster. - cluster_log_conf
- num_workers
- enable_elastic_disk
- driver_node_type_id
- start_cluster
- docker_image
- ssh_public_keys
- aws_attributes
- acl_path_prefix
- node_type_id
- instance_pool_id
- spark_env_vars
- init_scripts
- spark_version
- cluster_source
- autotermination_minutes
- cluster_name
- autoscale
- custom_tags
- cluster_creator
- enable_local_disk_encryption
- idempotency_token
- spark_conf
- organization_id
- no_driver_daemon
- user_id
- virtual_cluster_size
- apply_policy_default_values
- data_security_mode
clusters createResult Results from cluster creation. In conjunction with create. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId
clusters delete A cluster is terminated. - cluster_id
clusters deleteResult Results from cluster termination. In conjunction with delete. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId
clusters edit A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior. - cluster_log_conf
- num_workers
- enable_elastic_disk
- driver_node_type_id
- start_cluster
- docker_image
- ssh_public_keys
- aws_attributes
- acl_path_prefix
- node_type_id
- instance_pool_id
- spark_env_vars
- init_scripts
- spark_version
- cluster_source
- autotermination_minutes
- cluster_name
- autoscale
- custom_tags
- cluster_creator
- enable_local_disk_encryption
- idempotency_token
- spark_conf
- organization_id
- no_driver_daemon
- user_id
- virtual_cluster_size
- apply_policy_default_values
- data_security_mode
clusters permanentDelete A cluster is deleted from the UI. - cluster_id
clusters resize Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior. - cluster_id
- num_workers
- autoscale
clusters resizeResult Results from cluster resize. In conjunction with resize. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId
clusters restart A user restarts a running cluster. - cluster_id
clusters restartResult Results from cluster restart. In conjunction with restart. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId
clusters start A user starts a cluster. - init_scripts_safe_mode
- cluster_id
clusters startResult Results from cluster start. In conjunction with start. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId

Cluster libraries events

The following are clusterLibraries events logged at the workspace level.

Service Action Description Request parameters
clusterLibraries installLibraries User installs a library on a cluster. - cluster_id
- libraries
clusterLibraries uninstallLibraries User uninstalls a library on a cluster. - cluster_id
- libraries
clusterLibraries installLibraryOnAllClusters A workspace admin schedules a library to install on all cluster. - user
- library
clusterLibraries uninstallLibraryOnAllClusters A workspace admin removes a library from the list to install on all clusters. - user
- library

Dashboards events

The following are dashboards events logged at the workspace level.

Service Action Description Request parameters
dashboards getDashboard A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard. - dashboard_id
dashboards getPublishedDashboard A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email. - dashboard_id
- credentials_embedded
dashboards executeQuery A user executes a query from a dashboard. - dashboard_id
- statement_id
dashboards cancelQuery A user cancels a query from a dashboard. - dashboard_id
- statement_id
dashboards getQueryResult A user receives the results of a query from a dashboard. - dashboard_id
- statement_id
dashboards sendDashboardSnapshot A PDF snapshot of a dashboard is sent through a scheduled email.

The request parameters values depend on the type of recipient. For a Databricks notification destination, only the destination_id is shown. For a Databricks user, the subscriber's user ID and email address are shown. If the recipient is an email address, only the email address is shown.
- dashboard_id
- subscriber_destination_id
- subscriber_user_details: {

user_id,

email_address }
dashboards getDashboardDetails A user accesses details of a draft dashboard, such as datasets and widgets. getDashboardDetails is always emitted when a user views a draft dashboard using UI or requests the dashboard definition using the API. - dashboard_id
dashboards createDashboard A user creates a new AI/BI dashboard using the UI or API. - dashboard_id
dashboards updateDashboard A user makes an update to an AI/BI dashboard using the UI or API. - dashboard_id
dashboards cloneDashboard A user clones an AI/BI dashboard. - source_dashboard_id
- new_dashboard_id
dashboards publishDashboard A user publishes an AI/BI dashboard with or without embedded credentials using the UI or API. - dashboard_id
- credentials_embedded
- warehouse_id
dashboards unpublishDashboard A user unpublishes a published AI/BI dashboard using the UI or API. - dashboard_id
dashboards trashDashboard A user moves an AI/BI dashboard to the trash using the UI or API. - dashboard_id
dashboards restoreDashboard A user restores an AI/BI dashboard from the trash. - dashboard_id
dashboards migrateDashboard A user migrates a DBSQL dashboard to an AI/BI dashboard. - source_dashboard_id
- new_dashboard_id
dashboards createSchedule A user creates an email subscription schedule. - dashboard_id
- schedule_id
dashboards updateSchedule A user makes an update to an AI/BI dashboard's schedule. - dashboard_id
- schedule_id
dashboards deleteSchedule A user deletes an AI/BI dashboard's schedule. - dashboard_id
- schedule_id
dashboards createSubscription A user subscribes an email destination to an AI/BI dashboard schedule. - dashboard_id
- schedule_id
- schedule
dashboards deleteSubscription A user deletes an email destination from an AI/BI dashboard schedule. - dashboard_id
- schedule_id

Databricks SQL events

The following are databrickssql events logged at the workspace level.

Note

If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.

Service Action Description Request parameters
databrickssql addDashboardWidget A widget is added to a dashboard. - dashboardId
- widgetId
databrickssql cancelQueryExecution A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API. - queryExecutionId
databrickssql changeWarehouseAcls A warehouse manager updates permissions on a SQL warehouse. - aclPermissionSet
- resourceId
- shardName
- targetUserId
databrickssql changePermissions A user updates permissions on an object. - granteeAndPermission
- objectId
- objectType
databrickssql cloneDashboard A user clones a dashboard. - dashboardId
databrickssql commandSubmit Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request. - warehouseId
- commandId
- validation
- commandText
databrickssql commandFinish Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request. - warehouseId
- commandId
databrickssql createAlert A user creates an alert. - alertId
databrickssql createNotificationDestination A workspace admin creates a notification destination. - notificationDestinationId
- notificationDestinationType
databrickssql createDashboard A user creates a dashboard. - dashboardId
databrickssql createDataPreviewDashboard A user creates a data preview dashboard. - dashboardId
databrickssql createWarehouse A user with the cluster create entitlement creates a SQL warehouse. - auto_resume
- auto_stop_mins
- channel
- cluster_size
- conf_pairs
- custom_cluster_confs
- enable_databricks_compute
- enable_photon
- enable_serverless_compute
- instance_profile_arn
- max_num_clusters
- min_num_clusters
- name
- size
- spot_instance_policy
- tags
- test_overrides
databrickssql createQuery A user creates a new query. - queryId
databrickssql createQueryDraft A user creates a query draft. - queryId
databrickssql createQuerySnippet A user creates a query snippet. - querySnippetId
databrickssql createSampleDashboard A user creates a sample dashboard. - sampleDashboardId
databrickssql createVisualization A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. - queryId
- visualizationId
databrickssql deleteAlert A user deletes an alert either from the alert interface or through API. Excludes deletions from the file browser UI. - alertId
databrickssql deleteNotificationDestination A workspace admin deletes a notification destination. - notificationDestinationId
databrickssql deleteDashboard A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI. - dashboardId
databrickssql deleteDashboardWidget A user deletes a dashboard widget. - widgetId
databrickssql deleteWarehouse A warehouse manager deletes a SQL warehouse. - id
databrickssql deleteQuery A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI. - queryId
databrickssql deleteQueryDraft A user deletes a query draft. - queryId
databrickssql deleteQuerySnippet A user deletes a query snippet. - querySnippetId
databrickssql deleteVisualization A user deletes a visualization from a query in the SQL Editor. - visualizationId
databrickssql downloadQueryResult A user downloads a query result from the SQL Editor. Excludes downloads from dashboards. - fileType
- queryId
- queryResultId
- credentialsEmbedded
- credentialsEmbeddedId
databrickssql editWarehouse A warehouse manager makes edits to a SQL warehouse. - auto_stop_mins
- channel
- cluster_size
- confs
- enable_photon
- enable_serverless_compute
- id
- instance_profile_arn
- max_num_clusters
- min_num_clusters
- name
- spot_instance_policy
- tags
databrickssql executeAdhocQuery Generated by one of the following:

- A user runs a query draft in the SQL editor
- A query is executed from a visualization aggregation
- A user loads a dashboard and executes underlying queries
- dataSourceId
databrickssql executeSavedQuery A user runs a saved query. - queryId
databrickssql executeWidgetQuery Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include:

- Refreshing a single panel
- Refreshing an entire dashboard
- Scheduled dashboard executions
- Parameter or filter changes operating over more than 64,000 rows
- widgetId
databrickssql favoriteDashboard A user favorites a dashboard. - dashboardId
databrickssql favoriteQuery A user favorites a query. - queryId
databrickssql forkQuery A user clones a query. - originalQueryId
- queryId
databrickssql listQueries A user opens the query listing page or calls the list query API. - filter_by
- include_metrics
- max_results
- page_token
databrickssql moveAlertToTrash A user moves an alert to the trash. - alertId
databrickssql moveDashboardToTrash A user moves a dashboard to the trash. - dashboardId
databrickssql moveQueryToTrash A user moves a query to the trash. - queryId
databrickssql restoreAlert A user restores an alert from the trash. - alertId
databrickssql restoreDashboard A user restores a dashboard from the trash. - dashboardId
databrickssql restoreQuery A user restores a query from the trash. - queryId
databrickssql setWarehouseConfig A warehouse manager sets the configuration for a SQL warehouse. - data_access_config
- enable_serverless_compute
- instance_profile_arn
- security_policy
- serverless_agreement
- sql_configuration_parameters
- try_create_databricks_managed_starter_warehouse
databrickssql snapshotDashboard A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots. - dashboardId
databrickssql startWarehouse A SQL warehouse is started. - id
databrickssql stopWarehouse A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses. - id
databrickssql transferObjectOwnership A workspace admin transfers the ownership of a dashboard, query, or alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event. - newOwner
- objectId
- objectType
databrickssql unfavoriteDashboard A user removes a dashboard from their favorites. - dashboardId
databrickssql unfavoriteQuery A user removes a query from their favorites. - queryId
databrickssql updateAlert A user makes updates to an alert. ownerUserName is populated if the alert ownership is transferred using the API. - alertId
- queryId
- ownerUserName
databrickssql updateNotificationDestination A workspace admin makes an update to a notification destination. - notificationDestinationId
databrickssql updateDashboardWidget A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include:

- Change to widget size or placement
- Adding or removing widget parameters
- widgetId
databrickssql updateDashboard A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include:

- Change in dashboard name
- Change to the SQL warehouse
- Change to Run As settings
- dashboardId
databrickssql updateOrganizationSetting A workspace admin makes updates to the workspace's SQL settings. - has_configured_data_access
- has_explored_sql_warehouses
- has_granted_permissions
databrickssql updateQuery A user makes an update to a query. ownerUserName is populated if the query ownership is transferred using the API. - queryId
- ownerUserName
databrickssql updateQueryDraft A user makes an update to a query draft. - queryId
databrickssql updateQuerySnippet A user makes an update to a query snippet. - querySnippetId
databrickssql updateVisualization A user updates a visualization from either the SQL Editor or the dashboard. - visualizationId

Data monitoring events

The following dataMonitoring events are logged at the workspace level.

Service Action Description Request parameters
dataMonitoring CreateMonitor User creates a monitor. - data_classification_config
- full_table_name_arg
- assets_dir
- schedule
- output_schema_name
- notifications
- inference_log
dataMonitoring UpdateMonitor User makes an update to a monitor. - data_classification_config
- table_name
- full_table_name_arg
- drift_metrics_table_name
- dashboard_id
- custom_metrics
- assets_dir
- monitor_version
- profile_metrics_table_name
- baseline_table_name
- status
- output_schema_name
- inference_log
- slicing_exprs
dataMonitoring DeleteMonitor User deletes a monitor. - full_table_name_arg
dataMonitoring RunRefresh Monitor is refreshed, either by schedule or manually. - full_table_name_arg

DBFS events

The following tables include dbfs events logged at the workspace level.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service Action Description Request parameters
dbfs addBlock User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS. - handle
- data_length
dbfs create User opens a stream to write a file to DBFs. - path
- bufferSize
- overwrite
dbfs delete User deletes the file or directory from DBFs. - recursive
- path
dbfs mkdirs User creates a new DBFS directory. - path
dbfs move User moves a file from one location to another location within DBFs. - dst
- source_path
- src
- destination_path
dbfs put User uploads a file through the use of multipart form post to DBFs. - path
- overwrite

DBFS operational events

The following DBFS audit events occur at the compute plane.

Service Action Description Request parameters
dbfs mount User creates a mount point at a certain DBFS location. - mountPoint
- owner
dbfs unmount User removes a mount point at a certain DBFS location. - mountPoint

Delta pipelines events

Service Action Description Request parameters
deltaPipelines changePipelineAcls A user changes permissions on a pipeline. - shardId
- targetUserId
- resourceId
- aclPermissionSet
deltaPipelines create A user creates a Delta Live Tables pipeline. - allow_duplicate_names
- clusters
- configuration
- continuous
- development
- dry_run
- id
- libraries
- name
- storage
- target
- channel
- edition
- photon
deltaPipelines delete A user deletes a Delta Live Tables pipeline. - pipeline_id
deltaPipelines edit A user edits a Delta Live Tables pipeline. - allow_duplicate_names
- clusters
- configuration
- continuous
- development
- expected_last_modified
- id
- libraries
- name
- pipeline_id
- storage
- target
- channel
- edition
- photon
deltaPipelines startUpdate A user restarts a Delta Live Tables pipeline. - cause
- full_refresh
- job_task
- pipeline_id
deltaPipelines stop A user stops a Delta Live Tables pipeline. - pipeline_id

Feature store events

The following featureStore events are logged at the workspace level.

Service Action Description Request parameters
featureStore addConsumer A consumer is added to the feature store. - features
- job_run
- notebook
featureStore addDataSources A data source is added to a feature table. - feature_table
- paths, tables
featureStore addProducer A producer is added to a feature table. - feature_table
- job_run
- notebook
featureStore changeFeatureTableAcl Permissions are changed in a feature table. - aclPermissionSet
- resourceId
- shardName
- targetUserId
featureStore createFeatureTable A feature table is created. - description
- name
- partition_keys
- primary_keys
- timestamp_keys
featureStore createFeatures Features are created in a feature table. - feature_table
- features
featureStore deleteFeatureTable A feature table is deleted. - name
featureStore deleteTags Tags are deleted from a feature table. - feature_table_id
- keys
featureStore getConsumers A user makes a call to get the consumers in a feature table. - feature_table
featureStore getFeatureTable A user makes a call to get feature tables. - name
featureStore getFeatureTablesById A user makes a call to get feature table IDs. - ids
featureStore getFeatures A user makes a call to get features. - feature_table
- max_results
featureStore getModelServingMetadata A user makes a call to get Model Serving metadata. - feature_table_features
featureStore getOnlineStore A user makes a call to get online store details. - cloud
- feature_table
- online_table
- store_type
featureStore getTags A user makes a call to get tags for a feature table. - feature_table_id
featureStore publishFeatureTable A feature table is published. - cloud
- feature_table
- host
- online_table
- port
- read_secret_prefix
- store_type
- write_secret_prefix
featureStore searchFeatureTables A user searches for feature tables. - max_results
- page_token
- text
featureStore setTags Tags are added to a feature table. - feature_table_id
- tags
featureStore updateFeatureTable A feature table is updated. - description
- name

Files events

The following filesystem events are logged at the workspace level.

Service Action Description Request parameters
filesystem filesGet User downloads a file using the Files API or the volumes UI. - path
- transferredSize
filesystem filesPut User uploads a file using the Files API or the volumes UI. - path
- receivedSize
filesystem filesDelete User deletes a file using the Files API or the volumes UI. - path
filesystem filesHead User gets information about a file using the Files API or the volumes UI. - path

Git credential events

The following gitCredentials events are logged at the workspace level.

Service Action Description Request parameters
gitCredentials getGitCredential A user gets a git credentials. - id
gitCredentials listGitCredentials A user lists all git credentials none
gitCredentials deleteGitCredential A user deletes a git credential. - id
gitCredentials updateGitCredential A user updates a git credential. - id
- git_provider
- git_username
gitCredentials createGitCredential A user creates a git credential. - git_provider
- git_username

Global init scripts events

The following globalInitScripts events are logged at the workspace level.

Service Action Description Request parameters
globalInitScripts create A workspace admin creates a global initialization script. - name
- position
- script-SHA256
- enabled
globalInitScripts update A workspace admin updates a global initialization script. - script_id
- name
- position
- script-SHA256
- enabled
globalInitScripts delete A workspace admin deletes a global initialization script. - script_id

IAM role events

The following iamRole event is logged at the workspace level.

Service Action Description Request parameters
iamRole changeIamRoleAcl A workspace admin changes permissions for an IAM role. - targetUserId
- shardName
- resourceId
- aclPermissionSet

Ingestion events

The following ingestion event is logged at the workspace level.

Service Action Description Request parameters
ingestion proxyFileUpload A user uploads a file to their Azure Databricks workspace. - x-databricks-content-length-0
- x-databricks-total-files

Instance pool events

The following instancePools events are logged at the workspace level.

Service Action Description Request parameters
instancePools changeInstancePoolAcl A user changes an instance pool's permissions. - shardName
- resourceId
- targetUserId
- aclPermissionSet
instancePools create A user creates an instance pool. - enable_elastic_disk
- preloaded_spark_versions
- idle_instance_autotermination_minutes
- instance_pool_name
- node_type_id
- custom_tags
- max_capacity
- min_idle_instances
- aws_attributes
instancePools delete A user deletes an instance pool. - instance_pool_id
instancePools edit A user edits an instance pool. - instance_pool_name
- idle_instance_autotermination_minutes
- min_idle_instances
- preloaded_spark_versions
- max_capacity
- enable_elastic_disk
- node_type_id
- instance_pool_id
- aws_attributes

Job events

The following jobs events are logged at the workspace level.

Service Action Description Request parameters
jobs cancel A job run is cancelled. - run_id
jobs cancelAllRuns A user cancels all runs on a job. - job_id
jobs changeJobAcl A user updates permissions on a job. - shardName
- aclPermissionSet
- resourceId
- targetUserId
jobs create A user creates a job. - spark_jar_task
- email_notifications
- notebook_task
- spark_submit_task
- timeout_seconds
- libraries
- name
- spark_python_task
- job_type
- new_cluster
- existing_cluster_id
- max_retries
- schedule
- run_as
jobs delete A user deletes a job. - job_id
jobs deleteRun A user deletes a job run. - run_id
jobs getRunOutput A user makes an API call to get a run output. - run_id
- is_from_webapp
jobs repairRun A user repairs a job run. - run_id
- latest_repair_id
- rerun_tasks
jobs reset A job is reset. - job_id
- new_settings
jobs resetJobAcl A user requests the change of a job's permissions. - grants
- job_id
jobs runCommand Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook. - jobId
- runId
- notebookId
- executionTime
- status
- commandId
- commandText
jobs runFailed A job run fails. - jobClusterType
- jobTriggerType
- jobId
- jobTaskType
- runId
- jobTerminalState
- idInJob
- orgId
- runCreatorUserName
jobs runNow A user triggers an on-demand job run. - notebook_params
- job_id
- jar_params
- workflow_context
jobs runStart Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include:

- dashboardId (for a SQL dashboard task)
- filePath (for a SQL file task)
- notebookPath (for a notebook task)
- mainClassName (for a Spark JAR task)
- pythonFile (for a Spark JAR task)
- projectDirectory (for a dbt task)
- commands (for a dbt task)
- packageName (for a Python wheel task)
- entryPoint (for a Python wheel task)
- pipelineId (for a pipeline task)
- queryIds (for a SQL query task)
- alertId (for a SQL alert task)
- taskDependencies
- multitaskParentRunId
- orgId
- idInJob
- jobId
- jobTerminalState
- taskKey
- jobTriggerType
- jobTaskType
- runId
- runCreatorUserName
jobs runSucceeded A job run is successful. - idInJob
- jobId
- jobTriggerType
- orgId
- runId
- jobClusterType
- jobTaskType
- jobTerminalState
- runCreatorUserName
jobs runTriggered A job schedule is triggered automatically according to its schedule or trigger. - jobId
- jobTriggeredType
- runId
jobs sendRunWebhook A webhook is sent either when the job begins, completes, or fails. - orgId
- jobId
- jobWebhookId
- jobWebhookEvent
- runId
jobs setTaskValue A user sets values for a task. - run_id
- key
jobs submitRun A user submits a one-time run via the API. - shell_command_task
- run_name
- spark_python_task
- existing_cluster_id
- notebook_task
- timeout_seconds
- libraries
- new_cluster
- spark_jar_task
jobs update A user edits a job's settings. - job_id
- fields_to_remove
- new_settings
- is_from_dlt

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level.

Service Action Description Request parameters
mlflowAcledArtifact readArtifact A user makes call to read an artifact. - artifactLocation
- experimentId
- runId
mlflowAcledArtifact writeArtifact A user makes call to write to an artifact. - artifactLocation
- experimentId
- runId

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level.

Service Action Description Request parameters
mlflowExperiment createMlflowExperiment A user creates an MLflow experiment. - experimentId
- path
- experimentName
mlflowExperiment deleteMlflowExperiment A user deletes an MLflow experiment. - experimentId
- path
- experimentName
mlflowExperiment moveMlflowExperiment A user moves an MLflow experiment. - newPath
- experimentId
- oldPath
mlflowExperiment restoreMlflowExperiment A user restores an MLflow experiment. - experimentId
- path
- experimentName
mlflowExperiment renameMlflowExperiment A user renames an MLflow experiment. - oldName
- newName
- experimentId
- parentPath

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level.

Service Action Description Request parameters
modelRegistry approveTransitionRequest A user approves a model version stage transition request. - name
- version
- stage
- archive_existing_versions
modelRegistry changeRegisteredModelAcl A user updates permissions for a registered model. - registeredModelId
- userId
modelRegistry createComment A user posts a comment on a model version. - name
- version
modelRegistry createModelVersion A user creates a model version. - name
- source
- run_id
- tags
- run_link
modelRegistry createRegisteredModel A user creates a new registered model - name
- tags
modelRegistry createRegistryWebhook User creates a webhook for Model Registry events. - orgId
- registeredModelId
- events
- description
- status
- creatorId
- httpUrlSpec
modelRegistry createTransitionRequest A user creates a model version stage transition request. - name
- version
- stage
modelRegistry deleteComment A user deletes a comment on a model version. - id
modelRegistry deleteModelVersion A user deletes a model version. - name
- version
modelRegistry deleteModelVersionTag A user deletes a model version tag. - name
- version
- key
modelRegistry deleteRegisteredModel A user deletes a registered model - name
modelRegistry deleteRegisteredModelTag A user deletes the tag for a registered model. - name
- key
modelRegistry deleteRegistryWebhook User deletes a Model Registry webhook. - orgId
- webhookId
modelRegistry deleteTransitionRequest A user cancels a model version stage transition request. - name
- version
- stage
- creator
modelRegistry finishCreateModelVersionAsync Completed asynchronous model copying. - name
- version
modelRegistry generateBatchInferenceNotebook Batch inference notebook is autogenerated. - userId
- orgId
- modelName
- inputTableOpt
- outputTablePathOpt
- stageOrVersion
- modelVersionEntityOpt
- notebookPath
modelRegistry generateDltInferenceNotebook Inference notebook for a Delta Live Tables pipeline is autogenerated. - userId
- orgId
- modelName
- inputTable
- outputTable
- stageOrVersion
- notebookPath
modelRegistry getModelVersionDownloadUri A user gets a URI to download the model version. - name
- version
modelRegistry getModelVersionSignedDownloadUri A user gets a URI to download a signed model version. - name
- version
- path
modelRegistry listModelArtifacts A user makes a call to list a model's artifacts. - name
- version
- path
- page_token
modelRegistry listRegistryWebhooks A user makes a call to list all registry webhooks in the model. - orgId
- registeredModelId
modelRegistry rejectTransitionRequest A user rejects a model version stage transition request. - name
- version
- stage
modelRegistry renameRegisteredModel A user renames a registered model - name
- new_name
modelRegistry setEmailSubscriptionStatus A user updates the email subscription status for a registered model
modelRegistry setModelVersionTag A user sets a model version tag. - name
- version
- key
- value
modelRegistry setRegisteredModelTag A user sets a model version tag. - name
- key
- value
modelRegistry setUserLevelEmailSubscriptionStatus A user updates their email notifications status for the whole registry. - orgId
- userId
- subscriptionStatus
modelRegistry testRegistryWebhook A user tests the Model Registry webhook. - orgId
- webhookId
modelRegistry transitionModelVersionStage A user gets a list of all open stage transition requests for the model version. - name
- version
- stage
- archive_existing_versions
modelRegistry triggerRegistryWebhook A Model Registry webhook is triggered by an event. - orgId
- registeredModelId
- events
- status
modelRegistry updateComment A user post an edit to a comment on a model version. - id
modelRegistry updateRegistryWebhook A user updates a Model Registry webhook. - orgId
- webhookId

Notebook events

The following notebook events are logged at the workspace level.

Service Action Description Request parameters
notebook attachNotebook A notebook is attached to a cluster. - path
- clusterId
- notebookId
notebook cloneNotebook A user clones a notebook. - notebookId
- path
- clonedNotebookId
- destinationPath
notebook createNotebook A notebook is created. - notebookId
- path
notebook deleteFolder A notebook folder is deleted. - path
notebook deleteNotebook A notebook is deleted. - notebookId
- notebookName
- path
notebook detachNotebook A notebook is detached from a cluster. - notebookId
- clusterId
- path
notebook downloadLargeResults A user downloads query results too large to display in the notebook. - notebookId
- notebookFullPath
notebook downloadPreviewResults A user downloads the query results. - notebookId
- notebookFullPath
notebook importNotebook A user imports a notebook. - path
notebook moveFolder A notebook folder is moved from one location to another. - oldPath
- newPath
- folderId
notebook moveNotebook A notebook is moved from one location to another. - newPath
- oldPath
- notebookId
notebook renameNotebook A notebook is renamed. - newName
- oldName
- parentPath
- notebookId
notebook restoreFolder A deleted folder is restored. - path
notebook restoreNotebook A deleted notebook is restored. - path
- notebookId
- notebookName
notebook runCommand Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook.

executionTime is measured in seconds.
- notebookId
- executionTime
- status
- commandId
- commandText
- commandLanguage
notebook takeNotebookSnapshot Notebook snapshots are taken when either the job service or mlflow is run. - path

Remote history service events

The following remoteHistoryService events are logged at the workspace level.

Service Action Description Request parameters
remoteHistoryService addUserGitHubCredentials User adds Github Credentials none
remoteHistoryService deleteUserGitHubCredentials User removes Github Credentials none
remoteHistoryService updateUserGitHubCredentials User updates Github Credentials none

Git folder events

The following repos events are logged at the workspace level.

Service Action name Description Request parameters
repos checkoutBranch A user checks out a branch on the repo. - id
- branch
repos commitAndPush A user commits and pushes to a repo. - id
- message
- files
- checkSensitiveToken
repos createRepo A user creates a repo in the workspace - url
- provider
- path
repos deleteRepo A user deletes a repo. - id
repos discard A user discards a commit to a repo. - id
- file_paths
repos getRepo A user makes a call to get information about a single repo. - id
repos listRepos A user makes a call to get all repos they have Manage permissions on. - path_prefix
- next_page_token
repos pull A user pulls the latest commits from a repo. - id
repos updateRepo A user updates the repo to a different branch or tag, or to the latest commit on the same branch. - id
- branch
- tag
- git_url
- git_provider

Secrets events

The following secrets events are logged at the workspace level.

Service Action name Description Request parameters
secrets createScope User creates a secret scope. - scope
- initial_manage_principal
- scope_backend_type
secrets deleteAcl User deletes ACLs for a secret scope. - scope
- principal
secrets deleteScope User deletes a secret scope. - scope
secrets deleteSecret User deletes a secret from a scope. - key
- scope
secrets getAcl User gets ACLs for a secret scope. - scope
- principal
secrets getSecret User gets a secret from a scope. - key
- scope
secrets listAcls User makes a call to list ACLs for a secret scope. - scope
secrets listScopes User makes a call to list secret scopes none
secrets listSecrets User makes a call to list secrets within a scope. - scope
secrets putAcl User changes ACLs for a secret scope. - scope
- principal
- permission
secrets putSecret User adds or edits a secret within a scope. - string_value
- key
- scope

SQL table access events

Note

The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.

The following sqlPermissions events are logged at the workspace level.

Service Action name Description Request parameters
sqlPermissions changeSecurableOwner Workspace admin or owner of an object transfers object ownership. - securable
- principal
sqlPermissions createSecurable User creates a securable object. - securable
sqlPermissions denyPermission Object owner denies privileges on a securable object. - permission
sqlPermissions grantPermission Object owner grants permission on a securable object. - permission
sqlPermissions removeAllPermissions User drops a securable object. - securable
sqlPermissions renameSecurable User renames a securable object. - before
- after
sqlPermissions requestPermissions User requests permissions on a securable object. - requests
sqlPermissions revokePermission Object owner revokes permissions on their securable object. - permission
sqlPermissions showPermissions User views securable object permissions. - securable
- principal

SSH events

The following ssh events are logged at the workspace level.

Service Action name Description Request parameters
ssh login Agent login of SSH into Spark driver. - containerId
- userName
- port
- publicKey
- instanceId
ssh logout Agent logout of SSH from Spark driver. - userName
- containerId
- instanceId

Web terminal events

The following webTerminal events are logged at the workspace level.

Service Action name Description Request parameters
webTerminal startSession User starts a web terminal sessions. - socketGUID
- clusterId
- serverPort
- ProxyTargetURI
webTerminal closeSession User closes a web terminal session. - socketGUID
- clusterId
- serverPort
- ProxyTargetURI

Workspace events

The following workspace events are logged at the workspace level.

Service Action name Description Request parameters
workspace changeWorkspaceAcl Permissions to the workspace are changed. - shardName
- targetUserId
- aclPermissionSet
- resourceId
workspace deleteSetting A setting is deleted from the workspace. - settingKeyTypeName
- settingKeyName
- settingTypeName
- settingName
workspace fileCreate User creates a file in the workspace. - path
workspace fileDelete User deletes a file in the workspace. - path
workspace fileEditorOpenEvent User opens the file editor. - notebookId
- path
workspace getRoleAssignment User gets a workspace's user roles. - account_id
- workspace_id
workspace mintOAuthAuthorizationCode Recorded when in-house OAuth authorization code is minted at the workspace level. - client_id
workspace mintOAuthToken OAuth token is minted for workspace. - grant_type
- scope
- expires_in
- client_id
workspace moveWorkspaceNode A workspace admin moves workspace node. - destinationPath
- path
workspace purgeWorkspaceNodes A workspace admin purges workspace nodes. - treestoreId
workspace reattachHomeFolder An existing home folder is re-attached for a user that is re-added to the workspace. - path
workspace renameWorkspaceNode A workspace admin renames workspace nodes. - path
- destinationPath
workspace unmarkHomeFolder Home folder special attributes are removed when a user is removed from the workspace. - path
workspace updateRoleAssignment A workspace admin updates a workspace user's role. - account_id
- workspace_id
- principal_id
workspace updatePermissionAssignment A workspace admin adds a principal to the workspace. - principal_id
- permissions
workspace setSetting A workspace admin configures a workspace setting. - settingKeyTypeName
- settingKeyName
- settingTypeName
- settingName
- settingValueForAudit
workspace workspaceConfEdit Workspace admin makes updates to a setting, for example enabling verbose audit logs. - workspaceConfKeys
- workspaceConfValues
workspace workspaceExport User exports a notebook from a workspace. - workspaceExportDirectDownload
- workspaceExportFormat
- notebookFullPath
workspace workspaceInHouseOAuthClientAuthentication OAuth client is authenticated in workspace service. - user

Deprecated log events

Databricks has deprecated the following databrickssql diagnostic events:

  • createAlertDestination (now createNotificationDestination)
  • deleteAlertDestination (now deleteNotificationDestination)
  • updateAlertDestination (now updateNotificationDestination)
  • muteAlert
  • unmuteAlert

SQL endpoint logs

If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.

The SQL endpoint events are:

  • changeEndpointAcls
  • createEndpoint
  • editEndpoint
  • startEndpoint
  • stopEndpoint
  • deleteEndpoint
  • setEndpointConfig