1. Slack Help Center
  2. Workspace administration
  3. Slack data & analytics
    4. Audit logs in Slack

Audit logs in Slack

Audit logs provide a record of changes and usage that help keep your Slack Enterprise organization secure and protect against misuse. You can view audit logs right in Slack, export them as a CSV, and use the Audit Logs API to create custom monitoring tools.  


View audit logs

  1. From your desktop, click your organization name in the sidebar.
  2. Select Tools & settings from the menu, then click Organization settings.
  3. Click  Security in the left sidebar and select Audit logs.
  4. Click   Filter at the top of the list to filter entries by Date range, Acting user, Affects (either user, workspace, or organization), or Events
  5. To export audit logs, click Export in the top-right corner of the page and select Export CSV or Export JSON.

Note: If Slackbot has taken action on behalf of a user (like creating or editing a canvas), you’ll see acting_agent: Slackbot in the detailed audit log entry or the Audit Logs API output.


Export search query logs

The Org Primary Owner and Roles Admins can create and assign a custom role (which must include the Access search query logs and Read audit logs permissions) that has permission to export a list of search query logs. When you export search query logs, you can sort the list of completed searches by member, search term, and date range.

  1. From your desktop, click your organization name in the sidebar.
  2. Select Tools & settings from the menu, then click Organization settings.
  3. Click  Security in the left sidebar and select Audit logs.
  4. Click Export in the top-right corner, then select Export search queries.
  5. Customize your search query export and click Export.

Note: Search query log exports will only contain results from the last 90 days.


Monitor anomaly events

Anomaly events can surface potentially suspicious user and app activity in your organization. Use the audit logs or the Audit Logs API to monitor anomaly events and help determine whether the activity is expected. 

  1. From your desktop, click your organization name in the sidebar.
  2. Select Tools & settings from the menu, then click Organization settings.
  3. Click  Security in the left sidebar and select Audit logs.
  4. Click the Security Detections tab.

Tip: To manually sign members out, click the   three dots icon next to an anomaly audit log entry and select Sign Out Of Slack. If you'd like, you can also configure an automatic anomaly event response


Use the Audit Logs API

Enterprise organizations can use the Audit Logs API to programmatically monitor audit events in Slack. You can use the Audit Logs API to:

  • Send data to a security information and event management (SIEM) tool.
  • Watch for potential security issues or malicious attempts to access your org.
  • Build custom apps for better insight into how your company uses Slack. 

Note: The availability of audit log data prior to upgrading to an Enterprise plan depends on your previous plan. To learn more about audit logs, contact our Support team.  

Who can use this feature?

  • Org Owners and members with the Audit Logs Admin system role
  • Available on Enterprise plans

Awesome!

Thanks so much for your feedback!

If you’d like a member of our support team to respond to you, please send a note to feedback@slack.com.

Was this article helpful?Yes, thanks!Not really
Sorry about that! What did you find most unhelpful?
0/600
Submit article feedback

If you’d like a member of our support team to respond to you, please send a note to feedback@slack.com.

Oops! We're having trouble. Please try again later!