# uip or audit-logs > Syntax and options for `uip or audit-logs`, which lists the tenant audit log for compliance review and incident investigation. `uip or audit-logs` lists the tenant's **audit log** — the record of who did what and when. Audit entries track changes to users, processes, assets, queues, jobs, folders, machines, roles, settings, schedules, and other entities. Use it for compliance review, incident investigation, or to watch a specific user's activity. ## Synopsis ``` uip or audit-logs list [options] ``` The verb honors the [global options](./global-options.md) (`--output`, `--output-filter`, `--log-level`, `--log-file`). Exit codes follow the [standard contract](./exit-codes.md). ## Verbs | Verb | Purpose | |---|---| | `list` | List audit entries, filtered by component, action, user, or time range. Optionally export to CSV. | ## uip or audit-logs list List audit log entries. Filters compose with AND semantics. With `--export`, the logs are exported server-side to CSV and downloaded when ready. ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | `-t` | `--tenant` | name | session default | Override the tenant. | | — | `--component` | text | — | Filter by component (for example, `Users`, `Assets`, `Processes`, `Queues`, `Jobs`, `Folders`, `Machines`, `Roles`, `Settings`, `Schedules`). | | — | `--action` | text | — | Filter by action (for example, `Create`, `Update`, `Delete`, `StartJob`, `StopJob`, `Upload`, `Download`). | | — | `--user` | username | — | Exact-match on username. | | — | `--created-after` | ISO 8601 | — | Entries on or after this date. | | — | `--created-before` | ISO 8601 | — | Entries strictly before this date. | | `-l` | `--limit` | number | `50` | Page size. | | — | `--offset` | number | `0` | Skip count. | | — | `--order-by` | field | `ExecutionTime desc` | OData sort expression. | | — | `--export` | flag | off | Export matching entries to CSV via the server-side export API. | | `-o` | `--output` | path | `audit-logs-export.csv` | Output CSV path. Only with `--export`. | ### Examples ```bash # Most recent audit entries across the tenant uip or audit-logs list # Filter to the Users component uip or audit-logs list --component Users --limit 100 # Everything one user did in a window uip or audit-logs list --user admin@example.com \ --created-after 2026-04-01 --created-before 2026-04-08 # Export to CSV uip or audit-logs list --component Jobs --export -o ./jobs-audit.csv ``` ### Data shape (--output json) Inline mode: ```json { "Code": "AuditLogList", "Data": [ { "serviceName": "UiPath.Orchestrator.Web.Api.OData.Controllers.UsersController", "methodName": "Post", "executionTime": "2025-04-15T09:10:00Z", "action": "Create", "component": "Users", "displayName": "jane.doe@example.com", "entityId": 1001, "operationText": "User admin@example.com created user jane.doe@example.com", "userName": "admin@example.com", "userType": "DirectoryUser", "entities": [ { "auditLogId": 1000001, "customData": "{\"Id\":1001,\"UserName\":\"jane.doe\"}", "entityId": 1001, "entityName": "User", "action": "Create", "id": 2000001 } ], "userId": 42, "userIsDeleted": false, "userIsActive": true, "id": 1000001 } ] } ``` With `--export`, the `Code` is `AuditLogsExported` and the payload is: ```json { "Code": "AuditLogsExported", "Data": { "FileName": "jobs-audit.csv", "Size": 52318, "ExportId": 4711 } } ``` ## Related commands - [`uip or jobs`](./uip-orchestrator-jobs.md) — the Jobs component of audit logs records job lifecycle events. - [`uip or users`](./uip-orchestrator-users.md) — resolve usernames seen in audit entries. ## See also - [Global options](./global-options.md) — `--output`, `--output-filter`, `--log-level`, `--log-file`. - [Exit codes](./exit-codes.md) — standard exit-code contract.