Audit Logs
Overview
Audit logs record security-relevant events in the platform. Use them to track user actions, monitor for suspicious activity, and meet compliance requirements.
Navigation
Menu: System > Audit Logs
Page Layout
Statistics Cards
The top of the page displays two statistics cards:
| Card | Description |
|---|---|
| Today’s Events | Number of events recorded today |
| Total Events (30 days) | Aggregated events over the last 30 days |
Controls Card
A separate card contains filtering and action controls:
| Control | Description |
|---|---|
| Filter by event type | Dropdown to filter logs by specific event type |
| Refresh | Reload the audit log list |
| Cleanup Old Logs | Delete events older than the retention period (red button) |
Audit Log Table
| Column | Description |
|---|---|
| Time | Event timestamp in local format |
| Event | Event type with colored tag |
| Method | HTTP method (GET, POST, PUT, DELETE) |
| Path | API endpoint path |
| IP Address | Source IP of the request |
| Resource | Resource type and ID (truncated) |
Pagination
- Default page size: 50 items
- Available sizes: 20, 50, 100, 200, 500 items per page
- Shows total count (e.g., “Total 1,234 events”)
Event Types
User Events
| Event Type | Color | Description |
|---|---|---|
| user.login | Green | User logged in |
| user.logout | Gray | User logged out |
| user.register | Cyan | New user registered |
Host Events
| Event Type | Color | Description |
|---|---|---|
| host.created | Blue | New host added |
| host.updated | Blue | Host information modified |
| host.deleted | Red | Host removed |
Credential Events
| Event Type | Color | Description |
|---|---|---|
| credential.created | Purple | New SSH credential added |
| credential.deleted | Red | SSH credential removed |
Scan Events
| Event Type | Color | Description |
|---|---|---|
| scan.started | Processing (animated) | Compliance scan initiated |
| scan.completed | Green | Compliance scan finished |
Hardening Events
| Event Type | Color | Description |
|---|---|---|
| hardening.started | Orange | Hardening job started |
| hardening.completed | Green | Hardening job finished |
| hardening.failed | Red | Hardening job failed |
Schedule Events
| Event Type | Color | Description |
|---|---|---|
| schedule.created | Geek Blue | New schedule created |
| schedule.updated | Geek Blue | Schedule modified |
| schedule.deleted | Red | Schedule removed |
Settings Events
| Event Type | Color | Description |
|---|---|---|
| setting.updated | Gold | System setting changed |
Event Details
Each event includes basic information in the table columns. Click on a row to expand and see additional details.
Expanded Row Details
| Field | Description |
|---|---|
| User Agent | Browser/client information |
| User ID | Which user performed the action (UUID or “-” if anonymous) |
| Details | Additional context in JSON format (scrollable, max 200px height) |
The Details JSON may contain:
- Old and new values for update events
- Additional parameters
- Error information for failed events
Filtering Events
By Event Type
- Click the Filter by event type dropdown
- Select an event type (e.g., “user.login”)
- The table automatically updates to show only matching events
- Click the X in the dropdown to clear the filter
Navigation
Use pagination to navigate through events:
- Events are sorted by time (newest first)
- Change page size using the dropdown at bottom
- Click page numbers to navigate
Event Retention
Retention Period
- Default: 90 days
- Configurable in Settings
- Older events are automatically eligible for cleanup
Manual Cleanup
Click Cleanup Old Logs to:
- Remove events older than the retention period
- Free up database storage
On completion, a success message shows the number of deleted events and the retention period in days.
Security Monitoring
Suspicious Activity Indicators
Monitor for:
- Multiple failed logins from same IP
- Unusual login times (outside business hours)
- Actions from unexpected IP addresses
- Mass deletions (host.deleted, schedule.deleted)
- Configuration changes (setting.updated)
- New user registrations (user.register)
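The indicators above can be checked mechanically against an exported batch of events. The following is an added example written for this page, not code shipped with the platform: it assumes the JSON key names `time`, `event_type`, `ip`, `user_id`, `resource_id` and `details` for an event (the page names these fields but not their keys), assumes a failed login appears as a `user.login` event whose Details JSON carries an `error` entry, and uses constructed sample events and threshold values.

```python
"""Detection rules for the suspicious-activity indicators listed above (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed event shape (the page names these fields; the JSON key names are an assumption):
# {"time": "2024-06-03T09:00:00", "event_type": "user.login", "ip": "203.0.113.7",
#  "user_id": "<uuid> or '-'", "resource_type": "host", "resource_id": "...", "details": {...}}

BUSINESS_HOURS = (8, 18)                                  # assumed: 08:00-18:00 local time
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: expected source ranges
FAILED_LOGIN_THRESHOLD = 3                                # assumed tuning values
MASS_DELETE_THRESHOLD = 5
MASS_DELETE_WINDOW = timedelta(minutes=10)


def parse_time(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def is_failed_login(ev: dict) -> bool:
    # Assumption: a failed login is recorded as user.login whose Details JSON carries
    # error information (the page says failed events carry it under Details).
    return ev["event_type"] == "user.login" and "error" in (ev.get("details") or {})


def ip_is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious(events) -> list:
    """Return one finding per triggered indicator: {"rule", "key", "time"}."""
    findings = []
    failed_by_ip = defaultdict(int)
    deletions_by_user = defaultdict(list)   # user_id -> timestamps inside the window
    mass_alerted = set()

    for ev in sorted(events, key=parse_time):
        et, ts = ev["event_type"], parse_time(ev)

        if is_failed_login(ev):
            failed_by_ip[ev["ip"]] += 1
            if failed_by_ip[ev["ip"]] == FAILED_LOGIN_THRESHOLD:   # fire once per IP
                findings.append({"rule": "failed_login_burst", "key": ev["ip"], "time": ev["time"]})
            continue

        if et == "user.login":
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append({"rule": "off_hours_login", "key": ev["user_id"], "time": ev["time"]})
            if not ip_is_trusted(ev["ip"]):
                findings.append({"rule": "unexpected_ip", "key": ev["ip"], "time": ev["time"]})

        elif et in ("host.deleted", "schedule.deleted"):
            recent = deletions_by_user[ev["user_id"]]
            recent.append(ts)
            while ts - recent[0] > MASS_DELETE_WINDOW:            # slide the window forward
                recent.pop(0)
            if len(recent) >= MASS_DELETE_THRESHOLD and ev["user_id"] not in mass_alerted:
                mass_alerted.add(ev["user_id"])
                findings.append({"rule": "mass_deletion", "key": ev["user_id"], "time": ev["time"]})

        elif et == "setting.updated":
            findings.append({"rule": "config_change", "key": ev.get("resource_id"), "time": ev["time"]})

        elif et == "user.register":
            findings.append({"rule": "new_user", "key": ev.get("resource_id"), "time": ev["time"]})

    return findings


def _ev(time, event_type, ip, user_id="user-1", **extra):
    return {"time": time, "event_type": event_type, "ip": ip, "user_id": user_id, **extra}


SAMPLE_AUDIT_EVENTS = [  # constructed sample data, not real log entries
    _ev("2024-06-03T09:00:00", "user.login", "203.0.113.7", "-", details={"error": "bad password"}),
    _ev("2024-06-03T09:00:20", "user.login", "203.0.113.7", "-", details={"error": "bad password"}),
    _ev("2024-06-03T09:00:45", "user.login", "203.0.113.7", "-", details={"error": "bad password"}),
    _ev("2024-06-03T09:10:00", "user.login", "10.1.2.3"),                     # normal login
    _ev("2024-06-03T03:15:00", "user.login", "10.1.2.4", "user-2"),           # outside business hours
    _ev("2024-06-03T11:00:00", "user.login", "198.51.100.9", "user-3"),       # untrusted source range
    *[_ev(f"2024-06-03T09:2{i}:00", "host.deleted", "10.1.2.3",
          resource_type="host", resource_id=f"host-{i}") for i in range(5)],  # 5 deletions in 5 minutes
    _ev("2024-06-03T10:00:00", "setting.updated", "10.1.2.3",
        resource_type="setting", resource_id="retention-setting-placeholder"),
    _ev("2024-06-03T12:00:00", "user.register", "10.1.2.9", "-",
        resource_type="user", resource_id="user-4"),
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_AUDIT_EVENTS):
        print(f"{f['time']}  {f['rule']:<20} {f['key']}")
```

Feed it the JSON Lines export from the API section (one event per line) and route the findings to the ticketing or SIEM pipeline; the thresholds and the trusted ranges are the knobs to tune per environment.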
Regular Review
- Review audit logs weekly for normal operations
- Daily review for high-security environments
- Investigate unusual patterns immediately
- Document security incidents
Compliance Use Cases
Access Tracking
Track who accessed what:
- User login history
- Resource modifications
- Configuration changes
- Time and source of access
Change Management
Document changes:
- When changes were made (timestamp)
- Who made them (user_id)
- What was changed (resource_type, resource_id)
- Before/after values (in details JSON)
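A change-management record can be assembled directly from the four items above. The following is an added example, not part of the platform's code: it assumes the event keys `time`, `user_id`, `resource_type`, `resource_id` and `details`, and assumes that update events store the before and after state under `details["old"]` and `details["new"]` (the page says both values are present but does not name the keys). The sample event is constructed.

```python
"""Build a field-level change record from an update event's Details JSON (added example)."""


def changed_fields(old: dict, new: dict) -> list:
    """Return (field, before, after) for every key whose value differs; absent values are None."""
    keys = sorted(set(old) | set(new))
    return [(k, old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)]


def change_record(ev: dict) -> dict:
    """When / who / what / before-after, as listed under Change Management."""
    details = ev.get("details") or {}
    # Assumption: old and new state live under details["old"] / details["new"].
    return {
        "when": ev["time"],
        "who": ev.get("user_id", "-"),
        "what": f"{ev.get('resource_type')}:{ev.get('resource_id')}",
        "changes": changed_fields(details.get("old") or {}, details.get("new") or {}),
    }


def format_change_record(rec: dict) -> str:
    """Render the record as plain text suitable for a change log or audit report."""
    lines = [f"{rec['when']} {rec['who']} changed {rec['what']}"]
    for field, before, after in rec["changes"]:
        lines.append(f"  {field}: {before!r} -> {after!r}")
    return "\n".join(lines)


SAMPLE_UPDATE = {  # constructed sample event, not a real log entry
    "time": "2024-06-03T10:00:00",
    "event_type": "host.updated",
    "ip": "10.1.2.3",
    "user_id": "user-1",
    "resource_type": "host",
    "resource_id": "host-7",
    "details": {
        "old": {"name": "db-01", "port": 22, "tags": ["prod"]},
        "new": {"name": "db-01", "port": 2222, "tags": ["prod", "pci"]},
    },
}

if __name__ == "__main__":
    print(format_change_record(change_record(SAMPLE_UPDATE)))
```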
Incident Investigation
Investigate security incidents:
- Timeline of events (sorted by time)
- User actions (filter by user events)
- Affected resources (resource column)
- Source identification (IP address)
Best Practices
Regular Monitoring
- Review logs daily for critical systems
- Set up SIEM integration for real-time alerts
- Investigate anomalies promptly
- Keep records of investigations
Retention Policy
- Set retention based on compliance requirements
- Export logs before cleanup if needed for legal purposes
- Consider PCI-DSS (1 year), HIPAA (6 years), GDPR (varies) requirements
- Balance storage costs with compliance needs
Access Control
- Limit access to audit logs
- Audit log access should itself be logged
- Protect log integrity
- Consider read-only access for auditors
API Access
Retrieve audit logs programmatically:
```
GET /api/v1/audit?limit=50&offset=0&event_type=user.login
```
Parameters:
- limit - Number of events to return
- offset - Pagination offset
- event_type - Filter by event type (optional)
Get statistics:
```
GET /api/v1/audit/stats
```
Returns aggregated event counts by type and date.
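A client that walks the endpoint with the `limit`/`offset` parameters and writes the result as JSON Lines is the usual building block for the "export logs before cleanup" advice. The following is an added example, not the platform's own client: it assumes the API answers with `{"items": [...], "total": N}` (a bare list is accepted too) and accepts a bearer token; both are assumptions, since the page documents only the query parameters. The offline stand-in `fake_fetch_for` and `SAMPLE_EVENTS` are constructed so the paging logic runs without a server.

```python
"""Export audit events by paging through GET /api/v1/audit (added example)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional

AUDIT_PATH = "/api/v1/audit"   # endpoint named on the page
PAGE_SIZE = 200                # within the page sizes the UI offers (20-500)


def build_audit_url(base_url: str, limit: int, offset: int,
                    event_type: Optional[str] = None) -> str:
    """Compose the request URL from the documented query parameters."""
    params = {"limit": limit, "offset": offset}
    if event_type:
        params["event_type"] = event_type
    return base_url.rstrip("/") + AUDIT_PATH + "?" + urllib.parse.urlencode(params)


def http_fetch_json(token: str, timeout: float = 30.0) -> Callable[[str], object]:
    """Return a fetcher that GETs a URL as JSON; bearer-token auth is an assumption."""
    def fetch(url: str) -> object:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch


def iter_audit_events(fetch: Callable[[str], object], base_url: str,
                      event_type: Optional[str] = None, page_size: int = PAGE_SIZE) -> Iterator[dict]:
    """Walk the endpoint with limit/offset until a short page or the reported total is reached."""
    offset = 0
    while True:
        body = fetch(build_audit_url(base_url, page_size, offset, event_type))
        # Assumed response shape: {"items": [...], "total": N}; a bare list is accepted too.
        if isinstance(body, dict):
            items, total = body.get("items", []), body.get("total")
        else:
            items, total = body, None
        yield from items
        offset += len(items)
        if len(items) < page_size or (total is not None and offset >= total):
            return


def to_jsonl(events) -> str:
    """Serialize events one per line with sorted keys so exports diff cleanly."""
    return "".join(json.dumps(ev, sort_keys=True) + "\n" for ev in events)


def export_audit_log(fetch, base_url: str, path: str, event_type: Optional[str] = None) -> int:
    """Write every matching event to a JSON Lines file and return the number written."""
    events = list(iter_audit_events(fetch, base_url, event_type))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(to_jsonl(events))
    return len(events)


# --- constructed offline stand-in for the API, so the paging logic can be exercised ---
SAMPLE_EVENTS = [  # constructed sample data, not real log entries
    {"id": i, "event_type": et, "ip": "10.0.0.5", "user_id": "user-1"}
    for i, et in enumerate(["user.login", "host.created", "user.login", "host.deleted",
                            "user.login", "setting.updated", "user.logout"])
]


def fake_fetch_for(events):
    """Serve a fixed event list through the same limit/offset/event_type contract."""
    def fetch(url: str):
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        limit, offset = int(q["limit"][0]), int(q["offset"][0])
        wanted = q.get("event_type", [None])[0]
        matching = [e for e in events if wanted is None or e["event_type"] == wanted]
        return {"items": matching[offset:offset + limit], "total": len(matching)}
    return fetch


if __name__ == "__main__":
    # Against a real server: fetch = http_fetch_json(token) with your base URL instead.
    n = export_audit_log(fake_fetch_for(SAMPLE_EVENTS), "https://example.invalid",
                         "audit-export.jsonl", event_type="user.login")
    print(f"exported {n} events")
```

Keep `page_size` at or below the largest size the UI offers; the loop stops on the first short page, so it also behaves when the server caps `limit` below what was requested.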
Troubleshooting
Missing Events
- Verify event occurred after logging was enabled
- Check event type filter is not excluding the event
- Refresh the page
- Verify the event is within retention period
Too Many Events
- Use event type filter to narrow down
- Reduce page size for faster loading
- Export data for offline analysis
- Consider shorter retention period
Performance Issues
- Use smaller page sizes (20-50 items)
- Apply specific filters
- Export data and analyze offline
- Run cleanup to reduce database size
Cleanup Not Working
- Verify retention period setting
- Check if there are events to delete
- Ensure sufficient database permissions
- Check for database errors in server logs
Related Pages
- Settings - Configure retention period
- Jobs - View hardening job details
- Compliance Scanning - View scan details