Audit Log
The Audit Log provides a tamper-evident, platform-wide record of all administrative actions and active user sessions. It is the primary tool for compliance review, incident investigation, and access governance.
Navigate to Admin > Audit Log to access this page.
The page is divided into two tabs: Activity Log and Sessions.
Activity Log
The Activity Log records every API-level action performed by any user on the platform, including configuration changes, resource creation and deletion, role assignments, and login events.
Columns
| Column | Description |
|---|---|
| Timestamp | Date and time the action occurred, formatted according to your platform date settings. |
| User | Email address of the authenticated user who performed the action. |
| Action | The operation type (see action types below). |
| Resource | The resource type and a truncated resource ID that was acted upon. |
| Status | Success or Failure — whether the API call completed without error. |
| IP Address | The remote IP address from which the request originated. |
Action Types
| Action | Colour | Meaning |
|---|---|---|
create | Green | A new resource was created. |
update | Blue | An existing resource was modified. |
delete | Red | A resource was permanently deleted. |
revoke | Orange | A session or certificate was revoked. |
assign | Purple | A role or policy was assigned to a user or group. |
unassign | Yellow | A role or policy was removed. |
sync | Indigo | A configuration sync was triggered to an edge device. |
export | Grey | Data was exported from the platform. |
Expanding a Row
Click any row to expand it and view the full request details:
- HTTP method and path of the API call.
- HTTP response status code.
- A structured key-value view of the
detailspayload. Sensitive fields (private keys, passwords) are shown as[REDACTED].
Filters
Use the filter bar to narrow results before reviewing or exporting.
| Filter | Description |
|---|---|
| Search | Free-text search across actions, resource names, and user emails. |
| Tenant | (Super Admin only) Filter to a specific tenant's activity. |
| Resource Type | Scope to a single resource category: Edge, User, Connector, WireGuard, Tenant, Role, Config Template, Peering, or ACL. |
| From / To | Date range picker to restrict results to a specific window. |
Results are paginated at 20 rows per page.
Auto-Refresh
Enable the Auto-refresh (30s) toggle to have the table silently reload every 30 seconds. This is useful for live monitoring during an active incident or change window. New rows appear at the top without resetting the current filter state or page position.
Exporting
Click Export to download the current filtered result set as a ZIP archive containing a CSV file. The export honours all active filters (search, tenant, resource type, date range), so narrow your filters before exporting to limit the output to relevant records.
The downloaded file is named activity-log-YYYY-MM-DD.zip.
Only Super Admins can view activity across all tenants. Tenant Admins see only activity within their own tenant scope.
Sessions Tab
The Sessions tab lists all active, expired, and revoked login sessions on the platform. Each row represents a single authenticated session established via the native login flow.
Columns
| Column | Description |
|---|---|
| User | Email and display name of the session owner. |
| IP Address | The client IP from which the session was established. |
| User Agent | Browser or client identifier string. |
| Created | When the session was first established. |
| Last Activity | Most recent API request made under this session token. |
| Expires | Absolute expiry time for the session token. |
| Status | Active, Expired, or Revoked. |
Revoking a Session
Active sessions can be force-terminated by clicking Revoke on the row. The token is immediately invalidated server-side. The affected user will be logged out on their next request and redirected to the login page.
Session revocation is immediate and cannot be undone. Notify the user before revoking if the action is administrative rather than a security response.
Filtering and Export
Sessions support the same search, tenant, and status filters as the Activity Log. The Export button downloads a sessions-YYYY-MM-DD.zip archive with a CSV of the filtered results.
Assume Identity Audit Trail
When a Super Admin uses the Assume Identity feature to act on behalf of another user, all actions performed under that assumed session are recorded in the Activity Log with both the originating Super Admin's identity and the assumed user context. This ensures that privilege escalation is fully attributable and auditable.
Look for entries where the details payload contains an assumedBy field identifying the Super Admin who initiated the assumption.
Route
The Audit Log is accessible at /admin/audit-log. Access requires Admin or Super Admin role. Viewer-role users do not have access to this page.