Audit log
A record of every configuration change in your organization — filterable, exportable, and retained per plan
The audit log records every configuration-changing action in your organization. It's the answer to "who changed what, and when?" — useful for compliance reviews, incident retros, and figuring out why a setting looks different from yesterday.
What the audit log captures
Every action that changes the state of your organization is recorded:
| Category | Examples |
|---|---|
| Team | Invitations sent, resent, revoked, accepted; role changes; user removals |
| Projects | Project created, renamed, deleted; AI analysis context updated |
| Log sources | Source connected, edited, disconnected, tested |
| Repos | Repo connected, disconnected, default branch changed |
| Channels | Channel added, edited, disabled, severity threshold changed, removed |
| Watchdog | Rule created, edited, enabled, disabled, deleted |
| API keys | Key created, scopes changed, revoked |
| Billing | Plan changed, payment method updated, invoice settings changed |
| Organization | Organization name changed, SSO configured, default thresholds changed |
Each entry includes:
- Timestamp — when the action happened
- User — who performed the action (or
systemfor automated changes) - Action — a human-readable label, e.g. "Invited user", "Updated channel"
- Resource — what was affected, e.g. a project name, channel ID, or member email
- Details — the relevant before/after values for the change
What the audit log does NOT capture
The audit log is for configuration, not content:
- Analysis results, root causes, and AI-generated content are not in the audit log
- Raw log lines fetched from your sources are not in the audit log (and aren't stored anywhere — see Data flow)
- Read actions (someone viewing an analysis or browsing a project) are not logged
- Login events and session activity are tracked separately, not in the configuration audit log
If you need analysis activity, see the project's analysis history. If you need watchdog firing history, see the Watchdog activity feed.
Viewing the audit log
The audit log is available under Organization → Team, below the Members and Pending invitations sections.
| Filter | What it does |
|---|---|
| Action type | Narrow to a single action category, e.g. only role changes |
| User | Show only entries from a specific actor |
| Time range | Restrict to a date window |
The table is paginated. Sort is reverse-chronological (newest first).
Permissions
| Role | Can view audit log |
|---|---|
| Owner | Yes |
| Admin | Yes |
| Member | No |
| Viewer | No |
Members and viewers don't see the audit log section at all — it's hidden by permission gate, not just blank. If a member needs to review a change, an admin or owner has to look it up for them.
Retention by plan
How far back the audit log goes depends on your plan:
| Plan | Retention |
|---|---|
| Starter | Not available |
| Pro | 30 days |
| Business | 90 days |
| Enterprise | Unlimited |
Older entries are pruned automatically. If you need entries to survive longer than your plan's retention window, export them regularly (see below) and keep the CSVs in your own storage.
Exporting
Click Export CSV above the audit log table to download the
currently-filtered view as a CSV file. The export contains the same
columns as the table plus the details JSON for each entry.
Common reasons to export:
- SOC 2 / ISO 27001 reviews — auditors often want a full year of configuration changes; export monthly to your evidence store
- Incident retros — pull the window around an incident and attach the CSV to the retro doc
- Long-term retention beyond your plan's window — schedule a recurring export and archive the files
Exports respect the active filters. If you've narrowed the view to "role changes in the last 7 days", the CSV contains exactly those rows. To export everything, clear filters first.
Related
- Roles & permissions — who can view and act on the log
- Data flow — what we do and don't store
- Plans & quotas — full retention and quota matrix