Audit Trail
Learn how to use the audit trail for compliance and troubleshooting.
What is the Audit Trail?
The audit trail is a comprehensive log of all significant actions in your PUGUH organization. It provides:
- Accountability: Who did what and when
- Compliance: Evidence for regulatory requirements
- Troubleshooting: Debug issues by reviewing history
- Security: Detect unauthorized actions
Accessing the Audit Trail
Navigate to Control > Audit Trail to view the log.
Audit Entry Structure
Each entry contains:
```json
{
  "audit_id": "uuid",
  "timestamp": "2025-01-20T10:30:00.123Z",
  "actor": {
    "user_id": "uuid",
    "email": "jane@company.com",
    "type": "user"
  },
  "action": "webhook.created",
  "resource": {
    "type": "webhook",
    "id": "wh-123",
    "name": "Production Webhook"
  },
  "organization_id": "uuid",
  "application_id": "uuid",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0...",
  "details": {
    "conditions": {...},
    "actions": {...}
  },
  "result": "success"
}
```
Action Types
Authentication Actions
| Action | Description |
|---|---|
| auth.login | User logged in |
| auth.logout | User logged out |
| auth.failed | Failed login attempt |
| auth.password_reset | Password was reset |
| auth.mfa_enabled | MFA was enabled |
User Management
| Action | Description |
|---|---|
| user.invited | User was invited |
| user.joined | User accepted invite |
| user.suspended | User was suspended |
| user.removed | User was removed |
| user.role_changed | Role was changed |
Webhook Actions
| Action | Description |
|---|---|
| webhook.created | Webhook endpoint created |
| webhook.updated | Webhook configuration changed |
| webhook.deleted | Webhook endpoint deleted |
| webhook.tested | Test ping sent to webhook |
Application Actions
| Action | Description |
|---|---|
| application.created | Application was created |
| application.updated | Application settings changed |
| application.deleted | Application was deleted |
| application.member_added | Member added to application |
Billing Actions
| Action | Description |
|---|---|
| billing.plan_changed | Subscription plan changed |
| billing.payment_succeeded | Payment completed |
| billing.payment_failed | Payment failed |
Organization Actions
| Action | Description |
|---|---|
| organization.settings_updated | Settings changed |
| organization.plan_changed | Subscription changed |
| organization.application_created | Application created |
Filtering the Audit Trail
By Date Range
Select start and end dates to filter:
- Last 24 hours
- Last 7 days
- Last 30 days
- Custom range
By Actor
Filter by who performed the action:
- Specific user
- Service account
- System (automated)
By Action Type
Filter by category:
- Authentication
- User management
- Webhooks
- Applications
- Billing
By Resource
Find actions on specific resources:
- Specific webhook
- Specific application
- Specific user
By Result
Filter by outcome:
- Success
- Failure
- Partial
Searching
Use the search bar for text search across:
- User emails
- Resource names
- Action details
Example searches:
- jane@company.com - All actions by Jane
- webhook.created - All webhook creations
- failed - All failed actions
Exporting Audit Logs
Export Options
| Format | Use Case |
|---|---|
| CSV | Spreadsheet analysis |
| JSON | Integration/API |
| | Compliance reports |
Export Process
- Apply desired filters
- Click "Export"
- Select format
- Choose fields to include
- Download file
Scheduled Exports
Pro+ plans can schedule automatic exports:
- Go to Settings > Scheduled Exports
- Configure schedule (daily/weekly/monthly)
- Choose destination (email/S3/SFTP)
Retention Policies
| Plan | Retention Period |
|---|---|
| Free | 7 days |
| Starter | 30 days |
| Pro | 1 year |
| Enterprise | Custom (unlimited) |
Older entries are archived but can be retrieved on request (Enterprise).
Compliance Features
Immutability
Audit logs cannot be modified or deleted:
- Entries are append-only
- No edit or delete capabilities
- Cryptographic verification available (Enterprise)
Chain of Custody
Enterprise plans provide:
- Tamper-evident logging
- Cryptographic signatures
- Third-party attestation
Compliance Reports
Generate reports for:
- SOC 2 audits
- ISO 27001
- GDPR data access logs
- Custom frameworks
API Access
Query Audit Trail
```javascript
const entries = await client.queryAuditTrail({
  start_date: '2025-01-01',
  end_date: '2025-01-31',
  actions: ['webhook.created', 'application.created'],
  limit: 100
});
```
Stream Audit Events
```javascript
client.streamAuditEvents({
  filter: { actions: ['auth.failed'] }
}, (event) => {
  console.log('Security event:', event);
});
```
Security Monitoring
Suspicious Activity Detection
Watch for:
- Multiple failed logins
- Unusual access patterns
- Off-hours activity
- Bulk deletions
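The "multiple failed logins" check can also be run offline over exported entries. The following is an added example, not PUGUH code: it applies the threshold from this page's Failed Login Spike alert (more than 5 `auth.failed` entries in 5 minutes) with a sliding window. Grouping by `ip_address`, the function names and the sample entries are assumptions made for illustration.

```javascript
// Added example: sliding-window spike detection over audit entries shaped
// like the "Audit Entry Structure" section. Sample data is constructed.
const WINDOW_MS = 5 * 60 * 1000; // "window: 5m" in the page's example alert

// One finding per key whose matching entries number more than `threshold`
// (strictly greater, like "count: > 5") inside any span shorter than windowMs.
function detectSpikes(entries, { match, keyOf, threshold, windowMs = WINDOW_MS }) {
  const byKey = new Map();
  for (const e of entries) {
    const t = Date.parse(e.timestamp);
    if (Number.isNaN(t) || !match(e)) continue; // skip undated or unrelated entries
    const key = keyOf(e);
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(t);
  }
  const findings = [];
  for (const [key, times] of byKey) {
    times.sort((a, b) => a - b); // exported entries may arrive out of order
    let start = 0, peak = 0, peakAt = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] >= windowMs) start++; // slide the window
      if (end - start + 1 > peak) { peak = end - start + 1; peakAt = times[start]; }
    }
    if (peak > threshold) {
      findings.push({ key, peak, windowStart: new Date(peakAt).toISOString() });
    }
  }
  return findings;
}

// Assumption: failures are grouped per source IP; group by actor.email instead
// to catch one account being targeted from many addresses.
const failedLoginSpikes = (entries) => detectSpikes(entries, {
  match: (e) => e.action === 'auth.failed',
  keyOf: (e) => e.ip_address,
  threshold: 5,
});

// Constructed sample entries: offsets are seconds after 10:30:00 UTC.
const mk = (action, ip, email, sec) => ({
  action, ip_address: ip, actor: { email, type: 'user' },
  timestamp: new Date(Date.UTC(2025, 0, 20, 10, 30, sec)).toISOString(),
});
const sample = [
  ...[100, 0, 40, 20, 80, 60].map((s) => mk('auth.failed', '203.0.113.7', 'jane@company.com', s)),
  ...[0, 10, 20, 30, 40].map((s) => mk('auth.failed', '198.51.100.9', 'bob@company.com', s)),
  ...[0, 120, 240, 360, 480, 600].map((s) => mk('auth.failed', '192.0.2.44', 'amy@company.com', s)),
];
console.log(failedLoginSpikes(sample)); // only 203.0.113.7 exceeds the threshold
```

The same `detectSpikes` function covers the bulk-deletion case by matching actions that end in `.deleted` and keying on `actor.email`; the threshold for that is yours to choose.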
Setting Up Alerts
- Go to Control > Alerts
- Click "New Alert"
- Configure trigger conditions
- Set notification method
- Activate alert
Example Alerts
```
alert: Failed Login Spike
trigger:
  action: auth.failed
  count: > 5
  window: 5m
notification:
  email: security@company.com
  slack: #security-alerts
```
Best Practices
- Regular Review: Schedule weekly audit log reviews.
- Set Up Alerts: Configure alerts for critical actions.
- Export for Compliance: Maintain offline copies for compliance.
- Correlate with Other Systems: Cross-reference with other security logs.
- Document Access: Track who reviews audit logs and when.
Troubleshooting with Audit Trail
Finding Webhook Changes
"Why did this webhook stop receiving events?"
- Filter by webhook resource
- Look for webhook.updated or webhook.deleted actions
- Compare before/after configuration
Tracing Application Changes
"Who changed this application's settings?"
- Find the application.updated entry
- Check the actor and timestamp
- Review the details field for what changed
Identifying Access Issues
"Why can't user X access resource Y?"
- Filter by user
- Look for auth.failed or permission errors
- Check role changes