Audit Log
A tamper-evident record of who did what and when in your FreshGuard workspace.
The Audit Log gives workspace administrators a chronological record of every significant change made to your workspace — who made it, when, and what the previous state was. It is designed for post-mortems, compliance reviews, and security investigations.
Accessing the Audit Log
Go to Settings → Audit & Compliance in the dashboard. You must be a workspace admin to view audit logs.
You can filter events by:
- Category — Auth, data changes, configuration, security violations
- User — Filter to a specific team member’s actions
- Action — Search for a specific event type (e.g.
rule.deleted) - Date range — Narrow to a specific window of time
What Is Captured
Every entry records:
| Field | Description |
|---|---|
| Timestamp | Exact time the action was performed (UTC) |
| User | Email address of the team member who performed the action |
| Action | What happened (see event reference below) |
| Target | The resource that was affected, with its ID |
| Before / After | Previous and new values for mutation events |
| IP Address | Source IP of the request |
Info
Audit events are written at the time the action completes successfully. If a request fails before completing, no audit event is recorded.
Event Reference
Alert Events
| Event | Severity | Description |
|---|---|---|
alert.acknowledged | Info | An alert was acknowledged. Records who acknowledged it and any notes added. |
alert.snoozed | Info | An alert was snoozed. Records the snooze duration, who snoozed it, and any notes. |
Rule Events
| Event | Severity | Description |
|---|---|---|
rule.created | Info | A new monitoring rule was created. Records the rule name, type, table, and check interval. |
rule.updated | Info | A monitoring rule’s configuration was changed. Records the previous and new values for changed fields. |
rule.toggled | Info | A monitoring rule was enabled or disabled. Records the previous and new active state. |
rule.deleted | Warning | A monitoring rule was permanently deleted. Records the rule name before deletion. |
Data Source Events
| Event | Severity | Description |
|---|---|---|
source.created | Info | A new data source was connected. Records the source name and type. |
source.updated | Info | A data source was renamed or had its credentials updated. Records the previous name and what fields changed. |
source.deleted | Warning | A data source was permanently deleted. Records the source name and type before deletion. Cascade-deletes all associated rules. |
Alert Destination Events
| Event | Severity | Description |
|---|---|---|
destination.created | Info | A new alert destination was added to the workspace. Records the name and destination type (email, Slack, webhook). |
destination.updated | Info | An alert destination was modified. Records which fields changed (name, active state, or configuration). |
destination.deleted | Warning | An alert destination was permanently deleted. Records the name and type before deletion. |
destination.bound | Info | An alert destination was linked to a monitoring rule. Records the rule ID, destination ID, and severity filter. |
destination.unbound | Info | An alert destination was unlinked from a monitoring rule. Records the rule ID and destination ID. |
Workspace & Team Events
| Event | Severity | Description |
|---|---|---|
workspace.updated | Info | Workspace settings (name or VAT ID) were changed. Records the new values. |
workspace.member.role_changed | Info | A team member’s role was changed. Records the previous and new role. |
workspace.member.removed | Warning | A team member was removed from the workspace. Records the member’s user ID and role before removal. |
workspace.invite.created | Info | An invite link was created. Records the role granted and expiry. |
workspace.invite.revoked | Warning | An invite link was revoked before it was used. Records the role it was for. |
workspace.invite.accepted | Info | A user accepted an invite and joined the workspace. Records the role granted. |
User & Auth Events
| Event | Severity | Description |
|---|---|---|
user.profile.updated | Info | A user changed their display name or profile information. |
Tip
When investigating an incident, start by filtering to the rule or alert involved and expanding the time window to cover the 24 hours before the problem was first detected. The before/after values on rule.updated events often reveal configuration changes that contributed to the issue.
Retention
Audit log retention depends on your plan:
| Plan | Retention |
|---|---|
| Free | 30 days |
| Starter | 90 days |
| Professional | 1 year |
| Enterprise | Configurable (contact us) |
What Is Not Captured
The audit log records user-initiated changes. It does not log:
- Scheduled check executions — these are system-driven and are tracked separately in alert history
- Read-only access — viewing dashboards, browsing rules, or reading alert details
- Automatic alert resolution — when data starts flowing again, the alert resolves automatically; this appears in alert history, not the audit log