Audit log pages
Browsing the audit trail in the UI: project vs organization scope, the action and actor filters, JSON/CSV export with date presets, and the entry detail with metadata, field-level changes, and old/new snapshots. For what gets audited, the HMAC chain, retention, and SIEM forwarding, see Audit & SIEM.
Open it from the top menu: Audit Logs.
Scope switch
A Project / Organization segmented switch in the header selects the view:
- Project — entries scoped to the current project (the project selector decides which).
- Organization — org-wide entries: logins, user and role changes, settings, license, LDAP, and everything not tied to a single project.
The audit list
| Column | Content |
|---|---|
| Timestamp | Local time of the event. |
| Actor | Display name of the user (or empty for system events). A column filter lets you type an actor name to narrow the rows. |
| Action | Colour-coded tag with a friendly label — e.g. Certificate Issued (green), Login Failed (red), Settings Updated (blue), Distribution Dry Run (orange). Unmapped actions fall back to the raw METHOD /path string coloured by HTTP method. |
| Resource Type | Human label — Certificate, User, DNS Credential, Module, Target, Approval Request, … |
| Resource ID | Truncated ID; hover for the full value. |
| IP | Source IP of the actor. |
- The Action column has preset filters by prefix: Auth, Certificate, Distribution, Job, Settings, User.
- Both the action and actor filters are client-side — they narrow the rows on the page you're looking at, not the full server-side result set.
- Pagination uses the default page size from Settings → General (UI preferences).
Clicking a row opens the entry detail.
Action categories
The UI maps well over a hundred action codes to readable labels. The broad families:
| Family | Examples |
|---|---|
| Auth & sessions | login, login failed, logout, token refresh, token reuse detected, OTP verified/failed, TOTP setup/disable, password changed |
| Certificates | issue/renew/reissue/revoke requested, issued, renewed, revoked, failed/dead/cancelled variants, policy updates, deleted, downloaded |
| Approvals | approval requested (per operation), approved, rejected, executed, retried, cancelled |
| Distribution | executed, dry run, rollback (and rolled back), linked/unlinked, module/credential/target/target-group/path-set/action-set CRUD |
| DNS & CA | DNS credential CRUD + tested, zone CRUD, ACME account CRUD + validated, MSCA connection CRUD + tested + templates synced |
| Discovery & domains | source CRUD, scan triggered, finding status changed, domain tracking CRUD, check triggered |
| Admin | user CRUD, roles updated, password reset, project/organization CRUD, general settings, LDAP, syslog, OTP policy, license, variables |
| Meta | job retried/cancelled, bulk action created, audit chain verified |
Entry detail
Clicking a row opens /audit/<id> with a Back to Audit Logs button and:
- Summary table — entry ID (copyable), timestamp, action tag, actor name and actor ID, source IP, project ID (or an Org-wide tag), org ID, resource type and resource ID, and the entry checksum (the HMAC-chain value for this entry — see HMAC chain).
- Metadata — a key/value table of event-specific context, when the action recorded any.
- Changes — for update actions, a field-level diff table: Path, From, To.
- Snapshots — collapsible Old Value / New Value panels with the full before/after JSON documents, when the action captured them.
Sensitive fields (credentials, keys) are stored encrypted or redacted server-side and never appear in snapshots.
Export
The header has a date range picker (presets: last 7 / 14 / 30 days; default last 30) and an Export dropdown with two formats:
- JSON — one entry per line, suitable for SIEM ingestion or offline chain re-verification.
- CSV — for spreadsheets and quick audits.
The export respects the current scope: in Project view it exports that project's entries, in Organization view the org-wide log. The download opens in a new tab and is served by the API using your session — so it is subject to the same role checks as viewing the log. Larger, scripted exports (legal hold, DR) are better done with the CLI (audit export).
Entries are retained for 30 days (retention). If you need history beyond that, set up syslog forwarding or scheduled exports before you need them — the UI can only show what's still in the database.
Chain verification
There is no chain-verification button in the web UI. The audit log is HMAC-chained, and verification runs through the CLI:
certautopilot audit verify --since 2026-01-01
See Verifying the chain. Each verification run is itself recorded in the log as an Audit Chain Verified entry, so you can confirm from the UI that the scheduled verification is actually happening.