Audit Logs
Track all activity in your ops0 organization. Audit logs provide a complete record of who did what and when.
Accessing Audit Logs
Go to Settings
Navigate to the Settings section.
Select Audit Logs
Click on Audit Logs in the sidebar navigation.
Page Layout
Search Box
Search log entries.
Filters
Filter by type, user, date.
Export
Download logs.
Log Table
All audit entries.
Log Entry Columns
| Column | Description |
|---|---|
| Timestamp | When event occurred |
| User | Who performed action |
| Action | What was done |
| Resource | What was affected |
| IP Address | User's IP |
| Status | Success, Failed |
Viewing Log Entries
Log List
Each row shows:
┌────────────────────────────────────────────────────────────────────┐
│ 2024-01-15 10:30:45 john@example.com deployed vpc-production │
│ Action: terraform apply │
│ IP: 192.168.1.100 Status: Success │
└────────────────────────────────────────────────────────────────────┘
Click for Details
Select Entry
Click on any log entry in the table.
View Details
The detail panel opens on the right.
Analyze
Review full event information including changes and request data.
Entry Details
| Field | Description |
|---|---|
| Event ID | Unique identifier |
| Timestamp | Exact time (with timezone) |
| User | Email and user ID |
| Action | Event type |
| Resource | Resource type and ID |
| Changes | What changed |
| Request | API request details |
| Response | API response |
| IP Address | Source IP |
| User Agent | Browser/client |
Event Categories
Authentication Events
user.login
User logged in
user.logout
User logged out
user.login_failed
Failed login attempt
user.password_changed
Password updated
user.2fa_enabled
2FA turned on
user.session_revoked
Session ended
User Management Events
| Event | Description |
|---|---|
| user.invited | User invitation sent |
| user.joined | User accepted invite |
| user.removed | User removed from org |
| user.role_changed | Role assignment changed |
| user.disabled | User account disabled |
Project Events
| Event | Description |
|---|---|
| project.created | New project created |
| project.updated | Project modified |
| project.deleted | Project deleted |
| project.file_created | File added |
| project.file_updated | File modified |
| project.file_deleted | File removed |
Deployment Events
deployment.started
Deployment began
deployment.completed
Deployment finished
deployment.failed
Deployment failed
deployment.cancelled
Deployment stopped
deployment.approved
Approval granted
deployment.rejected
Approval denied
Integration Events
| Event | Description |
|---|---|
| integration.created | Integration added |
| integration.updated | Credentials updated |
| integration.deleted | Integration removed |
| integration.tested | Connection tested |
Policy Events
| Event | Description |
|---|---|
| policy.created | Policy created |
| policy.updated | Policy modified |
| policy.deleted | Policy removed |
| policy.violation | Violation detected |
Workflow Events
| Event | Description |
|---|---|
| workflow.created | Workflow created |
| workflow.updated | Workflow modified |
| workflow.executed | Workflow ran |
| workflow.completed | Workflow finished |
| workflow.failed | Workflow failed |
Filtering Logs
By Date Range
1Click Date Range filter
2
Select preset:
- Last 24 hours
- Last 7 days
- Last 30 days
- Last 90 days
- Custom range
3For custom, select start/end dates
By User
1Click User filter
2Select specific user
3Shows only that user's actions
By Action Category
1Click Category filter
2
Select:
- All
- Authentication
- Users
- Projects
- Deployments
- Integrations
- Policies
- Workflows
- Settings
By Status
1Click Status filter
2
Select:
- All
- Success
- Failed
By Resource
1Click Resource filter
2Enter resource name or ID
3Shows events for that resource
Searching Logs
Search Box
1Type in Search box
2
Searches across:
- Action names
- Resource names
- User emails
- Event details
3Real-time filtering
Search Examples
| Search | Finds |
|---|---|
deploy | All deployment events |
john@ | All John's actions |
vpc-prod | Events for vpc-prod project |
failed | Failed events |
Exporting Logs
Export Options
1Click Export button
2
Select format:
- CSV
- JSON
3Select date range
4Click Download
Export Fields
Exports include:
- Timestamp
- User email
- Action
- Resource
- Status
- IP address
- Full details
Scheduled Exports
1Click Schedule Export
2Select frequency (Daily, Weekly)
3Select format
4Enter email recipient
5Click Schedule
Log Retention
Retention Period
Free
7 days
Pro
90 days
Enterprise
1 year+
After Retention
- Logs are automatically deleted
- Export before expiration for compliance
- Contact support for extended retention
Real-Time Logs
Live View
1Click Live toggle
2New events appear immediately
3Auto-scrolls to latest
Pause Live View
1Click Pause button
2View freezes
3Click Resume to continue
Security Analysis
Failed Login Detection
Filter for suspicious activity:
1Filter: Category = Authentication
2Filter: Status = Failed
3Review IP addresses and patterns
Permission Changes
Track sensitive changes:
1Filter: Category = Users
2Look for role_changed events
3Review who made changes
Unusual Activity
Signs to Watch For
- Many failed logins
- Actions at unusual times
- Actions from unusual IPs
- Bulk deletions
Compliance Use Cases
SOC 2
Demonstrate:
- Access controls (role changes)
- Change management (deployments)
- Security events (login attempts)
GDPR
Track:
- Data access events
- User data modifications
- Consent changes
Creating Compliance Reports
1Set date range for audit period
2Export relevant categories
3Include in compliance documentation
API Access
Programmatic Access
Query logs via API:
curl -X GET \
-H "Authorization: Bearer $API_KEY" \
"https://api.ops0.io/v1/audit-logs?start=2024-01-01&end=2024-01-31"
API Filters
| Parameter | Description |
|---|---|
start | Start date |
end | End date |
user | User email |
action | Action type |
status | success/failed |
limit | Max results |
offset | Pagination offset |
Best Practices
Review Regularly
Check logs weekly for anomalies and security events.
Set Up Alerts
Configure notifications for critical events like failed logins.
Export for Compliance
Schedule regular exports before retention period expires.
Monitor Failed Events
Failed actions are often the first indicator of security issues.
Track Deployments
Maintain audit trail for change management requirements.
Document Reviews
Record when and what you reviewed for audit evidence.
Troubleshooting
Missing Events
Events not appearing
Check date filter is set to correct range.
Can't find user's events
Verify user email is spelled correctly in filter.
Gaps in timeline
Check retention period - old logs may have been deleted.
Export Issues
Export too large
Reduce date range or filter to specific categories.
Timeout
Try smaller date range or use scheduled exports.
Missing fields
Check export format - JSON includes all fields, CSV is summarized.
Example: Investigating a Failed Deployment
Using audit logs to trace and understand a deployment failure.
Initial Alert
Notification: Deployment Failed
─────────────────────────────────────
Project: api-infrastructure
Time: 2024-01-15 14:30:45 UTC
User: sarah@acme.com
Step 1: Filter to Deployment Events
Settings → Audit Logs
─────────────────────────────────────
Filter: Category = Deployments
Filter: Status = Failed
Filter: Date = Today
Results: 1 event found
Step 2: View Event Details
Event Details
─────────────────────────────────────
Event ID: evt_abc123xyz
Timestamp: 2024-01-15 14:30:45 UTC
User: sarah@acme.com (usr_456)
Action: deployment.failed
Resource: api-infrastructure
IP Address: 192.168.1.50
User Agent: Chrome/120.0
Changes:
error: "Policy violation: S3 encryption required"
resources_planned: 5
resources_applied: 2
Request:
deployment_id: dep_789
trigger: manual
Step 3: Find Related Events
Filter: Resource = api-infrastructure
Filter: Date = Last 24 hours
─────────────────────────────────────
14:30:45 deployment.failed sarah@acme.com
14:30:42 deployment.started sarah@acme.com
14:28:10 project.file_updated sarah@acme.com (main.tf)
14:25:33 user.login sarah@acme.com
Step 4: Identify Root Cause
Timeline Analysis
─────────────────────────────────────
14:25 Sarah logged in
14:28 Sarah updated main.tf
14:30 Sarah started deployment
14:30 Deployment failed: policy violation
Root Cause: Code change introduced unencrypted S3 bucket
Fix: Add encryption configuration to S3 resource
Result
Incident Report
─────────────────────────────────────
Issue: Deployment blocked by policy
Detected: Immediately via policy check
Impact: No production impact (blocked)
Root Cause: Missing S3 encryption config
Resolution: Add encryption, redeploy
Time to Fix: 15 minutes
The audit log provided complete visibility into what happened and when.
Next Steps
- General Settings - Profile settings
- IAM Settings - Users and roles
- Integrations - Connect providers