Logs & Compliance
The Logs section of the Auris Console provides a comprehensive audit trail of all administrative and authentication events in your tenant. Every action taken by users, administrators, and automated processes is recorded. The audit log is the primary tool for security investigations, compliance reporting, and operational monitoring.
Access the audit log at Console → Logs.
Audit Log
What Is Logged
Auris logs 30+ distinct event types across four categories:
Authentication Events
| Event | Description |
|---|---|
user.login | Successful login |
user.login_failed | Failed login attempt (wrong password, locked account, etc.) |
user.logout | User logged out |
user.mfa_enrolled | MFA method enrolled |
user.mfa_removed | MFA method removed |
user.mfa_challenged | MFA step presented during login |
user.mfa_passed | MFA step completed successfully |
user.mfa_failed | MFA step failed (wrong code) |
user.password_reset | Password reset completed |
user.email_verified | Email address verified |
user.social_login | Login via social provider |
user.sso_login | Login via enterprise SSO |
User Management Events
| Event | Description |
|---|---|
user.created | New user account created |
user.updated | User profile updated |
user.deleted | User moved to trash |
user.deleted_permanently | User permanently deleted |
user.restored | Deleted user restored |
user.disabled | User account disabled |
user.enabled | User account re-enabled |
user.role_assigned | Role added to user |
user.role_removed | Role removed from user |
user.session_revoked | User session revoked by administrator |
Administrative Events
| Event | Description |
|---|---|
application.created | Application registered |
application.updated | Application settings changed |
application.deleted | Application deleted |
application.secret_rotated | Client secret rotated |
role.created | Role created |
role.updated | Role name or description changed |
role.deleted | Role deleted |
role.permission_changed | Permission toggled on or off for a role |
organization.created | Organization created |
organization.member_added | User added to organization |
organization.member_removed | User removed from organization |
organization.sso_connection_activated | SSO connection made live |
Security Events
| Event | Description |
|---|---|
security.account_locked | Account locked due to brute-force threshold |
security.account_unlocked | Locked account manually or automatically unlocked |
security.suspicious_login | Suspicious login detected |
security.ip_blocked | Login rejected by IP block rule |
security.captcha_failed | CAPTCHA verification failed |
action.executed | Actions Engine action ran |
action.error | Actions Engine action encountered an error |
Log Entry Structure
Each audit log entry contains:
| Field | Description |
|---|---|
| Timestamp | ISO 8601 datetime with millisecond precision |
| Actor | Who performed the action: user ID and email, or system for automated events |
| Action | The event type (for example, user.login, role.permission_changed) |
| Resource Type | The type of entity affected (user, role, application, etc.) |
| Resource ID | The unique identifier of the affected entity |
| IP Address | IP address from which the request originated |
| User Agent | Browser or client information for end-user actions |
| Severity | info, warn, or error |
| Before | The state of the affected resource before the change (for update events) |
| After | The state of the affected resource after the change (for update events) |
| Metadata | Additional event-specific data |
Viewing Logs
The Logs page displays log entries in reverse chronological order (newest first). The interface has three main areas:
Log Stats Bar
At the top, a bar shows the breakdown of recent events by severity (info / warn / error) and by source (authentication, user management, administrative, security). Click a badge to filter the log to that category.
Log Table
Each row in the log table shows:
- A colored severity indicator dot
- The action type as a styled badge
- A summary of the event (actor → action → resource)
- The time, shown as a relative value (“3 minutes ago”) with the full timestamp visible on hover
Log Detail Sheet
Click any row to open a side panel with the full log entry:
- All fields listed in the table above
- Formatted before/after diff for changes (highlighted additions in green, removals in red)
- Links to the affected resource (opens the user’s detail page, application detail page, etc.)
- Copy buttons for the raw JSON payload, actor ID, and resource ID
Filtering Logs
The filter panel appears above the log table. Multiple filters can be active simultaneously.
Available Filters
| Filter | Options |
|---|---|
| Date Range | Last hour, Last 24 hours, Last 7 days, Last 30 days, Custom range |
| Severity | Info, Warn, Error |
| Action Type | Select from the full list of event types |
| Resource Type | User, Role, Application, Organization, etc. |
| Keyword Search | Full-text search across action, actor, and metadata fields |
Active Filter Badges
Each active filter appears as a removable badge below the filter panel. Click the x on any badge to remove that filter. Click Clear All to reset all filters.
Auto-Refresh
Toggle Auto-Refresh (the refresh icon in the top toolbar) to enable 15-second polling. When active, new log entries appear at the top of the table automatically. A “Live” indicator badge appears next to the toggle.
Use auto-refresh during incident investigation or security monitoring to watch events as they occur without manually reloading the page.
Log Streaming
Log streaming exports audit log events to external systems in real time. Configure streams to send logs to your SIEM, log aggregation platform, or cloud storage for long-term retention and advanced analysis.
Supported Destinations
| Destination | Description |
|---|---|
| Webhook | HTTP POST to any URL with HMAC-SHA256 signed payload |
| Amazon S3 | Write logs as JSON files to an S3 bucket |
| Datadog | Send logs to Datadog Logs via the HTTP API |
| Splunk | Send logs to Splunk HEC (HTTP Event Collector) |
Configuring a Log Stream
Open Log Streaming settings
Go to Console → Settings → Log Streaming and click Add Stream.
Choose the destination type
Select from Webhook, Amazon S3, Datadog, or Splunk.
Configure destination-specific settings
Webhook
| Field | Description |
|---|---|
| Name | Display name for this stream |
| URL | The HTTPS endpoint to POST events to |
| Secret | Optional HMAC secret for signature verification |
Each delivered event is an HTTP POST with the body:
{
"type": "log.audit",
"timestamp": "2025-02-18T14:30:00Z",
"tenant_id": "your-tenant-id",
"event": {
"action": "user.login",
"actor": { "id": "usr_abc", "email": "[email protected]" },
"resource": { "type": "user", "id": "usr_abc" },
"severity": "info",
"ip": "203.0.113.42",
"metadata": {}
}
}If a secret is configured, Auris includes an X-Auris-Signature header:
X-Auris-Signature: sha256=<HMAC-SHA256 of request body using your secret>Amazon S3
| Field | Description |
|---|---|
| Bucket Name | The S3 bucket to write to |
| Region | AWS region |
| Access Key ID | AWS credentials with s3:PutObject permission on the bucket |
| Secret Access Key | AWS credentials |
| Key Prefix | Optional path prefix for log files (for example, auris-logs/) |
Logs are batched and written as JSON files with keys in the format {prefix}{date}/{hour}/events.json.
Datadog
| Field | Description |
|---|---|
| API Key | Your Datadog API key |
| Site | Datadog site region (for example, datadoghq.com, datadoghq.eu) |
| Tags | Optional comma-separated tags to add to all log entries |
Splunk
| Field | Description |
|---|---|
| HEC URL | The Splunk HTTP Event Collector endpoint URL |
| HEC Token | The Splunk HEC authentication token |
| Index | The Splunk index to write to |
| Source | The source field value in Splunk |
Configure event filter
Optionally filter which event types are sent to this stream. By default, all event types are streamed. To reduce volume, you may want to stream only error severity events, or only specific action types (for example, only security.* events to your SIEM).
Save and activate
Click Save. The stream is active immediately. Send a test event using the Test button to verify connectivity before relying on the stream for compliance purposes.
GDPR Compliance Tools
Auris provides built-in tools for data subject rights requests under GDPR, CCPA, and similar data protection regulations.
Data Export (Right of Access)
Export all personal data associated with a user:
- Go to Users → find the user
- Open the user’s detail page
- Click Export User Data
- A JSON file is generated containing: profile data, metadata, role assignments, organization memberships, audit log entries where this user is the actor, and session history
The export is available for download immediately and is also sent to the administrator’s email address.
Data Erasure (Right to Erasure)
Permanently delete a user’s personal data while preserving audit log integrity:
- Go to Users → find the user (or search Administration → Deleted Users if already soft-deleted)
- Click Delete Permanently
- Confirm by typing the user’s email address
Permanent deletion:
- Removes the user account and all profile data
- Anonymizes all audit log entries that reference this user (replaces name and email with
[deleted_user_{id}]) - Removes the user from all organization memberships
- Revokes all active sessions
- Cannot be undone
Permanent deletion is irreversible. Ensure you have exported the user’s data first if the data subject’s access request requires providing them a copy before erasure.
Consent Management
Auris records consent events when users accept terms of service, privacy policies, or cookie policies via the hosted login flow. Go to a user’s detail page → Activity History to view consent events with timestamps and the version of the terms they accepted.
Data Retention
Audit Log Retention
By default, audit log entries are retained for 90 days. After this period, entries are permanently deleted.
Configure retention period in Settings → Tenant → Data Retention:
| Setting | Description | Default |
|---|---|---|
| Audit Log Retention | Number of days to retain audit log entries | 90 |
| Action Log Retention | Number of days to retain Actions Engine execution logs | 30 |
| Session Log Retention | Number of days to retain session records for inactive sessions | 90 |
Note: Longer retention periods increase storage requirements. If you need long-term audit log retention (for example, 7 years for certain compliance frameworks), configure a Log Stream to Amazon S3 and use bucket lifecycle policies for extended retention at lower cost.
Exporting Logs Before Deletion
Before retention-based deletion occurs, you can export logs:
- Go to Logs
- Apply a date range filter to the period you want to export
- Click Export (download icon in the toolbar)
- Choose format: JSON (full detail) or CSV (summary)
The export downloads immediately. For large date ranges, the export runs as a background job and you receive an email with the download link when it is ready.
Related Guides
- Log Streaming API — Manage log streams programmatically
- Security Monitoring — Using audit logs for threat detection
- GDPR Compliance Reference — Data protection framework for Auris tenants
- User Import & Export — Bulk user data operations