Audit Log

The Audit Log records every administrative action — who did what, when, and to which resource.


Viewing the Audit Log

Go to System → Audit Log to browse all recorded events.

Filters

  • Tenant Filter — (super-admin only) filter events by tenant
  • Action Type — filter by specific action (dropdown populated dynamically):
      ◦ user_create, user_delete
      ◦ device_delete, device_unlock
      ◦ tenant_create, tenant_delete
      ◦ dns_create, dns_delete
      ◦ password_change
      ◦ token_regenerate
      ◦ And more as features are used
  • Limit — show 50, 100, 250, or 500 events
  • Refresh — reload the log
  • Clear Filters — reset all filters

Events Table

| Column | Description |
|---|---|
| Timestamp | When the action occurred |
| Admin User | Who performed the action |
| Action | Color-coded action type badge |
| Resource | The affected resource (device ID, username, tenant, etc.) |
| Details | Additional context about the action |

Events are sorted newest-first.


What Gets Logged

All administrative actions are recorded, including:

  • User creation, deletion, and password changes
  • Device approval, deletion, and tenant unlocking
  • Tenant creation and deletion
  • DNS record changes
  • SSH certificate issuance and revocation
  • Provisioning profile changes
  • License activation and revocation
  • Token regeneration

Retention

By default, audit rows are kept for 90 days and then deleted by a background sweeper that runs once a day. Two environment variables override the defaults:

| Variable | Default | Effect |
|---|---|---|
| WATCHGRID_AUDIT_RETENTION_DAYS | 90 | Window in days. Set to 0 to disable the sweep (rows are kept forever — use with care on busy tenants). |
| WATCHGRID_AUDIT_RETENTION_SWEEP_HOURS | 24 | How often the sweeper runs. A shorter interval reduces the "over-retained" window after you reduce the retention setting. |

The sweeper runs against both admin_audit_log and device_security_log. Delete activity and row counts are emitted to the server log ([AuditRetention]).

Longer retention for regulated customers

If your compliance regime requires multi-year retention:

  1. Raise WATCHGRID_AUDIT_RETENTION_DAYS to match the requirement (e.g. 2555 for 7 years).
  2. For very long windows, offload closed rows to cheaper storage rather than keeping them in the hot Postgres table:
      ◦ Run a nightly COPY (SELECT ... WHERE timestamp < now() - interval '90 days') TO PROGRAM '...' that ships JSONL to S3 / GCS / an append-only SIEM.
      ◦ Reduce WATCHGRID_AUDIT_RETENTION_DAYS back to 90 once the archive pipeline is in place.
      ◦ Document the archive location in your incident-response runbook — the dashboard UI only shows rows still in Postgres.
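
The offload step above, as an added client-side example (not WatchGrid's own code): it exports rows older than the hot window as JSONL with psql instead of server-side COPY ... TO PROGRAM, which needs superuser or pg_execute_server_program rights on the database host, and it refuses to upload unless the file's line count equals the table's row count for the same fixed cutoff. Assumed: libpq environment variables select the WatchGrid database, the bucket name is a placeholder, the aws CLI is installed, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not WatchGrid code. Assumed: PGHOST/PGDATABASE/PGUSER select the
# WatchGrid database; BUCKET is a placeholder. Table and column names are the page's.
set -eu
HOT_DAYS="${HOT_DAYS:-90}"                       # rows older than this get archived
BUCKET="${BUCKET:-s3://example-audit-archive}"   # placeholder destination

# Build the SELECT. $1=json|count  $2=table  $3=fixed UTC cutoff  $4=days
# Only the two audit tables and strictly formatted values are accepted, so no
# unchecked string is ever spliced into the SQL text.
audit_query() {
  local mode="$1" table="$2" now="$3" days="$4" cols
  case "$table" in admin_audit_log|device_security_log) ;; *) return 2 ;; esac
  case "$days" in ''|*[!0-9]*) return 2 ;; esac
  case "$now" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
    *) return 2 ;;
  esac
  case "$mode" in json) cols="row_to_json(t)" ;; count) cols="count(*)" ;; *) return 2 ;; esac
  printf "SELECT %s FROM %s t WHERE t.timestamp < timestamptz '%s' - interval '%s days'" \
    "$cols" "$table" "$now" "$days"
}

# Number of records in a JSONL file (one JSON object per line).
jsonl_rows() { wc -l < "$1" | tr -d '[:space:]'; }

# Export one table, check the file holds every matching row, then upload it.
archive_table() {
  local table="$1" now="$2" out q_json q_count expected
  q_json="$(audit_query json "$table" "$now" "$HOT_DAYS")"
  q_count="$(audit_query count "$table" "$now" "$HOT_DAYS")"
  out="$(mktemp)"
  # -A -t prints each row_to_json() value as one raw, unescaped line (JSONL).
  psql -X -At -v ON_ERROR_STOP=1 -o "$out" -c "$q_json"
  expected="$(psql -X -At -v ON_ERROR_STOP=1 -c "$q_count")"
  if [ "$(jsonl_rows "$out")" != "$expected" ]; then
    echo "row count mismatch for $table; do not lower retention yet" >&2
    rm -f "$out"; return 1
  fi
  gzip "$out"
  aws s3 cp "$out.gz" "$BUCKET/$table/${now%%T*}.jsonl.gz"
  rm -f "$out.gz"
}

if [ "${1:-}" = "--run" ]; then
  now="$(date -u +%Y-%m-%dT%H:%M:%SZ)"           # one cutoff shared by both tables
  for t in admin_audit_log device_security_log; do archive_table "$t" "$now"; done
fi
```

Run it from cron with `--run`; a non-zero exit means the archive is incomplete and WATCHGRID_AUDIT_RETENTION_DAYS should stay at the long value until the mismatch is explained.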