Tamper-Evident Audit Log | Flowtriq

Audit Log

Every action logged.
Every change detected.

Every event in Flowtriq (incident opened, PCAP downloaded, node added, API key rotated, maintenance window started) is recorded with timestamp, actor, source IP, and full context. Each entry is hash-chained to the previous one, so any tampering breaks the chain and is immediately detectable. A complete compliance trail for SOC 2 audits and incident reviews.

100%: Events logged
SHA-256: Hash-chained integrity
API: Queryable & exportable

Sample Log

Everything that happens, recorded

Timestamp (UTC)     | Event             | Actor             | Node / Resource        | IP
--------------------+-------------------+-------------------+------------------------+-------------
2026-03-09 09:44:19 | Incident Opened   | system            | nyc-edge-01 · a3f7c2b1 |
2026-03-09 09:44:22 | PCAP Started      | system            | nyc-edge-01 · a3f7c2b1 |
2026-03-09 09:48:03 | Incident Resolved | system            | nyc-edge-01 · a3f7c2b1 |
2026-03-09 09:52:14 | PCAP Downloaded   | [email protected] | nyc-edge-01 · a3f7c2b1 | 203.0.113.42
2026-03-09 14:04:01 | Maintenance Start | deploy-bot        | fra-core-01            | 10.0.1.5
2026-03-09 14:30:00 | Maintenance End   | system (auto)     | fra-core-01            |
2026-03-09 16:30:00 | API Key Rotated   | [email protected] | fra-core-01            | 198.51.100.7
2026-03-09 17:12:44 | Node Added        | [email protected] | sgp-edge-04            | 203.0.113.42

What Gets Logged

Every category of action, captured

The audit log covers all action categories across the Flowtriq platform. Security-relevant events (key rotations, access, downloads) include the source IP. System-generated events (detections, resolutions) are tagged as actor "system" to distinguish them from human actions.

Incidents

Opened, acknowledged, resolved, manually closed. Includes detection timestamp, UUID, and peak metrics.

PCAP Access

Every capture started, upload completed, and download generated, with actor, IP, and file hash.

Node Management

Node added, renamed, removed, configuration changed, interface changed.

Keys & Auth

API key created, rotated, revoked. User login, logout, failed login attempts.

Maintenance Windows

Window created, started, ended (manually or automatically), cancelled.

Configuration

Alert channels added/removed, thresholds changed, IOC patterns added.

Export & Query

Queryable via API. Exportable as JSON or CSV.

The audit log supports filtering by actor, event type, node, and time range. Export full log archives for SIEM ingestion or compliance reporting directly from the Audit Log dashboard page. Enterprise customers can configure automatic nightly exports to an S3-compatible bucket.

flowtriq dashboard · /dashboard/audit
Filter: event_type = pcap.download   since: 2026-03-02

┌──────────────────────┬────────────────┬───────────────┬──────────┐
│ Timestamp            │ Event          │ Actor         │ IP       │
├──────────────────────┼────────────────┼───────────────┼──────────┤
│ 2026-03-09 09:52:14  │ pcap.download  │ alice@acme    │ 203.0.…  │
│ 2026-03-07 14:11:03  │ pcap.download  │ bob@acme      │ 198.51.… │
│ 2026-03-04 22:38:50  │ pcap.download  │ alice@acme    │ 203.0.…  │
└──────────────────────┴────────────────┴───────────────┴──────────┘
3 events   [Export CSV] [Export JSON]

FAQ

Common questions about the audit log

How does the audit log prevent tampering?

Every audit log entry is hash-chained to the previous entry using SHA-256. Each entry's hash is computed from its contents plus the previous entry's hash, forming a cryptographic chain. If any entry is modified, deleted, or inserted out of order, the chain breaks and the tampering is immediately detectable. There is no API endpoint or dashboard action that allows modification of log entries. You can verify chain integrity at any time from the Audit Log dashboard.
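
The chaining scheme described above, sketched as an added example; this is not Flowtriq's code or export format. The record fields, event names other than pcap.download, the canonical-JSON serialization, and the all-zero genesis value are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's prev_hash

def entry_hash(record, prev_hash):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash stable.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev_hash": prev,
                "hash": entry_hash(record, prev)})

def verify(log, trusted_head=None):
    """Return (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            return False, i          # entry removed, inserted or reordered
        if entry["hash"] != entry_hash(entry["record"], prev):
            return False, i          # entry contents changed
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(log)       # tail truncated, or chain rebuilt
    return True, None

def sample_log():
    # Constructed sample entries, loosely modelled on the page's sample log.
    rows = [
        ("2026-03-09 09:44:19", "incident.opened", "system"),
        ("2026-03-09 09:44:22", "pcap.started", "system"),
        ("2026-03-09 09:48:03", "incident.resolved", "system"),
        ("2026-03-09 09:52:14", "pcap.download", "alice@acme"),
    ]
    log = []
    for ts, event, actor in rows:
        append(log, {"ts": ts, "event": event, "actor": actor})
    return log

if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]           # store this outside the log system
    print("intact:", verify(log, head))
    log[3]["record"]["actor"] = "system"   # simulate an edited entry
    print("edited:", verify(log, head))
    print("truncated:", verify(sample_log()[:-1], head))
```

A chain that verifies on its own only proves internal consistency; comparing against a head hash kept outside the log store is what catches a truncated tail or a fully recomputed chain.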

How long are audit log entries retained?

Audit log entries are retained for 90 days on the Per Node plan. Enterprise customers can configure retention up to 1 year. Automatic export to your own storage (S3-compatible) allows indefinite archival under your own retention policy.

Can I use the audit log for SOC 2 compliance?

Yes. The audit log is designed to satisfy SOC 2 Type II requirements for access control, change management, and security event logging. The log captures who accessed PCAP data, when, and from which IP, which is directly relevant to SOC 2 CC6 controls. Flowtriq can provide a log export in the format required by your auditor.

Does the audit log capture failed access attempts?

Yes. Failed login attempts, requests with invalid API keys, and attempts to access resources in other workspaces are all logged with the source IP, timestamp, and attempted action. These entries are valuable for detecting credential stuffing and unauthorized access attempts.

Get Started

Tamper-evident logging for every event, from day one.

Audit log included in every plan. Free 7-day trial, no credit card required.