Audit log¶
The audit log is a record of significant actions taken in an organisation. It lets admins answer who changed what, and when. Open Admin > Audit to view it.
What is recorded¶
Each significant administrative and security-relevant action creates a log entry, including:
- Member changes: add, remove, and role change.
- Project changes: create, update, and delete.
- Notification channel changes: create, update, and delete.
- Cost alert changes: create, update, and delete.
- SSO and SMTP configuration changes.
- Organisation settings changes.
Every entry stores a timestamp, the acting user, the source IP address, the action, the target of the action, and a short detail field.
Automated events show as System
Actions performed by a human are attributed to that user. Actions performed automatically by OpenWatch (for example, background maintenance) are attributed to "System".
Who can see it¶
The audit log is visible to organisation admins only, and it is scoped to the active organisation. If you administer several organisations, switch organisation in the admin sidebar to see each one's log.
Reading and filtering¶
- Entries are shown newest first, paginated at 25 per page.
- Use the action filter dropdown to narrow the list to a single action type (for example, only member changes or only project changes).
- Each row shows the timestamp, user, IP address, action, target and detail so you can reconstruct a change.
Retention¶
Audit entries are kept for 30 days and older entries are purged automatically. If you need longer retention for compliance, export or copy the entries you need before they age out.
Investigating an incident
If you suspect an unexpected change, filter by the relevant action type and scan the user and IP columns. Combine this with the sign-in history on your account security page to understand session activity.